Last week, an online user reported to us that he could not access some AV websites, while he had no problem with Google.com and Yahoo.com. He also added that he thought his computer might be infected with the notorious Virut malware.
Hmm... wait a minute, Virut doesn't include website blocking capability, unlike what Conficker.C did a couple of months ago. So we immediately asked for a couple of samples to verify his intuition. Not surprisingly, it's indeed a slightly modified version of W32/Virut.CE.
I wasn't surprised, because this is what W32/Virut.CE is known for doing: continuous modification to avoid detection by security products like AV and IPS. In fact, even earlier variants of the Virut file infector were observed doing the same, but this particular variant was first spotted in the wild in February 2009. When we see a major modification, it's worth mentioning to the public to keep everyone informed, just like this one.

**What's hot and what's not?**

There's no doubt it's the same Virut variant, which we currently detect as W32/Virut.CE, with just some facelift and added functionality. For instance, the following characteristics are still intact:
- **Garbage instructions and too many jumps.** This is how Virut.CE attains polymorphism: code full of garbage instructions, with jumps connecting those code chunks.
- **File Infection.** The file infection routine is still intact and has not changed much, with the same targets: EXE, SCR, ASP, HTM and PHP files.
- **Process Injection.** This virus is known to inject its main malicious routine into the WINLOGON process before hooking some NTDLL APIs to trigger its infection routine. The SFC disabling function is also pretty much the same.
- **IRC Download.** Virut connects to a remote IRC server via HTTP to download more malware or components, such as various kinds of spambots, rootkits, injectors and the like. Clearly, it works as an agent to implant more malware on the compromised machine.
- **File Modification.** It modifies the file %System%\drivers\etc\HOSTS to map its own malicious domain to 127.0.0.1. Some believe that this way the infected machine is prevented from re-visiting the malicious domain and repeating the infection process.
- **Registry modifications.** The registry entry to bypass the firewall still exists. This is how it attempts to hide its network activity from the firewall.
Now here is the list of newly added features:
**1. Blocking of AV-related websites.** This is probably the major enhancement in the modified version. The infected machine will not be able to access websites with the following domain names, which are hard coded in the virus body:

**eset, avg, windowsupdate, wilderssecurity, threatexpert, castlecops, spamhaus, cpsecure, arcabit, emsisoft, sunbelt, securecomputing, rising, prevx, pctools, norman, k7computing, ikarus, hauri, hacksoft, gdata, fortinet, ewido, clamav, comodo, quickheal, avira, avast, esafe, ahnlab, centralcommand, drweb, grisoft, nod32, f-prot, jotti, kaspersky, f-secure, computerassociates, networkassociates, etrust, panda, sophos, trendmicro, mcafee, norton, symantec, defender, rootkit, malware, spyware, virus**

The blocking behavior is best described by the screenshot below, which was taken from an infected machine:
_Picture 1: Blocked AV-related websites_
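The keyword blocking just described and the HOSTS modification listed earlier, as an added example (not from the original post): it assumes the virus matches its keywords as case-insensitive substrings of the host name, which the post does not spell out, and the HOSTS content and malicious domain name are constructed.

```python
# Added example (not from the original post): a small triage helper for the two
# network-blocking behaviours of this variant. It ASSUMES the hard-coded keywords
# are matched as case-insensitive substrings of the host name, and it flags HOSTS
# entries that send non-localhost names to 127.0.0.1. All inputs are constructed.

# Keyword list as quoted in the post (hard coded in the virus body).
VIRUT_CE_BLOCKLIST = (
    "eset avg windowsupdate wilderssecurity threatexpert castlecops spamhaus "
    "cpsecure arcabit emsisoft sunbelt securecomputing rising prevx pctools "
    "norman k7computing ikarus hauri hacksoft gdata fortinet ewido clamav comodo "
    "quickheal avira avast esafe ahnlab centralcommand drweb grisoft nod32 f-prot "
    "jotti kaspersky f-secure computerassociates networkassociates etrust panda "
    "sophos trendmicro mcafee norton symantec defender rootkit malware spyware virus"
).split()

def blocking_keywords(hostname):
    """Return the blocklist keywords found in hostname (empty list = reachable)."""
    host = hostname.lower()
    return [kw for kw in VIRUT_CE_BLOCKLIST if kw in host]

def suspicious_hosts_entries(hosts_text):
    """Return names mapped to 127.0.0.1 that are not the usual localhost names."""
    legit = {"localhost", "localhost.localdomain"}
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip == "127.0.0.1":
            found.extend(n for n in names if n.lower() not in legit)
    return found

# Constructed sample HOSTS content; the malicious domain is a placeholder name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       malicious-domain.invalid   # added by the infection
"""

if __name__ == "__main__":
    for h in ("www.google.com", "www.kaspersky.com", "www.windowsupdate.com"):
        kws = blocking_keywords(h)
        print(f"{h:24s} {'BLOCKED by ' + ','.join(kws) if kws else 'reachable'}")
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
```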
**2. Autorun.** Another added feature is autorun functionality. The virus chooses one from among the first infected files and drops it on removable drives. Though this may not work for long, as Microsoft is now planning to abandon this feature in the next Windows version to put an end to this heavily abused Windows feature.
_Picture 2: Autorun infection_
- **Hooking additional API.** The new version also hooks an additional NTDLL API:
**ZwDeviceIoControlFile <-- added**
_Picture 3: Hooked NTDLL APIs_
**3. Type of infection.** Based on the replicated samples we generated, this new version seems to use only one type of infection, Type 4 (see the **Win32 Infection** part of its description).
**4. Hidden second-layer decryption routine.** There is also an interesting behavior in the updated version which I haven't seen in the old versions. The second-layer decryption routine is "blocked" or "locked" by a RETN instruction (opcode 0xC3). For example, in the following code snippet, the byte at address **0061D078** is initially RETN. If everything goes well, the RETN (byte C3) is patched with the E8 opcode, turning it into a CALL:
```
0061D069  8AF1              MOV DH,CL
0061D06B  83FE B8           CMP ESI,-48
0061D06E  39E1              CMP ECX,ESP
0061D070  66:8B95 0100000>  MOV DX,WORD PTR SS:[EBP+1]
0061D077  90                NOP
0061D078  C3                RETN                              <<=== will be converted to CALL (E8)
0061D079  634B 00           ARPL WORD PTR DS:[EBX],CX
0061D07C  008A E8F6D586     ADD BYTE PTR DS:[EDX+86D5F6E8],CL
0061D082  CD F9             INT 0F9
0061D084  80FD A6           CMP CH,0A6
```

After patching:

```
0061D069  8AF1              MOV DH,CL
0061D06B  83FE B8           CMP ESI,-48
0061D06E  39E1              CMP ECX,ESP
0061D070  66:8B95 0100000>  MOV DX,WORD PTR SS:[EBP+1]
0061D077  90                NOP
0061D078  E8 634B0000       CALL aaa.00621BE0                 <<== second layer decryption
0061D07D  8AE8              MOV CH,AL
0061D07F  F6D5              NOT CH
0061D081  86CD              XCHG CH,CL
0061D083  F9                STC
0061D084  80FD A6           CMP CH,0A6
0061D087  90                NOP
0061D088  8D7B E1           LEA EDI,DWORD PTR DS:[EBX-1F]
0061D08B  8D49 00           LEA ECX,DWORD PTR DS:[ECX]
0061D08E  E9 D9000000       JMP aaa.0061D16C                  ; next code chunk
```
The virus has simple anti-debug tricks using GetTickCount() and RDTSC, and it avoids running multiple instances by checking a mutex named "L30N" (the original versions used an event named "Vx_5" to check their presence). Only if it passes these checks is the second-layer function call unlocked and execution continues (see address 0061D078 after patching).
I'm sure the malware author will not stop here, and will continue the modification effort to avoid detection by AV scanners. But as long as we also continue our effort in finding better ways to detect such complex viruses, we can stay confident that our customers are well protected.
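The lock-and-patch step described above, as an added example (not from the original post): it replays the listing's bytes on a constructed buffer, applies the C3 to E8 patch, decodes the resulting call target, and adds a small static heuristic for spotting such locked calls; the byte buffer is built from the listing and the helper names are mine.

```python
# Added example (not from the original post): the "locked" second-layer call
# from the listing above, replayed on a constructed copy of those bytes. The
# patching and scanning helpers are my own illustration, not the virus' code.
import struct

CHUNK_BASE = 0x0061D069   # virtual address of the first listed byte
CHUNK_BEFORE = bytes.fromhex(  # bytes 0061D069..0061D086 before patching
    "8AF1" "83FEB8" "39E1"          # MOV DH,CL / CMP ESI,-48 / CMP ECX,ESP
    "668B9501000000" "90"           # MOV DX,WORD PTR SS:[EBP+1] / NOP
    "C3"                            # RETN: the lock at 0061D078
    "634B0000"                      # shows as ARPL, really the rel32 of the hidden CALL
    "8AE8F6D586CDF980FDA6"          # MOV CH,AL / NOT CH / XCHG CH,CL / STC / CMP CH,0A6
)

def unlock(chunk, base, lock_va):
    """Patch the RETN at lock_va to E8 (CALL), as the virus does at run time."""
    off = lock_va - base
    if chunk[off] != 0xC3:
        raise ValueError("no RETN at the lock address")
    return chunk[:off] + b"\xE8" + chunk[off + 1:]

def call_target(chunk, base, call_va):
    """Decode where the E8 rel32 CALL at call_va goes (rel32 is from the next insn)."""
    off = call_va - base
    if chunk[off] != 0xE8:
        raise ValueError("no CALL at that address")
    rel = struct.unpack_from("<i", chunk, off + 1)[0]
    return (call_va + 5 + rel) & 0xFFFFFFFF

def find_locked_calls(chunk, base, lo, hi):
    """Static heuristic for this trick: a RETN whose next four bytes, read as a
    rel32, land inside the module's code range [lo, hi) deserves a closer look."""
    hits = []
    for off in range(len(chunk) - 4):
        if chunk[off] != 0xC3:
            continue
        rel = struct.unpack_from("<i", chunk, off + 1)[0]
        dest = (base + off + 5 + rel) & 0xFFFFFFFF
        if lo <= dest < hi:
            hits.append((base + off, dest))
    return hits

if __name__ == "__main__":
    after = unlock(CHUNK_BEFORE, CHUNK_BASE, 0x0061D078)
    print(hex(call_target(after, CHUNK_BASE, 0x0061D078)))   # 0x621be0
    print([(hex(a), hex(d)) for a, d in find_locked_calls(CHUNK_BEFORE, CHUNK_BASE, 0x00400000, 0x00700000)])
```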