Analysis by: Adrian Cofreros
ALIASES:

Virus:Win32/Virut.BN(Microsoft),Virus.Win32.Virut.ce(Kaspersky),Virus.Win32.Virut.ce (v)(SunBelt)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware, Infects files

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It prevents users from visiting antivirus-related websites that contain specific strings.

  TECHNICAL DETAILS

File Size: 256,000 bytes
Memory Resident: Yes
Initial Samples Received Date: 06 Aug 2013
Payload: Compromises system security, Modifies HOSTS file

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector adds the following folders:

  • %Windows%\{random number 3}
  • %System%\{random number 5}a
  • %User Profile%\Templates\{random number 8}

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

  • %Windows%\lsass.exe
  • %Windows%\l{random number 1}.exe
  • %Windows%\{random number 2}.exe
  • %Windows%\{random number 3}\smss.exe
  • %Windows%\{random number 3}\system.exe
  • %Windows%\{random number 3}\bb{random number 4}l.com
  • %System%\{random number 5}a\c{ random number 6}.cmd
  • %System%\{random number 7}l.exe
  • %System%\moonlight.scr
  • %User Profile%\Templates\{random number 8}\{random number 9}.exe
  • %User Profile%\Templates\{random number 8}\service.exe
  • %User Profile%\Templates\{random number 8}\winlogon.exe

It drops the following files:

  • %Windows%\MoonLight.txt - contains notes from the malware author

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It injects codes into the following process(es):

  • winlogon.exe

Autostart Technique

This file infector adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random number 10} = "%Windows%\l{random number 1}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random number 11} = "%System%\{random number 7}l.exe"

Other System Modifications

This file infector adds the following registry keys:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
titta\version

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
untukmu2\version

It adds the following registry entries:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
titta\version
me = "4"

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\
untukmu2\version
me = "4"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
regedit.exe
debugger = "%Windows%\notepad.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
msconfig.exe
debugger = "%Windows%\notepad.exe"

It modifies the following registry entries:

HKEY_CLASSES_ROOT\scrfile
(Default) = "File Folder"

(Note: The default value data of the said registry entry is Screen Saver.)

HKEY_CLASSES_ROOT\exefile
(Default) = "File Folder"

(Note: The default value data of the said registry entry is Application.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
exefile
(Default) = "File Folder"

(Note: The default value data of the said registry entry is Application.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
scrfile
(Default) = "File Folder"

(Note: The default value data of the said registry entry is Screen Saver.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe, "%User Profile%\Templates\{random number 8}\{random number 9}.exe""

(Note: The default value data of the said registry entry is Explorer.exe.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot
AlternateShell = "{random number 7}l.exe"

(Note: The default value data of the said registry entry is cmd.exe.)

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\lsass.exe = "%Windows%\lsass.exe:*:Enabled:lsass"

File Infection

This file infector infects the following file types:

  • .EXE
  • .SCR

It avoids infecting files that contain the following strings in their names:

  • OTSP
  • WC32
  • WCUN
  • WINC

It avoids infecting the following files:

  • .DLL files
  • PE Files with _win section name
  • Files with infection marker

Backdoor Routine

This file infector connects to any of the following IRC server(s):

  • ru.{BLOCKED}s.pl
  • core.{BLOCKED}axy.pl

HOSTS File Modification

This file infector adds the following strings to the Windows HOSTS file:

  • 127.0.0.1 jL.{BLOCKED}a.pl
  • 127.0.0.1 www.{BLOCKED}z.pl

Other Details

This file infector prevents users from visiting antivirus-related websites that contain the following strings:

  • rootkit
  • securecomputing
  • sophos
  • spamhaus
  • spyware
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • virus
  • ahnlab
  • arcabit
  • avast
  • avg
  • avira
  • castlecops
  • centralcommand
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • defender
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • malware
  • mcafee
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising

NOTES:

It connects to IRC using 8-randomly generated character for its NICK and 1-randomly generated character for its USER.Once connected to the IRC server, it joins a certain channel to receive and execute commands on the affected system.

It infects file with a detection of PE_VIRUX.S-3.

It drops any of the following copies of itself on the shared folders/removable drives:

  • Data {computer name}.exe
  • Foto {computer name}.exe
  • New Folder.exe
  • New Folder{{Number}).exe
  • New Folder.scr
  • {computer name} Porn.exe
  • {random values}.exe

It infects the following files by adding an iframe:

  • asp
  • html
  • htm
  • php

It adds an iframe code to redirect to its C&C server.

It modifies the registry values to enable hiding of hidden files and file extensions

It drops an AUTORUN.INF with the following contents on the removable drives:

[autorun] open={random file and extension}

It drops the following files on the removable drives which pointed by its AUTORUN.INF:

  • {removable drive letter}:\{random file and extension} – detected as PE_VIRUX.S-3

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 10.204.07
FIRST VSAPI PATTERN DATE: 08 Aug 2013
VSAPI OPR PATTERN File: 10.205.00
VSAPI OPR PATTERN Date: 09 Aug 2013

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product and note files detected as PE_VIRUX.MEO-O

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software
    • VB and VBA Program Settings

Step 5

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Windows%\MoonLight.txt

Step 6

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Windows%\{random number 3}
  • %System%\{random number 5}a
  • %User Profile%\Templates\{random number 8}

Step 7

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • {random number 10} = "%Windows%\l{random number 1}.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • {random number 11} = "%System%\{random number 7}l.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • \??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\lsass.exe = "%Windows%\lsass.exe:*:Enabled:lsass"

Step 8

Restore these modified registry values

[ Learn More ]

Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_CLASSES_ROOT\scrfile
    • From: (Default) = "File Folder"
      To: (Default) = Screen Saver
  • In HKEY_CLASSES_ROOT\exefile
    • From: (Default) = "File Folder"
      To: (Default) = Application
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
    • From: (Default) = "File Folder"
      To: (Default) = Application
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile
    • From: (Default) = "File Folder"
      To: (Default) = Screen Saver
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • From: Shell = "explorer.exe, "%User Profile%\Templates\{random number 8}\{random number 9}.exe""
      To: Shell = Explorer.exe
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    • From: AlternateShell = "{random number 7}l.exe"
      To: AlternateShell = cmd.exe

Step 9

Remove these strings added by the malware/grayware/spyware in the HOSTS file

[ Learn More ]
    • 127.0.0.1 www.{BLOCKED}z.pl
    • 127.0.0.1 jL.{BLOCKED}a.pl

Step 10

Restart in normal mode and scan your computer with your Trend Micro product for files detected as PE_VIRUX.MEO-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.