Virut infecting worms, hitching a ride

by Derek Manky
March 16, 2009 at 9:40 am

Back in 2004, several mass mailing worms spread in unprecedented fashion: MyDoom, Bagle, and Netsky. Netsky had instructions to remove MyDoom and Bagle, leaving this message in one of its variants: “We are the skynet–you can’t hide yourself—we kill malware…MyDoom.f is a thief of our idea!”. This turf war was not the only one to happen; Storm took a similar approach to Warezov/Stration in late 2007.

Here we are in 2009, five years later; Netsky is still quite prevalent. It is commonly used as a benchmark, and has persistently been in our top ten ranking of malware on a monthly basis. While MyDoom and Bagle have not quite enjoyed the same dominating success, there has been another interesting virus which indeed has: Virut. W32/Virut.A has consistently been in our malware top 10 (frequently positioned in the top 5) for one year solid now. While we have highlighted Virut in our reports, I decided to have another look at this family. Nicolas Brulez, by the way, has two excellent write-ups on Virut which are worth a read (part 1 and part 2).

The main characteristic of W32/Virut.A is that it is a parasitic file infector, which is fairly uncommon when compared to the mass amounts of trojans/droppers and worms we see today. Virut also contains a bot component, connecting to a single IRC server domain to await further commands. Given the high volume we have seen with Virut, the authors must be enjoying quite a bit of control through this component. File infectors will typically infect many executables on a system, as well as others connected to it (via shares, USB drives). So, cleansing can be a bit of a process since it is not just registry entries and one or two loaded components on boot; every single infected file must be cleaned – and this certainly helps Virut be persistent, as we have seen. Persistent, but why so prevalent? One of the first samples I looked at for W32/Virut.A exhibited some familiar behavior when executed in a safe environment. Yes, it attempted to establish a connection to the hardcoded IRC server as expected; however, it also spawned multiple SMTP sessions. What’s this, a mass mailing component with Virut.A? Could that explain how Virut has been spreading so vigorously? Indeed it would help… The question, though, is not what component it is, but whose component it is. After further analyzing this particular sample, the answer became clear.

MyDoom's Message to Netsky (Circa 2004)

The sample was UPX packed, very standard stuff – after unpacking, some familiar strings popped up from the past: “to netsky’s creator(s): imho, skynet is a decentralized …”. Yes! This looked like a MyDoom sample. Internally, we have the ability to scan samples through all possible signatures / detection names. While we primarily detected this one as W32/Virut.A, we also detect it as W32/MyDoom.H@mm. Indeed, this was a hybrid of sorts. W32/MyDoom.H opens up a backdoor on TCP port 1080 to await commands, while W32/Virut.A establishes an IRC connection on TCP port 65520 to report to its herder. Both of these conditions occurred. Moreover, the MyDoom malcode was sending copies of this hybrid through its SMTP engine. In a nutshell, here is what happened:

  1. MyDoom infects a system
  2. Virut infects the same system
  3. Virut (the parasitic file infector) infects the UPX packed MyDoom sample
  4. When the hybrid virus (MyVirut?) executes, it uses the modified entry point (Virut’s addition in a .rsrc segment)
  5. Virut executes its infection routine, and passes back control to the UPX decompressing segment (original entry point)
  6. UPX decompressing executes as normal, unpacking MyDoom and executing the original virus
  7. MyDoom drops itself (really the hybrid), makes multitudes of copies (various filenames, extensions) of what it *thinks* is itself (again, the double infected hybrid) and starts sending these off to victims using its own SMTP engine, propagating both MyDoom and Virut to the victim.
  8. On system startup, both Virut and MyDoom are executed independently (and transparently in this case)
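
As an added illustration (not code from the original post or from FortiGuard), here is a header-level check a defender can run over a suspect executable to flag the pattern in steps 4 and 5: an entry point that has been redirected into the resource section instead of pointing at the packer's own code section. The two PE images it builds are constructed fixtures for the example, not real samples, and the section layout is only modelled on a typical UPX-packed file.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(data):
    """Return (entry_rva, [(name, virtual_addr, virtual_size, characteristics), ...])."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsects = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsects):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[2], f[1], f[9]))             # VA, VirtualSize, Characteristics
    return entry_rva, sections

def entry_point_findings(data):
    """Flag an entry point that looks like an infector hook rather than the packer/compiler stub."""
    entry_rva, sections = parse_pe(data)
    findings = []
    for idx, (name, va, vsize, chars) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            if name == ".rsrc":
                findings.append("entry point lies in .rsrc, a resource data section")
            if not chars & IMAGE_SCN_MEM_EXECUTE:
                findings.append("entry point section lacks IMAGE_SCN_MEM_EXECUTE")
            if idx == len(sections) - 1 and len(sections) > 1:
                findings.append("entry point lies in the last section (appended-code pattern)")
            return findings
    return ["entry point outside every section"]

def build_pe(entry_rva, sections):
    """Constructed header-only PE fixture for this example; not a real or infected binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va,
                                 0, 0, 0, 0, 0, 0, ch) for n, va, vs, ch in sections)
    return dos + coff + opt + table

# Layout modelled on a UPX-packed executable: UPX0/UPX1 hold the packer code, then resources.
LAYOUT = [("UPX0", 0x1000, 0x10000, 0xE0000080), ("UPX1", 0x11000, 0x8000, 0xE0000040),
          (".rsrc", 0x19000, 0x2000, 0xC0000040)]
CLEAN = build_pe(0x18200, LAYOUT)      # entry in UPX1: the normal UPX decompressor stub
INFECTED = build_pe(0x19800, LAYOUT)   # entry redirected into .rsrc, as in the hybrid above

if __name__ == "__main__":
    print("clean   :", entry_point_findings(CLEAN))
    print("infected:", entry_point_findings(INFECTED))
```

The check is a triage heuristic only: a clean binary with an unusual linker layout can trip it, and an infector that also marks its host section executable will only hit the first and third findings.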

Virut has effectively (and possibly inadvertently) hitched a free ride on another worm — this is quite interesting indeed.

Author bio: Derek Manky is FortiGuard Labs' senior security strategist and contributes to security research and development, while also acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure, and industry collaboration efforts between Fortinet and other vendors.