Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Variant of W32.virut (aka Zief.pl)

  • Please log in to reply
3 replies to this topic

#1 rokosz1


  • Members
  • 2 posts
  • Local time:05:50 PM

Posted 09 July 2009 - 01:10 PM

I'm getting ready to upload a HJT (to the appropriate forum, oc)

But was wondering in the meantime if you folks here have come across this.

The standard symptoms: HOST file gets redirected with a chura.pl/rc link (which page can't
be displayed via IE6) (And PCT SDAV doesn't intercept).

PCT SDAV does intercept an spontaneous request for sys.zief.pl (this request runs about 4x/minute)

IE6 browsing is blocked for security sites

These 3 things seem very similar to the FEB 2009 start of the W32.virut -- but seem different mostly
because of the chura.pl and "sys." in front of zief.

I haven't seen any <iframe> examples yet
I haven't seen this propagate across machines here yet.
PCTools, so far, is ignoring my requests for help.

I've been attempting to kill this since Monday 6 Jul. I isolated one thread of infection that was in my Eudora 7 (saved folder). After XP reinst I copied the entire contents of that folder back into the new Eudora install.
Start Eudora and bam. IE6 pops up with chura.pl as the address.
I just successfully reinstd XP & eudora, copied my mbx and tocs and ini only. and Voila! no bizarreness. my email is there and the HOSTS file is clean. Sorry I don't have the time isolate a culprit(s) dll or exe (turns out i was copying over the original copy of eudora.exe all those other reinst/copy times. Doh!

There was another file: a Dell driver install.exe for my integrated audio adapter. That's now gone after I had PCTools SDAV quash it. (I'm coming around to the idea manual retrieval of things I can keep and then killing the D: drive. And the J: drive 1.2 tb, sheesh where will I put it all.

If I think this through. The problem seems intransigent. If you get this (family of) virus/rootkit you must lose everything and re-install because by the time the problem arises and your AV is aware of it -- its too late. Because the bug is latent in an exe waiting for execution.

I ran Nortons W32.virut removal tool -- it found nothing on a clean install -- although that infected eudora related file was scanned. I then installed eudora, copied my stuff, ran eudora and bam got hit. then ran the removal tool again
it found 2 thread infections, fixed them,-- but my hosts file was still modified. So the AV folks will have us users running in circles and losing massive amounts of time.

I have run HJT a few times, reviewed but didn't see anything obvious. If I get hit again I will run it&post.
One last weirdness: the HOSTS file. I cleaned it manually. saved it and made it read-only. rebooted.
I still got redirected -- and the hosts file was still clean. Huuh!

Any thoughts on this? anybody seen this (variant)? Any advice.

bye, Bryan

BC AdBot (Login to Remove)


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,994 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:50 PM

Posted 10 July 2009 - 01:28 AM

I am moving this to the Am I Infected forum for you.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 rokosz1

  • Topic Starter

  • Members
  • 2 posts
  • Local time:05:50 PM

Posted 10 July 2009 - 10:14 AM

So, maybe being really careful where I put my fingers is keeping me clean right now. Almost 24 hours since I was able to install my email program (see above for why this was suspect) and all is still well. I've reinstalled all necessary software/drivers for daily use successfully. I've executed _no_ exes that were pre-existing on my drivers prior to the infection. all installs were done by downloading fresh copies from the vendor sites.

My thoughts about this kind of infection: Since the infection can lie latent in exes/syss the AV software folks will need to come up with routines that crc exe contents at install time -- then when executed/loaded compare that information and dis/allow as needed. And, ideally, their scans would search exes/syss for corruption -- but that's where it gets thorny. If the latency is pre-existing -- how does AV software know what's legit? Enter a vendor controlled database of crcs or simple size information. But how does the AV software know who to contact. And, Of course, the infector's counter measure would be to usurp the AV request to the vendor by redirection to the infector's own database. "This ok, Joe?" "yeah, its fine" "ok, away we go..."

What will be really interesting is when the infectors learn how to insert code into media files (since so many media viewers/players have "get information about this cd/film/celebrity/porn star from the internet". Then _every_ file will need to be x-checked. At least there's one use for doubling processor speeds, and another argument against the US ISPs throttling bandwidth. The cost of being safe. Its not just for corporeal terrorists anymore.

#4 DaChew


    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:50 PM

Posted 10 July 2009 - 10:44 AM

This scanner takes a long time to load but you can scan external drives, in the past I have seen it detect virut infected files very well.
The logs get real long.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


No. Try not. Do... or do not. There is no try.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users