
Author Topic: Virut on the rise  (Read 17277 times)


evilfantasy

    Topic Starter
  • Malware Removal Specialist
Virut on the rise
« on: February 17, 2009, 10:58:08 AM »
I've seen this 6-7 times within the last few days.

Virut spreads through every .exe, .dll and .scr and other critical files on a computer. It's polymorphic, which means it spreads faster than any antivirus can contain it. 99.99% of the time the only solution is a reformat and reinstall. Virut is so aggressive it even re-infects infected files with itself. It's a computer killer...

All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers.

In short, there is no solution for this other than a reformat and reinstall.


I edited the Topic Post for spelling...Vitut to Virut.
« Last Edit: February 21, 2009, 02:04:43 PM by patio »

BC_Programmer

    Mastermind
Re: Virut on the rise
« Reply #1 on: February 17, 2009, 11:03:23 AM »
The time wasted cleaning it manually would definitely outweigh the time to back up data, reinstall XP, reinstall programs and restore the backup, by many orders of magnitude. And without reformatting there is no way to be sure you're clean, which is probably the biggest reason to reinstall.
I was trying to dereference Null Pointers before it was cool.

evilfantasy

    Topic Starter
  • Malware Removal Specialist
Re: Virut on the rise
« Reply #2 on: February 17, 2009, 11:14:00 AM »
I tried with one computer. Threw everything I knew at it and still no joy. All of the AV vendors have a Virut removal tool but it's pretty much just a desperation move that fails.

http://www.microsoft.com/security/portal/Entry.aspx?name=Win32%2fVirut

Symptoms: The following symptoms may be indicative of a Virus:Win32/Virut infection:

    * Network traffic on TCP port 65520 with connection to IRC server proxima.ircgalaxy.pl, on channel &virtu
    * Increase in file size of infected files
    * Infected files fail during execution and have a recent modified date property

Here is a Dr. Web log. It says "Cured" but running another scanner finds just as many or more that have been re-infected. It's simply a lost cause.

Notice that these aren't just some random files. Pretty much sums it up...

mcvsrte.exe;c:\program files\mcafee.com\vso;Win32.Virut.56;Cured.;
msmsgs.exe;c:\program files\messenger;Win32.Virut.56;Cured.;
setup50.exe;c:\program files\outlook express;Win32.Virut.56;Cured.;
qttask.exe;c:\program files\quicktime;Win32.Virut.56;Cured.;
motivesb.exe;c:\program files\verizon online\smartbridge;Win32.Virut.56;Cured.;
viewpointservice.exe;c:\program files\viewpoint\common;Win32.Virut.56;Cured.;
wlsetupsvc.exe;c:\program files\windows live\installer;Win32.Virut.56;Cured.;
explorer.exe;c:\windows;Win32.Virut.56;Cured.;
imagination studio.scr;c:\windows;Win32.Virut.56;Cured.;
unregmp2.exe;c:\windows\inf;Win32.Virut.56;Cured.;
xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Cured.;
alg.exe;c:\windows\system32;Win32.Virut.56;Cured.;
cisvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
clipsrv.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ctfmon.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dllhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dmadmin.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ndis.sys;c:\windows\system32\drivers;Trojan.NtRootKit.2670;Deleted.;
dsentry.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dumprep.exe;c:\windows\system32;Win32.Virut.56;Cured.;
hpzipm12.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ie4uinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;
imapi.exe;c:\windows\system32;Win32.Virut.56;Cured.;
locator.exe;c:\windows\system32;Win32.Virut.56;Cured.;
logon.scr;c:\windows\system32;Win32.Virut.56;Cured.;
logonui.exe;c:\windows\system32;Win32.Virut.56;Cured.;
mnmsrvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msdtc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msiexec.exe;c:\windows\system32;Win32.Virut.56;Cured.;
netdde.exe;c:\windows\system32;Win32.Virut.56;Cured.;
nmssvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ntsd.exe;c:\windows\system32;Win32.Virut.56;Cured.;
nwiz.exe;c:\windows\system32;Win32.Virut.56;Cured.;
regsvr32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
rsvp.exe;c:\windows\system32;Win32.Virut.56;Cured.;
rundll32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
scardsvr.exe;c:\windows\system32;Win32.Virut.56;Cured.;
sessmgr.exe;c:\windows\system32;Win32.Virut.56;Cured.;
shmgrate.exe;c:\windows\system32;Win32.Virut.56;Cured.;
smlogsvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
spoolsv.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ssmypics.scr;c:\windows\system32;Win32.Virut.56;Cured.;
svchost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ups.exe;c:\windows\system32;Win32.Virut.56;Cured.;
userinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;
vssvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
wmiapsrv.exe;c:\windows\system32\wbem;Win32.Virut.56;Cured.;
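Added example (not code from the thread or from Dr.Web): a small Python parser for the semicolon-separated log format above, with a triage summary that counts detections by family and scanner action and pulls out the hits on boot-critical binaries. The sample log is a constructed subset of the lines in this post; the list of boot-critical names is an assumption of the example, not something the log provides.

```python
"""Triage a Dr.Web CureIt! log of the kind pasted in Reply #2.

Every line has the shape  name;directory;detection;action;  and the scanner
reports Virut-infected files as "Cured." rather than deleted. The functions
below parse that format and answer the question the thread keeps coming back
to: how much of the core OS did the infector touch, and is there anything a
scanner's "Cured" can make trustworthy again?
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: eight lines copied from the log in the post (the real
# log is 47 lines; the shape is identical).
SAMPLE_LOG = """\
mcvsrte.exe;c:\\program files\\mcafee.com\\vso;Win32.Virut.56;Cured.;
qttask.exe;c:\\program files\\quicktime;Win32.Virut.56;Cured.;
explorer.exe;c:\\windows;Win32.Virut.56;Cured.;
ndis.sys;c:\\windows\\system32\\drivers;Trojan.NtRootKit.2670;Deleted.;
spoolsv.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
svchost.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
userinit.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;
wmiapsrv.exe;c:\\windows\\system32\\wbem;Win32.Virut.56;Cured.;
"""

# Binaries that run before any user-mode scanner does (assumption: a
# practitioner's short list, not something the scanner log tells you).
BOOT_CRITICAL = {
    "explorer.exe", "userinit.exe", "svchost.exe", "winlogon.exe",
    "spoolsv.exe", "ndis.sys",
}


@dataclass(frozen=True)
class Hit:
    name: str
    directory: str
    detection: str
    action: str

    @property
    def path(self) -> str:
        return str(PureWindowsPath(self.directory) / self.name)


def parse_drweb_log(text: str) -> list[Hit]:
    """Parse 'name;directory;detection;action;' lines; blank lines are skipped."""
    hits: list[Hit] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4:
            raise ValueError(f"malformed log line: {raw!r}")
        name, directory, detection, action = fields[:4]
        # Normalise: lower-case the path parts, drop the trailing '.' on the action.
        hits.append(Hit(name.lower(), directory.lower(), detection, action.rstrip(".")))
    return hits


def summarize(hits: list[Hit]) -> dict:
    """Counts by family and action, plus the hits that sit in the OS itself."""
    by_family = Counter(h.detection for h in hits)
    by_action = Counter(h.action for h in hits)
    windows_dir = [h for h in hits if h.directory.startswith("c:\\windows")]
    critical = sorted(h.path for h in hits if h.name in BOOT_CRITICAL)
    virut = any(h.detection.lower().startswith("win32.virut") for h in hits)
    return {
        "total": len(hits),
        "by_family": dict(by_family),
        "by_action": dict(by_action),
        "windows_dir_hits": len(windows_dir),
        "boot_critical_hit": critical,
        # The thread's rule: one Virut hit, or any hit on a boot-critical
        # binary, and the only trustworthy fix is a wipe and reinstall.
        "rebuild": virut or bool(critical),
    }


if __name__ == "__main__":
    report = summarize(parse_drweb_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over a full log with `summarize(parse_drweb_log(open(path).read()))`. The point of the `rebuild` flag is the same one this post makes with the second scan: a scanner reporting explorer.exe or userinit.exe as "Cured" is not evidence that the machine can be trusted.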

BC_Programmer

    Mastermind
Re: Virut on the rise
« Reply #3 on: February 17, 2009, 11:46:53 AM »
Basically the only way is to delete and copy all infected files (somehow, ALL at once, too) from the install media. The only way to really do that is to reinstall; as you say, any other method is not only not worth the effort but a lost cause.

evilfantasy

    Topic Starter
  • Malware Removal Specialist
Re: Virut on the rise
« Reply #4 on: February 19, 2009, 11:05:46 AM »
I've seen more than one reference now that this new outbreak is coming from a torrent, probably hosted on multiple file sharing sites. More fuel for my P2P rants... :D

Wefro_froyas

    Hopeful
    Re: Virut on the rise
    « Reply #5 on: February 19, 2009, 01:07:34 PM »
    I use torrent programs; will it affect every torrent file? Like all of the websites?

    BC_Programmer

      Mastermind
    Re: Virut on the rise
    « Reply #6 on: February 19, 2009, 01:09:03 PM »
    I use torrent programs; will it affect every torrent file? Like all of the websites?

    No. But somebody has placed the trojan into a torrent... Probably more than one.

    Likely a "Crack" program, seems to be a recurring theme with the victims.

    Wefro_froyas

      Hopeful
      Re: Virut on the rise
      « Reply #7 on: February 19, 2009, 01:13:39 PM »
      oh well I scan my files before use.

      kpac

      • Web moderator
      Re: Virut on the rise
      « Reply #8 on: February 20, 2009, 02:06:28 AM »
      oh well I scan my files before use.

      That won't do much!

      patio

      • Moderator
      Re: Virut on the rise
      « Reply #9 on: February 20, 2009, 01:49:43 PM »
      oh well I scan my files before use.

      We'll seeya in the Virus and Spyware section sometime soon...
      " Anyone who goes to a psychiatrist should have his head examined. "

      Wefro_froyas

        Hopeful
        Re: Virut on the rise
        « Reply #10 on: February 20, 2009, 02:50:36 PM »
        oh well I scan my files before use.

        We'll seeya in the Virus and Spyware section sometime soon...

        Sure hope not :X

        evilfantasy

          Topic Starter
        • Malware Removal Specialist
        Re: Virut on the rise
        « Reply #11 on: February 21, 2009, 09:36:58 AM »
        I know it's definitely coming from p2p now. One site is saying they are at about 40% of their users infected with Virut right now in the malware forum. Since it also spreads via IRC the longer they wait to wipe the drive the more users there are getting infected. Shared folders....

        Waiting or trying to clean it just gives it that much longer to infect others.

        If you see one file infected with Virut immediately disconnect from the Internet and start reformatting then reinstall. This probably won't go away any time soon.

        centrusst

        • Guest
        Re: Virut on the rise
        « Reply #12 on: February 21, 2009, 11:57:49 AM »
        I'm with EvilFantasy on this one. Got this on a machine at work...spent two days working on it. There is essentially no hope...and even if you thought you got all of it, would you still trust your system?

        This is a nasty bugger that most AV & malware scanners do not even pick up...even after being infected over 4 days ago. Dr Web Scanner did the best, along with a scan by Avast upon reboot. Creating a boot disk with the latest AV scanner is about the only way to go. I'm only trying to get the computer clean so I can get some needed files off.

        The next time I connect this computer to the network will be after a total wipe and rebuild.

        This infected a firewalled machine with the latest Windows updates and a full AV/spyware package installed and running. User clicked on a bad web link...got the infamous blue screen of death. Upon restart, the system was infected and trying to spew TCP traffic all over. The firewall was still a problem because it infects system files that most firewalls allow on the net by default.

        Bad mojo.
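Added example, not from this post or from Microsoft: the three network indicators quoted in Reply #2 (TCP/65520, proxima.ircgalaxy.pl, channel &virtu) turned into detection logic over per-process connection records, with one extra heuristic for exactly the situation described here, an OS binary that the firewall trusts by default starting an IRC handshake, which a port- or host-only rule misses. The record format and the sample lines are constructed for the example; the process image names are the ones the Dr.Web log in Reply #2 lists as infected.

```python
"""Hunt for the Virut IRC-backdoor indicators Microsoft lists earlier in the
thread (TCP/65520, proxima.ircgalaxy.pl, channel &virtu) in per-process
connection records.

The record format is constructed for this example (timestamp, process image,
destination host, destination port, first payload line) and is not any
vendor's log format. The image names come from the Dr.Web log in Reply #2:
Virut lives inside svchost.exe, spoolsv.exe and friends, which is why a
firewall that allows those images out by default does not help.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

IOC_HOST = "proxima.ircgalaxy.pl"
IOC_PORT = 65520
IOC_CHANNEL = "&virtu"
# First line of an IRC client handshake: NICK / USER / JOIN.
IRC_HANDSHAKE = re.compile(r"^(NICK|USER|JOIN)\b", re.IGNORECASE)

# Constructed sample records: the first two mirror the connection Microsoft
# describes, the last is the same port to an address the IOC list does not name.
SAMPLE_RECORDS = """\
2009-02-21T10:02:11,c:\\windows\\system32\\svchost.exe,proxima.ircgalaxy.pl,65520,NICK kvbz81
2009-02-21T10:02:12,c:\\windows\\system32\\svchost.exe,proxima.ircgalaxy.pl,65520,JOIN &virtu
2009-02-21T10:03:40,c:\\windows\\explorer.exe,update.microsoft.com,443,
2009-02-21T10:04:02,c:\\program files\\mozilla firefox\\firefox.exe,example.org,80,GET / HTTP/1.1
2009-02-21T10:05:19,c:\\windows\\system32\\spoolsv.exe,203.0.113.7,65520,
"""


@dataclass(frozen=True)
class Alert:
    when: str
    image: str
    host: str
    port: int
    reasons: tuple[str, ...]


def is_os_binary(image: str) -> bool:
    """Images under the Windows directory are what 'allow by default' rules trust."""
    return image.lower().startswith("c:\\windows\\")


def analyse(record_text: str) -> list[Alert]:
    """One Alert per record that matches at least one indicator."""
    alerts: list[Alert] = []
    for raw in record_text.splitlines():
        if not raw.strip():
            continue
        when, image, host, port_s, payload = raw.split(",", 4)
        port = int(port_s)
        reasons = []
        if host.lower() == IOC_HOST:
            reasons.append(f"known C2 host {IOC_HOST}")
        if port == IOC_PORT:
            reasons.append(f"C2 port tcp/{IOC_PORT}")
        if IOC_CHANNEL in payload:
            reasons.append(f"join to IRC channel {IOC_CHANNEL}")
        if IRC_HANDSHAKE.match(payload) and is_os_binary(image):
            # An OS binary speaking IRC is wrong on its own, whatever the port:
            # this catches the backdoor even when the server or port changes.
            reasons.append("IRC handshake from an OS binary")
        if reasons:
            alerts.append(Alert(when, image, host, port, tuple(reasons)))
    return alerts


def suspect_images(alerts: list[Alert]) -> list[str]:
    """Distinct process images behind the alerts: these are the files Virut is in."""
    return sorted({a.image for a in alerts})


if __name__ == "__main__":
    found = analyse(SAMPLE_RECORDS)
    for a in found:
        print(f"{a.when} {a.image} -> {a.host}:{a.port}: " + "; ".join(a.reasons))
    print("suspect images:", suspect_images(found))
```

The host and port checks are the cheap, brittle part; the handshake-from-an-OS-binary check is the one that survives the operators moving the server, and it is the reason per-process connection logging matters more than a perimeter firewall here.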

        evilfantasy

          Topic Starter
        • Malware Removal Specialist
        Re: Virut on the rise
        « Reply #13 on: February 21, 2009, 12:55:05 PM »
        I'm seeing more and more chatter about this every day now.

        Quote
        Discovered: April 11, 2007

        Latest Rapid Release version February 10, 2009 revision 024

        It had over 600 Houston City computers offline for several days.

        Most major AV vendors have supposedly updated their software to prevent this new version. Doesn't do much for anyone already infected though.

          Wefro_froyas

            Hopeful
          Re: Virut on the rise
          « Reply #14 on: February 21, 2009, 06:55:40 PM »
          U guyz better Download Al yer Warez, Mp3's and pronz before Virut gets yah.

          Wefro_froyas

            Hopeful
            Re: Virut on the rise
            « Reply #15 on: February 21, 2009, 07:41:10 PM »
            By any chance, evilfantasy, is it possible to contract the virus by going to an IRC channel?

            evilfantasy

              Topic Starter
            • Malware Removal Specialist
            Re: Virut on the rise
            « Reply #16 on: February 21, 2009, 07:59:40 PM »
            Possibly. If you visit a page which injects code through your browser then it's completely possible.

            See here: Under the Hood: Virut. I love the first line. "Virut is a weird freak amongst malware."

            Oh and an update from the first post. This new version is also infecting every mp3, doc, dll and on and on... :-\

              Wefro_froyas

                Hopeful
              Re: Virut on the rise
              « Reply #17 on: February 21, 2009, 08:04:00 PM »
              Should NoScript stop that?

              evilfantasy

                Topic Starter
              • Malware Removal Specialist
              Re: Virut on the rise
              « Reply #18 on: February 21, 2009, 08:07:48 PM »
              That would be a good start as far as the browser is concerned.

              BC_Programmer

                Mastermind
              Re: Virut on the rise
              « Reply #19 on: February 21, 2009, 08:46:28 PM »
              "Virut is a weird freak amongst malware."

              That actually isn't 100% true- there have been a few file infecting viruses with IRC and networking capabilities built in- in fact the author of a book studying viruses and how they work had one as an example.

              Interestingly enough, he submitted all his virus code to anti-malware authors/companies, in the hopes that they would add his virus signatures to prevent anybody doing anything malicious with them- it took most vendors over a year after publication before the AVs were catching them  :o

              Obviously none have been as widespread.

              evilfantasy

                Topic Starter
              • Malware Removal Specialist
              Re: Virut on the rise
              « Reply #20 on: February 21, 2009, 09:05:08 PM »
              The explosion of p2p use has a lot to do with how rapid and widespread viruses are now. People and antivirus vendors caught on to email/chat attachments pretty fast, so many are able to avoid the malware spread through such means. With p2p all it takes is uploading the latest cracked version of a hot game, movie or CD to a single host site and it takes off like wildfire throughout the rest of the torrent sites and ultimately to the user.

              patio

              • Moderator
              Re: Virut on the rise
              « Reply #21 on: February 21, 2009, 11:52:51 PM »
              IM is the new horizon for infections.

              BC_Programmer

                Mastermind
              Re: Virut on the rise
              « Reply #22 on: February 22, 2009, 09:29:05 AM »
              IM is the new horizon for infections.

              Which brings up an interesting story.

              Yesterday somebody added me to MSN, so I figured, alright, I'll give them a chance.

              Immediately they sign in and ask for "help with VB" or something, and attach a zip.

              So I transfer it, unzip it... and it's an EXE file.

              They claimed it was their Visual Basic program. Can't remember exactly what they said was "wrong" with it, but I found a few things interesting when I opened the file with dependency viewer.

              In that it wasn't dependent on any VB runtime. This was a very strange VB program indeed! Additionally, viewing the resources revealed some untyped data that looked to be some sort of executable (in that it started with MZ).

              But I decided to play along with them (I didn't run the program, I'm just messing with them. Great fun)...
              <Names are changed to protect the innocent>

              Them:"Did you open it?"

              Me:"Yeah. It just opened a command window, and then closed."

              Me:"hmm. looks like I got infected somehow."

              Them:"PWNED"

              Me:"how?"

              Them:"It was my trojan >:)"

              Me:"Oh, it's a good thing I didn't run it then. I kind of figured out it wasn't a VB program like you claimed."

              Them:"I'm kidding I really need help with C++. Can you run it and check for me"

              Me:F---- off.


              (deletes contact)


              So, all in all, I got some entertainment for a few minutes anyway.
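Added example (my own code, not BC_Programmer's): the two checks done above by hand in dependency viewer, scripted. `imports_vb_runtime` looks for the VB runtime DLL name that a real VB6 binary imports, and `find_pe_headers` looks for a second `MZ` stub whose e_lfanew field points at a `PE\0\0` signature, which is how an executable stashed in the resources shows up. The two PE images are constructed in memory by the example's own `make_pe` helper, and the string search for the runtime name stands in for parsing the import table.

```python
"""Do by script what Reply #22 did by hand with Dependency Viewer: check
whether a file that claims to be a Visual Basic program really imports the VB
runtime, and whether it carries a second executable inside it (the 'untyped
data starting with MZ' seen in the resources). Added example; the PE images
are constructed in memory and are not real samples.
"""
from __future__ import annotations

import struct

VB_RUNTIMES = (b"MSVBVM60.DLL", b"MSVBVM50.DLL")


def find_pe_headers(data: bytes, start: int = 0) -> list[int]:
    """Offsets at or after `start` where an 'MZ' stub points at a valid 'PE\\0\\0'.

    A bare 'MZ' is a common byte pair; requiring e_lfanew (at +0x3C) to land
    on the PE signature is what separates an embedded executable from noise.
    """
    found = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def imports_vb_runtime(data: bytes) -> bool:
    """Approximation: the import directory stores DLL names as ASCII, so a
    string search for the VB6/VB5 runtime name stands in for parsing it."""
    upper = data.upper()
    return any(name in upper for name in VB_RUNTIMES)


def triage(data: bytes, claimed_vb: bool = True) -> dict:
    """Decide whether a file that was sent as 'my VB program' looks like one."""
    headers = find_pe_headers(data)
    is_pe = bool(headers) and headers[0] == 0
    embedded = [off for off in headers if off != 0]
    has_vb = imports_vb_runtime(data)
    return {
        "is_pe": is_pe,
        "imports_vb_runtime": has_vb,
        "embedded_pe_offsets": embedded,
        # Either finding alone is enough to refuse to run the file.
        "suspicious": is_pe and ((claimed_vb and not has_vb) or bool(embedded)),
    }


def make_pe(imports: bytes, extra: bytes = b"") -> bytes:
    """Build a minimal PE-shaped byte string (constructed test data only):
    MZ stub, e_lfanew = 0x80, PE signature, then the import names and `extra`."""
    stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x80)
    stub += b"\0" * (0x80 - len(stub))
    return stub + b"PE\0\0" + imports + extra


# A genuine VB6 program imports the runtime and carries nothing else.
VB_PROGRAM = make_pe(b"MSVBVM60.DLL\0KERNEL32.DLL\0")
# The 'help with VB' attachment: no VB runtime, and a second PE in its resources.
DROPPER = make_pe(b"KERNEL32.DLL\0", extra=b"RCDATA" + make_pe(b"WS2_32.DLL\0"))

if __name__ == "__main__":
    print("vb program:", triage(VB_PROGRAM))
    print("dropper:   ", triage(DROPPER))
```

On a real file, `triage(open(path, "rb").read())` gives the same answer the post reached by eye: a "VB program" with no VB runtime import and a second executable inside is a dropper, and the right response is not to run it.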

                Wefro_froyas

                  Hopeful
                Re: Virut on the rise
                « Reply #23 on: February 22, 2009, 11:12:52 AM »
                Yesterday somebody added me to MSN, so I figured, alright, I'll give them a chance. [...] So, all in all, I got some entertainment for a few minutes anyway.

                Lol nice I wish that kind of stuff would happen to me.

                kizza1645

                • Guest
                Re: Virut on the rise
                « Reply #24 on: February 25, 2009, 02:05:19 AM »
                How do I get a copy of this so-called Virut?

                Just want to test one out on my virtual pc.
                See if i can stop it.

                BC_Programmer

                  Mastermind
                Re: Virut on the rise
                « Reply #25 on: February 25, 2009, 03:06:48 AM »
                How do I get a copy of this so-called Virut?

                Just want to test one out on my virtual pc.
                See if i can stop it.


                 ::)

                See if you can stop it. Yeah, using your "hacker skills", which probably pretty much end at being able to show hidden files/folders.

                How would you stop it? There is no feasible attack vector to stop it.

                If EvilFantasy says a reformat/reinstall is required, you're wasting your time.

                kizza1645

                • Guest
                Re: Virut on the rise
                « Reply #26 on: February 25, 2009, 11:51:52 PM »
                If EvilFantasy says a reformat/reinstall is required, you're wasting your time.

                well i at least want to watch what happens.....

                evilfantasy

                  Topic Starter
                • Malware Removal Specialist
                Re: Virut on the rise
                « Reply #27 on: February 26, 2009, 09:32:11 AM »

                well i at least want to watch what happens.....

                See here: Under the Hood: Virut.