Summary

Prevalence: High

Name: Win32.Virtob.Gen

Type: Worm

How it spreads: Malicious Applications

Affected operating systems: All versions of the Windows® Operating System

Aliases:

Date of surface: Apr 30 2006 12:00AM

Description

Symptoms:
Increased size in executable files by approximately 8K
Increased system activity (net traffic and processor usage)

Description:
The virus is written in assembly language.
It infects ‘exe’ and ‘scr’ files when they are opened (using tools that show file icons is very harmful in this situation). When infecting a file, the virus appends itself to the end of the file as an encrypted body. It does not infect DLL files or files whose names start with ‘winc’, ‘wcun’, ‘wc32’, or ‘psto’. It hides its process by injecting viral code into other processes on the system.

The virus continuously tries to connect to an IRC server (proxima.irc[removed]) on port 65520, from which it receives commands to download a file. It can interpret 2 different commands:
a ‘check if connected’ command
a PRIV command which can contain a link to a possible virus

The default file downloaded from the IRC server is ‘VT100.exe’ (which moves itself into the ‘%windir%/system32’ directory and acts as a backdoor program).
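A triage check built on the indicators in the description above, added here as an example and not part of the original eScan entry: it parses `netstat -ano` output for outbound TCP connections to remote port 65520 and looks for VT100.exe in a system32 directory. The netstat rows, addresses, PIDs and paths are constructed sample data, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

C2_PORT = 65520             # IRC port named in the description
DROPPED_NAME = "vt100.exe"  # default download named in the description
# One TCP row of `netstat -ano`: local endpoint, remote endpoint, state, PID
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$", re.I)

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def suspicious_connections(netstat_text):
    """Return (pid, remote_host, state) for TCP rows whose REMOTE port is C2_PORT."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP row or blank line
        _local, remote, state, pid = m.groups()
        host, port = split_endpoint(remote)
        # SYN_SENT counts too: the virus keeps retrying the connection.
        # The PID is the process owning the socket; because the virus injects
        # into other processes, this can be an otherwise legitimate program.
        if port == C2_PORT and state.upper() in ("ESTABLISHED", "SYN_SENT"):
            hits.append((int(pid), host, state.upper()))
    return hits

def dropped_files(paths):
    """Return paths named VT100.exe that sit directly in a system32 directory."""
    return [p for p in paths
            if PureWindowsPath(p).name.lower() == DROPPED_NAME
            and PureWindowsPath(p).parent.name.lower() == "system32"]

# Constructed sample data (not taken from a real host)
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.0.2.10:1045        198.51.100.7:65520     SYN_SENT        1412
  TCP    192.0.2.10:1046        198.51.100.7:80        ESTABLISHED     1412
  TCP    192.0.2.10:65520       203.0.113.5:443        ESTABLISHED     2200
  TCP    192.0.2.10:1050        198.51.100.7:65520     ESTABLISHED     620
"""
SAMPLE_PATHS = [r"C:\WINDOWS\system32\VT100.exe", r"C:\Tools\vt100.exe",
                r"C:\WINDOWS\system32\notepad.exe"]

if __name__ == "__main__":
    print(suspicious_connections(SAMPLE_NETSTAT))
    print(dropped_files(SAMPLE_PATHS))
```

The row with local port 65520 is deliberately not flagged: only the remote port identifies a connection to the IRC server.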

Recovery

For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site: http://www.escanav.com/english/content/products/MWAV/escan_mwav.asp

Alternatively, you can install MicroWorld’s Internet Security Suite, which has real-time detection capabilities. You can download and install the product from our eScan download page: http://www.escanav.com/english/content/products/generic_eScan/eScan.asp

Advanced