Posted 17 April 2009 - 02:53 AM
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that contain the virus.
Miekiemoes, an expert in malware removal and an MS-MVP, also has a blog post about Virut.
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends an encrypted copy of its code to the end of the last section of executable (PE) files. The decryptor is polymorphic and can be located either:
- Immediately before the encrypted code at the end of the last section
- At the end of the code section of the infected host in 'slack-space' (assuming there is any)
- At the original entry point of the host (overwriting the original host code)
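The placement scheme in the quoted description (encrypted body appended to the last section, decryptor either next to it, in code-section slack, or at the entry point) leaves structural traces that can be triaged from the PE section table alone. The script below is an added example, not code from the original post, from Miekiemoes' blog, or from any vendor tool; the function names parse_sections, infection_indicators and build_sample_pe are my own, and the two PE images it builds are constructed in memory for illustration only (they are not runnable programs). It reports three indicators: an entry point redirected into the last section, a last section flagged writable and executable, and non-zero bytes in the code section's file-alignment slack.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) parsed from a raw PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                       # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + 40 * i                       # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "rptr": rptr, "chars": chars})
    return entry_rva, sections


def infection_indicators(data):
    """Heuristic triage for an appending file infector: three boolean indicators."""
    entry_rva, secs = parse_sections(data)
    last = secs[-1]
    code = next((s for s in secs if s["chars"] & IMAGE_SCN_CNT_CODE), secs[0])
    # 1. Entry point redirected into the last section (where an appended body would live).
    last_end = last["vaddr"] + max(last["vsize"], last["rsize"])
    entry_in_last = last["vaddr"] <= entry_rva < last_end
    # 2. Last section made writable AND executable, so appended code can run and decrypt in place.
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    last_section_rwx = (last["chars"] & rwx) == rwx
    # 3. Non-zero bytes in the code section's slack (bytes between VirtualSize and
    #    SizeOfRawData), which a linker normally leaves zero-filled.
    slack = data[code["rptr"] + code["vsize"]:code["rptr"] + code["rsize"]]
    code_slack_nonzero = any(slack)
    return {"entry_in_last_section": entry_in_last,
            "last_section_rwx": last_section_rwx,
            "code_slack_nonzero": code_slack_nonzero}


def build_sample_pe(entry_rva, text_slack, last_chars):
    """Construct a minimal, non-runnable PE32 image: 0x200 of headers, .text, .data."""
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data_hdr = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
                           last_chars)
    opt = bytearray(224)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + data_hdr).ljust(0x200, b"\0")
    text_raw = (b"\x90" * 0x100 + text_slack).ljust(0x200, b"\0")   # 0x100 code, 0x100 slack
    return headers + text_raw + bytes(0x200)


DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample images (not real binaries): a clean layout, and one carrying the
# structural traces an infector of the kind described above would leave behind.
CLEAN = build_sample_pe(entry_rva=0x1000, text_slack=b"", last_chars=DATA_FLAGS)
SUSPECT = build_sample_pe(entry_rva=0x2080,
                          text_slack=b"\xe8\x00\x00\x00\x00\x5b",   # placeholder bytes standing in for a decryptor stub
                          last_chars=DATA_FLAGS | IMAGE_SCN_MEM_EXECUTE)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, infection_indicators(image))
```

Two caveats for anyone using this on real samples: the third placement the description mentions (decryptor written over the original entry point) changes no header field, so it is invisible to a check like this and needs a code-level comparison against a known-good copy of the host; and each indicator on its own has benign explanations (packers and some linkers produce similar layouts), so treat a hit as a reason to scan the file with an up-to-date engine, not as a Virut signature.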
Posted 21 April 2009 - 01:14 PM