Polymorphic Virut Malware

W32/Virut.ce is one of the most widespread pieces of malware found on infected computers. This file infector is spread massively by being bundled with illegal software (warez). The virus infects executable files using the latest techniques, which make detecting and disinfecting those files particularly difficult.

In the current threat landscape we see more server-side polymorphic malware; infecting executable files is not as popular as it was a few years ago. Over the last years, emulation techniques have improved, which makes detecting polymorphic malware much easier. The authors of the virus weren’t put off by the difficulties they faced in trying to infect executable files. But W32/Virut.ce does not only infect executable files: the virus also includes a backdoor that uses the IRC protocol. This allows attackers to download and run further malware from the Internet, which can, for example, steal information. The server to which the malware connects is a pre-defined IRC server; the channel is called “virtu”.
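Because the backdoor described above speaks plain IRC, the most useful defender-side check is to look at the IRC commands leaving internal hosts. The following added example (not part of the original post or of the Virus Lab analysis) parses raw IRC client lines in the RFC 1459 message format and flags any host that joins or messages a channel named “virtu”, the channel named above. The host addresses, nicks and captured lines are constructed sample data, not real observations, and the `WATCHED_CHANNELS` set is an assumption you would extend with your own intelligence.

```python
import re

# Constructed sample: IRC client-to-server lines as a network tap might see
# them, paired with the internal host that sent each line. All values are
# invented for the example.
SAMPLE_FLOWS = [
    ("10.0.0.12", "NICK u12345"),
    ("10.0.0.12", "USER u12345 0 0 :u12345"),
    ("10.0.0.12", "JOIN #virtu"),
    ("10.0.0.23", "NICK alice"),
    ("10.0.0.23", "JOIN #linux,#python"),
    ("10.0.0.41", "PRIVMSG #virtu :hello"),
    ("10.0.0.41", "garbage that is not irc"),
]

# Channel names (without the leading '#' or '&') that indicate the backdoor
# described in the post. Assumption: extend with your own intelligence.
WATCHED_CHANNELS = {"virtu"}

# RFC 1459 message: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Za-z]+|\d{3})(?:\s+(?P<params>.*))?$"
)


def split_params(raw):
    """Split the parameter part of an IRC line into a list.

    Middle parameters are space separated; a parameter starting with ':'
    is the trailing parameter and may itself contain spaces.
    """
    params = []
    raw = raw.strip()
    while raw:
        if raw.startswith(":"):
            params.append(raw[1:])
            break
        part, _, raw = raw.partition(" ")
        params.append(part)
        raw = raw.lstrip()
    return params


def parse_irc(line):
    """Return (command, params) for one IRC line, or None if it is not IRC."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    return m.group("cmd").upper(), split_params(m.group("params") or "")


def channel_name(target):
    """Normalise '#Virtu' / '&virtu' to 'virtu' for comparison."""
    return target.lstrip("#&").lower()


def find_virut_c2(flows, channels=WATCHED_CHANNELS):
    """Return (host, command, channel) for every JOIN or PRIVMSG that
    touches a watched channel. Non-IRC lines are ignored, not raised on,
    because a tap will always carry junk."""
    hits = []
    for host, line in flows:
        parsed = parse_irc(line)
        if parsed is None:
            continue
        cmd, params = parsed
        if cmd == "JOIN" and params:
            # JOIN accepts a comma-separated channel list
            for chan in params[0].split(","):
                if channel_name(chan) in channels:
                    hits.append((host, cmd, chan))
        elif cmd == "PRIVMSG" and params:
            if channel_name(params[0]) in channels:
                hits.append((host, cmd, params[0]))
    return hits


if __name__ == "__main__":
    for host, cmd, chan in find_virut_c2(SAMPLE_FLOWS):
        print(f"{host} sent {cmd} to {chan}")
```

The parser deliberately tolerates prefixes and numeric replies so the same function can be pointed at server-to-client lines too; matching on the channel name rather than on a server address keeps the check valid even when the pre-defined server is changed in a later variant.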

We made a deeper analysis of this file in our Virus Lab and created a document to share our detailed findings, which can be downloaded here: Analysis_W32.Virut.ce (PDF, 1 Mbyte).

Liviu Serban
Virus Researcher

The techniques used inside Virut reflect the latest methods used to write malware: anti-emulation techniques, anti-debugging tricks and calls to multiple fake API functions. In our Virus Lab