Virut infecting worms, hitching a ride

by Derek Manky
March 16, 2009 at 9:40 am

Back in 2004, several mass mailing worms spread in unprecedented fashion: MyDoom, Bagle, and Netsky. Netsky had instructions to remove MyDoom and Bagle, leaving this message in one of its variants: “We are the skynet–you can’t hide yourself—we kill malware…MyDoom.f is a thief of our idea!”. This turf war was not the only one to happen: Storm took a similar approach to Warezov/Stration in late 2007.

Here we are in 2009, five years later; Netsky is still quite prevalent. It is commonly used as a benchmark, and has persistently been in our top ten ranking of malware on a monthly basis. While MyDoom and Bagle have not quite enjoyed the same dominating success, there has been another interesting virus which indeed has: Virut. W32/Virut.A has consistently been in our malware top 10 (frequently positioned in the top 5) for one year solid now. While we have highlighted Virut in our reports, I decided to have another look at this family. Nicolas Brulez, by the way, has two excellent write-ups on Virut which are worth a read (part 1 and part 2).

The main characteristic of W32/Virut.A is that it is a parasitic file infector, which is fairly uncommon compared to the mass of trojans/droppers and worms we see today. Virut also contains a bot component, connecting to a single IRC server domain to await further commands. Given the high volume we have seen with Virut, the authors must be enjoying quite a bit of control through this component. File infectors will typically infect many executables on a system, as well as on other systems connected to it (via shares, USB drives). So cleansing can be a bit of a process, since it is not just registry entries and one or two components loaded on boot; every single infected file must be cleaned – and this certainly helps Virut be as persistent as we have seen.

Persistent, but why so prevalent? One of the first samples I looked at for W32/Virut.A exhibited some familiar behavior when executed in a safe (sandboxed) environment. Yes, it attempted to establish a connection to the hardcoded IRC server as expected; however, it also spawned multiple SMTP sessions. What’s this, a mass mailing component with Virut.A? Could that explain how Virut has been spreading so vigorously? Indeed it would help… The question, though, is not what component it is, but whose component it is. After further analysis of this particular sample, the answer became clear.

[Image: MyDoom's Message to Netsky (circa 2004)]

The sample was UPX packed, very standard stuff – after unpacking, some familiar strings from the past popped up: “to netsky’s creator(s): imho, skynet is a decentralized …”. Yes! This looked like a MyDoom sample. Internally, we have the ability to scan samples against all possible signatures / detection names. While we primarily detected this one as W32/Virut.A, we also detect it as W32/MyDoom.H@mm. Indeed, this was a hybrid of sorts. W32/MyDoom.H opens a backdoor on TCP port 1080 to await commands, while W32/Virut.A establishes an IRC connection on TCP port 65520 to report to its herder. Both behaviors were observed. Moreover, the MyDoom malcode was sending copies of this hybrid through its SMTP engine. In a nutshell, here is what happened:

  1. MyDoom infects a system
  2. Virut infects the same system
  3. Virut (the parasitic file infector) infects the UPX packed MyDoom sample
  4. When the hybrid virus (MyVirut?) executes, it uses the modified entry point (Virut’s addition in a .rsrc segment)
  5. Virut executes its infection routine, and passes back control to the UPX decompressing segment (original entry point)
  6. UPX decompressing executes as normal, unpacking MyDoom and executing the original virus
  7. MyDoom drops itself (really the hybrid), makes multitudes of copies (various filenames, extensions) of what it *thinks* is itself (again, the double infected hybrid) and starts sending these off to victims using its own SMTP engine; propagating both MyDoom and Virut to the victim.
  8. On system startup, both Virut and MyDoom are executed independently (and transparently in this case)
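Steps 4 and 5 above describe the header artefact a parasitic infector leaves behind: AddressOfEntryPoint no longer points into the section where the linker (or, here, the UPX stub) put it, but into appended code in .rsrc, which later jumps back to the original entry point. As an added example (not code from the original post, from Fortinet, or from the Virut write-ups it cites), the following Python script parses just enough of a PE header to find the section that owns the entry point and reports placements that look wrong. The PE images it checks are constructed in memory from standard PE32 header offsets; the UPX0/UPX1/.rsrc layout, RVAs and flag combinations are illustrative assumptions, not values taken from a real sample, and the checks are heuristics that a practitioner would tune against a corpus of known-clean packed binaries.

```python
"""Locate the PE section that owns AddressOfEntryPoint and flag odd placements.

Added example, not the original post's code.  The PE images used here are
constructed in memory from standard PE32 header offsets; no real samples are
embedded.  Section names, RVAs and characteristic flags are illustrative.
"""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Sections that normally hold data, not an entry point.
DATA_SECTION_NAMES = {".rsrc", ".reloc", ".data", ".rdata", ".idata", ".edata"}


def parse_pe(data: bytes):
    """Return (entry_rva, sections); each section is (name, virtual_address, virtual_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_of_optional, = struct.unpack_from("<H", data, coff + 16)
    optional = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for both PE32 and PE32+.
    entry_rva, = struct.unpack_from("<I", data, optional + 16)
    sections = []
    table = optional + size_of_optional       # IMAGE_SECTION_HEADER array, 40 bytes each
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virtual_size, virtual_address = struct.unpack_from("<II", data, off + 8)
        characteristics, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, virtual_address, virtual_size, characteristics))
    return entry_rva, sections


def entry_point_findings(data: bytes):
    """Return reasons the entry point placement looks tampered with (empty list = nothing odd).

    Heuristics only: a packed or hand-crafted binary can trip them legitimately,
    so treat a hit as a reason to look closer, not as a verdict.
    """
    entry_rva, sections = parse_pe(data)
    owner = None
    for idx, (name, va, vs, chars) in enumerate(sections):
        if va <= entry_rva < va + vs:
            owner = (idx, name, chars)
            break
    if owner is None:
        return ["entry point RVA %#x lies outside every section" % entry_rva]
    idx, name, chars = owner
    findings = []
    if not chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append("section %s holding the entry point is not marked executable" % name)
    if name in DATA_SECTION_NAMES:
        findings.append("entry point inside data section %s" % name)
    earlier_code = any(s[3] & IMAGE_SCN_MEM_EXECUTE for s in sections[:idx])
    if idx == len(sections) - 1 and earlier_code:
        findings.append("entry point in last section %s although earlier sections are executable" % name)
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 header (headers only, no code) for exercising the checks."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)    # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vs, va, vs, 0, 0, 0, 0, 0, chars)
        for name, va, vs, chars in sections)
    return dos_header + b"PE\0\0" + file_header + bytes(optional) + table


# Constructed layout modelled on a UPX-packed executable: UPX0 (uninitialised, RWX),
# UPX1 (decompressor stub, RWX) and a read-only .rsrc.  Values are assumptions.
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
UPX_LAYOUT = [
    ("UPX0", 0x1000, 0x20000, IMAGE_SCN_CNT_UNINITIALIZED_DATA | RWX),
    ("UPX1", 0x21000, 0x8000, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    (".rsrc", 0x29000, 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
# Entry point inside the UPX1 stub: what an untouched packed file looks like.
CLEAN_UPX = build_pe(UPX_LAYOUT, 0x28F60)
# Entry point moved into .rsrc, with .rsrc also marked executable so the appended code can run.
INFECTED_LAYOUT = UPX_LAYOUT[:2] + [(".rsrc", 0x29000, 0x2000, UPX_LAYOUT[2][3] | IMAGE_SCN_MEM_EXECUTE)]
HIJACKED_ENTRY = build_pe(INFECTED_LAYOUT, 0x2A800)

if __name__ == "__main__":
    for label, image in (("clean UPX layout", CLEAN_UPX), ("entry point in .rsrc", HIJACKED_ENTRY)):
        print(label, "->", entry_point_findings(image) or "no findings")
```

Run on a real file, replace the constructed images with `open(path, "rb").read()`; the clean layout yields no findings, while the hijacked one is reported twice (entry point in a data section, and in the last section although executable sections precede it). The "not marked executable" finding catches the cruder case where an infector redirects the entry point without fixing up the section flags.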

Virut has effectively (and possibly inadvertently) hitched a free ride on another worm — this is quite interesting indeed.

Author bio: Derek Manky contributes to security research and development while acting as a bridge to the public forum on results and findings. He coordinates research team efforts and manages responsible disclosure efforts between Fortinet and other vendors.

7 Responses to “Virut infecting worms, hitching a ride”

  1. [...] nowhere near as high as rogue security software this month. Look out for this though, as Virut has hybrid capabilities (can spread through other infections) and may indeed piggyback on high-profile scareware campaigns [...]

  2. Thund3rbolt says:

    I have never in my 26 years of working as a tech run into a virus as difficult as this one is to clean. Yes, it can be cleaned, but with GREAT difficulty! You MUST remove the drive from the infected PC and use an alternate non-infected PC to scan with several scanners and cleaners. I recommend first using AVG’s virut/32 removal tool, followed by Avira Antivirus and lastly Malwarebytes Anti-Malware. After cleaning, reinstall the hard drive, do NOT connect to the internet, and run a Windows repair. Then re-run all the scanners one last time and you should be free and clean.

    The long and the short of it, though, is that this is by far the worst virus threat I have seen to date and the most time consuming to clean. More surprising was that most antiviral packages were not only unable to clean/remove the infection but in most cases didn’t even detect the infection, or, when they did detect it, wanted to delete all the exe files. In a word – ugly!! Someone needs to write a working/less time consuming fix as this thing is spreading across the net at warp speed.

  3. [...] variant, but is refactored to be more efficient and robust. Watch out for this as Virut, with its hybrid capabilities, can come in many shapes, through many vectors. Meanwhile, Waledac continued to build their [...]

  4. corms says:

    This little virus is a thing of destructive beauty akin to a volcano. Its destructive power is awesome to watch as long as you’re not standing in front of it. Congratulations must go to the author, as it is a truly magnificent virus. As an IT consultant whose work partially consists of removing said infection I must say that after 12 years in the industry this baby ranks in my top 3. If you’re looking for a removal method I’d recommend a reformat. Pull the drive, copy your data and move on please, there is nothing to see here! There may well be a removal tool for this baby, but NATM.

  5. Kope says:

    Well, I hope that, with all the analysis from the great analysts around the world, someone could create a great VACCINE for this virus. This one is totally difficult to eradicate if you don’t want to format all your partitions.

    So, we hope there’s a better vaccine than any antivirus/antimalware/antispyware that had claimed it can resolve this virus but is totally bullshit.

    Good luck to all who participate making the analysis and vaccine !!!

  6. [...] After a year long battle, W32/Virut.A finally lands in top spot – surpassing Netsky. This parasitic file infector proves to be quite virulent, and has generated enough activity to land in our malware top 10 for twelve solid months. On top of infecting multiple local files on a PC, the virus can spread through file shares and/or removable media such as USB thumb drives. Additionally, it has a rather unique capability to propagate through other worms in a hybrid form – read here for more info. [...]

  7. tacktick says:

    That is fascinating!
    Unintended consequences..
    Thank you for the article and the analysis.
