New Virut Strain Blocks AV/Security Web sites

by Rex Plantado  |  July 29, 2009  |  Category: Security Research

Last week, an online user reported to us that he could not access some AV websites, while he had no problem reaching Google.com and Yahoo.com. He also added that he thought his computer might be infected with the notorious Virut malware.

Hmm… wait a minute, Virut doesn't include a website-blocking capability, unlike Conficker.C a couple of months ago. So we immediately asked for a couple of samples to verify his intuition. Not surprisingly, it is indeed a slightly modified version of W32/Virut.CE.

I wasn't surprised, because this is what W32/Virut.CE is known for: continuous modification to avoid detection by security products such as AV and IPS. In fact, even earlier variants of the Virut file infector were observed doing the same, but this particular variant was first spotted in the wild in February 2009. When we see a major modification, it is worth mentioning to the public to keep everyone informed, just like this one.

What's hot and what's not?

There's no doubt it is the same Virut variant that we currently detect as W32/Virut.CE, with just a face lift and some added functionality. For instance, the following characteristics are still intact:

  1. Garbage instructions and too many jumps. This is how Virut.CE attains polymorphism: code full of garbage instructions, with jumps connecting the real code chunks.

  2. File Infection. The file infection routine is still intact and did not change that much, with the same targets: EXE, SCR, ASP, HTM and PHP files.

  3. Process Injection. This virus is known to inject its main malicious routine into the WINLOGON process, then hook some NTDLL APIs to trigger its infection routine. The SFC-disabling function is also pretty much the same.

  4. IRC Download. Virut connects to a remote IRC server via HTTP to download more malware or components, such as various kinds of spambots, rootkits, injectors and the like. Clearly, it works as an agent to implant more malware on the compromised machine.

  5. File Modification. It modifies the file %System%\drivers\etc\HOSTS to map its own malicious domain to 127.0.0.1. Some believe this is meant to prevent the infected machine from re-visiting the malicious domain and repeating the infection process.

  6. Registry modifications. The registry entry to bypass the firewall still exists. This is how it attempts to hide its network activity from the firewall.

Now here is the list for the newly added features:

1. Blocking of AV-related websites. This is probably the major enhancement in the modified version. The infected machine will not be able to access websites whose domain names contain any of the following strings, which are hard coded in the virus body:

eset, avg, windowsupdate, wilderssecurity, threatexpert, castlecops, spamhaus, cpsecure, arcabit, emsisoft, sunbelt, securecomputing, rising, prevx, pctools, norman, k7computing, ikarus, hauri, hacksoft, gdata, fortinet, ewido, clamav, comodo, quickheal, avira, avast, esafe, ahnlab, centralcommand, drweb, grisoft, nod32, f-prot, jotti, kaspersky, f-secure, computerassociates, networkassociates, etrust, panda, sophos, trendmicro, mcafee, norton, symantec, defender, rootkit, malware, spyware, virus

The blocking behavior is best illustrated by the screenshot below, which was taken from an infected machine:


Picture 1: Blocked AV-related websites

2. Autorun. Another added feature is the autorun functionality. The virus chooses one of the first infected files and drops it on removable drives. This may not work for long, though, as Microsoft is now planning to abandon this feature in the next Windows version to put an end to this heavily abused Windows feature.

Picture 2: Autorun infection

3. Hooking additional APIs. The new version also hooks an additional API from NTDLL, so the hooked set is now:

  * ZwCreateFile
  * ZwCreateProcess
  * ZwCreateProcessEx
  * ZwOpenFile
  * ZwQueryInformationProcess
  * ZwDeviceIoControlFile  <-- added

Picture 3: Hooked NTDLL APIs

4. Type of infection. Based on the replicated samples we generated, this new version seems to use only one type of infection, Type 4 (see the Win32 Infection part of its description).

5. Hidden Second-Layer Decryption Routine. There is also an interesting behavior in the updated version that I haven't seen in the old versions. The second-layer decryption routine is "blocked" or "locked" by a RETN instruction (opcode 0xC3). For example, in the following code snippet, the byte at address 0061D078 is initially RETN. If everything goes well, the RETN (byte C3) is patched to the E8 opcode, turning it into a CALL:

Before patching:

    0061D069    8AF1              MOV DH,CL
    0061D06B    83FE B8           CMP ESI,-48
    0061D06E    39E1              CMP ECX,ESP
    0061D070    66:8B95 01000000  MOV DX,WORD PTR SS:[EBP+1]
    0061D077    90                NOP
    0061D078    C3                RETN                            <== will be converted to CALL (E8)
    0061D079    634B 00           ARPL WORD PTR DS:[EBX],CX
    0061D07C    008A E8F6D586     ADD BYTE PTR DS:[EDX+86D5F6E8],CL
    0061D082    CD F9             INT 0F9
    0061D084    80FD A6           CMP CH,0A6

After patching:

    0061D069    8AF1              MOV DH,CL
    0061D06B    83FE B8           CMP ESI,-48
    0061D06E    39E1              CMP ECX,ESP
    0061D070    66:8B95 01000000  MOV DX,WORD PTR SS:[EBP+1]
    0061D077    90                NOP
    0061D078    E8 634B0000       CALL aaa.00621BE0               <== second layer decryption
    0061D07D    8AE8              MOV CH,AL
    0061D07F    F6D5              NOT CH
    0061D081    86CD              XCHG CH,CL
    0061D083    F9                STC
    0061D084    80FD A6           CMP CH,0A6
    0061D087    90                NOP
    0061D088    8D7B E1           LEA EDI,DWORD PTR DS:[EBX-1F]
    0061D08B    8D49 00           LEA ECX,DWORD PTR DS:[ECX]
    0061D08E    E9 D9000000       JMP aaa.0061D16C                ; next code chunk

The virus has simple anti-debug tricks using GetTickCount() and RDTSC, and it avoids running multiple instances by checking for a mutex named "L30N" (the original versions used an event named "Vx_5" to check their presence). Only if these checks pass is the second-layer function call unlocked and execution allowed to continue (see address 0061D078 after patching).
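As an added illustration (not code from the Fortinet post), the following Python reproduces the one-byte unlock from the listings above: it takes the bytes quoted at 0061D078 in the "before" dump, overwrites the RETN with E8, decodes the resulting rel32 CALL to confirm it lands on 00621BE0, and decodes the JMP at 0061D08E the same way. The byte constants are transcribed from the listing; the function names are my own.

```python
import struct

# Bytes quoted at 0061D078 in the "before patching" listing (transcribed from
# the post): C3 (RETN) followed by what OllyDbg showed as ARPL/ADD garbage.
LOCK_ADDR = 0x0061D078
LOCK_BYTES = bytes.fromhex("C3 634B00 008AE8F6D586")
# The JMP at the end of the "after patching" listing, for a second decode check.
JMP_ADDR = 0x0061D08E
JMP_BYTES = bytes.fromhex("E9 D9000000")

RETN, CALL, JMP = 0xC3, 0xE8, 0xE9

def rel32_target(addr: int, code: bytes) -> int:
    """Decode a 5-byte E8 (CALL) or E9 (JMP) rel32 at `addr` and return the
    absolute target. rel32 is signed and relative to the next instruction."""
    if len(code) < 5 or code[0] not in (CALL, JMP):
        raise ValueError("not a 5-byte rel32 CALL/JMP")
    rel32 = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel32) & 0xFFFFFFFF

def unlock_call(code: bytes) -> bytes:
    """The virus's own unlock step: overwrite the leading RETN with E8.
    Only one byte changes; the rel32 operand (63 4B 00 00) is already
    sitting behind the RETN, disguised as the bytes of the ARPL instruction."""
    if code[0] != RETN:
        raise ValueError("expected RETN (C3) at the lock byte")
    return bytes([CALL]) + code[1:]

def encode_call(addr: int, target: int) -> bytes:
    """Inverse check: the E8 rel32 encoding of `CALL target` placed at `addr`."""
    rel32 = (target - (addr + 5)) & 0xFFFFFFFF
    return bytes([CALL]) + struct.pack("<I", rel32)

if __name__ == "__main__":
    patched = unlock_call(LOCK_BYTES)
    print("patched :", patched[:5].hex(" ").upper())             # E8 63 4B 00 00
    print("target  : %08X" % rel32_target(LOCK_ADDR, patched))   # 00621BE0
    print("next op :", patched[5:7].hex(" ").upper())            # 8A E8 = MOV CH,AL
    print("jmp to  : %08X" % rel32_target(JMP_ADDR, JMP_BYTES))  # 0061D16C
```

The decoded "next op" bytes 8A E8 are exactly the MOV CH,AL that appears at 0061D07D once the CALL consumes the operand bytes, which is why the garbage ARPL/ADD decoding in the "before" dump disappears after the patch.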

I'm sure the malware author will not stop here and will continue the modification effort to avoid detection by AV scanners. But as long as we also continue our effort to find better ways to detect such complex viruses, we can stay confident that our customers are well protected.

Tags: virut

Cryptography iphone android botnet derek manky reverse engineering challenge Mac OS X conference Mobile Security SpyEye UTM exploit facebook reversing hacking challenge FortiGate Firewall microsoft sms Anonymous Threat Landscape stuxnet hashdays virut Zeus network security BYOD mobile malware Malware Anti-Spam symbianos Antivirus Research trojan adobe google Fortinet symbos/yxes mobile mobile phone Windows mobile phones Security symbian apple zitmo privacy webinar bredolab