29 replies to this topic

[rdmtech]

I've been battling this malware for almost a week now. It goes by the following names:


* W32.Virut.CF [Symantec]
* Virus.Win32.Virut.ce [Kaspersky Lab]
* W32/Virut.n [McAfee]
* PE_VIRUX.A [Trend Micro]
* W32/Scribble-A [Sophos]
* Virus:Win32/Virut.BM [Microsoft]
* Trojan.Win32.Patched [Ikarus]

ThreatExpert Report

Has anyone run into this piece of malware and can you provide some information on cleaning the workstations. We have hundreds of workstations infected and I would prefer to disinfect rather than reload.

Thanks in advanced!

[Lusitano]

This is not the right place. Anyway, that virus, it's an append virus, like old DOS viruses. It appends its code to executables. Most AV software can disinfect it.

[danf0x]

Lusitano, on Feb 11 2009, 06:33 AM, said:

This is not the right place. Anyway, that virus, it's an append virus, like old DOS viruses. It appends its code to executables. Most AV software can disinfect it.

I hate to break it to you but that is not all this virus does. To help the OP my company has opened a ticket with kaspersky to find out how the virus replicates as we redid a machine and it wasn't on the network and has a fresh install of windows yet it still picked up the virus. I know for sure no one accidentally put it on the network because the network card is not even installed. We also contacted trend micro and mcafee and no one has a solution for this virus yet.

[Kythos]

danf0x, on Feb 11 2009, 09:01 PM, said:

I hate to break it to you but that is not all this virus does. To help the OP my company has opened a ticket with kaspersky to find out how the virus replicates as we redid a machine and it wasn't on the network and has a fresh install of windows yet it still picked up the virus. I know for sure no one accidentally put it on the network because the network card is not even installed. We also contacted trend micro and mcafee and no one has a solution for this virus yet.

Hey there,

We have been battling this virus on a few different pc's in the past few days so to add to this the virus will propogate to any available removable media, further information has been gathered here

http://www.publicsafety.gc.ca/prg/em/ccirc...09-007-eng.aspx

we have cleaned this virus off of 2 machines successfully but failed on 2 others, it seems that if the infection malfunctions and starts corrupting files, recovery of the system without a re & re currently seems unlikely until further information about the infection has been discovered

a download to the ms patch mentioned in the previous article can be found here

http://www.microsoft.com/downloads/details...;displaylang=en

Hope this helps move this thread along

[Kythos]

danf0x, on Feb 11 2009, 09:01 PM, said:

I hate to break it to you but that is not all this virus does. To help the OP my company has opened a ticket with kaspersky to find out how the virus replicates as we redid a machine and it wasn't on the network and has a fresh install of windows yet it still picked up the virus. I know for sure no one accidentally put it on the network because the network card is not even installed. We also contacted trend micro and mcafee and no one has a solution for this virus yet.

As an amendment to my previous post these instructions have been created by symantec

http://www.precisese...ats/w32virutcf/

whether they actually help out or not has yet to be decided

[Rent@Geek]

Kythos, on Feb 11 2009, 03:06 PM, said:

As an amendment to my previous post these instructions have been created by symantec

http://www.precisese...ats/w32virutcf/

whether they actually help out or not has yet to be decided

I have been working on a removal strategy overnight and what I have come up with is this:

This bugger propagates FAST! It moves through network shares and infects thumdrives instantly injecting its code into the autorun.inf file so that if you move a key from machine to machine you are spreading this virus.
The ONLY technique that I have had any success with is to make a UBCD with Dr Web cure IT on it and boot to the UBCD. Run Cure IT with the latest definitions (it seems like this program is the one that will cure the infected files not delete them) Many antivirus and antimalware programs will detect and delete the infected file, but since Virut infects tons of .exe files, deleting them will leave you with a non running system. An important thing to note is that this virus will remain in memory between reboots so make sure you are shutting the system down completely between passes. After the first pass of Cure IT, shut the machine down completely and after 5 minutes or so boot to ubcd again and run cure it again. If it is clean shut the machine down, make sure you are disconnected from the internet and start the machine up. Install Avast and run a pre-boot scan. This should come up fairly clean provided that the machine was not infected for too long. If that seems fine then install and run Malwarebytes Antimalware and Spybot making sure to immunize with spybot. If you are still running congrats - you may have beaten the virut infection, make sure you have all of your windows updates and, with any luck, you should be virut free.

