Fun with win32.Virut.56

hardc0re

I was recently infected with the Virut virus, and I've got to say, this has been the hardest thing to disinfect so far.
It was not detected by the antivirus (NOD32), and it proceeded to infect all EXEs on all partitions with its code.

how Virut works: http://securitylabs.websense.com/content/Blogs/3300.aspx

Many aspects of the Virut virus have changed, making newer variants much more effective. The fact that it infects running processes makes it very virulent. If you move a file that matches the requirements in the infected code onto an infected machine, it is instantly infected. The virus also uses the SFC functions to make sure Windows won't pop up an error message if a Windows file is infected. The fact that it infects Web pages makes it even more virulent, as Webmasters could and probably do upload infected htm/asp/php pages, leading to various exploits that target their visitors.
Giveaways:

network card is 100% overloaded -- uses cpu and bandwidth for zombie attacks
unsolicited exe's running in taskmgr with strange cryptic randomized names.
forced ending of said exe's always causes them to reappear.

solution:
-Disconnect network cable and power off immediately
-from an uninfected computer, load DrWeb antivirus on a USB stick and scan the infected machine via safe mode and attempt to repair infected EXEs. Never re-use the same USB stick on a clean machine, as there is a good chance a hidden infected EXE with an autorun.ini has been dropped onto it.
-install COMODO and set antivirus and firewall to maximum protection
 
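Added example (my code, not from the post above or from the Websense writeup it links): a stdlib-only Python triage pass of the kind you would run against the suspect drive from a clean system, which is what the post's USB-stick approach amounts to. It hashes each executable against a manifest taken from a known-clean image and parses the PE headers for two generic marks of an appending file infector: an entry point redirected into the last section, or into a section that is both writable and executable. The heuristics, the paths and the headers-only sample binaries are constructed for illustration and are not a Virut signature. Since the thread notes that Virut infects running processes and interferes with Windows file checking, a scan like this is only trustworthy when the infected OS is not the one running it.

```python
"""Offline triage of on-disk PE files for an appending file infector, with a clean-image baseline."""
from __future__ import annotations

import hashlib
import struct
from collections import namedtuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
Section = namedtuple("Section", "name vaddr vsize rawsize chars")


def parse_pe(data: bytes) -> tuple[int, list[Section]]:
    """Return (AddressOfEntryPoint, section table); only what the heuristics need."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset for PE32 and PE32+
    sections = []
    for i in range(num_sections):                         # IMAGE_SECTION_HEADER entries, 40 bytes each
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawsize, chars))
    return entry, sections


def infector_indicators(entry: int, sections: list[Section]) -> list[str]:
    """Generic signs of an appending infector: entry point redirected into the last section, or into
    a section that is both writable and executable. A triage heuristic, not a Virut signature."""
    for sec in sections:
        if sec.vaddr <= entry < sec.vaddr + max(sec.vsize, sec.rawsize):
            break
    else:
        return ["entry point outside every section"]
    findings = []
    if len(sections) > 1 and sec is sections[-1]:
        findings.append(f"entry point in last section {sec.name!r}")
    if sec.chars & IMAGE_SCN_MEM_WRITE and sec.chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {sec.name!r} is writable and executable")
    if not sec.chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {sec.name!r} is not executable")
    return findings


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(files: dict[str, bytes], baseline: dict[str, str]) -> dict[str, list[str]]:
    """files: path -> bytes read from the suspect disk; baseline: path -> sha256 taken from a clean image."""
    report = {}
    for path, data in files.items():
        notes = []
        if path not in baseline:
            notes.append("not in baseline")
        elif baseline[path] != sha256(data):
            notes.append("hash differs from baseline")
        try:
            notes += infector_indicators(*parse_pe(data))
        except ValueError as exc:
            notes.append(f"unparseable: {exc}")
        if notes:
            report[path] = notes
    return report


def build_pe(sections: list[tuple[bytes, int, int, int]], entry_point: int) -> bytes:
    """Constructed test data: a headers-only PE32 image (no real code) with the given section table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)                        # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
                     for name, vaddr, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a normal layout, and the same binary after an infector grew the last
# section, marked it writable+executable and pointed the entry point into the appended code.
CLEAN_SECTIONS = [(b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x2000, 0x1000, 0xC0000040)]
INFECTED_SECTIONS = [(b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x2000, 0x1800, 0xE0000040)]


def demo() -> dict[str, list[str]]:
    clean, infected = build_pe(CLEAN_SECTIONS, 0x1010), build_pe(INFECTED_SECTIONS, 0x2F00)
    baseline = {"C:/app/tool.exe": sha256(clean)}                     # hypothetical paths
    return triage({"C:/app/tool.exe": infected, "C:/app/new.exe": clean}, baseline)
```

In real use, `files` would be filled by walking the mounted suspect partitions for .exe/.dll/.scr files and `baseline` would come from the clean image the thread recommends keeping; a file that is "not in baseline" but shows no header indicators still deserves a look, since the post's point is that an infected EXE can arrive from any download. A hash mismatch alone also catches files the infector corrupted rather than infected cleanly.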
Sorry to hear this! Any idea how you got infected? It's a pretty old virus and, though this variant is newer, I would think that an up to date AV scanner would have picked this up.
 
I ran a seemingly safe .EXE. I was also under the impression that it is an older variant, however NOD32 didn't even flinch...
 
Do you still have a copy of that .EXE or know where it can be downloaded from? I'd like to see what MSE thinks about it? Thanks!
 
unfortunately, no. So good luck if you ever get infected, I wouldn't wish this on my worst enemy.
 
That blows. Some people like the challenge of removing shit like this on their machines but I don't. I've had my share of it with client machines. Fortunately I haven't had to remove stuff on my machine in eons because i've had no reason to.

Anyway, always create backup images. There's many good reasons to make backup images so it's good practice either way. If you get pummeled by a virus like this it takes 5 minutes to reimage(from a clean image) and be up and running again.
 
I too got hit with this virus and NOD32 didn't react. This is the second time now that it's missed a virus in a short time period. Thankfully the computer was just isolated to a subnet with systems on it that I didn't give a damn about and I just deployed clean images.
 
Download MalwareBytes and Spybot S&D. Install both. During S&D installation choose to run 'teatimer' which basically locks the registry. Update both tools. Run Spybot first and clean. If you see a registry edit pop up, only Allow it if the source is Spybot. Some Malware try to reinstall themselves. Then run Malwarebytes and do the same with the registry editor. Once it's cleaned, if you want to keep Spybot on, go into the settings and uncheck teatimer so it doesn't run all the time.
 
bigdogchris, I would recommend you read the writeup link I posted.

This isn't a simple malware... It ate nod32, comodo and avg antiviruses for breakfast. Anything that is an .exe file on the host machine will be corrupted, unless the antivirus is good enough to pick up the infection BEFORE it hits a single file.

Once the infection begins, your OS is pretty much toast because extensive registry changes are made, important system files are corrupted and replaced with dummy files that only serve the virus. Manually fixing the infection is futile, however disinfecting the infected drives and partitions and reinstalling the OS does the trick. To illustrate the damage done in a simple analogy, take a bucket of sh*t and toss it everywhere in your home and rub it in the carpets and furniture, then try to clean it out with a toothbrush... tough luck.

I was able to boot into the infected OS fine, however it was very unstable, due to the amount of system files that were "cleaned" by Dr Web. It was later rendered unbootable, straight BSOD in safe mode and regular boot after fiddling with some of the installed software on the drive, which led me to a complete re-install of the OS. Any .EXE you download off the internet could potentially be infected without the knowledge of the file host due to the stealth method of operability of this virus.
 
heatlesssun: Windows XP SP3

I wouldn't depend too much on MSE... the possibility of mutations and different variations of this menace are too much... It even has a built-in encryption engine to help it hide better.

Another note worth mentioning: Virut removal tools by symantec and other security companies are completely and utterly useless. Do not even bother using those. Only Dr Web is effective at removing it from memory and disk.
 
Thanks for the info. I've been researching this a bit and I'm not finding a lot. It's been so long since I've actually been hit with a virus personally that I just don't worry about them, and I just wanted to gauge how vulnerable I am. All Windows 7 x64 rigs now with MSE for AV.
 
This is why it's hilarious when people claim that there is no need to run an AV program because they use "common sense" when surfing the web. Apparently if you are "safe" and "reasonable" in your internet usage you will never have anything to worry about, even when using XP.

I belonged to that group of people as well, until my work system was screwed by a seemingly safe attachment that was forwarded to me by a fellow employee. Now I run MSE and UAC at max settings. I can't say that it has hampered my computing ability much... and I certainly feel safer by doing so. Even now I know I'm not immune to everything, but it's better than not taking any precautions at all.
 
Well, I'm pretty sure MSE would detect and clean it. But since I only test Virut infection on a daily basis, I could be wrong...

Yes, file infectors are always hard to remove, and Virut does take the cake for tricks to make it harder to clean, but it is possible. I would still advise a clean image, because Virut can corrupt files when trying to infect them.

The problem with most of the one off cleaning tools, is it's hard to clean an infection without kernel mode blocking to keep it from reinfecting while cleaning the threat. Most of the AV companies try however, including Microsoft. (Obviously, MSE doesn't have this problem, since it has proper kernel protection.)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
I've dealt with cleaning malware that won't let OS start etc. I just pull the drive and sweep it on another system.
Can you just put this in your sig, it's kind of annoying that you add this to EVERY post you make - or is that just me?

No it isn't just you.
It's called a disclaimer. You can't just 'put it in the sig'. Hell, it could be 20 lines long and I wouldn't care because he provides great information for us.
 
I REALLY would like to see how MSE responds to this.

I tried looking for the virus to download, so I could test it in MSE, but came up with nothing. A worrying thing is that I downloaded quite a few other virii along the way whilst looking for it (deliberately downloaded them, but didn't run them), and MSE didn't detect anything at all, although Kaspersky's file scanner did.

Trojan.Win32.Chifrax.d

was just one of the trojans MSE didn't see.
 
Really? This virus is listed in Microsoft's malware encyclopedia as TrojanDropper:Win32/Vtimrun.B: http://www.microsoft.com/security/p...Entry.aspx?Name=TrojanDropper:Win32/Vtimrun.B. The entry was updated just two days ago and shows MSE as being aware of this virus since May 18, 2009.

Do you have any links to test sites? Thanks!
 
It wasn't a test site, but a place I know is full of virii (a newsgroup full of it). There were several other people reporting that the file in question had a virus, so I downloaded it, unrar'd it, and MSE, which was updated today, didn't do anything (it should have detected it during the read/write process). I even brought up the properties of the file, so that it definitely did read it; finally I right-clicked the file and told MSE to scan it... again nothing.

I uploaded it to Kaspersky's file checker (their original online scanner is currently unavailable) and it correctly detected the virus in several of the files; same for 1-2 other anti-virus places I checked.

EDIT - I just went and got another well known virus file, and MSE shows no problems, with virus definitions 1.69.690.0 dated today, whilst almost every other anti-virus detects it correctly as malware. Hmm, not too confident in the application anymore.

 
I legally cannot add it to my sig. I have already asked, sorry. (As to why it bothers people, I don't understand.)

As to the other concerns, I'll take a look at that file on Monday. I can say that we hold the Advanced+ rating from AV-Comparatives.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Did you try uploading the file to virustotal.com? I'm curious to see which AVs pick it up. I don't have the same balls as you to go fishing around trying to find infected .exe files to test my AV.
 
Maybe I'm missing something, but the latest report at AV-Comparatives is from August '09. The only MS AV I see listed on the Aug. '09 report is MS OneCare and it got a Standard rating.

The following got Advanced +

Avast
Bit Defender
eScan
F-Secure
G Data
NOD32
Norton.
 
Salorian,
I had to reinstall the OS due to extensive system file and registry corruption, but in no way was going to format all my partitions and lose a terabyte of data.
 
I can't link to the site, but if you look at the latest removal tests, Microsoft Security Essentials got an Advanced+ rating.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
I got ya.
 
It sure can :), I finally found it at last.


So why didn't others get this result? Of course, without everyone comparing the same files and definitions it's a pointless argument. I wish there was a simple catalog of malware samples out there. Of course that would be very dangerous for most people.
 
I don't know, but remember that my MSE is updated to the latest and the website I was using with the multiple checkers was also using the very latest virus definitions.

Whilst looking for virii with some fairly new files on the internet, MSE was unable to detect about half that I actually bothered to test with, albeit a small sample. Below are the results I managed to pick out from my browser history; for the following MSE didn't find anything at all, and some of the other anti-virus vendors didn't exactly do brilliantly detecting them either, with NO antivirus picking them all up :(

Trojan-Dropper.Win32.VB.aexk
Trojan.Win32.VB.ujq
Win9x.CIH
TR/Agent.rsh.11
Gen:Trojan.Heur
Trojan-Dropper.Win32.Mudrop.fgp
 
Thanks for the info. Just wanted to see if this was some type of bad outbreak but it doesn't look like anything out of the ordinary. It's been so long since I got a virus on any of my personal systems that I have to fight complacency because I just really don't understand how this stuff gets around.

I download a fair amount of software, but nothing pirated, and what I get is from pretty well used sites, so I just figure that stuff like this gets spotted pretty quickly.
 
how did you end up finding it? And all those other virii? share it with us please!

I'm surprised NOD32 is so bad at detecting; I used to think it was the best anti-virus.
 
For Virut, I just searched for it using Google by putting "virut torrent" in the search and going through maybe 10-12 pages, until I found people commenting on a torrent for an app telling others to beware as it was a virus called Virut. Download torrent, voilà.

For the others I just looked in several places in newsgroups etc.
 