With Conficker still fresh on our minds, a new potential menace has emerged. W32.Virut.CF (Symantec) or W32/Scribble-A (Sophos), a Trojan that spreads like a virus and gives its operators remote access, is poised to wreak havoc on networks over the coming days. Because it embeds itself deep within infected machines, the Trojan will be difficult to clean up. It is also reportedly breaking some critical business applications as it attaches itself to them. The sample I have contains a keylogger, but it has not yet transmitted any data to a remote host.
There have been multiple reports of widespread impact within the enterprise. The typical starting point is web-borne malware (Figure 1). Once it enters the company's network, it uses open shares to continue spreading. It also reaches out to multiple URLs to download additional malware, reportedly degrading overall network performance while it spreads.
Like Conficker, earlier versions of W32.Virut.CF in February and March also used USB thumb drives as a vehicle for spreading the infection and exploited machines that had not installed the patch for MS08-067, a flaw that allows an unauthenticated attacker to compromise a PC. The current variant is polymorphic and uses a packer as well as multiple layers of encryption to evade detection by AV products. It is known to dig in deep by modifying the victim's hosts file to block access to security-related websites. The virus modifies .exe and .scr files, and inserts a malicious iframe into .htm, .html, .php and .asp files. It also opens a backdoor over IRC using two different addresses and appears to contain an embedded keylogger.
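The two host-level artifacts just described, a tampered hosts file and iframe-injected web files, are straightforward to check for. The Python below is an added example written for this post, not code from Symantec, Sophos or any analysis of the sample; the hosts-file lines, the web page, the vendor-name list and the site name `intranet.example.local` are all constructed for the demonstration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# --- Constructed samples (not captured from a real infection) -----------------

# A Windows hosts file with the kind of tampering described in the post:
# security vendor names pinned to loopback. Vendor names are illustrative.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com      # added by malware
127.0.0.1       sophos.com
0.0.0.0         update.microsoft.com
"""

# A web page with an appended zero-size iframe pulling content from another site.
SAMPLE_HTML = """\
<html><body><h1>Intranet home</h1>
<iframe src="http://www.rdnovel.com/xs.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="https://intranet.example.local/calendar" width="600" height="400"></iframe>
</body></html>
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Name fragments that should never resolve to loopback on a managed PC
# (assumed list; extend it with the products actually deployed).
SECURITY_NAMES = ("symantec", "sophos", "mcafee", "kaspersky", "trendmicro",
                  "microsoft", "windowsupdate", "avast", "eset")
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that pin a security-related name to loopback."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments, including trailing ones
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, host = m.group(1), m.group(2).lower()
        if host == "localhost":
            continue
        if ip in LOOPBACK and any(name in host for name in SECURITY_NAMES):
            hits.append((ip, host))
    return hits


IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
ZERO_DIM = re.compile(r"""\b(?:width|height)\s*=\s*["']?0\b""", re.IGNORECASE)


def injected_iframes(html, site_host):
    """Return (src, reason) for iframes that are hidden (0-pixel) or load
    content from a host other than the site's own."""
    hits = []
    for tag in IFRAME_TAG.findall(html):
        src_m = SRC_ATTR.search(tag)
        if not src_m:
            continue
        src = src_m.group(1)
        host = (urlsplit(src).hostname or "").lower()   # "" for relative URLs
        reasons = []
        if ZERO_DIM.search(tag):
            reasons.append("zero-size")
        if host and host != site_host.lower():
            reasons.append("off-site:" + host)
        if reasons:
            hits.append((src, ",".join(reasons)))
    return hits


WEB_EXTENSIONS = {".htm", ".html", ".php", ".asp"}   # file types the post says get an iframe


def scan_web_root(root, site_host):
    """Walk a web root and report injected iframes per file."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in WEB_EXTENSIONS and path.is_file():
            hits = injected_iframes(path.read_text(errors="replace"), site_host)
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    print("hosts file:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("web page:  ", injected_iframes(SAMPLE_HTML, "intranet.example.local"))
    # On a live machine the same functions run over the real files, e.g.
    #   suspicious_hosts_entries(Path(r"C:\Windows\System32\drivers\etc\hosts").read_text())
    #   scan_web_root(r"C:\inetpub\wwwroot", "intranet.example.local")
```

The hosts-file check deliberately treats `0.0.0.0` and `::1` the same as `127.0.0.1`, since any of them silently blackholes a vendor's update and cleanup sites; the iframe check flags both the zero-size trick and any frame that reaches off the site, so it still fires if the attacker changes the destination.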
Some of the URLs it reaches out to include:
www.bb3s.cn
http://www.rdnovel.com/xs.htm
http://www.cslaoc.com.cn
http://www.e68film.cn/index.html
http://www.kugosou.cn/index.html
http://www.992film.cn/index.html
http://www.913youku.cn/index.html
http://youku83.cn
http://www.boboo5.com
http://s12.wgy9.cn
http://E.MOTOBANG.CN
http://vod.ke98.com/ad
http://www.qovd18.cn
http://www.shijue18.cn
http://www.fengchengtv.cn
http://www.zhuguangsp.cn
http://www.xtdxw.cn
http://www.qovdsp.cn
http://www.hudie18.cn
http://www.leledh.cn
http://www.hongmeiyingshi.cn
IT administrators should block the above URLs at the gateway, along with ports 1035, 1057 and 1058 unless there is a business case for keeping them open, and the IRC backdoor addresses listed below.
IRC backdoor addresses:
irc.zief.pl on TCP port 80
proxim.ircgalaxy.pl on TCP port 80
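Turning the indicators above into something a gateway can enforce and a log review can use: the Python below is an added example, not tooling from the post's author. It normalises the mixed list of bare hosts and full URLs to lower-case hostnames, renders them as a Squid `dstdomain` ACL, and scans Squid-format access log lines for requests to the download sites, CONNECT tunnels to the IRC hosts on port 80, and connections on the three ports named. The log lines, client addresses and 192.0.2.x peer addresses are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Indicators exactly as listed in the post (download URLs and the two IRC hosts).
DOWNLOAD_URLS = [
    "www.bb3s.cn", "http://www.rdnovel.com/xs.htm", "http://www.cslaoc.com.cn",
    "http://www.e68film.cn/index.html", "http://www.kugosou.cn/index.html",
    "http://www.992film.cn/index.html", "http://www.913youku.cn/index.html",
    "http://youku83.cn", "http://www.boboo5.com", "http://s12.wgy9.cn",
    "http://E.MOTOBANG.CN", "http://vod.ke98.com/ad", "http://www.qovd18.cn",
    "http://www.shijue18.cn", "http://www.fengchengtv.cn", "http://www.zhuguangsp.cn",
    "http://www.xtdxw.cn", "http://www.qovdsp.cn", "http://www.hudie18.cn",
    "http://www.leledh.cn", "http://www.hongmeiyingshi.cn",
]
IRC_HOSTS = {"irc.zief.pl", "proxim.ircgalaxy.pl"}      # backdoor, TCP port 80
SUSPECT_PORTS = {1035, 1057, 1058}


def normalise_hosts(entries):
    """Reduce bare hosts, full URLs and mixed case to a set of lower-case hostnames."""
    hosts = set()
    for entry in entries:
        url = entry if "://" in entry else "http://" + entry
        host = urlsplit(url).hostname          # .hostname is already lower-cased
        if host:
            hosts.add(host)
    return hosts


BLOCKED_HOSTS = normalise_hosts(DOWNLOAD_URLS) | IRC_HOSTS


def host_matches(host, blocked):
    """True if host is one of the blocked names or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked)


def squid_dstdomain_acl(blocked):
    """Render a Squid dstdomain list; a leading dot covers the name and its subdomains."""
    return "\n".join("." + h for h in sorted(blocked)) + "\n"


# Squid native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer content-type
SQUID_FIELDS = ("time", "elapsed", "client", "result", "bytes",
                "method", "url", "ident", "hier", "ctype")


def parse_squid_line(line):
    parts = line.split(None, 9)
    return dict(zip(SQUID_FIELDS, parts)) if len(parts) == 10 else None


def url_host_port(method, url):
    """CONNECT lines log 'host:port'; every other method logs a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port) if port.isdigit() else None
    parts = urlsplit(url)
    return parts.hostname or "", parts.port or (443 if parts.scheme == "https" else 80)


def scan_squid_log(lines, blocked=BLOCKED_HOSTS):
    """Return (client, host, port, reason) for each request touching an indicator."""
    alerts = []
    for line in lines:
        rec = parse_squid_line(line)
        if not rec:
            continue
        host, port = url_host_port(rec["method"], rec["url"])
        if host_matches(host, blocked):
            kind = "irc-backdoor" if host_matches(host, IRC_HOSTS) else "download-site"
            alerts.append((rec["client"], host, port, kind))
        elif port in SUSPECT_PORTS:
            alerts.append((rec["client"], host, port, "suspect-port"))
    return alerts


# Constructed log excerpt: two download-site fetches, an IRC tunnel on port 80,
# a benign request, and a tunnel to one of the ports named in the post.
SAMPLE_LOG = """\
1239700000.123    245 10.1.2.3 TCP_MISS/200 1543 GET http://www.rdnovel.com/xs.htm - DIRECT/192.0.2.10 text/html
1239700001.456     12 10.1.2.3 TCP_MISS/200 8721 GET http://E.MOTOBANG.CN/ - DIRECT/192.0.2.11 application/octet-stream
1239700002.789   1200 10.1.2.7 TCP_TUNNEL/200 0 CONNECT irc.zief.pl:80 - DIRECT/192.0.2.12 -
1239700003.001     50 10.1.2.9 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/192.0.2.13 text/html
1239700004.222     80 10.1.2.9 TCP_TUNNEL/200 0 CONNECT 192.0.2.14:1057 - DIRECT/192.0.2.14 -
"""

if __name__ == "__main__":
    print(squid_dstdomain_acl(BLOCKED_HOSTS))
    for alert in scan_squid_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Matching on the hostname rather than the literal URL string matters here: the post lists one host in upper case and several with paths, and a new download path on a listed host should still be caught. Classifying a tunnel to the IRC hosts separately from a download-site hit lets the backdoor connections be triaged first, since those machines are already under remote control.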
Businesses running application control (whitelisting) can breathe a sigh of relief, as this particular virus is unable to execute on a protected host by default.