Anatomy of Virtusis: a plague of malware destruction


Presented at Virus Bulletin 2010 by

"Since its inception, Virut (aka Virtu) has caused much trouble to network administrators and anti-virus companies alike: while the first were frequently driven into painful 'clean-up-the-mess' operations after infections, the latter have certainly been busy for some time making sure they detect every Virut life form and have a chance for an elusive VB100 award. But above all, the first victims are of course users (home users and corporations alike): recent research suggests that Virut is deeply involved in botnet operations and driven by money-making schemes such as pay-per-install, thereby acting as a multiple malware loader/installer, which is likely to transform the infected machine into a chimera of modules for credentials-stealing, keystroke-spying, search-results poisoning, spambots, rootkits and whatnot. While a lot has been said on its behaviour, complete and detailed analyses are lacking. This paper will attempt to bridge that gap and dissect this nasty piece of highly polymorphic malware, from its infection routine to its network communication protocol. Along the way, the strategies it has employed to evade AV detection consistently for years (including anti-RE tricks, polymorphic engines, entry-point obscuring techniques) will be exposed, and practical reverse engineering tips to analyse it will be detailed. Then, challenges in detecting Virut-infected generations will be discussed, and an 'alternative' detection algorithm will be presented, along with a comparison of its effectiveness against other traditional techniques (cryptanalysis/X-ray, emulation, custom decryption). Finally, we will have a glimpse into the underground business driven by Virut, showing how, to our minds, the gang behind it makes a very reasonable amount of money thanks to their nasty creation. Attack vectors will be discussed, highlighting Virut's relationships with other major botnets/malware (e.g. Grum/Tedroo, Pushdo/Cutwail, Xarvester, CoreFlood, etc.).

We hope that this comprehensive study of the Virut 'phenomenon' will enlighten the reader on the reasons why this is not your typical file infector, why it's the most prevalent one today, why it will stay on top for the next several years, and why it is bound to become the most active file infector in virus history."