Analysis of Polymorphic File Infector Virut

Viruses like Virut are fascinating examples of self-replicating malware that have persisted for years. This analysis covers key techniques for reverse-engineering Virut, including handling self-modifying code, API resolution, and Ghidra patching.

🔗 Video Tutorial: Malware Analysis – Virut, a Polymorphic File Infector

You Should Know:

1. Dealing with Self-Modifying Code

Virut uses polymorphism to evade detection, meaning its code changes dynamically. To analyze it:
– Use a debugger like x64dbg or OllyDbg to trace execution.
– Set memory breakpoints to catch decryption routines.

# Monitor memory access in GDB (Linux)
gdb -q ./virut_sample
(gdb) watch *(unsigned int *)0x00401000   # break when the code at this address is written (a bare address would only watch a constant)
(gdb) continue

2. Creating an API Resolver in Python

Virut resolves APIs dynamically. Emulate this with Python:

import ctypes

# Example: Resolving kernel32!CreateFileA (Windows only: ctypes.windll is not available elsewhere)
kernel32 = ctypes.windll.kernel32
CreateFileA = kernel32.CreateFileA
CreateFileA.argtypes = [ctypes.c_char_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
CreateFileA.restype = ctypes.c_void_p  # HANDLE; without this the 64-bit handle is truncated to a C int
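Malware that resolves APIs dynamically usually carries a hash of the export name rather than the string, so an analyst's resolver works the other way round: hash every export of the DLL and look up the constants seen in the disassembly. The following is an added example, not code from the original post; the ROR-13 hash is an assumption (a scheme many loaders use), the export list is a constructed subset, and nothing here claims to be the hash Virut actually implements. Replace `ror13_hash` with the routine recovered from the sample's decryption stub when annotating a real binary.

```python
# Added example (not from the original post): rebuild a hash -> export-name
# table so hashed API references in disassembly can be annotated.
# ROR-13 is an assumed scheme; SAMPLE_EXPORTS is a constructed name list.
from typing import Callable, Dict, Iterable, List, Optional, Tuple

def ror13_hash(name: str) -> int:
    """Rotate-right-13 hash over the ASCII export name (assumed scheme)."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # 32-bit rotate right by 13
        h = (h + ch) & 0xFFFFFFFF
    return h

def build_hash_table(exports: Iterable[str],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Hash every export name; refuse to silently overwrite on a collision."""
    table: Dict[int, str] = {}
    for name in exports:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {name} vs {table[h]}")
        table[h] = name
    return table

def resolve(table: Dict[int, str], h: int) -> Optional[str]:
    """Return the export name for a hash constant, or None if unknown."""
    return table.get(h)

def annotate(hashes: Iterable[int], table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Map hash constants pulled from disassembly to names for markup."""
    return [(h, resolve(table, h) or "<unresolved>") for h in hashes]

# Constructed export list: a small subset of kernel32 names, for illustration only.
SAMPLE_EXPORTS = ["CreateFileA", "WriteFile", "GetVersionExA",
                  "LoadLibraryA", "GetProcAddress", "VirtualAlloc"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed "constants seen in the stub": two real hashes and one junk value.
    seen = [ror13_hash("GetVersionExA"), ror13_hash("CreateFileA"), 0xDEADBEEF]
    for h, name in annotate(seen, table):
        print(f"0x{h:08X} -> {name}")
```

On a Windows analysis box the export list can be pulled from the real kernel32.dll (for example with the pefile library) and fed to `build_hash_table` unchanged; the unresolved marker is what to look for when the hash function guess is wrong.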

3. Forcing Win10 Execution via Patching

Virut may check the OS version. Patch the check using HxD or Ghidra:
– Locate `GetVersionExA` calls.
– Modify the return values to spoof Windows 10.
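A Ghidra address is a virtual address, while HxD needs a file offset, so the practical step between "locate the call" and "modify the bytes" is walking the PE section table and patching with a backup and a sanity check on the bytes being replaced. The following is an added example, not code from the original post or from any Virut sample: the section table, image base and patch bytes (`mov eax,1 ; ret`, a generic "return success" stub) are all constructed for illustration.

```python
# Added example (not from the original post): convert a virtual address to a
# PE file offset via the section table, then patch bytes with a backup and a
# check of the bytes being overwritten. SECTIONS, IMAGE_BASE and PATCH are
# constructed values, not taken from a real Virut sample.
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

@dataclass
class Section:
    name: str
    virtual_address: int   # RVA where the section is mapped
    virtual_size: int      # VirtualSize
    raw_pointer: int       # PointerToRawData
    raw_size: int          # SizeOfRawData

def rva_to_file_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Map an RVA to a file offset; None if it is not backed by file data."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None          # virtual-only space (e.g. .bss-style tail)
            return s.raw_pointer + delta
    return None

def va_to_file_offset(sections: List[Section], va: int, image_base: int) -> Optional[int]:
    """Ghidra shows VAs; subtract the image base first."""
    return rva_to_file_offset(sections, va - image_base)

def patch_file(path: Path, offset: int, new_bytes: bytes,
               expected: Optional[bytes] = None) -> bytes:
    """Copy path -> path.bak, verify the old bytes, write the patch, return old bytes."""
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        if offset < 0 or offset + len(new_bytes) > f.tell():
            raise ValueError("patch out of bounds")
        f.seek(offset)
        old = f.read(len(new_bytes))
        if expected is not None and old != expected:
            raise ValueError(f"unexpected bytes at 0x{offset:X}: {old.hex()}")
        f.seek(offset)
        f.write(new_bytes)
    return old

# Constructed section table and image base (typical 32-bit layout, not a real sample).
SECTIONS = [Section(".text", 0x1000, 0x2000, 0x400, 0x2000),
            Section(".data", 0x3000, 0x800, 0x2400, 0x600)]
IMAGE_BASE = 0x400000
PATCH = bytes.fromhex("B801000000C3")   # mov eax,1 ; ret  (illustrative stub)

def run_demo() -> Dict[str, object]:
    """Patch a constructed all-zero dummy file at VA 0x401010 and report results."""
    fd, name = tempfile.mkstemp(suffix=".exe")
    os.close(fd)
    path = Path(name)
    path.write_bytes(bytes(0x3000))              # dummy image, all zeros
    off = va_to_file_offset(SECTIONS, 0x401010, IMAGE_BASE)
    old = patch_file(path, off, PATCH, expected=bytes(len(PATCH)))
    after = path.read_bytes()[off:off + len(PATCH)]
    backup = path.with_suffix(".exe.bak")
    kept = backup.read_bytes()[off:off + len(PATCH)]
    path.unlink(); backup.unlink()
    return {"offset": off, "old": old, "after": after, "backup": kept}

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v.hex() if isinstance(v, bytes) else hex(v))
```

The `expected` argument is the safeguard worth keeping: if the bytes at the computed offset are not the instruction Ghidra showed, the section table or image base was read wrong and the patch would corrupt something else.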

4. Ghidra Markup & Database Patching

  • Decompile Virut’s decryption stub in Ghidra.
  • Patch Ghidra’s database if analysis fails:
# Backup the Ghidra project before patching
cp -r /path/to/project /backup_location

What Undercode Say:

Polymorphic malware like Virut remains a challenge due to its adaptive nature. Key takeaways:
– Dynamic Analysis is Critical: Use debuggers to catch runtime changes.
– API Hooking Helps: Tools like Frida or Detours can intercept Virut’s API calls.
– Ghidra Scripting: Automate decryption logic with Python scripts.

Relevant Commands:

# Linux memory forensics (if Virut infects ELF); Volatility 2 Linux plugins carry the linux_ prefix
volatility -f memory_dump.raw --profile=LinuxUbuntu_5x linux_pslist
# Windows: Check for Virut artifacts (unusually large files under C:\Windows)
Get-ChildItem -Path C:\Windows\ -Recurse -Force -File -ErrorAction SilentlyContinue | Where-Object { $_.Length -gt 10MB }

Expected Output:

A fully unpacked Virut sample with annotated Ghidra disassembly, dynamic API logs, and patched execution path for modern OS compatibility.


Reported By: Karsten Hahn – Hackers Feeds