SonicALERT
Search

Sonicwall Signatures

 

Go to All Categories list.


  Virut.CE_79
Virut.CE_79 is a polymorphic file infector virus that target Microsoft Windows operating systems. It is known to infect files with .exe and .scr extensions on local drives, removable media, and network shares.

          Process Related Changes
          It injects malicious code into the following process(es):
          • "C:\Windows\system32\UI0Detect.exe"
          • "C:\Windows\system32\Dwm.exe"
          • "C:\Windows\system32\csrss.exe"
          • "C:\Windows\system32\psxss.exe"
          • "C:\Windows\System32\tcpsvcs.exe"
          • "c:\windows\system32\tlntsrv.exe"
          • "C:\Windows\system32\wininit.exe"
          • "C:\Windows\System32\spoolsv.exe"
          • "C:\Windows\system32\taskhost.exe"
          • "C:\Windows\system32\nfsclnt.exe"
          • "C:\Windows\system32\lsass.exe"
          • "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
          • "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
          • "C:\Windows\system32\SearchIndexer.exe"
          • "C:\Windows\system32\inetsrv\inetinfo.exe"
          • "C:\Windows\system32\lsm.exe"

          Network Activity
          We observed the following DNS query/queries:
          • ilo.brenz.pl

          It attempts to connect to the following remote servers:
          • ilo.brenz.pl:80 (148.81.xxxxxx)


          Relevant Information