
Virut’s Not-So-Obvious Motive

By Rodel Mendrez  •  February 23rd, 2009  •   Spam

Last week, we got a chance to look at a Virut sample that has been spreading in the wild since the first week of this month. Virut uses its own polymorphic engine to infect files and an entry-point obfuscation technique to avoid anti-virus detection, which makes removal from an infected computer relatively difficult. This malware infects files with .EXE and .SCR file extensions. It is also capable of infecting web document files with .PHP, .ASP and .HTM file extensions by inserting an IFRAME tag that points to an exploit URL.

An example of an infected HTML file with Virut's inserted IFRAME tag
(Note: as of this writing, the URL in the IFRAME tag is inaccessible.)
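A cleanup check for the web-document infection described above, as an added example that is not code from the original post: it walks a web root and reports every IFRAME in .php, .asp and .htm files whose source host is not one of the site's own. The allowlist, the function names and the sample markup (including the host `exploit-host.example`) are constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

WEB_EXTENSIONS = {".php", ".asp", ".htm"}  # web document types the article lists

# Constructed sample page: one local iframe, one pointing at a foreign host.
SAMPLE = """<html><body>
<p>Welcome</p>
<iframe src="/local/banner.htm"></iframe>
<IFRAME SRC="http://exploit-host.example/x.htm" width=1 height=1></IFRAME>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collects (line, src) for every iframe tag, whatever its letter case."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            src = dict(attrs).get("src") or ""
            self.found.append((self.getpos()[0], src.strip()))

def foreign_iframes(markup, allowed_hosts):
    """Return [(line, src)] for iframes whose host is not in allowed_hosts."""
    parser = IframeCollector()
    parser.feed(markup)
    parser.close()
    hits = []
    for line, src in parser.found:
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host: they stay on the site and are skipped.
        if host and host not in allowed_hosts:
            hits.append((line, src))
    return hits

def scan_tree(root, allowed_hosts):
    """Walk root; map each .php/.asp/.htm path to its foreign iframes."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                path = os.path.join(folder, name)
                # latin-1 decodes any byte, so odd encodings never abort a scan
                with open(path, encoding="latin-1") as handle:
                    hits = foreign_iframes(handle.read(), allowed_hosts)
                if hits:
                    report[path] = hits
    return report
```

Every hit still needs review against a known-good copy of the file, since a site may embed third-party frames on purpose; add those hosts to the allowlist once confirmed.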

Obfuscated Code

The link points to an obfuscated multiple-browser exploit

The IFRAME link points to a website that employs multiple browser exploits to download arbitrary files. We observed several types of malware being downloaded. Among them were four different types of spambots, Xarvester, Pushdo/Cutwail, Grum/Tedroo and Gheg/Tofsee, and also a file-infecting Virut variant.

Opening the exploit URL will download and execute the Virut malware:

After that, it downloads a downloader/process injector file named VRT1.tmp, which opens a new svchost.exe process and injects its code into it:

The process then downloads a bunch of spambots, including Xarvester/Rlsloup and Pushdo/Cutwail.

Strings found in the Xarvester malware body are shown below. The HTTP request "POST /bn/comgate.xhtml?name=78 HTTP/1.1" is used to communicate with its control server.

After a while, a Grum spambot was also downloaded. However, this Grum has been infected with Virut code, meaning it can also infect .EXE and .SCR files.

On the infected computer, the Grum spambot then proceeded to spam. Here's an example:

To conclude, perhaps the not-so-obvious motive of Virut is to build a network of zombie computers through which cybercriminals can relay spam email to make money.
