Posted 22 February 2009 - 01:43 AM
What exactly is the purpose of this virus? I saw on microsoft's site they said that the only symptom may be your A/V going crazy, so it isn't adware. So what does it do? Log keystrokes, or just mess a system up as much as it can with the additional stuff it will download?
Posted 22 February 2009 - 01:48 AM
Posted 22 February 2009 - 01:52 AM
It's an interesting read.
Posted 22 February 2009 - 01:57 AM
Posted 24 February 2009 - 11:26 AM
So far I've additionally scanned C:\ and Norton 360 found some 3 small .exe files with W32.Virut.U inside them. I thought that if C:\ was infected, then the whole Win XP Pro ISO images that I made myself must also be infected and manipulated. So with WinRAR v3.80 German I just unpacked all those ISO images into normal file folders so I could scan them with Norton 360. I scanned all these ISO images and "Bingo": Norton 360 found exactly the same 3 .exe files as on C:\, but these were packed Microsoft original EX_, DL_ files. So that means my Win XP Pro CD image was already manipulated before it was even burned onto CD. I've deleted the last sources of infection, all those Win XP Pro SP3.iso CD images, and now my computer is clean. I've also deleted those 3 original Microsoft .exe files in C:\ to be sure that when I make my own ISO image again these 3 files don't infect it again and destroy all my hard work. At the moment I've uninstalled Norton AntiVirus and am downloading some files, and nothing is happening or infecting my system. My computer is finally clean, and all of you have got the newer version of this BOT-NET server binary called Polymorphic Permutated W32.Virus.CF or W32.Virut.N. I've tried Kaspersky, NOD32 and Avast Pro; they are all detecting and destroying it, as well as Symantec's Corporate AntiVirus, Endpoint Protection, Norton Antivirus 2008-2009, Internet Security 2008-2009 and Norton 360 v2.0. So you can try any of these and you will have success anyway, just like me, because the older one compared with the newer virus has not changed a lot: same method of infecting. I'm now making, in peace again, my own Windows CD image with lots of Tweaks, AddonPacks, UpdatePacks, Tuning & Co; I hope nothing happens after installing Windows from that CD-DVD. So good luck, and visit my thread on www.msfn.org, maybe it can help you!!!
Screenshot of winlogon.exe (attachment: Microsoft_winlogon.exe_Screenschots_1.png)
Posted 25 February 2009 - 01:56 PM
I believe the infection was caused by my accidentally executing an install.exe and a setup.exe, which I now believe were executables written purely for spreading this virus, i.e. they could be generic source.
I did investigate by looking into the registry and found that reader_s.exe seems to be the rough spreader. Unfortunately, after removing these entries from the registry, it seems to come back again and again.
Until there is a clean removal method, I am reformatting.
Posted 04 March 2009 - 10:02 PM
For this interesting virus, the only way is to erase the MFT table completely, for example using KillDisk (all versions work well).
It's strong, but it's the sure (and sometimes the shorter) solution.
If you decide to go this way, before you begin you will need a friend's computer
for your data recovery.
If you have an external, use it and start your PC with a BartPE CD.
Forget "*.exe" & "*.dll" files.
Sorry for this English!
Posted 10 May 2009 - 11:20 PM
Let me put my two cents in here. I have recently come across A LOT of the new Virut infections lately. This little b@$t@rd is nothing to shrug at. It infects SCR, EXE, and HTM/HTML files, and it spreads like butter. You MUST, and I mean MUST, remove the infected machine from a live internet connection ASAP. Remove or disable ALL active network adapters. Make sure, if you are using USB or flash devices, that they are NOT inserted into the infected machine. This nasty bugger can, and WILL, spread via "autorun" on ANY removable writable media.
If you can catch the infection immediately, yes, it is very easy to remove: you use Malwarebytes, and boom, it's gone. But that's what tech-minded people would do. Normal everyday users will continue to use it until it becomes so slow that they finally bring it to you. I had my own brother's PC and it had corrupted 640-something files. I had to use a host of different tools to get it completely removed. The one that finally did it, and I am only posting it here for the sake of SAFE computing, is Kaspersky's AVP tool. Of course, this is after running MBAM 6 times, and running Spybot S&D about 4 times.
I identified some key points of this particular virus. Using GMER, I found out that the virus was communicating with an IP address in Australia, 220.127.116.11. The file IS hosted on that computer, and the exe is called LMN_Setup.exe. I have the full UNC path name, but it's at work, and unavailable to me right now. It's worth a try to attempt to find the file on your computer if it's infected. I found it under "C:\windows\system32\lmn_setup.exe"; it's most likely hidden. One of the steps I took to stop the computer from talking back to the server was adding 18.104.22.168 to the hosts file and redirecting it to 127.0.0.1 (loopback). Not positive how effective that was, but I was successful in cleaning it off anyway, at least it seems that way. Some other files that were created as soon as I was infected were autochk.dll and protect.dll. These two, along with possibly the installer, are the FIRST files that will be present upon infection.
I cannot stress enough: if you are not 100% confident that the machine is clean, DO NOT put it back on a LAN or live internet connection, because if there is even a small chance that there is even ONE corrupt file left, it might be enough to enable the virus to communicate with that web address and re-download the missing pieces. I have informed the FBI's special division for cyber crimes, the "Internet Crime and Complaint Center", and have provided them with the IP address and the UNC path to the file I mentioned. It was still live the day before I phoned it in, so hopefully they have the power to shut it down.
Again, this is one bad @$$ virus, and has the ability to cripple networks all over the globe, so let's all help each other squish this thing before it gets any worse!
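The post above warns that the worm spreads through "autorun" on removable media. As an added example (not code from any poster in this thread), here is a small triage script that parses an autorun.inf taken from a USB stick and flags entries that would launch an executable, so a drive can be checked from a clean machine before it is trusted. The sample autorun.inf and the "Recycler-style path" heuristic are constructed for this example, not observed indicators.

```python
import configparser

# Constructed sample autorun.inf, modelled on what removable-media worms drop;
# the file names and paths here are made up for this example.
SAMPLE_AUTORUN_INF = r"""[autorun]
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
label=My Drive
"""

# Keys in [autorun] that cause Windows to run a program on insert/double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command")
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs")
# Heuristic (assumption): worms commonly hide droppers under these folders.
HIDING_DIRS = ("recycler", "$recycle.bin", "system volume information")


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower
    parser.read_string(text)
    if not parser.has_section("autorun"):
        return {}
    return {k: v.strip() for k, v in parser.items("autorun")}


def triage_autorun(text):
    """Return a finding for every launch entry, with the reasons it is suspect."""
    findings = []
    for key, target in parse_autorun(text).items():
        if key not in LAUNCH_KEYS or not target:
            continue
        lowered = target.lower()
        reasons = []
        if lowered.endswith(EXEC_EXTS):
            reasons.append("executable")
        if any(d in lowered for d in HIDING_DIRS):
            reasons.append("recycler-path")
        findings.append({"key": key, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autorun(SAMPLE_AUTORUN_INF):
        print(f"{f['key']:>22} -> {f['target']}  [{', '.join(f['reasons'])}]")
```

Any launch entry at all is worth a look; a benign drive normally carries only `label` and `icon`.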
Posted 17 July 2009 - 07:49 AM
Posted 01 August 2009 - 07:02 PM