
Win32.Virut


13 replies to this topic

#1 iboverkill
  • Members
  • 6 posts

Posted 10 November 2009 - 09:41 PM

So it's been a couple of days since I realized that this virus is tougher than the ones I've dealt with before. I'm currently running a scan/cleanup using Kaspersky rescue disk. (The DrWeb CD turned out to be pretty useless). It seems like a great idea - linux based, running off the DVD drive. I'll have to replace the messed up windows OS using the disks but hopefully I will then have a clean system (albeit missing files here and there because some have been deleted instead of disinfected).

I am thinking that I may also try to use the "ultimate boot CD" and then download MBAM and combofix as extra precautions (though I am not sure if you can use "ultimate" in this way). The idea here being that I will be able to run windows based programs off the DVD drive, thereby running the additional scans before booting off the actual HD.

That's if it all goes to plan, of course. I am trying to anticipate the unexpected since posts I have seen here and there all seem to converge on one reality about this virus - it is apparently very very elusive and is able to keep returning. The one thing that worries me most is the question of a port that this thing opens and utilizes (port 65520 or something like that).

So my questions are threefold:

1. Does anyone have experience of this virus, and do you have any tips/suggestions ?
2. Does anyone here know if I can use the Ultimate Boot CD in the way I have described to boot from DVD and then download and run MBAM + combofix ?
3. Should I worry about this port that the virus apparently uses ? I mean if I clean my system there's no way the thing can find its way back in... Or can it ?


#2 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,989 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 10 November 2009 - 10:21 PM

Hello,

I am shifting this topic to the Am I Infected forum.

About the infection you have, the reason why those system files were deleted is because the infection has corrupted them beyond repair. I'm afraid I have very bad news for you. Virut is a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). The Virux variant is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

The best and safest solution is to reformat and do a clean install.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
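
A defender-side check for the HOSTS file tampering described in the post above (security sites pinned so updates and help pages fail). This is an added example, not code from the forum or from any vendor's tool; the sample HOSTS content and the watchlist of security-vendor domains are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample HOSTS file content, not taken from the thread.
# Lines 4-6 imitate the kind of entries a file infector adds so that
# security vendors' sites resolve to localhost or to an attacker host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.kaspersky.com
127.0.0.1       update.symantec.com
192.0.2.10      www.malwarebytes.org   # 192.0.2.0/24 is a documentation range
"""

# Assumed watchlist: domains malware would want to block. Illustrative only.
SECURITY_DOMAINS = (
    "kaspersky.com", "symantec.com", "malwarebytes.org", "bleepingcomputer.com",
    "mcafee.com", "avg.com", "eset.com", "microsoft.com",
)

# Names that legitimately map to loopback in a stock HOSTS file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _matches_watchlist(hostname):
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for each real HOSTS entry."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an address/hostname line
        yield n, ip, parts[1:]


def suspicious_hosts_entries(text):
    """Return (line_no, ip, hostname, reason) tuples for entries that pin a
    watchlisted security domain, or that map any other non-local name to a
    non-loopback address (a redirect). Ad-blocking HOSTS lists that use
    0.0.0.0 will show up under the second rule; review those by hand."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOOPBACK_NAMES:
                continue
            if _matches_watchlist(name):
                findings.append((n, str(ip), name, "security site blocked/redirected"))
            elif not ip.is_loopback:
                findings.append((n, str(ip), name, "non-local name mapped to non-loopback address"))
    return findings


if __name__ == "__main__":
    # On a live Windows system, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for line_no, ip, name, why in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} {name}: {why}")
```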

#3 iboverkill
  • Topic Starter
  • Members
  • 6 posts

Posted 12 November 2009 - 10:20 PM

I have beaten the little sucker, but my system seems a little under the weather. Perhaps I'll be able to repair it, perhaps not. So someone please tell me: Is there any firewall around that would have caught that thing before it landed in my system ?

#4 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 13 November 2009 - 03:28 PM

Hello iboverkill,

First of all, a firewall filters network traffic, an antivirus monitors file modifications.

It's difficult to give a straight answer to your question. If you had a newer virux variant, it might yet have been undetected by any antivirus. Once installed on your system it simply bypasses the firewall. The trick is, NOT to get it on your system in the first place. Two things are needed for that:
1. Good security software.
2. Safe surfing.

2. Does anyone here know if I can use the Ultimate Boot CD in the way I have described to boot from DVD and then download and run MBAM + combofix ?

UBCD is linux based. It would be extremely hard to get MBAM to work there.

Running Combofix that way is a certain death sentence for your OS.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


3. Should I worry about this port that the virus apparently uses ? I mean if I clean my system there's no way the thing can find its way back in... Or can it ?

An opened backdoor is an opened backdoor. It's a vulnerability that remains on your system. It may or may not be used by anything bad, there's no way to know for sure. And that's exactly the reason why a reformat is the best course of action.


I hope this answered your questions. If not, just let me know :thumbsup:

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 iboverkill
  • Topic Starter
  • Members
  • 6 posts

Posted 13 November 2009 - 08:55 PM

Thanks for the feedback, but I had already moved on after my first post. I did try the UBCD and found exactly what you said to be true. In any case it turned out that I didn't really need it. Once I used the Kaspersky LINUX disk and OS re-install (albeit partly messed up), I was able to run the machine in safe mode. This was a major step forward. Then I was able to run MBAM and combofix (ok, I get the thing about how you're not supposed to use it just like that - it just seemed like a desperate enough situation that I just wanted to do it).

About this whole back door thing though... One thing that I can't figure out is whether an external process can use an open port to get in. It seems to me that there's no such danger, and that the only problem may be if a process on the inside uses a port to pull in more mischief. Maybe I'm wrong about that though.

#6 asangarox
  • Members
  • 3 posts

Posted 14 November 2009 - 12:14 AM

Hello iboverkill,

I would like to share some of my experiences with you.

One of my clients was severely infected with W32.Virut. He couldn't log in to Windows (normal mode) as the logon prompt froze and the system halted.

I used Combofix as my first tool after unplugging the network cable. But combofix itself got deleted saying something like "this system is infected with Virut/file patching virus" (you guessed it right, Virut was trying to patch the Combofix.exe :thumbsup: ).

Combofix failed so my next move was the Symantec Virut Removal Tool. I ran this utility and it started cleaning. Almost all the critical system files (winlogon, logonui etc.) were listed under the Infected List. This list got bigger and bigger and I had to leave the PC for the next day as it was around 5 in the evening.

Next day when I went there the scan was still running! The infected list was HUGE and it was still detecting more and more. When it finished it had caught some thousands of virus instances. It could remove almost all of them and then I updated the virus guard (Symantec Corporate Edition v10) using the offline update file. Then it started catching more and more infected files using the real time protection. Then I ran a complete system scan to make sure the virus was gone. At this point of time, it stopped detecting viruses meaning the system could be ASSUMED CLEAN. The PC worked normally thereafter.

So in short, my advice is to try this method if you have lots of time and patience. However the end result MAY NOT BE THAT SATISFACTORY. For a challenge it's the way to take. But if you want a clean system after a Virut infection do a FULL DISK FORMAT (not a full format to the windows partition but to the whole disk after backing up the necessary data) and then do a clean windows installation. Use safe security practices to avoid further infection and of course think twice before copying your backup data back to the restored system. A single undetected Virut can go a long way infecting the whole PC again :flowers:

-Asanga

Edited by asangarox, 14 November 2009 - 08:31 AM.


#7 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 14 November 2009 - 05:46 AM

Thanks for sharing asangarox. :thumbsup:

Again I want to point at the danger of running Combofix unsupervised (yes I know it becomes annoying, and yes I am still posting it because I still keep seeing people with unbootable computers after running it).

You are completely right with your statements about Virut. The problem is not even that the injected code can't be removed from the files. The problem is that the code is buggy. It sometimes overwrites existing code in a file and when the virut code is removed, it leaves the file without a piece of its own code. This creates corrupted files and all the problems that brings with it for the OS.

Prevention is better than cure!

regards, Elise




#8 iboverkill
  • Topic Starter
  • Members
  • 6 posts

Posted 14 November 2009 - 08:06 AM

My experience has been much like that described by asangarox. The virus can't be outmanoeuvred as long as it is in memory. I finally beat it using a different approach, but with pretty much the same end result.

I had hoped someone would recommend a firewall that would keep this pest out in future, but it seems like that's not going to happen.

Elise (or anyone else for that matter): Just for my edification, I would like to know what is the "correct" way of using combofix. I have used it a couple of times now quite casually. I can understand that when a program is rummaging and changing things in the system files, registry etc you can end up with some damage. The thing is that who would be qualified to use it then ? Is there a specific "safe" way of using it ?

#9 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 14 November 2009 - 08:33 AM

Hi again :thumbsup:

I had hoped someone would recommend a firewall that would keep this pest out in future, but it seems like that's not going to happen.

Unfortunately there is no 'ideal' security product. Malware developers do everything they can to make their stuff harder to detect.

Just for my edification, I would like to know what is the "correct" way of using combofix. I have used it a couple of times now quite casually. I can understand that when a program is rummaging and changing things in the system files, registry etc you can end up with some damage. The thing is that who would be qualified to use it then ? Is there a specific "safe" way of using it ?

The 'correct' way of using it is when instructed by a qualified helper.

The developer of Combofix doesn't want to discuss the way his tool works, except with qualified helpers, and at BC (and other malware removal forums) that decision is respected. The consequence is that, if you are not properly trained, you have no idea what (or what not) Combofix is capable of.

In this case a qualified helper is someone who has been trained at one of the several Malware removal schools (here at BC or at other boards like malwareremoval.com, geekstogo.com, techsupportforum.com, to name a few).

Please also read the information below (Source):

Understand something--Combofix is not nor will it ever be an AV and shouldn't be used as one. It should never be run in any sort of casual way--in other words you can run your AV scan at any time if you want, or an antispyware/malware, even on a whim.

Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that is ComboFix is meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through s/he leaves the room. So combofix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections.

Some of the tools ComboFix uses can also sometimes be used by bad guys, so yeah an AV (and McAfee is particularly bad about this) will sometimes flag some tools as potential threats. But since you don't need surgical tools around if you don't need surgery, this won't happen if you remove ComboFix or leave it off your system as recommended in the first place. Another reason is that CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.

Read and abide by the disclaimer people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.


regards, Elise




#10 iboverkill
  • Topic Starter
  • Members
  • 6 posts

Posted 15 November 2009 - 12:17 PM

I guess that all means that I shouldn't use combofix unless I am exchanging information via this website with an expert. That is pretty inconvenient. I will probably forget about this until the next time I get hit by a virus. Then I will probably get desperate enough that I will just use it anyway. I will try to remember to use every other alternative first of course. But chances are that when the chips are down I will use it without expert advice. And if it screws up my system, that will just be the price for being careless enough to get the virus in the first place.

In the meantime, does anyone know how I can fix this one remaining annoying error message regarding "ViewMgr" ? It comes up as I am logging in. I see the usual "Send / Don't Send" dialog. I am poking around for answers on this but haven't come across anything useful just yet...

#11 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 15 November 2009 - 12:42 PM

It's impossible to say what is causing that ViewMgr error message. It can be caused by any corrupted windows file that's associated with the running of ViewManager.

Any file that was infected can be corrupted; it's just a case of guessing exactly which one is causing this problem. You could try a windows repair installation. This will roll back windows to its state as it would be after installing it from the CD. You would need to re-install all windows updates after that.

regards, Elise




#12 asangarox
  • Members
  • 3 posts

Posted 15 November 2009 - 09:41 PM

Hello iboverkill,

It's related to Viewpoint Media Player. (http://www.liutilities.com/products/wintaskspro/processlibrary/ViewMgr/)

If you have it installed, uninstall it and re-install the latest version. Should fix the problem.

-Asanga

Edited by asangarox, 15 November 2009 - 09:47 PM.


#13 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,404 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 November 2009 - 11:24 PM

As stated in post 2.
With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

#14 iboverkill
  • Topic Starter
  • Members
  • 6 posts

Posted 15 November 2009 - 11:29 PM

Thanks for that information asangarox. I think that has fixed it. I have to say this whole post-infection mess cleaning exercise may be a good argument for just doing the reformat (or even better, taking care to avoid infection to begin with).
