Virus Profile: W32/Virut.h

Threat Search
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/28/2007
Date Added: 8/28/2007
Origin: N/A
Length: Varies
Type: Virus
Subtype: Win32
DAT Required: 5107
Removal Instructions


W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.

It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either: 

  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)

The decryptor will either receive control directly or an API call within the host code body will be overwritten to point to it (EPO technique). In all cases where host code is overwritten by the virus the original bytes are stored within the encrypted virus body, and are restored before transfering control back to the host. This virus may also infect the files multiple times.

Indication of Infection

  • Modified executable files (increase in the size of exe files)
  • DNS queries to and IRC related network traffic

Methods of Infection

W32/Virut.h is a file infecting virus. Infection starts with manual execution of the binary. Executables in network shares may also get infected if accessed by the compromised machine.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files. In those cases of misinfection in which repair data is present within the virus body, and has not been miscalculated by it, the current DAT set will repair the virus as per the non-corrupted case. However, unfortunately, some W32/Virut.h infections are corrupted beyond repair.


W32.Virut.R (Symantec)

Virus Characteristics

When W32/Virut.h is executed it injects its code into running processes.

W32/Virut.h opens up backdoor on the compromised machine at port 80 (HTTP) but uses it for IRC communication.

This virus tries to connect to IRC server located at :


And joins the channel named: virtu

It can then receive commands to download and execute other malware on the infected machine. Though the download location in the commands can change, at the time of writing, the virus tried to download malware executables from: 

  • https://85.114.[REMOVED]/~grander/[MALWARE].exe





All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer"
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.


PC Infected? Get Expert Help

Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!