Immediately after the file is executed, it establishes an encrypted connection to irc.zief.pl:65520 (should that fail, the backup server is proxim.ircgalaxy.pl) to contact its command and control server. Virut then downloads several executable files from adx2.2288.org disguised as "non files" (judging by their file extensions):
- adx.gif, a Trojan downloader
- 8.txt, a password stealer. An analysis of 8.txt shows the following strings embedded in it:
Pic.1: Strings embedded in executable "8.txt"
The network traffic confirms that "8.txt" is a password-stealing Trojan:
Pic.2: Network traffic showing password-stealing Trojan in action
Additional malware is downloaded from
Note that the downloaded files, including their names, can be completely different every time, because Virut receives its instructions at runtime through its connection to the C&C server.
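The C&C contact and the masquerading downloads described above are straightforward to flag in connection logs once the indicators are known. The script below is an added example, not part of the original post or of any released VRT rule: the log format, the client addresses and the response bytes are constructed, and only the hostnames, the port and the file names come from the text above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators named in the post: the IRC C&C servers and port Virut contacts,
# and the host it fetches executables with misleading extensions from.
CNC_HOSTS = {"irc.zief.pl", "proxim.ircgalaxy.pl"}
CNC_PORT = 65520
DROP_HOST = "adx2.2288.org"
NON_EXEC_EXTS = (".gif", ".txt", ".jpg", ".png", ".html")
MZ_MAGIC = b"MZ"  # every Windows executable starts with the DOS "MZ" header

# Constructed log format (an assumption, not any product's real format):
#   <ts> tcp  <src> -> <host>:<port>
#   <ts> http <src> -> <host>:<port> <url-path> <hex of first response bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|http) (?P<src>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+)"
    r"(?: (?P<path>\S+) (?P<head>[0-9a-fA-F]*))?$"
)

@dataclass
class Alert:
    line_no: int
    reason: str
    host: str

def parse(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def check(rec: dict) -> List[str]:
    """Return the reasons (if any) a parsed log record matches Virut behaviour."""
    reasons = []
    host, port = rec["host"].lower(), int(rec["port"])
    if host in CNC_HOSTS or port == CNC_PORT:
        reasons.append("virut-cnc-contact")
    if rec["proto"] == "http" and host == DROP_HOST:
        path = (rec["path"] or "").lower()
        head = bytes.fromhex(rec["head"] or "")
        # A ".gif" or ".txt" whose body begins with "MZ" is an executable in disguise.
        if path.endswith(NON_EXEC_EXTS) and head.startswith(MZ_MAGIC):
            reasons.append("virut-executable-with-non-exec-extension")
        else:
            reasons.append("virut-download-host")
    return reasons

def scan(lines) -> List[Alert]:
    return [Alert(n, r, rec["host"]) for n, line in enumerate(lines, 1)
            if (rec := parse(line)) for r in check(rec)]

SAMPLE_LOG = [  # constructed sample; only hosts, port and file names are from the post
    "2009-03-30T10:00:01 tcp 10.0.0.5:1033 -> irc.zief.pl:65520",
    "2009-03-30T10:00:04 tcp 10.0.0.5:1034 -> proxim.ircgalaxy.pl:65520",
    "2009-03-30T10:00:09 http 10.0.0.5:1035 -> adx2.2288.org:80 /adx.gif 4d5a90000300",
    "2009-03-30T10:00:12 http 10.0.0.5:1036 -> adx2.2288.org:80 /8.txt 4d5a9000",
    "2009-03-30T10:00:15 http 10.0.0.5:1037 -> www.example.com:80 /logo.gif 47494638",
    "2009-03-30T10:00:20 tcp 10.0.0.5:1038 -> mail.example.com:25",
]
```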
Virut is also a classic "virus" in the sense that it spreads from file to file by appending malicious code to clean files, making them some 20 kb larger than before. In infected files, a jump (JMP) instruction is inserted to point to the end of the original file. Picture 3 shows the virus entry point.
Pic.3: Virut entry point
This variant of Virut is also an entry-point obscuring virus. Comparing different infected files shows that the virus entry point always sits at a different offset relative to the entry point of the infected file. Virut patches the executable's code so that the virus is not invoked every time the file is run, but only on some runs, at random.
Additionally, Virut is highly polymorphic. Pictures 4 and 5 show the file-appending virus code for two infected executables. The two sets of instructions do not match at all, because Virut uses garbage instructions and a different decryptor for each file it infects, making analysis more difficult.
Pic.4: Virut code appended to an executable
Pic.5: Virut code appended to another executable
According to VirusBulletin (www.virusbtn.com), the Virut malware family was the 5th most prevalent in March 2009. Virut has used the same domain name for the server it contacts when it is initially run. Rules to detect Virut attempting to contact its command and control server will be released in the near future. I will then update this blog post with the GIDs and SIDs.