SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Virtob.Gen

HIGH
MEDIUM
aprox. 8K
()

Symptoms

Increased size of some executable files with appreciatively 8K.

Increased system activity (increased net traffic and processor usage)

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Suiu Andre, virus researcher Cimpoesu Mihai, virus researcher

Technical Description:

The virus is written in assembly language.          
It infects *.exe and *.scr files when files are opened (the usage of tools that show file icons is very harmful in this situation). When infecting the virus appends itself at the end of the file as a crypted body. It does not infect dll files or file whose name start with (“winc”,”wcun”,”wc32”,”psto”). It hides its process by injecting viral code in other processes in the system.

 

The virus is continuously trying to connect to a IRC (proxima.irc[removed]) server on port 65520  and receives commands to download a file. It can interpret 2 different commands:

  • a "check if connected" command
  • a PRIV command witch can contain a link to a possible virus.

The default file witch is being downloaded from the IRC server is VT100.exe (witch moves itself in %windir%/system32 directory and acts as a backdoor program).

Antivirus Software For Home Users
Business Security Solutions
Latest News
Tools & Resources