The most polymorphic virus around today
10 Jun 2010
Kaspersky Lab announces the publication of an article titled ‘A Review of Virus.Win32.Virut.ce’ by Vyacheslav Zakorzhevsky, a Senior Virus Analyst with Kaspersky Lab. This is the first of a number of such articles from the recently launched Complex malicious programs series.
The ‘ce’ variant of the polymorphic Virus.Win32.Virut is the second most prolific of all viruses of the Virus.Win32.*.* class and is one of the most widely detected pieces of malware to be found on users’ computers today. The virus works by infecting executable files.
In recent years, malicious programs that infect executable files have lost their popularity with malware writers as they didn’t stand up at all well to emulation-based detection techniques. However, the creators of Virut.ce were not put off by this and developed complex methods for avoiding detection by using anti-emulation techniques and polymorphism.
“The Virut.ce variant is interesting for the variety of file infection mechanisms that it uses, as well as for its polymorphism and obfuscation techniques,” writes the article’s author. “However, its malicious payload is quite commonplace. This version of Virut was the first to combine all of the aforementioned malicious techniques into a single piece of malware. Some malicious programs may be heavily obfuscated, others may employ a wide range of anti-emulation techniques, but Virut.ce combines all of these in one virus.”
The Virut.ce code changes each time the virus infects a file by using an integrated mutation mechanism. Additionally, its creators have been known to release new variants as often as once a week, thus circumventing successful detection. Virut.ce is the fastest-mutating virus known. It is not just the virus body that mutates, but the decryptors as well.
Virut.ce employs the Entry Point Obscuring technique to block detection of the point at which the jump to the virus body is made. Each time an executable file is infected, obfuscation is used and this makes the detection problem far more complex.
Despite the malware’s obvious versatility, all of Kaspersky Lab’s products can successfully detect and remove Virus.Win32.Virut.ce from infected computers.
For a full version of the article, please visit www.securelist.com/en.