Updated Virut Detection
For several months things had been quiet around W32/Virut, yet another file infector virus that was very active and widespread in the past. A short time ago, new instances of the W32/Virut family suddenly surfaced.
The malware author has further refined the polymorphic engine of W32/Virut to make it harder to detect. It infects the executable files it finds on the hard disk using several methods, for example a number of different entry point obfuscation techniques. It also uses different complex encryption schemes: sometimes one layer, sometimes even two.
Another remarkable property of W32/Virut is its use of anti-emulation and anti-debugging tricks, which are meant to make analysis more difficult. After infecting a system, the malware injects, among other things, iframes into HTML files. It seems to try to download further malware that way. With our update from last Friday, Avira AntiVir products detect all currently known new samples of W32/Virut again.
Dirk Knop
Technical Editor
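A defender cleaning up after an infection like the one described above can audit local HTML files for concealed iframes. The following Python check is an added example, not Avira's detection logic or code from the original post; the heuristics (tiny or hidden frame, placement after `</html>`, untrusted host), the `audit_html` name and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: generic signs of an injected iframe, not a W32/Virut signature.
TINY = {"0", "1", "0px", "1px"}

class IframeAudit(HTMLParser):
    """Records each <iframe> together with the reasons it looks injected."""
    def __init__(self, trusted_hosts=()):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.past_html_end = False
        self.findings = []                      # (line, src, [reasons])
    def handle_endtag(self, tag):
        if tag == "html":
            self.past_html_end = True
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in self.trusted:
            reasons.append("external-host")
        if a.get("width") in TINY or a.get("height") in TINY:
            reasons.append("tiny-frame")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden-style")
        if self.past_html_end:
            reasons.append("after-html-end")
        self.findings.append((self.getpos()[0], src, reasons))

def audit_html(text, trusted_hosts=()):
    """Return iframes that load from an untrusted host AND look concealed."""
    parser = IframeAudit(trusted_hosts)
    parser.feed(text)
    parser.close()
    return [f for f in parser.findings if "external-host" in f[2] and len(f[2]) > 1]

# Constructed sample page: two legitimate frames and one appended after </html>.
SAMPLE = """<html><body>
<iframe src="/local/help.html" width="600" height="400"></iframe>
<iframe src="https://maps.example.org/embed" width="600"></iframe>
</body></html>
<iframe src="http://injected.example.invalid/x" width="1" height="1"></iframe>
"""
if __name__ == "__main__":
    print(audit_html(SAMPLE, trusted_hosts=["maps.example.org"]))
```

A hit is a reason to inspect the file and compare it against a known-good copy, not proof of infection.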

File viruses, the outbreak goes on | Sir Arthur's Den:
[...] eye. The new W32/Virut variants were discovered (among the others) by Avira, that in these weeks updated AntiVir that now should be able to identify all the several iterations of the [...]
February 24, 2009, 6:26 pm
File viruses, the epidemic continues | Sir Arthur's Den:
[...] variants of W32/Virut have been identified (among others) by Avira, which in recent weeks has updated AntiVir, which should now be able to recognize all the different iterations of the [...]
February 24, 2009, 6:42 pm
Avira - TechBlog » Blog Archive » Malware threats in the first half of 2009:
[...] predicted that the use of polymorphic file infectors will increase again. This became true: W32/Virut, W32/Sality and W32/Almanahe are celebrating a comeback. The authors spread new variants of their [...]
June 19, 2009, 10:26 am
Avira – TechBlog » Blog Archive » Hindering debugging – by doing nothing:
[...] “random” junk code that doesn’t really do anything useful. One example is the W32/Virut family. Despite already being a couple of years old, it is still one of the most active file [...]
July 22, 2009, 9:41 am