Win32.Virtob.Gen

SYMPTOMS:

Increased size of some executable files with appreciatively 8K.

Increased system activity (increased net traffic and processor usage)

TECHNICAL DESCRIPTION:

The virus is written in assembly language.          
It infects *.exe and *.scr files when files are opened (the usage of tools that show file icons is very harmful in this situation). When infecting the virus appends itself at the end of the file as a crypted body. It does not infect dll files or file whose name start with (“winc”,”wcun”,”wc32”,”psto”). It hides its process by injecting viral code in other processes in the system.

 

The virus is continuously trying to connect to a IRC (proxima.irc[removed]) server on port 65520  and receives commands to download a file. It can interpret 2 different commands:

• a "check if connected" command
• a PRIV command witch can contain a link to a possible virus.

The default file witch is being downloaded from the IRC server is VT100.exe (witch moves itself in %windir%/system32 directory and acts as a backdoor program).

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Suiu Andre, virus researcher Cimpoesu Mihai, virus researcher