Wednesday, September 9, 2009

Interesting about W32.Virut variant

Within the last 2 months, I have continuously been reading about and doing some RCE on the well-known virus called W32.Virut, which other malware analysts have named W32.Sality. This is not a new virus; it was already detected around 2006. Over the last 2 months I have received more than 20 reports from friends around Malaysia about this virus infecting their labs and PCs.

W32.Virut is a parasitic file infector with polymorphic and backdoor capabilities. Once executed, it injects its code into the winlogon.exe process and creates a new thread in that process, though this depends on the variant: other variants inject their code into the smss.exe and csrss.exe processes. It infects all EXE and SCR files by appending itself to the last section of the host file and setting the entry point to point at the viral code, so any execution of the infected file runs the viral code first before passing control to the host code. W32.Virut prevents itself from running on virtual machines such as VMware or Virtual PC, which makes it difficult to trace its presence, threads and processes. Its polymorphism also makes my sandbox generate inaccurate results, so manual analysis is needed.
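The infection pattern described above (code appended to the last section, entry point redirected into it) leaves a trace in the PE headers that a triage script can look for without running the file. The script below is an added example written for this post, not a tool from the original article or from any AV vendor: it parses the PE section table, locates the section that contains AddressOfEntryPoint, and flags the file when that section is the last one and is marked executable. The two sample images are constructed header-only PE files built inside the script; they are not real W32.Virut samples.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections) read from the headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    table = opt + opt_size                   # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
            "characteristics": chars,
        })
    return entry_rva, sections


def section_index_for_rva(rva, sections):
    """Index of the section whose virtual range contains rva, or None."""
    for idx, s in enumerate(sections):
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return idx
    return None


def appended_code_verdict(data):
    """Heuristic: entry point inside the last, executable section is suspicious."""
    entry_rva, sections = parse_pe(data)
    idx = section_index_for_rva(entry_rva, sections)
    if idx is None:
        return "suspicious: entry point outside every section"
    last = len(sections) - 1
    s = sections[idx]
    if idx == last and last > 0 and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        return "suspicious: entry point in last section %r" % s["name"]
    return "ok: entry point in section %r" % s["name"]


def build_test_pe(entry_rva, section_specs):
    """Constructed minimal PE32 header image for testing (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table = b""
    raw_ptr = 0x400
    for name, vaddr, size, chars in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr,
                             0, 0, 0, 0, chars)
        raw_ptr += size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and one where the entry point was moved
# into an executable last section, the shape the post describes for infected hosts.
CLEAN_SAMPLE = build_test_pe(0x1200, [
    (b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
INFECTED_LIKE_SAMPLE = build_test_pe(0x2800, [
    (b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
     | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    print("clean:   ", appended_code_verdict(CLEAN_SAMPLE))
    print("infected:", appended_code_verdict(INFECTED_LIKE_SAMPLE))
```

Treat the verdict as a triage signal rather than proof of infection: some packers and protectors also place the entry point in a late section, so a hit should be followed by the manual look at the entry-point code that the post describes, not by an automatic clean.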

[Picture 1]

From Picture 1, it is clearly shown that the strings inside W32.Virut reveal its jobs, such as adding its process to the Windows Firewall exception list, disabling System File Protection, modifying the HOSTS file and contacting an external server address, as well as the Windows API imports pointing to Windows DLL files.

W32.Virut has already generated a few hundred variants through its polymorphic technique, making it hard to detect with simple static hash detection.



Solution: Repair & Cleaning

There are many tools out there for quickly repairing your infected files. One of the best is AVG Win32/Virut Removal. It is free to download and use.