There are an increasing number of reports from several countries about a complex file infector with several infection routines. Arriving via the Internet, this new strain bypasses the Windows Firewall, infects using various infection types and using more than one layer of encryption. The US seems to be the most affected amongst all other regions as of this writing.
Typical file infectors choose any of the following infection styles:
- cavity – the virus inserts its code into available spaces within the normal file
- appending – the virus inserts its code after the normal file’s code
- prepending – the virus inserts its code before the normal file’s code
- entry-point obscuring – a complex infection technique used to evade immediate detection
The VIRUX strain, however, uses the following infection schema:
Figure 1. PE_VIRUX hunts down target files and infects them using more than one infection technique and sometimes more than one encryption routine
It can and will infect both .EXE and .SCR files using the above scheme, turning them into PE_VIRUX variants themselves. The ultimate payload might explain the pains that the cybercriminals took to make cleaning PCs of this infection difficult: this file infector connects to IRC servers, after which it joins a channel to receive and execute commands on the affected PC. It is “anything goes” from there.
PE_VIRUX.A also connects to websites to download files. A little earlier this week it was downloading TROJ_INJECTOR.AR, however, a few hours after that the URL began downloading another PE_VIRUX variant.
Apart from the above routine, PE_VIRUX also infects script files. For script files (.PHP, .ASP, and .HTML), PE_VIRUX inserts a malicious IFrame code, which is automatically loaded when the script files are opened. Trend Micro detects infected scripts as HTML_IFRAME.NV. This catapults the possibility of spreading even farther; if the script files happen to be uploaded to a publicly accessible website, any visitor to the affected sites will be led to the URL embedded in the iFrame code. Undoubtedly malicious, the said URL automatically downloads HTML_XPLOIT.V onto the system, which in turn downloads PE_VIRUT.BO.
PE_VIRUT.BO, on the other hand, when cleaned, becomes TROJ_VIRUX.A. This Trojan connects to websites, which, as of this writing, are inaccessible, but may go live any time.
PE_VIRUX variants also infects files of similar file types located in all of the infected PC’s physical drives, folders and subfolders.
Figure 2. PE_VIRUX Infection Diagram
Readers may recall a file infector of a similar name, PE_VIRUT, which likewise wreaked havoc due to its nasty infection routines. See the following blog entries discussing this threat:
- Woody Allen is Dead Says PE VIRUT
- Bogus Microsoft Update Delivers Nasty File Infectors
- Adobe Reader Vulnerability Actively Being Exploited
While we are careful in noting the similarities between the two, TrendLabs engineers are quick to point out that VIRUX is indeed a notch higher than VIRUT in terms of complexity (which is the cybercriminals’ bid for malware persistence and increasing likelihood of reinfection).
TrendLabs engineers are working on an in-depth analysis of this malware. Trend Micro Smart Protection Network blocks all URLs related to this entire attack, ensuring users are protected from ever accessing them. See the complete malware description of PE_VIRUX.A at its Virus Encyclopedia entry.