
w32.virut.cf/W32/Virut.n/PE_VIRUX.A/Virus.Win32.Virut.ce


29 replies to this topic

#21 Insomniac

    Advanced Member

  • Honorary Members
  • 200 posts
  • Gender:Male
  • Location:Australia

Posted 22 February 2009 - 01:43 AM

The scariest thought is, with the number of people at my school who pirate software, one of them is bound to get this. Couple that with the way it spreads to removable media so fast, and that all the school PCs are networked together, and this could make a real mess. And I need to move my USB drive between home and school for homework etc., so hopefully the AV companies will figure out a way to stop it spreading. If I'm gonna be infected by a virus, that is the most likely way I can see it happening.

What exactly is the purpose of this virus? I saw on Microsoft's site they said that the only symptom may be your A/V going crazy, so it isn't adware. So what does it do? Log keystrokes, or just mess a system up as much as it can with the additional stuff it will download?

#22 exile360

    exile

  • Administrators
  • 16,017 posts
  • Gender:Male

Posted 22 February 2009 - 01:48 AM

It connects to a remote server to grab passwords, CC#'s and such as far as I can tell; that's the purpose of the trojans. It seems as long as your AV is up to date you'll be protected. Having a firewall on your computers should also keep it from getting in from the network (I'd still turn off file and printer sharing just to be safe, as well as disabling remote connections). It seems to be designed the way it is to increase the likelihood of infecting other systems.
Samuel E Lindsey
Product Manager


#23 exile360

    exile

  • Administrators
  • 16,017 posts
  • Gender:Male

Posted 22 February 2009 - 01:52 AM

Check this out, one of the experts posted this in one of the other areas:
http://miekiemoes.bl...s-throwing.html

It's an interesting read.

#24 Insomniac

    Advanced Member

  • Honorary Members
  • 200 posts
  • Gender:Male
  • Location:Australia

Posted 22 February 2009 - 01:57 AM

I suspect the school network allows a fair bit of sharing, i.e., you can log into any computer and still be able to access your documents and print from any printer. I'll give that article a read in a moment. (I'm posting using Steam's web browser while playing Portal. Yay multitasking!)

#25 cTreamer

    New Member

  • Members
  • 3 posts
  • Gender:Female

Posted 24 February 2009 - 11:26 AM

Who said that??? I have successfully cleaned up my system with any Symantec product. One thing that I've found out is that it was an older version of W32.Virus.CF called W32.Virut.U. This was first detected June-July 2007; exactly at this time I got my first symptoms but didn't know about this threat. After some months of fighting I gave up because I was not understanding the mechanism of how it was downloading all those files. In the middle of 2007 I shut down my computer until October 2008, hoping that maybe it would be gone by itself after some months of pause. In October 2008 I put in a new 500GB hard disc and downloaded some files just as usual, nothing special or illegal. After some weeks I saw that there was something going on. I thought "Oh God, not again this thing from 2007", but it was exactly the same thing, and it had also infected some new files on the brand new hard disc. With AnVir Task Manager Pro I found out that in the TCP&UDP Connections section Microsoft's winlogon.exe was connected to IPs in Hong Kong and downloading all that crap. So now I understood why I was not able to see and investigate all that in Microsoft's own Task Manager; because of its very poor functions I couldn't beat this threat already back in summer 2007. After installing Symantec's software I was able to clean almost 1000 .EXE and SETUP files; even drivers (Intel Chipset, Nvidia Forceware, Logitech mouse & keyboard) were also infected, you know. But the main question was still remaining: "Where on my system was that main file which was already injected into some software setup, MSI, EXE or DLL very well known to me???" Ha ha ha, finally, after DESTROYING-DEFEATING this thing, with no more connecting of winlogon.exe, I reconstructed in my brain what I had downloaded from the Internet that had this BOT-NET server binary injected in it. I think going back to summer 2007 I had downloaded from some sites (legal + not legal) very different versions of ALWIL Avast Anti Virus Pro.
This antivirus has a very simple Setup.exe, so everybody could manipulate it and put some BAD files inside of it, and there was this BOT-NET server binary file inside of it. So after installing Avast 4.7 Pro it told me "Restart your computer please", so I restarted. Just immediately after restart, on the Windows XP "Welcome Screen", I saw some dangerous message box telling me "Avast AntiVirus has detected that ashupsrv.exe and other Avast files are infected and manipulated, so if you further execute these files it could be dangerous for your computer; do you want to execute Avast Anti Virus after login into your Windows???". Of course I was stupid and executed that file; this was a very big mistake at this point, because exactly at this moment W32.Virut.U infected and manipulated a lot of other EXEs and DLLs on my system. I did it more times and always got the same dangerous message box, without understanding what was going on behind all this theatre. So at first I deleted all these Avast folders and directories on all my old partitions, to make sure that it was not again infecting all newly downloaded files on my new partitions + hard discs. The second step that I did was installing Norton 360 v2.0.0.424 and scanning with it; after some hours of scanning it had found, on 1 old partition alone, over 500 injected/manipulated EXEs, SETUPs, MSIs. And on the second old partition also over 500+ files; even Borland C++ Builder Professional .EXE and SETUP files were also infected with that virus. So after doing steps 1 and 2, last week I installed my Win XP Pro nLite CD again, and what I see in AnVir Task Manager Pro is that the original Microsoft winlogon.exe is no longer connecting to Hong Kong and downloading all those final files. So I was very happy that I had resolved this problem with Symantec's Norton 360 suite, but I wanted to be sure, you know.
So I again scanned all my 3 partitions (not C:\) with Norton 360 and it found nothing, just as usual only false positives; that was a great feeling. But I said, wait a moment!!! What about my Windows C:\ partition and those Win XP Pro slipstreamed ISO image files???
So I additionally scanned C:\ and Norton 360 found some 3 small .exe files with W32.Virut.U inside them. I thought, if C:\ was infected, then the whole Win XP Pro ISO images that I made myself must also be infected and manipulated. So with WinRAR v3.80 German I just unpacked all those ISO images into normal file folders so that I could scan them with Norton 360. I scanned all these ISO images and "Bingo", Norton 360 found exactly the same 3 .exe files as on C:\, but these were packed Microsoft original EX_, DL_ files. So that means that my Win XP Pro CD image was already manipulated before it was even burned onto CD. I deleted the last sources of infection, all those Win XP Pro SP3.iso CD images, and now my computer is clean. I also deleted those 3 original Microsoft .exe files in C:\ to be sure that when I now make my own ISO image again, these 3 files are not again infecting back and destroying all my hard work. At the moment I have uninstalled Norton AntiVirus and am downloading some files; there is nothing happening or infecting my system. My computer is finally clean, and all of you have got the newer version of this BOT-NET server binary called Polymorphic Permutated W32.Virus.CF or W32.Virut.N. I've tried Kaspersky, NOD32, Avast Pro; they are all detecting and destroying it, as well as Symantec's Corporate AntiVirus, Endpoint Protection, Norton Antivirus 2008-2009, Internet Security 2008-2009, Norton 360 v2.0. So you can try any of these; you are going to have success anyway, just like me, because the older one compared with the newer virus has not changed a lot, same method of infecting. I am now making in peace again my own Windows CD image with lots of tweaks, addon packs, update packs, tuning & co; hope nothing happens after installing Windows from that CD-DVD. So good luck, and visit my thread on www.msfn.org, maybe it can help you!!!

Greetings
cTreamer

Screenshot of winlogon.exe:

Attached file: Microsoft_winlogon.exe_Screenschots_1.png (119.52KB)

#26 Raj

    New Member

  • Members
  • 20 posts

Posted 25 February 2009 - 01:56 PM

I had a second PC which may have been infected with this virus. I had Symantec Client Security with Symantec Antivirus 10.5.1.5000 installed; it picked up the infection but it could not completely remove the viruses even after 6 scans + 5 reboots.

I believe the infection was caused by my accidentally executing an install.exe and setup.exe which I now believe were executables purely written for spreading this virus, i.e. they could be generic source.

I did investigate by looking into the registry and found reader_s.exe seems to be the rough spreader. Unfortunately, after removing these entries from the registry, it seems to come back again and again.

Until there is a clean removal method, I am reformatting.

#27 Thermalix

    New Member

  • Members
  • 1 posts

Posted 04 March 2009 - 10:02 PM

Without a network connection, after format C:/ & XP installation, the virus appeared again! In the future, to be sure of the impossibility of recalling/recovering
this interesting virus, the only way is to erase the MFT table completely; for example using KillDisk (all versions work well).
It's strong, but the sure (and sometimes the shorter) solution.

Note:

If you decide to go this way, before you begin you will need the computer of a friend
for your data recovery.

If you have an external, start your PC with the BartPE CD.

Forget "*.exe" & "*.dll" files.

Sorry for this English!

Regards

#28 Andrew Jack

    New Member

  • Members
  • 6 posts

Posted 10 May 2009 - 11:20 PM

Hello All.
Let me put my two cents in here. I have recently come across A LOT of the new Virut infections lately. This little b@$t@rd is nothing to shrug at. It infects SCR, EXE, and HTM/HTML files, and it spreads like butter. You MUST, and I mean MUST, remove the infected machine from a live internet connection ASAP. Remove or disable ALL active network adapters. Make sure, if you are using USB or flash devices, that they are NOT inserted into the infected machine. This nasty bugger can, and WILL, spread via "autorun" on ANY removable writable media.

If you can catch the infection immediately, yes, it is very easy to remove: you use Malwarebytes, and boom, it's gone. But that's what tech-minded people would do. Normal everyday users will continue to use it, until it becomes so slow that they finally bring it to you. I had my own brother's PC and it had corrupted 640-something files. I had to use a host of different tools to get it completely removed. The one that finally did it, and I am only posting it here for the sake of SAFE computing, is Kaspersky's AVP tool. Of course, this is after running MBAM 6 times, and running Spybot S&D about 4 times.

I identified some key points of this particular virus. Using GMER, I found out that the virus was communicating with an IP address in Australia, 122.224.5.189. The file IS hosted on that computer, and the exe is called LMN_Setup.exe. I have the full UNC path name, but it's at work, and unavailable to me right now. It's worth a try to attempt to find the file on your computer if it's infected. I found it under "C:\windows\system32\lmn_setup.exe"; it's most likely hidden. One of the steps I took to stop the computer from talking back to the server was adding 122.224.5.189 to the hosts file and redirecting it to 127.0.0.1 (loopback). Not positive how effective that was, but I was successful in cleaning it off anyway, at least it seems that way. Some other files that were created as soon as I was infected were autochk.dll and protect.dll. These two, along with possibly the installer, are the FIRST files that will be present upon infection.

I cannot stress enough: if you are not 100% confident that the machine is clean, DO NOT put it back on a LAN or live internet connection, because if there is even a small chance that there is even ONE corrupt file left, it might be enough to enable the virus to communicate with that web address and re-download the missing pieces. I have informed the FBI's special division for cyber crimes, the "Internet Crime and Complaint Center", and have provided them with the IP address and the UNC path to the file I mentioned. It was still live the day before I phoned it in, so hopefully they have the power to shut it down.

Again, this is one bad @$$ virus, and has the ability to cripple networks all over the globe, so let's all help each other squish this thing before it gets any worse!

#29 Serious

    Advanced Member

  • Members
  • 189 posts
  • Gender:Male

Posted 17 July 2009 - 07:49 AM

Run the Dr.Web bootable CD and cure as many files as you can; the longer the virus is active, the more chance of a reformat coming up.

#30 Andrew Jack

    New Member

  • Members
  • 6 posts

Posted 01 August 2009 - 07:02 PM

I have seen a pretty consistent file size in the wild. It seems to be 53,760 BYTES. I also might have identified some filenames. I just noticed these that are new (on my damned USB stick, nonetheless!): TASKMGR.EXE, EXPLORER.EXE, RVSEZM.EXE, MSIEXEC.EXE, and RUNDLL32.exe. Also, according to threatexpert.com, the hosts file will be overwritten, and a loopback address pointing to jL.chura.pl will exist. Go to http://www.threatexp...f700d28b7054203 for more information.
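A defender-side triage script assembled from the indicators quoted in posts #26, #28 and #30 above (the dropped-file names, the 53,760-byte size and the jL.chura.pl hosts entry). It is added example code, not anything the posters ran; the hosts text and file list at the bottom are constructed samples, and on a real machine the file list would come from os.walk() plus os.path.getsize() over the suspect drive. It only reports matches for a human to verify.

```python
import os
from typing import List, Tuple

# Indicators quoted in posts #26, #28 and #30 of this thread (matched
# case-insensitively). Everything else in this block is constructed.
DROPPED_NAMES = {"lmn_setup.exe", "autochk.dll", "protect.dll", "rvsezm.exe", "reader_s.exe"}
LOOKALIKE_NAMES = {"taskmgr.exe", "explorer.exe", "msiexec.exe", "rundll32.exe"}
REPORTED_SIZE = 53760          # bytes, the consistent size from post #30
REPORTED_HOST = "jl.chura.pl"  # hosts-file entry reported in post #30
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comment, then tokenize
        for host in fields[1:]:                  # one IP may map several names
            pairs.append((fields[0], host.lower()))
    return pairs

def hosts_findings(text: str) -> List[str]:
    """Flag the jL.chura.pl entry from the thread and any other non-stock loopback mapping."""
    out = []
    for ip, host in parse_hosts(text):
        if host == REPORTED_HOST:
            out.append(f"hosts: {host} -> {ip} (indicator from this thread)")
        elif ip in LOOPBACK and host not in ("localhost", "localhost.localdomain"):
            out.append(f"hosts: {host} -> {ip} (non-default loopback entry, verify)")
    return out

def file_findings(entries: List[Tuple[str, int]]) -> List[str]:
    """entries are (path, size_bytes). Dropped names always flag; Windows-lookalike
    names flag only at the reported size, so genuine system binaries stay quiet."""
    out = []
    for path, size in entries:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()  # works off-Windows too
        if name in DROPPED_NAMES:
            out.append(f"{path}: dropped-file name from thread, {size} bytes")
        elif name in LOOKALIKE_NAMES and size == REPORTED_SIZE:
            out.append(f"{path}: system-lookalike name at reported size {size}")
    return out

# Constructed sample data (not real captures) so the block runs offline.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 jL.chura.pl # constructed sample\n"
SAMPLE_FILES = [("E:\\RVSEZM.EXE", 53760), ("E:\\TASKMGR.EXE", 53760),
                ("C:\\Windows\\explorer.exe", 1033728), ("C:\\Windows\\system32\\lmn_setup.exe", 41984)]

if __name__ == "__main__":
    for line in hosts_findings(SAMPLE_HOSTS) + file_findings(SAMPLE_FILES):
        print(line)
```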