[Jaxryley]

Rent@Geek, on Feb 12 2009, 09:12 AM, said:

The ONLY technique that I have had any success with is to make a UBCD with Dr Web cure IT on it and boot to the UBCD.

As a sidenote Dr Web do offer a free boot cd that may help?
Dr Web LiveCD

[Rent@Geek]

Jaxryley, on Feb 11 2009, 05:50 PM, said:

As a sidenote Dr Web do offer a free boot cd that may help?
Dr Web LiveCD

I have run the Dr Web Bootable CD and it doesn't seem to detect or remove it. Running it from UBCD is the only method that seems to work. Oh and one more thing, some machines will allow you to run the Cure IT within windows, DON'T BE FOOLED!!, it will "say" the files are cured but upon rebooting you will find that all infected files are reinfected or still infected. Please let me know if you have any other thoughts. I appreciate the feedback.

[Jaxryley]

I have made a Dr Web livecd but haven't used it as yet.
I think it is able to use latest defs by downloading them so in effect should have the same detections as Cureit.

Quote

There are 2 ways to scan the computer using Dr.Web LiveCD. You can either select Start Dr.Web Scanner to start scanning the hard drive, or select Start XOrg to launch the graphical user interface version of the scanner. Before scanning, I’d suggest you to update the virus signature first by selecting Start Dr.Web Update from Start Menu.

Raymond Blog

You could also have a look at Flash Disinfector which can help in certain autorun.inf instances?

Quote

What will Flash Disinfector Do
- Clean up junks created by flash malwares
- Deletes autorun.inf from every root folder
- Fix back damages done to your system
- Creates an autorun.inf folder in the root of your system drives

[danf0x]

So far none of have helped. I have had some programmers take a look at it and they said it is now has memory residence capabilities so rebooting machine is not enough, gotta take the power out once you have removed. I have heard various reports that the new microsoft scanner will do a better job of repairing files corrupted instead of the others which will just delete them.
First thing though is you need to stop file and printer sharing on the machine this is the way it spreads so by doing that you contain it to one machine. I am going to load up a UBD with every antivir that people have "said" works and see if I have any luck. I can tell you this though, the company I am working on cleaning has had this for a couple days and are as infected as can be so if I am able to successfully clean one of their machines then everyone should be able to get cleaned.

[cTreamer]

Hi at first to all. So I've opened some Big discussion about this Mysterious Malware on the : www.msfn.org. For over three Months I have discovered this Problem as fist user on this Planet. In this time here in Germany nobody didn't know about this New very Aggressive threat called-BOT-NET Server binary.With some users together we have maked Panic to AntiVirus&Co Manufactures.So that for as first has Mc Afee USA made some EXTRA.DAT files for recogniseing that, and just immediatly after that also Symantec has made some steps for updating Virus Deffinitions. Just read mine Thread and you gonna understand how to get out some Injected-Manipulated files with BOT-NET Server binary inside of it. So here is Link to my Thread:

http://www.msfn.org/...howtopic=128757

Greetings
cTreamer

[cTreamer]

Oh I am sorry I didn't want it as twice Posting. Admins&Mods why is not Possible in this Forum to Edit some mistakes. I am missing the "Edit" function of other Forums. So I've tried to edit my Post and happend this my Appologise.

[danf0x]

cTreamer, on Feb 12 2009, 01:10 PM, said:

Oh I am sorry I didn't want it as twice Posting. Admins&Mods why is not Possible in this Forum to Edit some mistakes. I am missing the "Edit" function of other Forums. So I've tried to edit my Post and happend this my Appologise.

Thanks that was helpful. I am going to try and remove this tomorrow from my customer as I don't know how many tools these people have loaded on their machines but I know after multiple scans there were thousands of problems and it meant windows had to be repaired and then other files copied just to get the machine in a state it could log in.

[HoustonsBestTech]

This is a nasty virus. My first user was infected on Feb 2 and on the 4th, half of my systems were infected. By the 6th I was clean on the network, but I had irreparable damage to several machines. If you think you have this virus, turn off that computer until you are ready to take the effort to recover it.

