Multifunctional Virobot malware is not only ransomware

Virobot manages to surprise PC security experts with its numerous functions

Virobot is a multifunctional virus which can act as ransomware, a keylogger, and botnet.

Recently, security researchers discovered new ransomware-type malware called Virobot. Also known as Virobotnet, this dangerous computer virus has one surprising feature helping it to stand out from its “colleagues” and this feature is multitasking. It seems that the cyber threat can perform its hazardous activities not only as a ransomware-type virus, e.g., encrypt victims' data and make them pay the desired ransom. According to reports, malware can also work as a botnet and even a keylogger.

For the first time, the virus was spotted on the 17th of September this year. Virobot virus still seems to be under the development, but it already has features helping it to connect the infected computer system to a spam-related botnet and steal victims' keystrokes.

Main facts related to Virobot's operation as a ransomware

Taking about Virobot's functionality as ransomware, some of its components seem to be unique. This opinion was made and claimed by a security company called Trend Micro^[1]. However, the operating principle of this ransomware does not seem to have any difference from other similar threats as it uses the same techniques to perform its hazardous activity.

Once on the infected system, Virobot virus generates a unique encryption key which is kept on a remote server. The encryption code is related to the RSA cipher^[2] and can lock documents such as DOC, DOCX, TXT, PPT, PPTX, JPG, PNG, ODT, XLS, XLSX, and others. After this activity, the ransomware-type virus displays a particular ransom note which is written in the French language.

This type of message is used to announce about the secret encryption of specific victim's files and demand a particular ransom (usually Bitcoin is urged as the type of currency, but this time the virus is requesting EUR) in exchange for the decryption tool. However, malware experts find the language of the ransom message very interesting choice as the main target of this dangerous virus are US users^[3].

Virobot's French connection seems to hail from PyLocky

Experts have also found some similarities between Virobot and PyLocky ransomware^[4] which also involved a French connection and was discovered in the past month. This dangerous PyLocky virus was created as an imitation of Locky ransomware which was spreading its activity very widely and targeting people living in France. However, Virobot and PyLocky are not related to each other as experts have discovered lately.

The botnet function is strongly developed

Taking about other Virobot's functions, as we have already warned you, it can work as a keylogger and botnet. The keylogger function, according to Trend Micro, was found rather simplistic. However, the botnet function seemed to be way more effective than the keylogger one.

This module allows Virobot to download some dangerous malware from the ransomware's C&C server^[5] and secretly launch it on the infected computer system. Moreover, this function can work as a spam module also. According to malware researchers from Trend Micro, Virobot spreads malicious copies of itself through its C&C server:

The botnet capability is evidenced by its use of an infected machine’s Microsoft Outlook to send spam emails to the user’s contact list. Viro botnet will send a copy of itself or a malicious file downloaded from its C&C server.

Some good news is that the Virobot's server was taken down and the ransomware function of this dangerous cyber threat is useless as it is no longer possible to successfully encrypt files on the infected computer. If Virobot malware infects new victims' computers, it will no longer be able to make attempts against the documents that are stored on the affected PCs.

However, Virobot is not the only one which uses multitasking. There are other similar cyber threats that also include more than one module in its operating principle, for example, LokiBot or XBash. IT experts are making guesses that such “all included” viruses are going to rise again in the nearest future.