Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/Virut.NBK is a polymorphic file infector. The virus connects to the IRC network. It can be controlled remotely.
Installation
The virus creates and runs a new thread with its own program code within the following processes:
  • winlogon.exe
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess\Parameters\FirewallPolicy\StandardProfile\
    AuthorizedApplications\List]
    "\??\%system%\winlogon.exe" = "\??\%system%\
    winlogon.exe:*:enabled:@shell32.dll,-1"
The performed data entry creates an exception in the Windows Firewall program.
Executable files infection
The virus searches for executables with one of the following extensions:
  • .exe
  • .scr
Executables are infected by appending the code of the virus to the last section.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

It avoids those with any of the following strings in their names:
  • WINC
  • WCUN
  • WC32
  • OTSP
Infects the following files:
  • *.htm
  • *.php
  • *.asp
  • *.html
The virus inserts an IFrame element with an URL link into the file.
Other information
The virus is sent data and commands from a remote computer or the Internet.

It communicates with the following servers using IRC protocol:
  • irc.zief.pl
  • proxim.ircgalaxy.pl
It can execute the following operations:
  • download files from a remote computer and/or Internet
  • run executable files
The following file is modified:
  • %system%\drivers\etc\hosts
The virus writes the following entries to the file:
  • 127.0.0.1 ZieF.pl