New Virut Strain Blocks AV/Security Web sites

Last week, an online user reported to us that he cannot access some AV websites while he doesn’t have problem with Google.com and Yahoo.com.   He also added that he thinks his computer might be infected with the notorious Virut malware.

Hmm… wait a minute, Virut doesn’t include web site blocking capability just like how Conficker.C did a couple of months ago.  So we asked a couple of samples immediately for us to verify his intuitions.  Not surprisingly, its indeed a slightly modified version of W32/Virut.CE.

I wasn’t surprised because this is what W32/Virut.CE is known doing – continuous modification to avoid detection from security products like AV & IPS.  In fact, even earlier variants of Virut file infector were observed doing the same, but this particular variant was first spotted in the wild last February 2009.  When we see major modification, its worth mentioning to the public to keep everyone informed, just like this one.

Whats hot and whats not?

There’s no doubt its the same Virut variant which we currently detect as W32/Virut.CE, with just some face lift and other added functionalities.  For instance, the following characteristics are still intact:

1. Garbage instructions and too many jumps.  This is how Virut.CE attain polymorphism – code full of garbage instructions and jumps connecting those code chunks.

2. File Infection. The file infection routine is still intact and did not change that much, with the same targets: EXE, SCR, ASP, HTM and PHP files.

3. Process Injection.  This virus is known to inject its main malicious routine in WINLOGON process, before hooking some NTDLL APIs to trigger its infection routine. Also the SFC disabling function is pretty much the same.

4. IRC Download.  Virut connects to a remote IRC server via HTTP to download more malware or components such as varying kinds of Spambot, rootkits, Injector and the likes.  Clearly, it works as an agent to implant more malware on the compromised machines.

5. File Modification. It modifies the file %System%\drivers\etc\HOSTS to map its own malicious domain as 127.0.0.1. Some believes that this way, the infected machine will prevent from re-visiting the malicious domain to repeat the infection process.

6. Registry modifications. The registry entry to bypass firewall still exists. This is how it attempts to hide its network activity from Firewall.

Now here is the list for the newly added features:

1. Blocking of AV-related websites. This is probably the major enhancement from the modified version. The infected machine will not be able to access websites that has the following domain names, which are hard coded in the virus body:

eset, avg, windowsupdate, wilderssecurity, threatexpert, castlecops, spamhaus, cpsecure, arcabit, emsisoft, sunbelt, securecomputing, rising, prevx, pctools, norman, k7computing, ikarus, hauri, hacksoft, gdata, fortinet, ewido, clamav, comodo, quickheal, avira, avast, esafe, ahnlab, centralcommand, drweb, grisoft, nod32, f-prot, jotti, kaspersky, f-secure, computerassociates, networkassociates, etrust, panda, sophos, trendmicro, mcafee, norton, symantec, defender, rootkit, malware, spyware, virus

The blocking behavior can be best described by the screen shot below which was taken from an infected machine:

Picture 1:  Blocked AV-related websites

2. Autorun. Another added feature is the autorun functionality.  The virus chooses from among the first infected files and drops it in the removable drives. Though this may not work for long as Microsoft is now planning to abandon this feature in the next Windows version to put an end to this heavily abused Windows feature.

Picture 2: Autorun infection

4. Hooking additional API.  The new version also adds additional hook API from NTDLL:

• ZwCreateFile
• ZwCreateProcess
• ZwCreateProcessEx
• ZwOpenFile
• ZwQueryInformationProcess
• ZwDeviceIoControlFile  <– added
  

Picture 3: Hooked NTDLL APIs

3. Type of infection. Based on our generated replicated samples, this new version seems to use only one type of infection, which is Type 4 (See Win32 Infection part from its description).

4.  Hidden Second-Layer Decryption Routine. There is also an interesting behavior from the updated version which I haven’t seen in the old versions.  The second-layer decryption routine is “blocked” or “locked” by a RETN call (opcode 0xC3).  For example, in the following code snippet, at address 0061D078 is initially RETN.  If everything goes well, the RETN (byte C3) will be patched with E8 opcode to transform as CALL operation:

The virus has a simple anti-debug tricks by using GetTickCount() and RDTSC calls, and it avoids multiple instances by checking a mutex named “L30N” (the original versions used an event name “Vx_5” to check its presence).  If it passed these criteria, thats the
only time that the second-layer function call will be unlocked, and continue execution (See address 0061D078 after patching).

I’m sure the malware author will not stop from here, and continue its modification effort to avoid detection from AV scanners. But as long as we also continue our effort in finding better ways to detect such complex virus, we can stay confident that our customers are well-protected.