NEW Virut strain (carries no payload?)

Hello All:

Just ran into a (new to me) Virut strain that appears to be selective in what files it chooses to infect. Like the other Virut strains, this one is an active file infector... but appears to be selective in what files it infects.

As an example: Older strains (poorly written) would just mass infect all .EXE, .SCR and .HTML files they could touch. An entry with a .PL site would be added to the HOSTS file.

As the Explorer.exe file (and other OS files) became rapidly infected, it was pretty easy to figure out you had acquired a Virut infection. This new beast, however, seems to be a bit smarter. It only seems to target some OS files (not all) and does not add a payload to the existing file, increasing its size (a sure indicator of infection). The telltale .PL site was still added to the HOSTS file as well.

Since I just ran into this today, I expect we will see more of it soon. ;(
As soon as I can isolate it and upload samples I will do so.
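
Added example, not part of the original post: a small Python check for the one indicator the post says still holds for this strain, a HOSTS file entry pointing at a .PL site. The function name and the sample file contents are constructed for illustration, and the hostname in the sample is a placeholder, not an indicator taken from the post.

```python
import ipaddress

# Constructed sample HOSTS content (placeholder names, not real indicators).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   Example-Placeholder.PL.   # inline comment
10.0.0.5    intranet.corp.example files.corp.example
not-an-ip   something.pl
"""


def suspicious_hosts_entries(text, tld=".pl"):
    """Return (line_no, address, hostname) for each mapped name ending in tld."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])  # first field must be an IP address
        except ValueError:
            continue  # not a valid address-to-name mapping line
        for name in fields[1:]:  # one line may map several names
            normalized = name.lower().rstrip(".")  # case and trailing dot vary
            if normalized.endswith(tld):
                hits.append((line_no, fields[0], normalized))
    return hits


if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(hit)
```

On a Windows host the file to read is `%SystemRoot%\System32\drivers\etc\hosts`. A hit is a triage lead rather than proof of infection, since a legitimate .pl mapping can exist on any machine.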