New Malware 'Virux' Spreading Rampant in US

By Dennis Faas

A new strain of malware that can spread rapidly from machine to machine using a variety of infection techniques, including the poisoning of web servers which then go on to contaminate visitors, has reportedly been identified by security researchers. (Source: theregister.co.uk)

The malware, dubbed VIRUX by security researchers at Trend Micro, is spreading around the globe, but seems to be propagating faster in the U.S. than anywhere else. (Source: trendmicro.com)

VIRUX appears to be more complex than its cousin VIRUT and has the ability to circumvent Microsoft's Windows Firewall security software. (Source: eweek.com)

Infector Chooses Multiple Infection Styles

The malware infectors choose any of the following infection styles:

  • Cavity: like a tooth cavity, the virus inserts its code into available spaces within the normal file.

  • Appending: the virus inserts its code after the normal file's code.

  • Prepending: the virus inserts its code before the normal file's code.

  • Entry-point: a complex infection technique used to evade immediate detection.

Stunned by its effectiveness, a TrendLabs researcher recently wrote, "VIRUX hunts down target files and infects them using more than one infection technique and sometimes more than one encryption routine." (Source: trendmicro.com)

VIRUX can and will infect both .EXE and .SCR files, turning them into variants of VIRUX themselves. Once infected, the PC connects to IRC (Internet Relay Chat) servers, where it joins a channel to receive and execute commands on the affected machine.

VIRUX Also Infects Script Files

Apart from the routine mentioned above, what sets VIRUX apart from VIRUT is that it also infects script files. For .PHP, .ASP and .HTML files, VIRUX inserts malicious IFrame code which is loaded automatically when the script files are opened.

If the script files happen to be uploaded to a publicly accessible website, any visitor to the affected site will be led to the malicious URL embedded in the IFrame code, which automatically downloads other malicious files to the visitor's PC.
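As an added, defender-side illustration of the script-file infection just described (this is example code written for this article, not code from the article itself or from any vendor it names): a Python scanner that walks a web root and flags IFrame tags in .PHP, .ASP and .HTML files that look injected rather than authored, i.e. frames that are invisible or point off-site. The heuristics, the site host www.example.org, the placeholder host injected-host.invalid and the sample page are assumptions constructed for the example.

```python
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def parse_attrs(tag):
    """Return one tag's attributes as a lowercase-keyed dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "").strip()
            for m in ATTR_RE.finditer(tag)}

def suspicious_iframes(content, site_host):
    """List (reasons, tag) for iframes that look injected: invisible frames
    (zero/1px size, display:none, visibility:hidden, off-screen) or a src on
    a host other than the site's own. Authored embeds are normally visible."""
    findings = []
    for m in IFRAME_RE.finditer(content):
        tag = m.group(0)
        attrs = parse_attrs(tag)
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            reasons.append("zero-size")
        if ("display:none" in style or "visibility:hidden" in style
                or re.search(r"(left|top):-\d", style)):
            reasons.append("hidden-by-style")
        host = urlparse(attrs.get("src", "")).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        if reasons:
            findings.append((", ".join(reasons), tag))
    return findings

def scan_tree(root, site_host):
    """Walk a web root and report (path, reasons, tag) for every hit in the
    file types the article names (.PHP, .ASP, .HTML)."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in (".php", ".asp", ".html", ".htm"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for reasons, tag in suspicious_iframes(fh.read(), site_host):
                        report.append((path, reasons, tag))
    return report

# Constructed sample page (assumption): one legitimate embed, one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.example.org/video" width="640" height="360"></iframe>
<iframe src="http://injected-host.invalid/x.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""
```

Running `scan_tree("/var/www", "www.example.org")` on a real document root gives a webmaster a quick list of pages to inspect; the heuristics produce false positives on legitimate tracking frames, so treat hits as leads rather than verdicts.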

A pretty thorough breakdown of how the virulent virus has changed has been composed by Websense Researcher Nicolas Brulez who concludes:

"Many aspects of the Virut virus have changed, making newer variants much more effective. The fact that it infects running processes makes it very virulent. If you move a file that matches the requirements in the infected code onto an infected machine, it is instantly infected. The virus also uses the SFC (System File Checker) functions to make sure Windows won't pop up an error message if a Windows file is infected. The fact that it infects Web pages makes it even more virulent, as Webmasters could and probably do upload infected HTM/ASP/PHP pages, leading to various exploits that target their visitors." (Source: websense.com)

Microsoft researchers say that once your system is infected, it injects its code into various system processes such as explorer.exe and winlogon.exe and hooks low-level Windows APIs (Application Program Interface) to ensure that it stays in memory. Information regarding Win32/Virut as well as prevention tips are available from Microsoft. (Source: microsoft.com)

Perhaps the safest advice is also the simplest: avoid those sites you don't trust 100%.

