Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content



Also known as: Win32/Virut, Win32.Virtob, Win32.Virut, PE_VIRUT, Virus:W32/Virut, Virus.Win32.Virut

Category: Malware

Type: Virus

Platform: Windows

Variants: W32/Virut.AI!Generic, Win32.Virtob.Gen, Win32/Virut.NBP, Virus:Win32/Virut.BN, , Virut.Gen, W32/Virut.Gen, W32/Virut.AJ, W32/Virut.rem.E, PE_VIRUT.GEN, Virus:Win32/Virut.E, Win32/Virut.D, Virus.Win32.Virut.n, W32/Virut.L, Win32/Virut.Y, Win32.Virtob.3.Gen, Virus.Win32.Virut.f, W32/Virutas.gen,, W32/Vetor-A, Virus.Win32.Virut.b, PE_VIRUT.WY-1

Damage potential: Malware distribution, file corruption and loss, stolen keystrokes, system performance issues, network connectivity problems, unauthorized access, data theft


Virut is a polymorphic virus able to change itself to avoid detection. It is designed to help criminals expand their botnet, a network of “zombie” computers used in large-scale cyberattacks. After infiltrating a system, the virus connects to pre-defined IRC channels and stays dormant until it gets orders from a hacker.

Possible symptoms

Due to its many forms, Virut can affect the system differently. Some symptoms include sluggish performance, crashes, increased network traffic, and unexplained changes in system settings and configurations. However, while Virut is waiting to be activated by its owner, you may experience no changes to your system.

Sources of the infection

As is often the case, the malware usually gets onto a device as an email attachment, an infected link, or an infected file through a P2P network. From there, Virut will likely establish itself inside a system in one of the three ways:

  • The virus puts its code into an infected file and takes over once the file is launched. Then, the code unlocks a small part of the virus, which is added to the end of the file to conceal it. The virus then passes the control to the newly unlocked part.
  • Or, it can work the opposite way. First, Virut adds its code to the end of the file to avoid detection and then changes the starting point of the original file.
  • Similarly, it can find an empty space at the end of the original file, insert its code there, and redirect the program’s starting point to the malicious code. When the infected file is opened, the virus takes control, decrypts a small part of itself, and passes the control to the newly unlocked part of the virus. Lastly, the main decryptor takes over, decrypts the rest of the virus.


Due to its polymorphic nature, Virut can be challenging to detect and remove. The virus can change its code and avoid traditional detection techniques such as an antivirus scan. Virut also possesses rootkit capabilities, helping it hide itself inside the system. However, if you keep your antivirus software up to date, you’re likely to receive an alert and catch it before it reaches your device.

Other protection measures include:

  • If you suspect your device has been infected, disconnect your computer from the internet to prevent Virut from spreading itself to other devices.

  • Be careful with instant messages and emails that contain attachments you weren’t expecting. Especially, if the message does not clearly explain what was attached.

  • Enable NordVPN’s Threat Protection. It scans files for malware before they’re downloaded and can prevent Virut from ever reaching your device.

Ultimate digital security