Published: February 09 2009, 05:29 PM by Methusela Cebrian Ferrer
CA ISBU asks that users stay alert to the latest Win32/Virut variant in the wild, which we detect as Win32/Virut.17408.
Win32/Virut.17408 is a polymorphic cavity (“space filler”) virus. Its entry-point obscuring technique ensures that each file is infected in a unique way, which often complicates writing both detection and repair routines.
Aside from infecting executable files, Virut also targets HTML files, as highlighted in this image:
The HTML file is modified to include this small piece of code:
Examining the URL, we discovered yet another level to Virut’s attack and distribution vector. The image below represents the attack sequence that leads to installation and execution of a Win32/Virut variant once a user opens a Virut-infected HTML file or visits a compromised website:
The malicious script invokes a different attack routine that exploits known vulnerabilities such as:
Win32/Virut then links to the malicious URL and downloads its executable by using the legitimate objects XMLHttpRequest, MSXML2.ServerXMLHTTP, and MSXML2.XMLHTTP. These objects are uniquely identified in the system registry by their CLSIDs.
Once successful, Virut downloads an executable with a random filename and saves it in the %Temp% folder, as indicated in this URL string:
hxxp://www.zief.pl/rc/load.php?id<string>=&spl=<string>
Note: %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".
It also uses “ADODB.Stream” and “Shell.Application” objects to transfer the malicious file via the user’s browser. If none of these attacks are successful, the virus invokes its PDF function as indicated in this URL string:
hxxp://www.zief.pl/rc/pdf.php?id=<generated ID>
This generates a crafted PDF file containing malicious JavaScript that likewise leads to installation and execution of the Virut variant.
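As an added example (not code from the CA post), here is a Python heuristic that scores an HTML document against the chain described above: a script that fetches with an XMLHTTP object, writes with ADODB.Stream and launches with Shell.Application matches the full chain, and any reference to the load.php/pdf.php paths is treated as a direct hit. The sample documents are constructed and do not reproduce the real injection.

```python
import re

# Object names and URL paths the post names as parts of the Virut HTML/script chain.
DOWNLOAD_OBJECTS = ("xmlhttprequest", "msxml2.serverxmlhttp", "msxml2.xmlhttp")
WRITE_OBJECT = "adodb.stream"
EXEC_OBJECT = "shell.application"
KNOWN_URL_PATHS = ("zief.pl/rc/load.php", "zief.pl/rc/pdf.php")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def scan_html(html: str) -> dict:
    """Score one HTML document against the fetch/write/execute chain.

    Heuristic only: all three object families in the document's scripts, or a
    reference to the known load.php/pdf.php paths, is reported as malicious;
    two of the three parts is reported as suspicious.
    """
    low = html.lower()  # COM ProgIDs are case-insensitive, so compare lowercased
    scripts = [s.lower() for s in SCRIPT_RE.findall(html)]
    f = {
        "known_url": any(p in low for p in KNOWN_URL_PATHS),
        "pdf_fallback": "rc/pdf.php" in low,
        "download": any(o in s for s in scripts for o in DOWNLOAD_OBJECTS),
        "write": any(WRITE_OBJECT in s for s in scripts),
        "execute": any(EXEC_OBJECT in s for s in scripts),
    }
    chain = sum(f[k] for k in ("download", "write", "execute"))
    if f["known_url"] or chain == 3:
        f["verdict"] = "malicious"
    elif chain == 2:
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "clean"
    return f


# Constructed samples (not the real Virut injection): the first names the
# fetch/write/execute trio, the second is an injected script tag pointing at the
# defanged URL from the post, the third is an ordinary AJAX page.
INFECTED_SAMPLE = """<html><body><p>site content</p>
<script>var h=new ActiveXObject("MSXML2.XMLHTTP");
var s=new ActiveXObject("ADODB.Stream");
var sh=new ActiveXObject("Shell.Application");</script></body></html>"""
INJECTED_SRC_SAMPLE = '<html><script src="hxxp://www.zief.pl/rc/load.php?id=x&spl=y"></script></html>'
BENIGN_SAMPLE = """<html><script>var r=new XMLHttpRequest();
r.open("GET","/api/status");r.send();</script></html>"""

if __name__ == "__main__":
    for name, doc in (("infected", INFECTED_SAMPLE), ("injected", INJECTED_SRC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_html(doc)["verdict"])
```

Running it prints `malicious` for the two constructed infected samples and `clean` for the benign page, which uses XMLHttpRequest alone.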
Wondering how it’s luring victims on the Internet? We searched through Google and found a couple of MySpace user pages carrying the malicious Virut URL.
Unfortunately, this URL points to the file “Iraq.jpg”, which directs users to malicious JavaScript. The JavaScript leads to a series of browser attacks, and thereafter to successful execution of the malware.
To keep your computer and network safe from this threat, it is very important to check for and apply security updates regularly, make sure your security scanner’s real-time protection is turned on, and ensure your security software is up to date with the latest signature release.
Stay safe, stay informed!