To fix this using Symantec/Norton: remove all known infected machines from your network. This machines OS's are gone, but the data can be salvaged. On the remaining machines, make sure you have latest virus definitions, turn off all shares (even admin shares), Isolate all of the machines, and run full virus scans. For now, make sure your virus protection software is set to "leave alone" if it cannot repair the file. Scan continually until all runs clean. Verify the registry is clean (look in run and winlogon keys for each user and delete the garbage lines). After this, the network portion will be clean.

To salvage your workstations: If you can boot into safe mode, load new virus definitions and scan - this takes a long time. Whether or not, afterwards boot with UBCD and move all of your data off to an external drive. Without being connected to a network or the internet, format your drive and reinstall your operating system. Install your anti-virus software with latest definitions, connect to the internet and run Windows update. Next, plug in your external drive and scan it immediately. You are now ready to load your programs and move on to the next infected machine.

I found that the majority of the damage that I received was not from the virus itself, but the way the anti-virus software responded to the threat making my systems unbootable. This took over 2 weeks for me to get completely past this virus, and the support I received from Symantec in the beginning was amateurish at best. It was not until day 3 (about 15 hours on the phone later) that I felt I was getting somewhere with this. This did not come in through email, but came from the web and it appears that it came from a link from a well known news site.

Good luck and I hope this helps those still battling this. Today, we are virus free. Tomorrow...who knows?

[Fatdcuk]

Ok Folks heres the news that you really dont want to be hearing if a system is infected with the recent evo's of Virut PE infector then no software will be able to clean it sucessfully if run from the infected system.

In short there is no quick 1 hit recovery from Virut...if any one claims to do this then they are misleading you.
Please bear in mind just because the AV's know the signature of a Virus it does not equate automatically to them being able to remove it from an active infection.
These most recent PE infectors are really driving that point home but some of you will have been experiencing this first hand


Right can the most recent Virut strains be removed,yes is the answer but inorder to achieve this then the amount of time and effort+tools that will need to be invested then it would be better to reformat and reinstall the computer from scratch.
This is my standard advice to anyone who is wrestling with a Virut infection currently.... full blooded R&R time!!!

That said some will still want to know how it can be done so here comes the current working solution and short explaination for actions.

You need either a live CD such as BartPE/Ultimate Boot to boot from or a 2nd pc to slave the infected pc to.
If you have niether then it's a no go folks.Virut will reinstall as quick as you can eradicate it when attempting removal from within the same OS.

When you have your 2nd enviroment to work from available.Run Dr Web Cure-IT(updated to most recent database).

You will need Cure-IT to scan every last thing on the infected PC so you will have to configure it to do so because running by default settings it will only run a quick scan(limited coverage).

Every last PE file will need to be disinfected so full scan is the only option!

Once this has been encomplished you will need to run an OS repair install to get OS integrity restored.

And the final bits of TLC,all installed software will need to be uninstalled and then reinstalled inorder to restore total software integrity.

This is an absolutely massive amount of work to be done there folks unfortunetly but it is possible.....but seriously tho reformat and reinstall is so much quicker!

[exile360]

Check out the new variant, new and improved: http://blog.trendmic...cases-escalate/

[jrodriguez786]

rdmtech, on Feb 10 2009, 08:06 PM, said:

I've been battling this malware for almost a week now. It goes by the following names:


* W32.Virut.CF [Symantec]
* Virus.Win32.Virut.ce [Kaspersky Lab]
* W32/Virut.n [McAfee]
* PE_VIRUX.A [Trend Micro]
* W32/Scribble-A [Sophos]
* Virus:Win32/Virut.BM [Microsoft]
* Trojan.Win32.Patched [Ikarus]

ThreatExpert Report

Has anyone run into this piece of malware and can you provide some information on cleaning the workstations. We have hundreds of workstations infected and I would prefer to disinfect rather than reload.

Thanks in advanced!

I have done research on this new Virut virus, but have not been able to find a solution to the infection, even though my computer is not infected, but better be prepared than sorry later on. My findings on this virus is that there is no fix as of yet, there are ways to slow it down and prevent it from getting onto someones computer, but a solution to the infection has not been found. The following are the findings that i have found regarding this virus:

Also Known As:

Win32/Virut.NBK (ESET)
W32/Scribble-A (Sophos)

Summary

Virus:Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer.

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed Antivirus software may be the only symptom(s).

