Author Topic: Virut on the rise  (Read 17281 times)

evilfantasy

    Topic Starter
  • Malware Removal Specialist


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Virut on the rise
« on: February 17, 2009, 10:58:08 AM »
I've seen this 6-7 times within the last few days.

Virut spreads through every .exe, .dll and .scr and other critical files on a computer. It's polymorphic, which means it spreads faster than any antivirus can contain it. 99.99% of the time the only solution is a reformat and reinstall. Virut is so aggressive it even re-infects infected files with itself. It's a computer killer...

All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers.

In short. There is no solution for this other than a reformat and reinstall.


I edited the Topic Post for spelling...Vitut to Virut.
« Last Edit: February 21, 2009, 02:04:43 PM by patio »

BC_Programmer


    Mastermind
  • Typing is no substitute for thinking.
  • Thanked: 1140
    • Yes
    • Yes
    • BC-Programming.com
  • Certifications: List
  • Computer: Specs
  • Experience: Beginner
  • OS: Windows 11
Re: Vitut on the rise
« Reply #1 on: February 17, 2009, 11:03:23 AM »
The time wasted cleaning it manually would definitely outweigh the time to back up data, reinstall XP, reinstall programs and restore the backup, by many orders of magnitude. And without reformatting there is no way to be sure you're clean, which is probably the biggest reason to reinstall.
I was trying to dereference Null Pointers before it was cool.

evilfantasy

Re: Vitut on the rise
« Reply #2 on: February 17, 2009, 11:14:00 AM »
I tried with one computer. Threw everything I knew at it and still no joy. All of the AV vendors have a Virut removal tool but it's pretty much just a desperation move that fails.

http://www.microsoft.com/security/portal/Entry.aspx?name=Win32%2fVirut

Symptoms: The following symptoms may be indicative of a Virus:Win32/Virut infection:

    * Network traffic on TCP port 65520 with connection to IRC server proxima.ircgalaxy.pl, on channel &virtu
    * Increase in file size of infected files
    * Infected files fail during execution and have a recent modified date property

Here is a Dr. Web log. It says "Cured" but running another scanner finds just as many or more that have been re-infected. It's simply a lost cause.

Notice that these aren't just some random files. Pretty much sums it up...

mcvsrte.exe;c:\program files\mcafee.com\vso;Win32.Virut.56;Cured.;
msmsgs.exe;c:\program files\messenger;Win32.Virut.56;Cured.;
setup50.exe;c:\program files\outlook express;Win32.Virut.56;Cured.;
qttask.exe;c:\program files\quicktime;Win32.Virut.56;Cured.;
motivesb.exe;c:\program files\verizon online\smartbridge;Win32.Virut.56;Cured.;
viewpointservice.exe;c:\program files\viewpoint\common;Win32.Virut.56;Cured.;
wlsetupsvc.exe;c:\program files\windows live\installer;Win32.Virut.56;Cured.;
explorer.exe;c:\windows;Win32.Virut.56;Cured.;
imagination studio.scr;c:\windows;Win32.Virut.56;Cured.;
unregmp2.exe;c:\windows\inf;Win32.Virut.56;Cured.;
xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Cured.;
alg.exe;c:\windows\system32;Win32.Virut.56;Cured.;
cisvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
clipsrv.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ctfmon.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dllhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dmadmin.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ndis.sys;c:\windows\system32\drivers;Trojan.NtRootKit.2670;Deleted.;
dsentry.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dumprep.exe;c:\windows\system32;Win32.Virut.56;Cured.;
hpzipm12.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ie4uinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;
imapi.exe;c:\windows\system32;Win32.Virut.56;Cured.;
locator.exe;c:\windows\system32;Win32.Virut.56;Cured.;
logon.scr;c:\windows\system32;Win32.Virut.56;Cured.;
logonui.exe;c:\windows\system32;Win32.Virut.56;Cured.;
mnmsrvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msdtc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msiexec.exe;c:\windows\system32;Win32.Virut.56;Cured.;
netdde.exe;c:\windows\system32;Win32.Virut.56;Cured.;
nmssvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ntsd.exe;c:\windows\system32;Win32.Virut.56;Cured.;
nwiz.exe;c:\windows\system32;Win32.Virut.56;Cured.;
regsvr32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
rsvp.exe;c:\windows\system32;Win32.Virut.56;Cured.;
rundll32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
scardsvr.exe;c:\windows\system32;Win32.Virut.56;Cured.;
sessmgr.exe;c:\windows\system32;Win32.Virut.56;Cured.;
shmgrate.exe;c:\windows\system32;Win32.Virut.56;Cured.;
smlogsvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
spoolsv.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ssmypics.scr;c:\windows\system32;Win32.Virut.56;Cured.;
svchost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ups.exe;c:\windows\system32;Win32.Virut.56;Cured.;
userinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;
vssvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
wmiapsrv.exe;c:\windows\system32\wbem;Win32.Virut.56;Cured.;
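
A way to triage scan logs like the one above, as an added example that is not part of the original post: it parses the `file;directory;detection;action;` layout, compares two scan passes, and lists files reported "Cured" that are detected again. The sample lines are constructed, the second pass is assumed to use the same layout, and the `rebuild` flag is a hypothetical rule encoding the thread's advice.

```python
from collections import Counter
from ntpath import join, normcase  # Windows path rules, usable on any OS

# Constructed sample in the layout of the Dr. Web log above.
FIRST_PASS = """\
explorer.exe;c:\\windows;Win32.Virut.56;Cured.;
svchost.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
userinit.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
ndis.sys;c:\\windows\\system32\\drivers;Trojan.NtRootKit.2670;Deleted.;
qttask.exe;c:\\program files\\quicktime;Win32.Virut.56;Cured.;
"""
# Constructed later pass; same layout is an assumption (real scanners differ).
SECOND_PASS = """\
SVCHOST.EXE;C:\\WINDOWS\\system32;Win32.Virut.56;Cured.;
userinit.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
winlogon.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
"""

def parse(log):
    """Yield (full_path, detection, action) per well-formed line; skip the rest."""
    for line in log.splitlines():
        fields = [f.strip() for f in line.strip().rstrip(";").split(";")]
        if len(fields) != 4 or not all(fields):
            continue  # truncated or malformed line
        name, directory, detection, action = fields
        # normcase lowercases so SVCHOST.EXE and svchost.exe compare equal
        yield normcase(join(directory, name)), detection, action.rstrip(".").lower()

def triage(first, second, system_root="c:\\windows"):
    one, two = list(parse(first)), list(parse(second))
    seen_first = {path for path, _, _ in one}
    cured = {path for path, _, action in one if action == "cured"}
    prefix = normcase(system_root) + "\\"
    reinfected = sorted(path for path, _, _ in two if path in cured)
    system = sorted({p for p, _, _ in one + two if p.startswith(prefix)})
    return {
        "detections": Counter(d for _, d, _ in one + two),
        "reinfected": reinfected,  # "Cured" earlier, detected again later
        "newly_infected": sorted(p for p, _, _ in two if p not in seen_first),
        "system_files": system,
        # Hypothetical rule: re-infection or infected OS binaries means rebuild.
        "rebuild": bool(reinfected or system),
    }

if __name__ == "__main__":
    for key, value in triage(FIRST_PASS, SECOND_PASS).items():
        print(key, value)
```
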

BC_Programmer


Re: Vitut on the rise
« Reply #3 on: February 17, 2009, 11:46:53 AM »
Basically the only way is to delete and copy all infected files (somehow, ALL at once, too) from the install media. Only way to really do that is to reinstall; as you say, any other method is not only not worth the effort but a lost cause.

evilfantasy

Re: Vitut on the rise
« Reply #4 on: February 19, 2009, 11:05:46 AM »
I've seen more than one reference now that this new outbreak is coming from a torrent, probably hosted on multiple file sharing sites. More fuel for my P2P rants... :D

Wefro_froyas



    Hopeful

    Thanked: 2
    Re: Vitut on the rise
    « Reply #5 on: February 19, 2009, 01:07:34 PM »
    I use torrent programs. Will it affect every torrent file? Like all of the websites?

    BC_Programmer


    Re: Vitut on the rise
    « Reply #6 on: February 19, 2009, 01:09:03 PM »
    Quote
    I use torrent programs. Will it affect every torrent file? Like all of the websites?

    No. But somebody has placed the trojan into a torrent... Probably more than one.

    Likely a "Crack" program, seems to be a recurring theme with the victims.

    Wefro_froyas



      Re: Vitut on the rise
      « Reply #7 on: February 19, 2009, 01:13:39 PM »
      oh well I scan my files before use.

      kpac

      • Web moderator


      • Hacker

      • kpac®
      • Thanked: 184
        • Yes
        • Yes
        • Yes
      • Certifications: List
      • Computer: Specs
      • Experience: Expert
      • OS: Windows 7
      Re: Vitut on the rise
      « Reply #8 on: February 20, 2009, 02:06:28 AM »
      Quote
      oh well I scan my files before use.

      That won't do much!

      patio

      • Moderator


      • Genius
      • Maud' Dib
      • Thanked: 1769
        • Yes
      • Experience: Beginner
      • OS: Windows 7
      Re: Vitut on the rise
      « Reply #9 on: February 20, 2009, 01:49:43 PM »
      Quote
      oh well I scan my files before use.

      We'll seeya in the Virus and Spyware section sometime soon...
      " Anyone who goes to a psychiatrist should have his head examined. "

      Wefro_froyas



        Re: Vitut on the rise
        « Reply #10 on: February 20, 2009, 02:50:36 PM »
        Quote
        oh well I scan my files before use.

        Quote
        We'll seeya in the Virus and Spyware section sometime soon...

        Sure Hopenot : X

        evilfantasy

        Re: Vitut on the rise
        « Reply #11 on: February 21, 2009, 09:36:58 AM »
        I know it's definitely coming from p2p now. One site is saying they are at about 40% of their users infected with Virut right now in the malware forum. Since it also spreads via IRC the longer they wait to wipe the drive the more users there are getting infected. Shared folders....

        Waiting or trying to clean it just gives it that much longer to infect others.

        If you see one file infected with Virut immediately disconnect from the Internet and start reformatting then reinstall. This probably won't go away any time soon.

        centrusst

        • Guest
        Re: Vitut on the rise
        « Reply #12 on: February 21, 2009, 11:57:49 AM »
        I'm with EvilFantasy on this one - got this on a machine at work... spent two days working on it. There is essentially no hope... and even if you thought you got all of it... would you still trust your system?

        This is a nasty bugger that most AV & malware scanners do not even pick up... even after being infected over 4 days ago. Dr Web Scanner did the best, along with a scan by Avast upon reboot. Creating a boot disk with the latest AV scanner is about the only way to go - I'm only trying to get the computer clean so I can get some needed files off.

        The next time I connect this computer to the network will be after a total wipe and rebuild.

        This infected a firewalled machine with the latest Windows updates and a full AV/Spyware package installed and running. User clicked on a bad web link... got the infamous blue screen of death. Upon restart, the system was infected and trying to spew TCP traffic all over. Firewall was still a problem because it infects system files that most firewalls allow on the net by default.

        Bad mojo.

        evilfantasy

        Re: Vitut on the rise
        « Reply #13 on: February 21, 2009, 12:55:05 PM »
        I'm seeing more and more chatter about this every day now.

        Quote
        Discovered: April 11, 2007

        Latest Rapid Release version February 10, 2009 revision 024

        It had over 600 Houston City computers offline for several days.

        Most major AV vendors have supposedly updated their software to prevent this new version. Doesn't do much for anyone already infected though.

        Wefro_froyas



          Re: Virut on the rise
          « Reply #14 on: February 21, 2009, 06:55:40 PM »
          U guyz better Download Al yer Warez, Mp3's and pronz before Virut gets yah.