
Vicious Virus


20 replies to this topic

#1 DTech


Posted 05 February 2009 - 08:08 AM

More info on the virus: http://www.threatexpert.com/report.aspx?md...1e038a5529199fb

I had a computer getting VRT*.tmp files in the Task Manager. So I looked into it and also saw the winlogon.exe was attached to an external IP.

I used netstat -b to find the IP.

This virus writes your HOSTS file and adds this to the top line: 127.0.0.1 zief.pl

Then it opens up an IRC for hackers to take it away.

Our boss and 2 sales computers had this; as of midnight last night there was no cure, so I saved what data I could and blew them out and reinstalled.

If I find out more I will post, but just an FYI.


#2 E-werd


Posted 05 February 2009 - 11:38 PM

So it's like a rootkit and/or trojan. Yay. I suppose I will need to watch out for this one.

#3 AndrewSaysHello


Posted 09 February 2009 - 12:27 PM

Yeah, I've got a machine I'm working on that has this problem... and I'm at a loss as to how to fix this one :thumbsup:

#4 extremeboy


Posted 09 February 2009 - 06:34 PM

Hello.

Yeah, I've got a machine I'm working on that has this problem... and I'm at a loss as to how to fix this one :thumbsup:

You could post it in the HJT-Malware Removal forum for assistance. Read the preparation guide over here if you are going to start a topic.

Also this is a nasty infection, also known as a rootkit. Your computer is probably already compromised by now and the best option would be to format and reinstall your computer.

To be more specific, this infection is a well-known infection called "W32/Virut". More information over here. As you said, it injects threads into winlogon.exe.

Virut File Infector Warning
Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 DavisMcCarn


Posted 09 February 2009 - 10:22 PM

The latest flavor of this attack attaches code to EXE files, infects every HTM(L) file and .SCR file, and downloads and installs numerous rootkits including, for the first time I have seen, legitimate and necessary files such as NDIS.SYS and WDMAUD.SYS. Further, it survived booting to an XP CD, deleting the partition, and then recreating it without cycling power. This occurred on a fresh XP Pro SP3 with all updates, the latest Java and Flash, AVG, Windows Defender, and WinPatrol, all less than 12 hours old, and as the result of clicking on a well-known forum link to fix an NForce driver issue.
It is not VIRUT but, rather, a newly morphed flavor that is partially detected by numerous anti-bad-guy apps, though none of them is complete nor can they effect a cure!

#6 DTech


Posted 09 February 2009 - 11:05 PM

OK, we had 3 servers get this file as well. Here is the cure that we used.

Norton has a fix for it now: W32.Virut.CF

Use Norton's fix... Make sure you edit your HOSTS file; "127.0.0.1 zief.pl" NEEDS TO BE DELETED.

Use Norton's INF... you will need to replace all your Windows and System32 EXEs... so be ready for a mess.



http://www.symantec.com/security_response/...-020411-2802-99



#7 brew78


Posted 10 February 2009 - 04:32 PM

This is definitely one of the infections that's been plaguing me for days at work now.

The computer had to have been keylogged since it kept getting infected even after a format/reinstall. I've since changed usernames/passwords and checked network configuration settings, but a new infection still occasionally pops up.

Haven't had any new ones yet today, and as far as I can tell the computer is clean, but I'm frankly too paranoid to plug the network cable back in!

#8 DavisMcCarn


Posted 10 February 2009 - 05:47 PM

A server OS may be a whole different ballgame, but, as I said in my first post, the only sure cure is to boot the XP CD, delete the partitions, exit, and then power down the system. It remains memory resident and infects the new MBR if you format and reinstall. Turning the system OFF with no partitions created prevents it from being resident, and installing XP afterwards is golden.
This guy has taken out Houston's court division, Springfield, Missouri, and a campus in Idaho since Friday.
Wow! At least Symantec has updated their pages. Microsoft just told me it was VIRUT.BM, which is from last September and should not have been a problem.

As another note, this guy can be caught by simply viewing an infected webpage which invokes an IFrame and launches the attack. Pages have been found on Facebook and eBay, and they are splattered all over the place.

#9 extremeboy


Posted 10 February 2009 - 05:56 PM

Hello.

The latest flavor of this attack attaches code to EXE files, infects every HTM(L) file, .SCR file, downloads and installs numerous rootkits including, for the first time I have seen, legitimate and necessary files such as NDIS.SYS and WDMAUD.SYS.

Yes, that is correct, I have seen this infection around too a few times. Wdmaud.sys in the Windows\system32 directory is a bad file, that causes the frequent Google redirects, but it is not a rootkit.

If you do a full reinstall then format, the infection should be gone unless somehow you got re-infected again...

It is not VIRUT; but, rather a newly morphed flavor that is partially detected by numerous anti-bad guy apps though none of them is complete nor can they effect a cure!

Links? Information on this?

Infections such as these are not simple to deal with. Using some of the most common tools to remove this infection will not work. It will require some special tools to deal with it, and sometimes even with those tools it may be difficult.

I have recently seen a log where 4 very important system files were damaged and it was almost impossible to clean up. Those included svchost.exe, explorer.exe, userinit.exe and another system file that I forgot... It was difficult to cure this because there were no clean copies of those files on the system. The best option would be to reinstall it, as that clears up the system files. Then a format will definitely wipe the rest of the infection out.

With Regards,
Extremeboy

#10 slypspeed


Posted 10 February 2009 - 07:10 PM

Yes this virus does seem to be spreading fast. I uploaded an infected file to virus-total today, 15 of 39 programs detected it.

#11 DesolataX


Posted 10 February 2009 - 10:41 PM

Yes, this does seem to be a flavor of Virut, but it's extremely nasty. It leapt onto one of the USB keys we use in the shop and spread to 5 computers on the bench.
Just uploaded a few infected files to virustotal.com; 20/39 detected it as being malicious software.

I have noticed that it does use a rootkit, because I've run an external scan with AVG and Avast, then run ComboFix, UnHackMe, and Malwarebytes in Safe Mode, and it still keeps getting reinfected.

Noticeable signs of infection:
- Network connections corrupted, unable to get an IP address, installed protocol check boxes grayed out. See image below.
- Randomly named executables in user folders (C:\Documents and Settings\User)
- 127.0.0.1 ZieF.pl added to the hosts file.
- Welcome screen no longer shows up on boot; shows the terminal login screen only.
- Explorer.exe (desktop screen) not loading; opening via Task Manager says either you don't have permission or file not found. Duplicating it and running the copy of explorer.exe will bring up File Explorer.
- Multiple Windows core system files infected, such as explorer.exe, logonui.exe, cmd.exe
- Folder Options in File Explorer disappearing.
- CMD.exe is closed by Windows using Data Execution Prevention.


As for removing it, Combofix, unhackme, SDfix, Malwarebytes, AVG, Avast, Norton, and kaspersky have removed files, but not the whole infection. After reboot, it's back in, infecting even more files and loading more trojans (noticed that AV2009 was loaded on magically after about 2 hours of working on one PC).

So, has anyone else had any success removing it? Other than doing a backup and fresh?



#12 DTech


Posted 10 February 2009 - 11:54 PM

I know I had this virus and I got rid of it... Here are my steps exactly.

I burned an ERD (Emergency Repair Disk), Microsoft flavor.

Booted to the ERD, then changed the HOSTS file. (You can copy a good HOSTS file over instead of editing.)

Copied over all Windows and System32 EXEs. (This will allow you to boot into Safe Mode if the virus infected all your EXEs.)

Downloaded the newest definitions from Symantec as well as the INF fix for the Registry. (Now be careful: if you use a USB drive and use an EXE to execute a program... it is now infected... so after every time you use it, scan it on another computer with updated definitions, or format it and start with NEW good EXEs.)

Then I booted into Safe Mode, no networking or command line.

Executed the INF, installed the newest definitions, ran Symantec AV... (You can execute the INF without it getting infected; THIS virus doesn't attack INFs.)

Took note of all EXEs deleted or quarantined.

Copied those EXEs from a safe computer, then booted to the ERD once again, copied the EXEs over to the respective directories, and now I am fixed.

Booted into Safe Mode one last time to do a full system scan, and found nothing.

If you do this you should be OK....



#13 DavisMcCarn


Posted 11 February 2009 - 07:15 AM

As of today, it looks as if running a complete scan with an updated TrendMicro trial version, WinsockFix (to correct the HOSTS file and LSPs), and deleting this registry entry just may do most of the job:

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
delete this value:
\??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"

Bear in mind that we should still have an issue with System File Protection being turned off, numerous permissions issues, uncleaned .SYS files, AND whatever effects the secondary infestations cause. Isn't it clever of them to have generated a random link to their server so different systems get different malware?
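The indicators these posts describe (the 127.0.0.1 ZieF.pl HOSTS entry from post #11 and the winlogon.exe Windows Firewall exception from post #13) can be checked offline against a copy of the HOSTS file and an export of the AuthorizedApplications\List values. The following Python script is an added example, not code from this thread or from any vendor tool; the sample HOSTS text and registry values it embeds are constructed, and the `C:\WINDOWS\system32` path is an assumption standing in for `%System%`.

```python
# Added triage helper for the Virut indicators discussed in this thread
# (not from the thread or any vendor). Sample inputs below are constructed.
import re

# Hostname the thread reports being pinned to 127.0.0.1 by the infection.
SUSPECT_HOSTS = {"zief.pl"}
# winlogon.exe should never appear as an authorised firewall application.
SUSPECT_FIREWALL_APPS = {"winlogon.exe"}

def hosts_findings(hosts_text):
    """Return (line_no, ip, hostname) for every entry mapping a suspect host."""
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if name.lower() in SUSPECT_HOSTS:
                findings.append((n, ip, name.lower()))
    return findings

def firewall_findings(entries):
    """entries: dict of value name -> value data exported from
    ...\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List."""
    hits = []
    for name, data in entries.items():
        exe = re.split(r"[\\/]", name.strip())[-1].lower()  # last path element
        if exe in SUSPECT_FIREWALL_APPS and ":*:enabled:" in data.lower():
            hits.append(name)
    return hits

# Constructed sample data mirroring the thread's indicators.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 ZieF.pl
127.0.0.1       localhost
"""
SAMPLE_FIREWALL = {
    r"\??\C:\WINDOWS\system32\winlogon.exe":
        r"\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1",
    r"%windir%\system32\sessmgr.exe":
        r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
}

if __name__ == "__main__":
    print(hosts_findings(SAMPLE_HOSTS))      # [(2, '127.0.0.1', 'zief.pl')]
    print(firewall_findings(SAMPLE_FIREWALL))  # the winlogon.exe value name
```

Point `hosts_findings` at the contents of `%SystemRoot%\system32\drivers\etc\hosts` and `firewall_findings` at the exported List values; any hit is a reason to treat the machine as compromised rather than something to clean in place.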

#14 buddy215


Posted 11 February 2009 - 11:28 AM

http://www.click2houston.com/news/18673501/detail.html

Municipal Courts Closed 2 More Days

POSTED: Monday, February 9, 2009
UPDATED: 5:10 pm CST February 9, 2009
HOUSTON -- A computer virus will shut down Houston municipal courts for two more days, KPRC Local 2 reported Monday.

According to city officials, workers began seeing computer problems in the middle of last week. The virus affected all six city of Houston municipal courthouses that serve between 6,000 and 8,000 workers each day.

City officials recently identified the problem as the Virut virus and said it hit about 475 computers. Now that it knows which virus it is dealing with, the city's information technology department can start getting rid of it...

#15 extremeboy


Posted 11 February 2009 - 12:52 PM

Hello.

Just want to point something out here. This forum is for the following purposes only:

Breaking Virus & Security News
Only the latest news about Virus and Security issues.
Forum Led by: Global Moderator, Moderator, harrywaldron


If you require help removing this infection, you could either start a topic in the AM I Infected forum or the HJT-Malware Removal forum. If you think you may be infected, post it in the Am I Infected forum.

This topic is not for removing infections but to alert or note others about new infections that are coming out these days.

With Regards,
Extremeboy