Characteristics

W32/Virut.n will first inject threads into the Winlogon.exe process. When successful, it will cause the process to download and run the following file:
• %WINDOWS%\TEMP\VRT7.tmp

This file will launch a new svchost.exe process and proceed to inject threads into the process. The svchost process create the following files in %WINDOWS\System32 folder and delete the previous VRT7.tmp file.

• 8.tmp (data file)
• 9.tmp

Spreads Via…

Executable File Infection

Win32/Virut.BM disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP. The virus infects .EXE and .SCR files on access, hence actions such as copying or viewing files with Explorer, including on shares (with write access) will result in files being infected, and the virus spreading from machine to machine. The virus injects its own code into a system process such as explorer.exe or winlogon.exe, and hooks low-level (NTDLL layer) Windows API calls in order to stay in memory. It hooks the following functions in each running process (NTDLL.DLL):

NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx

Thus, every time an infected process calls one of these functions, execution control is passed to the virus.

The detection for this hooking is currently detected as Generic.dx!rootkit

Besides executables, W32/Virut.n also infects HTML Files. HTML files on the system are injected with an iFrame pointing to malicious domain such as ZieF.pl. Together with the modification in the HOSTS file, this will allow W32/Virut.n to infect clean machines accessing the infected HTML pages, while at the same time. preventing an infected machine from connecting and getting reinfected. This is possibly done to prevent the Virut server from being overloaded by infected machines.

The following registry entry is modified to allow firewall access for Winlogon.exe:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

The following registry entry is added:

• HKEY_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UpdateHost

But I'm still researching the issue and hopefully someone will post a solution to this virus and/ or a removal process apart from having to re-image a computer. Good Luck!!

[B-boy/StyLe/]

I have successfully kick his butt with following actions. (I was asked to do not use format)

First - fight with Usb Service 2.0 (Trojan.Win32.Agent2.dbi [Kaspersky Lab]), and some nasty files like wt.exe (Trojan.Win32.VB.gyh [Kaspersky Lab]) etc...(CFScript.txt kill them all)

1. Using Avira Rescue CD to rename infected files (xxx extension)

2. Ran an OS repair install to get OS integrity restored.

3. userinit.exe restoration.Why? After Log on, next log off automatically (Repair install do not fix that)

expand userinit.ex_ c:\windows\system32

C:\Windows\system32 copy userinit.exe wsaupdater.exe

4. All installed programs have been reinstalled...

5. Fresh AVIRA installation to clean all remaining infections (this include renamed xxx files as well).

By the way (Avira was completely destroyed from Virut with all security settings turned on, Avira GUARD too)



=>>>





*Self-defense doesn't work well => Avira processes can be terminated using Task Manager as well (I do not wanna think what can be done with software like DiamondCD Advanced Process Termination)

*Avira doesn't have module that can unload active infected files.(One example : I was trying to submit one infected archive to VirusTotal and at the same time i ran scan with Avira...Avira detect the file and showed me a message that the file is deleted.The file was still there. When i close Mozilla Firefox, and i ran the scan again, the file was deleted completely).

*Avira for Windows Vista x64 doesn't have anti-rootkit module (You must use GMER or Rootkit Unhooker)

*Avira for Windows Vista x64 doesn't have Protect Processes setting.



*Avira personal classic doesn't have anti-spy module (Use MBAM, SAS, Spybot S & D as well)

*Avira generate too many fps (especially this week)



I'll inform Avira support team...

[Insomniac]

Ergh, this looks like one nasty bit of work. Does this exploit any specific vulerability (Ie, is a fully patched version of windows likely to be infected) or is there currently no effective way to prevent yourself from getting infected (other than being careful about what you run on your pc)

It would suck to have my thumbdrive infected via a school computer (lots of students plugging thumbdrives into them), and then have that transfer it onto this pc.

Does it affect both xp and Vista?

[exile360]

It gets dropped by trojans, but has been spreading rampant via P2P apps due to the way it infects .exe files. All a user need do is accidentally download tainted software and try to run an infected exe and bang. Once it gets in it downloads several other trojans to the system. It will infect other PC's on a network if it can get into them, including Vista (at least 32bit, not sure about 64bit). I've seen it mess with the NIC's on Vista machines here in the forums, but I haven't seen any files infected (at least so far).