Virut.A_1115 is a polymorphic file infector virus that target Microsoft Windows operating systems. It is known to infect files with .exe and .scr extensions on local drives, removable media, and network shares.
File Related Changes
It drops the following file(s) on the system:
- "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf"
Process Related Changes
It creates the following mutex(es):
- eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-1078081533-842925246-854245398-1003"
- CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
- MPSWabDataAccessMutex"
- c:!documents and settings!admin!local settings!history!history.ie5!"
- CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- MPSWABOlkStoreNotifyMutex"
- CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- MSCTF.Shared.MUTEX.MPC"
- SHIMLIB_LOG_MUTEX"
- CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
- shqq"
- MSIdent Logon"
- CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
- CONF.EXE"
- c:!documents and settings!admin!cookies!"
It creates the following process(es): - C:\WINDOWS\system32\rundll32.exe
- C:\PROGRA1\NETMEE1\conf.exe
- C:\WINDOWS\Temp\aa42e9928cd9964db6d2db8900e3f77a.exe [ \c:\windows\temp\aa42e9928cd9964db6d2db8900e3f77a.exe ]
It injects malicious code into the following process(es): - "C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe"
- "C:\WINDOWS\system32\svchost.exe"
- "C:\WINDOWS\system32\tlntsrv.exe"
- "C:\WINDOWS\system32\winlogon.exe"
- "C:\WINDOWS\system32\rundll32.exe"
- "C:\PROGRA1\NETMEE1\conf.exe"
- "C:\WINDOWS\system32\ctfmon.exe"
- "C:\WINDOWS\system32\wbem\wmiprvse.exe"
- "C:\WINDOWS\explorer.exe"
- "C:\WINDOWS\system32\services.exe"
- "C:\WINDOWS\system32\alg.exe"
- "C:\WINDOWS\system32\lsass.exe"
- "C:\Program Files\Java\jre6\bin\jqs.exe"
- "C:\WINDOWS\system32\spoolsv.exe"
Network Activity
We observed the following DNS query/queries:
It attempts to connect to the following remote servers: - 148.81.xxxxxx:65520
- 127.xxxxxx:1030
Registry Related Changes
It makes the following registry modifications to ensure infection after system reboot: - HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce\= g
- HKLM\system\CurrentControlSet\Services\= g
- HKLM\system\CurrentControlSet\Services\sharedaccess\epoch\= g
- HKLM\software\microsoft\windowsnt\currentversion\drivers32\= g
- HKLM\system\CurrentControlSet\Services\tcpip\parameters\= g
|
