{
	"id": "14383ff3-0f37-4fb0-81b1-73be1885cad5",
	"created_at": "2026-04-06T01:30:06.454362Z",
	"updated_at": "2026-04-10T03:30:32.965485Z",
	"deleted_at": null,
	"sha1_hash": "2b5758720e94a2fdfbfa52766c9daf4ac60d8df7",
	"title": "Malware | Cooperative Efforts To Shut Down Virut Botnet | Spamhaus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44759,
	"plain_text": "Malware | Cooperative Efforts To Shut Down Virut Botnet | Spamhaus\r\nArchived: 2026-04-06 01:12:55 UTC\r\nIntroduction\r\nDuring the past few weeks, Spamhaus has worked hard to shut down a botnet called \"Virut\".\r\nVirut take down\r\nVirut is a worm that spreads through removable drives such as USB sticks and through network shares, but it also has file-infection capabilities that it uses to spread itself. Virut was first detected in 2006 and became a serious threat, with an estimated size of more than 300,000 compromised computers. The cybercriminals behind it use several dozen domain names, mainly within the .pl ccTLD (Poland) but also within the .ru ccTLD (Russia) and the .at ccTLD (Austria). These domains are registered by the operators of Virut to control the botnet. In the past few months, Virut has started to drop ZeuS (an ebanking Trojan) and Kelihos (a spambot) onto computers infected with Virut as part of the operators' Pay Per Install (PPI) business model.\r\nDue to Virut's persistence, there have already been a couple of take down efforts in the past. However, none of those efforts has been successful thus far. The most recent take down effort was in December 2012, when Spamhaus managed to have all the Virut domain names registered through various Polish registrars within the .pl ccTLD suspended. Unfortunately, the Virut botnet gang quickly managed to get the malicious botnet domain names moved to a new registrar called home.pl.\r\nIn the past few days, Spamhaus has been in close contact with the sponsoring registrar (home.pl) and the Polish Computer Emergency Response Team (CERT.pl) to get the domain names suspended. In cooperation with the Polish CERT and the registrar home.pl, we managed to get all the Virut domain names within the .pl ccTLD sinkholed.\r\nIn addition, Spamhaus reached out to the Austrian CERT and to CERT-GIB, the CERT of the Russian company Group-IB, to shut down the remaining Virut domains within the .at and .ru ccTLDs. In cooperation with Spamhaus, and based on the evidence and intelligence provided by Spamhaus, CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours.\r\nThe last remaining stronghold for the Virut C\u0026C domains is the .at ccTLD. Having alerted both nic.at and the Austrian CERT multiple times about this issue, we hope that they can soon follow the examples set by the work done with .pl and .ru.\r\nThe important role of registries and registrars\r\nThe Virut takedown effort clearly illustrates the important and meaningful role registries and registrars can play in the fight against cybercrime in general. Domains are often a critical part of malicious infrastructure, and by being proactive, registries and registrars can contribute a lot to online safety. We therefore urge registries and registrars to add clauses to their registration contracts that allow them to take action in cases where the domains involved are clearly used only for bad purposes.\r\nInternational cooperation to address cyber-threats\r\nHow long the shut-down of Virut will last this time is unknown. However, we remain committed to continuing the fight against cyber threats. The recent Virut take down is a good model for the future: the internet has no borders, and the community can only fight cybercrime successfully with international cooperation and coordination. Spamhaus will continue to work with its partners around the globe to follow its mission of protecting internet users from cyber threats.\r\nFurther reading\r\nCERT.pl: NASK shuts down dangerous Virut botnet domains\r\nSymantec: Snapshot of Virut Botnet After Interruption\r\nSymantec: W32.Virut\r\nMicrosoft: Win32/Virut\r\nSource: https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet"
	],
	"report_names": [
		"cooperative-efforts-to-shut-down-virut-botnet"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439006,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b5758720e94a2fdfbfa52766c9daf4ac60d8df7.pdf",
		"text": "https://archive.orkl.eu/2b5758720e94a2fdfbfa52766c9daf4ac60d8df7.txt",
		"img": "https://archive.orkl.eu/2b5758720e94a2fdfbfa52766c9daf4ac60d8df7.jpg"
	}
}