Updated Virut Detection

For several months it had been quiet around W32/Virut, yet another file infector virus that was very active and widespread in the past. All of a sudden, new instances of the W32/Virut family surfaced a short time ago.

The malware author has further refined the polymorphic engine of W32/Virut to make it harder to detect. It infects executable files it finds on the hard disk using several methods, among them different Entry Point obfuscation techniques. It also uses different complex encryption layers: sometimes one layer, sometimes even two.

Another remarkable property of W32/Virut is the anti-emulation and anti-debugging tricks used within it, which are meant to make analysis more difficult. After infecting a system, the malware, amongst other things, injects iframes into HTML files; it seems to try to download further malware that way. With our update from last Friday, Avira AntiVir products again detect all currently known new samples of W32/Virut.
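As an added illustration of the defender's side of the iframe injection mentioned above (example code, not Avira's detection logic), the following Python scans HTML content for iframes that look injected: pointing off-site, near-zero in size, hidden by style, or appended after the closing </html> tag. The site host name, the heuristics and the sample HTML are assumptions, not details from the post.

```python
import re
from urllib.parse import urlparse

# Case-insensitive match for an <iframe ...> start tag, capturing its attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or bare name=value pairs inside a tag.
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(attr_text):
    """Return the tag's attributes as a lower-cased name -> value dict."""
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(attr_text)}

def iframe_reasons(attrs, site_host):
    """Heuristics (assumed, not from the post) typical of an injected iframe."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host.lower() != site_host.lower():
        reasons.append(f"off-site src {host}")
    sizes = [attrs.get(k, "").strip().rstrip("px") for k in ("width", "height")]
    if any(s in ("0", "1") for s in sizes):
        reasons.append("near-zero size")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via style")
    return reasons

def scan_html(text, site_host):
    """Return [(src, [reasons])] for every iframe in `text` that looks injected."""
    findings = []
    html_end = text.lower().rfind("</html>")  # injected markup is often appended
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        reasons = iframe_reasons(attrs, site_host)
        if html_end != -1 and m.start() > html_end:
            reasons.append("placed after closing </html>")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings

# Constructed sample: a legitimate same-site iframe plus an appended hidden off-site one.
SAMPLE = """<html><body><p>Hello</p>
<iframe src="https://www.example.com/page.html" width="300" height="200"></iframe>
</body></html>
<iframe src="http://bad.invalid/x.php" width="1" height="1" style="display:none"></iframe>
"""
```

Run `scan_html(SAMPLE, "www.example.com")` to see only the appended off-site iframe flagged; feed it the contents of each .htm/.html file on a suspect system to triage them the same way.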

Dirk Knop
Technical Editor