I was recently infected with the Virut virus, and I've got to say, this has been the hardest thing to disinfect so far.
It was not detected by the antivirus (NOD32), and it proceeded to infect all EXEs on all partitions with its code.
How Virut works: http://securitylabs.websense.com/content/Blogs/3300.aspx
Many aspects of the Virut virus have changed, making newer variants much more effective. The fact that it infects running processes makes it very virulent. If you move a file that matches the requirements in the infected code onto an infected machine, it is instantly infected. The virus also uses the SFC functions to make sure Windows won't pop up an error message if a Windows file is infected. The fact that it infects Web pages makes it even more virulent, as Webmasters could and probably do upload infected htm/asp/php pages, leading to various exploits that target their visitors.
Giveaways:
Network card is 100% overloaded -- uses CPU and bandwidth for zombie attacks.
Unsolicited EXEs running in taskmgr with strange, cryptic, randomized names.
Forcibly ending said EXEs always causes them to reappear.
Solution:
-Disconnect the network cable and power off immediately.
-From an uninfected computer, load DrWeb antivirus onto a USB stick, scan the infected machine via safe mode and attempt to repair the infected EXEs. Never re-use the same USB stick on a clean machine, as there is a good chance a hidden infected EXE with an autorun.ini has been dropped onto it.
-Install COMODO and set the antivirus and firewall to maximum protection.
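The post describes a file infector that modifies every EXE it can reach, which is exactly the situation a known-good hash manifest is for: build the manifest on a clean system, rebuild it after the scan, and any executable whose hash changed was either infected or repaired. The script below is an added example, not the poster's or any vendor's code; it identifies PE files by their MZ/PE signature rather than by extension, and the `make_fake_pe` helper only fabricates constructed sample files for a test.

```python
import hashlib
import struct
from pathlib import Path

# Added example (not from the original post): baseline-and-compare integrity
# check for PE executables, run from a known-clean system to find files a
# file infector has modified. Sample files are constructed by make_fake_pe.

def is_pe(path: Path) -> bool:
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with path.open("rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False

def build_manifest(root: Path) -> dict:
    """Map each PE file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and is_pe(path):
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            manifest[str(path.relative_to(root))] = h.hexdigest()
    return manifest

def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify PE files as modified (hash changed), added, or removed."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def make_fake_pe(path: Path, body: bytes) -> None:
    """Write a constructed file with a valid MZ/PE signature layout (not runnable)."""
    e_lfanew = 0x80
    header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    header = header.ljust(e_lfanew, b"\x00") + b"PE\x00\x00"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(header + body)
```

Save the baseline manifest off the machine (for example as JSON on the clean USB stick's read-only side), since a manifest left on the infected host cannot be trusted.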