Question

New and Incurable PE Trojan

Asked by: DavisMcCarn

First, let me mention that I have been servicing PCs for 32 years now and am very proficient at eliminating Trojans, viruses, and rootkits.  This guy, however, has been around for a little over a week now and will not eradicate with anything short of deleting the partitions and cycling power before reinstalling from scratch!
AVG, Norton, McAfee, Trend Micro, Combofix, Windows Defender, and many more, all either misdetect it, perform a partial cleanup, or ignore it altogether.
I have provided a link to an infected copy of ATF-Cleaner which is 19.5KB larger than it ought to be in the hopes that someone will know who to forward this to so that it is finally added to all of our protections.  DO NOT RUN IT UNLESS YOU WANT A THOROUGHLY DESTROYED SYSTEM AND NETWORK!


***Infected file attachment removed by rpggamergirl, Zone Advisor***

This question has been solved and asker verified.
Asked On: 2009-02-09 at 10:13:51 (ID 24126536)
Tags: Windows Death Trojan, Virus, Win32/Virut, PE infection, PE_VIRUX.a
Topics: Networking Security Vulnerabilities, Windows Network Security
Participating Experts: 14
Points: 500
Comments: 104



Answers

 

by: IndiGenus, posted on 2009-02-09 at 12:07:40, ID: 23593870

Hi,
Would you like help cleaning the PC(s)? There are a couple of real nasty ones that go around and seem to be making the rounds right now, Sality and Virut. Both are pretty much un-cleanable, although I just had a Sality machine that we were able to get. Virut, once it's fully loose and most if not all of your system files are borked then you're done.


 

by: IndiGenus, posted on 2009-02-09 at 12:15:06, ID: 23593946

tis Virut.... My Antivir picked it up on download. Ya, you don't want to play around with this one.

Antivirus  	Version  	Last Update  	Result
a-squared	4.0.0.93	2009.02.09	-
AhnLab-V3	5.0.0.2	2009.02.09	-
AntiVir	7.9.0.76	2009.02.09	W32/Virut.Gen
Authentium	5.1.0.4	2009.02.08	W32/Virut.AI
Avast	4.8.1335.0	2009.02.09	-
AVG	8.0.0.229	2009.02.09	-
BitDefender	7.2	2009.02.09	-
CAT-QuickHeal	10.00	2009.02.09	-
ClamAV	0.94.1	2009.02.09	-
Comodo	972	2009.02.09	-
DrWeb	4.44.0.09170	2009.02.09	Win32.Virut.56
eSafe	7.0.17.0	2009.02.09	Suspicious File
eTrust-Vet	31.6.6347	2009.02.09	Win32/Virut.17408
F-Prot	4.4.4.56	2009.02.09	W32/Virut.AI
F-Secure	8.0.14470.0	2009.02.09	Virus.Win32.Virut.ce
Fortinet	3.117.0.0	2009.02.09	-
GData	19	2009.02.09	-
Ikarus	T3.1.1.45.0	2009.02.09	-
K7AntiVirus	7.10.624	2009.02.09	-
Kaspersky	7.0.0.125	2009.02.09	Virus.Win32.Virut.ce
McAfee	5520	2009.02.08	W32/Virut.n
McAfee+Artemis	5520	2009.02.08	W32/Virut.n
Microsoft	1.4306	2009.02.09	Virus:Win32/Virut.BM
NOD32	3839	2009.02.09	Win32/Virut.NBK
Norman	6.00.02	2009.02.09	W32/Virut.BS
nProtect	2009.1.8.0	2009.02.09	-
Panda	9.5.1.2	2009.02.09	-
PCTools	4.4.2.0	2009.02.09	-
Prevx1	V2	2009.02.09	-
Rising	21.15.50.00	2009.02.07	-
SecureWeb-Gateway	6.7.6	2009.02.09	Win32.Virut.Gen
Sophos	4.38.0	2009.02.09	W32/Scribble-A
Sunbelt	3.2.1847.2	2009.02.07	-
Symantec	10	2009.02.09	W32.Virut.CF
TheHacker	6.3.1.5.250	2009.02.09	-
TrendMicro	8.700.0.1004	2009.02.09	PE_VIRUX.A-3
VBA32	3.12.8.12	2009.02.08	Virus.Win32.Virut.5
ViRobot	2009.2.9.1596	2009.02.09	-
VirusBuster	4.5.11.0	2009.02.09	Win32.Virut.Y
Additional information
File size: 71168 bytes
MD5...: 6d1778af8d80bdec5ccbb45d1f92670e
SHA1..: 2dc262d608370eda9caa7c172e721700bd1f2e72
SHA256: 53cb01e012e918041d084848c4c6077f0542d26a63c39f8d447540ee70128dc2
SHA512: 9ab3a8123ebef1242cfad68cc85d6720d525f7176cd6a4503e3a9c3b3a97b6cfcccc867c8177e2d0077e637c64b4df58cf7a44dcbf45f70bd01ec9ae4577156d
ssdeep: 1536:hh9wvveMLJwTFi3a048okqcOh0QDboELKSkZiJ758svd:h8zsFi3a0akbOhLgE+SkZz
PEiD..: -
TrID..: File type identification
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
PEInfo: PE Structure information
 
( base data )
entrypointaddress.: 0x551da
timedatestamp.....: 0x45d4597b (Thu Feb 15 13:00:43 2007)
machinetype.......: 0x14c (I386)
 
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x43000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x44000 0xb000 0xae00 7.87 2ee445c9295114c0f7460ea2faf9f9ac
.rsrc 0x4f000 0x7000 0x6400 7.04 13ee9025ae7363ca5e7dc5f12f92d49d
 
( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> MSVBVM60.DLL: -

                                              
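The PEInfo block in the VirusTotal report above gives, per section, the raw size, the entropy and the MD5 of the raw bytes, plus an entry point (0x551da) that falls inside the .rsrc section (0x4f000 to 0x56000) rather than in a code section. The Python script below is an added example, not part of the thread, VirusTotal or any tool mentioned here: it parses the section table of a PE file with the standard library alone and reports the three section-level tells a defender would look for when triaging a file like this one, a section with no raw data, a section with near-8.0 entropy, and an entry point inside a data-only section. The sample PE is constructed inside the script to mimic the report's layout; the set of data-only section names and the 7.0 entropy threshold are assumptions of this example.

```python
"""Triage a Win32 PE by section: raw size, Shannon entropy, MD5, and where the
entry point lands. Added example; the sample PE below is constructed."""
import hashlib
import math
import random
import struct
from collections import Counter

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PtrRelocs, PtrLinenums, NumRelocs, NumLinenums, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
# Sections that hold data, never code (assumed list for this example).
DATA_ONLY_SECTIONS = {".rsrc", ".data", ".idata", ".reloc"}
PACKED_ENTROPY = 7.0  # bits/byte above which a section looks packed or encrypted


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe):
    """Return machine type, entry-point RVA and per-section stats of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0]  # AddressOfEntryPoint
    first_hdr = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, *_ = SECTION_HEADER.unpack_from(
            pe, first_hdr + i * SECTION_HEADER.size)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "entry": entry, "sections": sections}


def triage(pe):
    """List the section-level tells worth a second look."""
    info = parse_pe(pe)
    findings, entry_section = [], None
    for s in info["sections"]:
        if s["entropy"] > PACKED_ENTROPY:
            findings.append(f"{s['name']}: entropy {s['entropy']} (packed or encrypted)")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: no raw data, filled at run time")
        if s["vaddr"] <= info["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
    if entry_section is None:
        findings.append(f"entry point 0x{info['entry']:x} lies outside every section")
    elif entry_section in DATA_ONLY_SECTIONS:
        findings.append(f"entry point 0x{info['entry']:x} lies in data section "
                        f"{entry_section} (appended-code infector hallmark)")
    return findings


def build_sample_pe(entry_rva):
    """Constructed three-section PE (UPX0, UPX1, .rsrc) shaped like the report."""
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))      # looks packed
    rsrc = b"RSRC" * 256 + bytes(rng.getrandbits(8) for _ in range(1024))
    opt_size, raw_start = 224, 512
    layout = [(b"UPX0", 0x43000, 0x1000, 0, 0),
              (b"UPX1", 0xb000, 0x44000, len(packed), raw_start),
              (b".rsrc", 0x7000, 0x4f000, len(rsrc), raw_start + len(packed))]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x45D4597B, 0, 0, opt_size, 0x010F)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    hdrs = b"".join(SECTION_HEADER.pack(n, vs, va, rs, rp, 0, 0, 0, 0, 0)
                    for n, vs, va, rs, rp in layout)
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_start, b"\0") + packed + rsrc


if __name__ == "__main__":
    for line in triage(build_sample_pe(0x551DA)):
        print(line)
```

On the constructed sample the script reports the empty UPX0 section (whose MD5 is the hash of zero bytes, the same value the report shows for UPX0), the high-entropy UPX1 section, and the entry point inside .rsrc; moving the entry point into UPX1, where a normal UPX-packed program starts, clears the last finding while the first two remain, because packing alone is not evidence of infection.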

 

by: DavisMcCarn, posted on 2009-02-09 at 12:16:17, ID: 23593960

I'm not so interested in cleaning the machines as I have already wiped and reloaded.  What I want is for the "security" companies to catch up!

I have removed Virut by replacing the infected files from a clean machine using an NTFS boot CD on several occasions and, more often than I should have to, use the same CD to delete infected .SYS rootkits.

What is cute is that Windows Defender, AVG, Trend Micro, ComboFix, MalwareBytes, and a few others merrily passed the sample I submitted right by and it is instant death and destruction if you rename it and run it.

 

by: IndiGenus, posted on 2009-02-09 at 12:17:31, ID: 23593978

Forget about the cleaning help offered. We could try and I've heard of some success with Dr Web but......the few I've seen recently have totally hosed the machines.

 

by: IndiGenus, posted on 2009-02-09 at 12:25:31, ID: 23594062

Out of that list you just named....

Windows Defender.....useless in my mind
AVG: As you can see from the report the definitions are not getting it yet
TM: Caught it

Combofix and MBAM are cleaning tools. Neither being designed to clean Virut

 

by: DavisMcCarn, posted on 2009-02-09 at 12:33:58, ID: 23594142

That's exactly what is so clever with this; it gets reported as a bunch of older trojans/viruses and they only get part of it.

Do you know of a command line scanner that would do better?

 

by: IndiGenus, posted on 2009-02-09 at 12:41:26, ID: 23594202

Sorry not quite sure what you mean when you say "get part of it". Are you saying you (or the tools) cannot delete the infected file itself? Once it's let loose and run then.....you're done.

 

by: DavisMcCarn, posted on 2009-02-09 at 13:33:38, ID: 23594787

What I mean is that, right now, I suspect even the A/V packages you listed earlier that did detect this bad guy would only be able to prevent or cure some of the attack vectors.

 

by: IndiGenus, posted on 2009-02-09 at 14:17:32, ID: 23595244

Well, you're probably right. My experience is that once it gets past the initial scan and gets let loose, you're done. I had Avira running on my VM when I tested it out, and it stopped it in its tracks before it could do anything. But you're probably right. Many of them don't even have the signature yet. Where did you get the file?

 

by: rSafe, posted on 2009-02-09 at 16:39:10, ID: 23596202

Hi,

Same problem here. A lot of computers are infected (explorer.exe etc..)
We have been fighting this virus since Friday.
Has anybody found a solution?

We submitted files to EVERY AV vendor. Some of them updated their .DAT.
Detection statistics with McAfee are up to 80 000.
Manual delete, SFC, MBAM, A2, Spybot, McAfee, Symantec, Combofix... nothing works!

Please help us!

Sorry for my bad English

 

by: DavisMcCarn, posted on 2009-02-09 at 16:39:18, ID: 23596205

rpggamergirl,

I have submitted it to several antivirus sites and worried about posting it here.  Please accept my humble apologies.

IndiGenus,

The PE dropped itself onto a freshly set up XP SP3 box with AVG, WinPatrol, and Windows Defender running when I searched for a solution to why the NVIDIA chipset was reporting the C drive was removable.

 

by: IndiGenus, posted on 2009-02-09 at 16:49:01, ID: 23596259

Sorry rSafe but Virut is pretty much a non-fix. It's a wipe and clean (from my experience anyway). Both virut and Sality are running wild right now and killing machines all over the place. I have not seen anyone who has been able to repair virut. Don't believe the Norton site either. They claim their product does and that it is a "low risk".....NOT.

DrWeb CureIT does attempt to and may be an option to try, but no promises there.

 

by: DavisMcCarn, posted on 2009-02-09 at 16:53:20, ID: 23596290

rSafe,

As near as I can determine, this guy infects the MBR (Master Boot Record), adds itself to executables, and, once running, starts other rootkit .SYS drivers, replaces a few normal drivers (WDMAUD.SYS, NDIS.SYS, as examples), and continuously downloads more infections as fast as it can.

Once it has taken over, the only way I have found to eradicate it is to delete every partition on the system and turn the system off before starting a fresh installation.  It will live right through deleting and recreating the partitions if you don't cycle the power.

 

by: IndiGenus, posted on 2009-02-09 at 16:54:03, ID: 23596295

@DavisMcCarn
Just out of curiosity, how did it "drop itself" onto the machine? And as you can see from the scan results I posted, AVG did not have their defs updated for that one yet, if that was the file in question. I love WinPatrol but it won't do anything against virut. And I already gave my opinion about Windows Defends Nothing.

 

by: rSafe, posted on 2009-02-09 at 17:14:53, ID: 23596398

30 servers, 900 workstations, we MUST find a solution :-(

Are you sure about the MBR, or is it a supposition?

What if we clean dllcache, servicepackcache and i386, and restore the Windows files after flushing WFP? Of course after manual deletion of files, REG entries and BHOs, and cleaning with multiple AV vendors in Safe Mode?

What if we connect the HDD in slave mode for disinfection?
I want to know if we have ONE chance to get it...

Thank you! I'm really impressed by the rapidity of your answers!

Again, sorry for my bad English!

 

by: IndiGenus, posted on 2009-02-09 at 17:22:28, ID: 23596441

rSafe,
I can appreciate your concern here.

First of all, this is DavisMcCarn's thread here. So you will need to start your own.

Let me know when you do this and I'll be happy to help as much as I can. But I've already stated this, if it is true virut your chances are slim at best.

 

by: rpggamergirl, posted on 2009-02-09 at 17:51:31, ID: 23596566

>>>We MUST Find a solution :-(

No solution for a virut infection; you just have to be lucky and notice and remove it on its first day of infection, but the longer it has been infecting the system, the only solution is to reformat and reinstall. It's a buggy file infector so it can't be cleaned.
A new variant of virut is now infecting .htm and .html files so it's getting worse.
The user must not back up any executables, .scr files, downloaded .zip or .rar archives, or .htm and .html files.

Virut infection is the battle where virus wins and we lose.

 

by: DavisMcCarn, posted on 2009-02-09 at 18:26:14, ID: 23596709

Yes, in my attempts to fix it this morning, AVG reported it had infected every HTM(L) file on the system, too, and even logging in as the SYSTEM account would not allow terminating the processes to delete the files.

Apparently, I got lucky last Tuesday as I was able to copy the PE-infected files (8 total) from a clean system using an NTFS boot CD.  As far as I know that system is still fine.

Why I believe it lives through partition deletion and recreation is because it literally did!  After seemingly having cleaned it and installed SP3, I found it roaring back so, from an XP CD, after a clean boot to that CD, I deleted the partition, recreated it, and reinstalled without cycling power.  I always set the network to appear in the system tray and it was running full bore the instant I installed the network drivers.

The third time was a charm as I did not give it the chance to stay RAM resident.

 

by: DavisMcCarn, posted on 2009-02-09 at 18:33:28, ID: 23596741

Oh, and IndiGenus; it came from a supposedly "safe" site after a Google search for "Nforce reports C drive as removable".  ATF-Cleaner was on the desktop and I noticed its size had changed.

 

by: DavisMcCarn, posted on 2009-02-09 at 18:37:32, ID: 23596756

And the report just in from Microsoft:
If you were to scan the files you submitted using Microsoft's Forefront Client Security product, you would see relevant detection information similar to what is displayed below.

 Submitted Files
 =============================================
 ATF-Cleaner.exe.infected [Additional Analysis Required]

Meaning, it isn't detected...........

 

by: rpggamergirl, posted on 2009-02-09 at 19:36:09, ID: 23596930

>>>it came from a supposedly "safe" site after a Google search for "Nforce reports C drive as removable".

Virut (older variants) gets into the system by visiting cracks/keygen sites.
I haven't heard of virut infecting the MBR yet.

>>>replaces a few normal drivers (WDMAUD.SYS, <<<
>>>"...it came from a supposedly "safe" site after a Google search for..."<<<
It's very likely that other infections are present in the system as well. The wdmaud.sys and sysaudio.sys in the system32 folder are search engine hijackers. If the virut didn't come from crack/keygen sites then maybe the search engine hijackers brought the user to the legit-looking fake site; either that or the legit site is hacked.

 

by: DavisMcCarn, posted on 2009-02-10 at 04:42:51, ID: 23599743

Last night I found hits that this puppy had torn up almost 500 computers in the Houston government and the link below lists entry vectors found on MySpace.  Twice this week, I have been prompted that IE blocked downloading a file from eBay, which never downloads files. http://community.ca.com/blogs/securityadvisor/archive/2009/02/09/infectious-virut-on-the-loose.aspx

The system I fought with yesterday morning had been set up with an insane RAID 5 array that the client, luckily, had backed up.  I removed the failing drive, deleted the totally bogus partitions using MS-DOS and Norton's Diskedit, installed XP with SP3 already slipstreamed, added the drivers for the chipset, sound, and video in that order, added Flash Player 10, Java 6U11, AVG, Windows Defender, WinPatrol, and ERUNT, installed all of the MS updates, and then Googled (which was the homepage) the "Nforce reports C drive as removable".  The results were all labeled as safe by AVG's linkscanner and the link I clicked on was to a major support forum I have visited before.

Bang, it was all over in seconds.........

Windows Defender actually permitted the addition of C:\Windows\Services.exe, AVG went off like the 4th of July, and Scotty turned into an incessant stream of new services and programs.

Booting to an NTFS boot CD and running AVG's VIRUT removal tool, manually deleting all of the suspicious files throughout the system, restoring the registry with ERDNT's backup, booting into Safe Mode and doing more cleaning with Autoruns and full scans of several antivirus/antispyware packages failed to eradicate it.  As soon as I let it boot normally, it was off to the races again.

This guy is really ugly and I think it will make CNN today or tomorrow.

 

by: jeremybevins, posted on 2009-02-10 at 07:58:18, ID: 23601685

I was looking at another thread and the correlation with the machines was a tax software program?

 

by: crescom, posted on 2009-02-10 at 09:21:41, ID: 23602682

I also got infected somehow about four days ago.

After getting all the other malware and trojans away, this Virut is the only one that gave me REAL problems. The most difficult problem was getting infected .exe and .scr files clean. I have many files on my computer, and about 20% of all exe files on disk were infected, even though I didn't even visit those folders while the system was compromised.

My biggest problem was how to REMOVE that virus part from executables. After trying multiple scanners I found only one that could CURE and REMOVE infected files.

First Norton was VERY promising. It detected and "cleaned" files, and a rescan found nothing.
But virustotal.com told a bad story. Norton just hid that virus from itself, but didn't remove it from the file. And everything was the same, or even worse.
Many others were even worse... Removed/quarantined without asking first, even Windows system files like explorer.exe... BAD idea!

But, after all my work I DID find a program that works ... Microsoft Windows Live OneCare ... Until this day, I had thought that the Microsoft virus scanner (Defender) was just a very big joke that didn't see anything. But this OneCare was the ONLY scanner that successfully removed infections, without removing files!

Maybe it is good to know that Microsoft will replace OneCare with a free scanner (Morro) at the end of the summer.

 

by: bciengineer, posted on 2009-02-10 at 09:34:15, ID: 23602815

I have spoken with the tax software company that was mentioned.  I think it is just an effect of the virus attaching to the .exe for that program, and that it did not, does not, originate from it.

 

by: DavisMcCarn, posted on 2009-02-10 at 12:19:51, ID: 23604842

In the last hour, both Microsoft and AVG have reported that they detect this as VIRUT.BN which it is most definitely not.  That flavor dates from September 2008 and, supposedly, everybody's antivirus will detect it.

If it were VIRUT.BN, why did it take out the Houston City Court network or the Springfield MO government?

Yesterday, AVG ignored the sample I submitted.  At least today, it does.  Should I get brave and see what happens on a fresh, clean system?

 

by: DavisMcCarn, posted on 2009-02-10 at 12:23:14, ID: 23604878

Hey IndiGenus; what tool did you use to provide the products and detection list?

 

by: IndiGenus, posted on 2009-02-10 at 12:26:28, ID: 23604918

Hi DavisMcCarn,

http://www.virustotal.com/  

I also have used Jotti  

http://virusscan.jotti.org/

 

by: DavisMcCarn, posted on 2009-02-10 at 13:10:10, ID: 23605412

Hey thanks.  Virustotal is neat; but, as a note, their version of AVG is .229 and I have .234 which makes me suspicious of their results. In AVG's case, it is also the engine version not the definitions.

An interesting set of results appears when you search http://www.google.com/search?hl=en&q=www.zief.pl%2Frc !   This is part of the string which our bad guy inserts into the HOSTS file and adds to HTM(L) files.  Some are malware forums; but, many others are infected websites poised to strike unlucky visitors.

Did rSafe start another thread?  I'm curious to see if there will be an answer.....

 

by: bciengineer, posted on 2009-02-10 at 14:12:24, ID: 23606116

Of course it is hard to say a PC is 100% clean after any infection, but using a combination of McAfee, with at least DAT5519 (updated to 5522 right now), Malwarebytes, and Combofix, I have been able to get my customer's PCs to run clean scans.  Also have had to use WinsockXPFix to restore the NIC on several PCs.

Although in most cases I would still say to rebuild, my client said that was not an option.  So I have been on site since Friday, working 12 hour days, sneaker netting to get this resolved.  I have explained I cannot guarantee it will not poke its head up somehow, but so far there have been no reinfections.

 

by: crescom, posted on 2009-02-10 at 15:26:50, ID: 23606737

> Of course it is hard to say a PC is 100% clean after any infection

I used a very old Kerio Personal Firewall (2.1.5), which I used to block and log all outgoing traffic. It seems that on an infected system winlogon.exe tries to connect outside all the time (every 30 seconds).
I've tested winlogon.exe with virustotal.com, and THAT file is not infected, but the infected one goes out by using it.
For me, Kerio has been a valuable help to discover if I'm infected... Even if scanners show that everything is clear, that may not be true... As I learned while testing Norton Antivirus 2009, which "cleaned" exes and didn't detect problems. But virustotal.com and outside traffic confirmed the infection.

 

by: DavisMcCarn, posted on 2009-02-10 at 16:41:58, ID: 23607240

OK, I use WinPatrol.com on all of the systems I service and its continuing prompt to allow C:\Windows\Services.exe was the tip-off that the system was still infested.  There was also an executable in C:\Documents and Settings\(Username) which could not be deleted, numerous TMP files in both the Windows and System32 folders, an ACROBAT.BAT file in \Windows and reports of NDIS.SYS + WDMAUD.SYS being infected.

As of today, it looks as if running a complete scan with an updated TrendMicro trial version, WinsockFix (to correct the HOSTS file), and deleting this registry entry:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\
delete this entry:
AuthorizedApplications\List \??\%System%\winlogon.exe = "\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1"
just may do most of the job.

Bear in mind that we should still have an issue with System File Protection being turned off, numerous permissions issues, uncleaned .SYS files, AND whatever effects the secondary infestations cause.  Isn't it clever of them to have generated a random link to their server so different systems get different malware?

BTW, IndiGenus and rpggamergirl; several other forums now have users reporting that it lived through a format and reinstall.
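The post above names two artifacts a defender can check from a slaved or offline disk without running anything on it: the Windows Firewall exception the infector adds for winlogon.exe under FirewallPolicy\...\AuthorizedApplications\List, and the string it writes into the HOSTS file. The Python script below is an added example, not from the thread, WinsockFix or any other tool mentioned here: it parses a .reg export of the firewall policy keys (as produced by regedit or reg export) and a HOSTS file, flags Windows system binaries that appear in the exception list of either profile, reports every non-default HOSTS mapping, and marks any domain matching the zief.pl string quoted earlier in the thread. The list of system binaries that never need a firewall exception, the StandardProfile entry and both sample inputs are constructed assumptions of this example.

```python
"""Review a Windows Firewall AuthorizedApplications export and a HOSTS file for
the two artifacts named in the thread. Added example; samples are constructed."""
import re

# Windows system binaries that have no business in the firewall exception list
# (assumed list; winlogon.exe is the one the thread names).
SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe", "csrss.exe", "smss.exe"}
# Domain the thread associates with the string injected into HOSTS and HTML files.
SUSPECT_DOMAINS = {"zief.pl"}
# Stock HOSTS mappings that are expected and therefore not reported.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# "name"="value" line of a .reg export; backslashes and quotes are escaped with '\'.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Map each [key] in a .reg export to its REG_SZ name/value pairs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def firewall_findings(reg_text):
    """Flag system binaries listed as authorized applications in any profile."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(r"\authorizedapplications\list"):
            continue
        profile = key.split("\\")[-3]        # DomainProfile or StandardProfile
        for app, rule in values.items():
            exe = app.split("\\")[-1].lower()
            if exe in SYSTEM_BINARIES:
                findings.append(f"{profile}: firewall exception for {exe} -> {rule}")
    return findings


def hosts_findings(hosts_text):
    """Report every non-default HOSTS mapping, marking known-bad domains."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if (ip, name) in DEFAULT_HOSTS:
                continue
            bad = any(name == d or name.endswith("." + d) for d in SUSPECT_DOMAINS)
            tag = "known-bad domain" if bad else "non-default mapping"
            findings.append(f"hosts line {lineno}: {tag} {ip} {name}")
    return findings


# Constructed samples; the winlogon.exe entry mirrors the one quoted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:@shell32.dll,-1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""

SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "127.0.0.1       localhost",
    "203.0.113.7     www.zief.pl        # constructed TEST-NET address",
    "203.0.113.9     update.example     # constructed, unexplained mapping",
])

if __name__ == "__main__":
    for line in firewall_findings(SAMPLE_REG) + hosts_findings(SAMPLE_HOSTS):
        print(line)
```

Reporting every non-default HOSTS line, not only the known-bad domain, is deliberate: the thread notes that the inserted link varies between systems, so a fixed indicator list would miss most of them, while a stock XP HOSTS file has only the localhost entry and anything else deserves a look.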

 

by: bciengineer, posted on 2009-02-10 at 22:05:27, ID: 23608593

I have a few that McAfee still hits on winlogon.exe on every scan.  It seems to be a variant of the virus that is loaded to memory, W32/Virut.n!mem.  Those machines are getting rebuilt.  Along with formatting the hard drive I am formatting the MBR.  I have not seen any sign of this virus living through that.

ComboFix took care of the TMP files and any files I was unable to delete by other means.  Check for C:\Avenger\ndisio.sys.

I've loaded Active Ports 1.4 on several PCs to monitor connections, and have not seen any suspect traffic yet.

 

by: DavisMcCarn, posted on 2009-02-11 at 04:10:46, ID: 23610484

I believe you should check the registry entry from my last post.

 

by: ubertech99, posted on 2009-02-11 at 04:20:11, ID: 23610556

Thank you Davis for the info. I had a client get hit with this on Tuesday and I've been freaking out trying to figure out what in the world is going on. I feel a little better at least having a clue at this point.

 

by: crescom, posted on 2009-02-11 at 09:34:39, ID: 23613770

I MUST correct myself. Today I ran scan+clean with Norton AntiVirus 2009 from a clean system on the infected partition. And I'm glad to inform you that the cleaning seems to be working.

Cleaning with Norton or OneCare does not return files to their exact state before infection, and it seems that infection+cleaning will leave some 'signatures' that would trigger some other AV programs.
I'm not sure if you can call these 'false positives', but my system seems to be running just fine, without problems. (Now I also have an outgoing firewall, so I can see if there is unknown traffic from my system.)

 

by: DavisMcCarn, posted on 2009-02-11 at 12:31:22, ID: 23615800

I worry that files are not in the "exact state before infection" and would caution you that this is a morphing trojan that infects different EXEs in different ways.

But: if it seems clean after a week of use (with daily scans), installing SP3 ( http://www.microsoft.com/DownLoads/details.aspx?FamilyID=5b33b5a8-5e76-401f-be08-1e1555d4f3d4&displaylang=en ) should replace most of Windows leaving the new files clean.

You may also want to run Dial-A-Fix to remove any policies left behind and its repair permissions function (click on the hammer icon) http://www.majorgeeks.com/download4899.html

 

by: mtw77 | Posted on 2009-02-12 at 00:26:45 | ID: 23620152

After almost giving up on this last night, I saw the MS post about it:

http://www.microsoft.com/security/portal/Entry.aspx?Name=Virus%3aWin32%2fVirut.BM

And gave their online scanner a try with the drive slaved to a clean PC.  It seemed to do the trick, but did leave me with a lot of exe corruption.  WFP seems to be fixing things back up, and System File Repair on MSERD 5 got that started.

Still don't have a final verdict, but it's better than it looked 24hrs ago.

 

by: elemcom | Posted on 2009-02-12 at 06:17:05 | ID: 23622103

I was successful (I think) at removing Virut.56 with DrWeb, version 2009-02-11. It certainly seems clean now at any rate, with no oddball entries in HijackThis.

Infected XP drive was removed, and slaved in test machine also running XP with fresh DrWeb installed. Complete scan performed, with infected files set to be cured where possible, deleted where not. Was able to cure all important infected files, there may possibly be some program files that need to be reinstalled, but for now the operating system seems intact. I did catch this machine fairly early in the process, can't say if it would work like this in another instance.

I'll be monitoring this machine for some time.

 

by: ubertech99 | Posted on 2009-02-12 at 06:40:28 | ID: 23622368

Yeah. Looks like the cavalry is starting to arrive. I've been testing with Symantec Corporate 9 AV. Tuesday it was only able to quarantine affected files. As of last night, it claims it is able to clean the files and leave them in place. I am only doing this with test files so I don't know if the exe files in question are truly cleaned and intact. I've already had my fun with this bug so I'm not going to try and run these exe's and see if they are truly clean, but I am heartened that the security response seems to be increasingly effective on this atrocious bug.

 

by: bciengineer | Posted on 2009-02-12 at 07:13:04 | ID: 23622717

"I worry that files are not in the "exact state before infection" and would caution you that this is a morphing trojan that infects different EXE's in different ways."

After McAfee has run clean several times, I have run tools from several other vendors: Sophos, F-Secure, MS OneCare.  They all seem to find at least one more infection.  The date modified on the file F-Secure's online scan found was what it should have been (2008) and not on or around the date of infection.

Not sure what to make of that, but hope it is just a false alarm.  I have not seen any suspicious activity yet.

I can't remember who posted this: http://blog.trendmicro.com/virux-cases-escalate/ but thanks for the link.

 

by: bciengineer | Posted on 2009-02-12 at 11:59:41 | ID: 23626036

Anyone else see devices created under Network Adapters in Device Manager from this virus?  Actually I think it was due to a rootkit that was installed once the virus connected to an IRC server, but I just can't seem to shake this part of the puzzle.  Winsockxpfix repairs it for a little while but never gets rid of the bogus devices, and the NIC stops working after a while (maybe after reboot).

 

by: DavisMcCarn | Posted on 2009-02-12 at 14:59:54 | ID: 23627969

Sophos has identified this as W32/SCRIBBLEA and identified it as a new derivative of VIRUT: http://www.sophos.com/security/analyses/viruses-and-spyware/w32scribblea.html

They also have a command line tool to remove it: http://www.sophos.com/support/disinfection/pedis.html

I believe, at this point, that the MBR and Downadup infections that I have seen personally are secondary and result dependent on the specific page the VIRUT/SCRIBBLEA connects to with IRC.

Yes, I too saw the network adapter issue and attempted uninstalling the drivers, deleting the registry entries, and reinstalling the network to cure it.  I'll bet your NDIS.SYS is infected and you may have NDISIO.SYS (which is not a legitimate file) as well.  You still need to remove the PE as it is still extant and probably replace NDIS.SYS, too.

Tell me if the Sophos tool works, OK?

 

by: elemcom | Posted on 2009-02-12 at 15:44:42 | ID: 23628286

Alas... back to square one.
Trying the Sophos tool.

 

by: mtw77 | Posted on 2009-02-12 at 17:37:50 | ID: 23628902

Looking further into the phantom network hardware, I saw references to MS_PASSTHRU so I went to HKLM\SYSTEM\CurrentControlSet\Enum\Root and removed the MS_PASSTHRUMP key; it listed both of the phantom devices there.  I had to give Everyone permission on the key to delete it, but after that and a reboot, they are gone.

I found a few references online to MS_PASSTHRU and it's referenced in a CA bulletin for the AV 2010 malware program.


Still investigating though.

 

by: ubertech99 | Posted on 2009-02-14 at 11:58:46 | ID: 23642037

Well I can confirm that the Sophos tool does detect as Scribble.A and *claims* to be able to disinfect the file. I'm still too terrified to run one of the claimed clean exe files. It would be very nice to hear from those that are using the tool to try and disinfect a system that they are trying to keep alive.

 

by: ubertech99 | Posted on 2009-02-14 at 12:04:15 | ID: 23642049

I should also add that AVG can detect under generic Virut designation but is still unable to clean the file.

 

by: JerrytheGreat | Posted on 2009-02-14 at 14:40:24 | ID: 23642585

All here: please see my post where I beat this thing down once. Hopefully the steps I took will help someone else.  I'm on my second system down with it now..

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/Q_24118925.html

 

by: JerrytheGreat | Posted on 2009-02-14 at 14:48:46 | ID: 23642606

AVG didn't detect squat when I slaved the hard drive to another computer with AVG a few hours ago.

 

by: mtw77 | Posted on 2009-02-14 at 15:03:37 | ID: 23642656

Looks like JerrytheGreat found the MS_PASSTHRUMP before me, sorry I hadn't found your thread sooner.

The infected PC I was working on is now fine after 2 days, this was a fun challenge.

 

by: JerrytheGreat | Posted on 2009-02-14 at 17:48:46 | ID: 23643129

I can confirm that the eval version of CA 2009 does clean 90% of the files, and quarantines the rest. I have my sick PC's hard drive slaved off another computer to do the cleaning--dangerous, but I have another XP SP3 computer to replace any files, so my fingers are crossed it will be bootable and stable enough to repair after the virus is out.

 

by: ubertech99 | Posted on 2009-02-14 at 18:21:31 | ID: 23643291

@JerryTheGreat: Weird on the AVG. Where I've encountered this version of Virut, AVG was able to detect it (just not do anything about it, heh....).

Another scanner you might want to run on the slaved drive is the Kaspersky online scanner. It won't actually perform any actions but it will tell you what files are infected and then you can, of course, go nuke the files yourself.

I've currently got this client's drive in a USB carrier and have hit it with the Sophos command line scanner, AVG and Kaspersky. Every scanner has found some straggling infections that the other ones missed. Currently I am whacking it with Symantec Security Check scanner to see what it gets. I guess I should also mention that this system/hard drive is not in a recoverable state due to overwhelming infection (SDfix deleted the entire System32 folder when I ran it so that was pretty much that). I just want to make sure no bugs are in the data I'm going to copy off before rebuilding the system.

Blinkity blank malware. Grrrr....

 

by: mtw77 | Posted on 2009-02-14 at 18:27:28 | ID: 23643346

I have to still say, although I've never used it prior to this, the online MS OneCare scan found and repaired all but one file.  After that, neither CA nor AVG found anything, but NIS 2009 did find one file.

Then an SFC /scannow and a reinstall of SP3 did most of the fix.  I did have to do the regedit for the phantom network stuff.

And prior to all of this I removed the spyware infecting the PC, but that was the easy part with the MSERD.


 

by: JerrytheGreat | Posted on 2009-02-14 at 19:53:51 | ID: 23643552

So far, I got the system bootable after slaving, and replaced the system32 files quarantined by CA. Unfortunately, Norton took a stab at it and deleted a few things without logging it, so it's not all that happy yet--still working on it...

 

by: JerrytheGreat | Posted on 2009-02-14 at 20:58:19 | ID: 23643666

Windows repair installation in progress....

 

by: ubertech99 | Posted on 2009-02-16 at 06:26:15 | ID: 23649975

OneCare did not pick up anything but I'm not sure that it scanned the removable drive. There did not seem to be any option to specifically point it to the external (I didn't look very hard, it was late and I was pretty glazed over by that point).

Symantec Security Response found yet another straggling Virut element and a few other bits of malware. At this point I have reformatted and reinstalled the OS and returned the computer to the client.

How is everyone else doing?

 

by: elemcom | Posted on 2009-02-16 at 07:38:54 | ID: 23650707

Well, still bashing away at this.. running a Drweb live cd scan right now.

Pretty well had enough of this. If this scan doesn't fix, going to pull as much clean data as i can and start fresh installation on different hard drive.

 

by: ubertech99 | Posted on 2009-02-16 at 08:22:45 | ID: 23651150

Yeah, this bug is like a giant wad of chewing gum thrown right into the middle of the cogs of the machine. While you can painstakingly (emphasis on PAIN) clean every square millimeter of the cogs with Q-tips, the likely better answer is just to pull the cogs and rebuild the machine. Depending on the user though, the process of getting back to where they were (all the little rarely used but vital apps, complicated phone sync setups and on and on...) can take weeks or truly even months before they are back to where they should be. All for no better reason than some horrid person developed and lobbed this bug into the wild.

I would so like 5 minutes alone with the developer of this variant.....

 

by: JerrytheGreat | Posted on 2009-02-16 at 10:35:46 | ID: 23652475

My reinstall was successful, but it looked like Norton 2006 (had up-to-date defs) broke too many things trying to battle the virus.

I formatted, scanned and cleaned the backed up data with CA 2009, and then brought the data back in to a fresh install.

Client is happy; I'm not.--that's 1 for 2 for me with this virus.

 

by: JerrytheGreat | Posted on 2009-02-16 at 10:38:23 | ID: 23652510

Now the question is, what to protect it with now that it's clean....My current plan is to leave the eval of CA for a week, then put SEP11 on it.

 

by: DavisMcCarn | Posted on 2009-02-16 at 11:31:01 | ID: 23652941

Hey, McAfee recognized its existence today; but, their page still doesn't have the method of infection or exactly what it does......

It, BTW, uses iFrames on infected HTM(L) pages to launch itself at anyone unlucky enough to view that page.  I searched on Google and got hits on several newspaper archives and genealogy pages.

The latest unlucky recipients were two county school systems in South Carolina.

I'm tempted to copy all the EXE's and SYS files from a couple of my systems onto a CD to carry around.

I keep wondering why we don't hunt these kinds of folks down and sue them!

 

by: elemcom | Posted on 2009-02-18 at 03:57:26 | ID: 23669225

Well, the DrWeb Live CD scan ran and showed the presence of numerous offbeat dll files and an ini file in the system32 directory, so I rebooted with a BartPE disc and manually removed or renamed those files. Ran a DrWeb scan, which found and cured all infected exe's. All again with Virut.56, but nothing else. Rebooted and ran another scan, which came up clean.

Not sure why the Live CD scan didn't cure the files initially, as it took 48 hrs to perform.. but that was the first time I'd used it so likely had a setting wrong. Live and learn.

Next, going to manually check the registry for any reference to the files I deleted/renamed.
None found.

Installed CCleaner to tidy up registry, no strange references found.

Ran rmvirut from Grisoft for a final check, all good.

The difference this time was the manual check thru the windows32 folder. One of those files -had- to be the culprit that was keeping the code alive and was continually getting missed by the scans. Not sure why, and I didn't keep a copy of the files.

New AV installed, as well as firewall program.

Not going to make any money on this one, but learned a lot. Put me on the list to personally interview the maker of this variant.

 

by: IndiGenus | Posted on 2009-02-18 at 12:57:39 | ID: 23674815

Hi Guys,

A lot of good information here. I also just found this link to some info. with a good technical analysis.

http://securitylabs.websense.com/content/Blogs/3300.aspx

Just blogged about my muses with the original sample that was given (very non-technical).

My stance stays the same......wipe and load on Virut. While I was able to get the machine (apparently) clean (thanks to DrWeb and combofix for killing the rootkits and drivers), it blew away the network. Could probably fix with a repair install but.....

While I still say we can clean more than 98% of all malware infected machines, Virut should fall into the 2%.

Regards,
Dave


 

by: JerrytheGreat | Posted on 2009-02-18 at 13:42:34 | ID: 23675322

Until the repair tool people get a better handle on this, I concur--even if I can clean it.

Those of us that are outside service companies lose money on the job with the time it takes with a 50% success rate at best for the effort--you just can't bill a customer for 6 hours labor on a virus repair!!!

 

by: elemcom | Posted on 2009-02-18 at 14:01:19 | ID: 23675514

Heh... you're likely correct.

I'd be a lot quicker on the next fix, assuming I fixed it at all.

 

by: JerrytheGreat | Posted on 2009-02-18 at 14:03:49 | ID: 23675542

That's what I thought...

 

by: JerrytheGreat | Posted on 2009-02-18 at 14:04:28 | ID: 23675550

A few more humbling moments like that, and I'll have to change my name...

 

by: rSafe | Posted on 2009-02-18 at 15:39:43 | ID: 23676444

So, we have restored 30 servers from the last backup before the 2nd of February in a "clean" VLAN.
Then we check the registry and files and launch a quick scan with DrWeb CureIt.
After we do all the updates and install "monitoring" tools, we put them in the infested network.
Everything has been OK since Friday, but for 4 of them we have had some difficulty cleaning the other data disks.

For client computers we have restored a lot of them, but since Friday we have cleaned many machines directly on the corrupted VLAN and everything looks good.

During our tests we noticed a lot of things. I will try to summarize:

First, block as many of the IPs and DNS names used by Virut as possible.
Then, clean the infected files in safe mode. If system files are infected, use DrWeb or another bootable cleaner.
Third, reboot directly into Safe mode and:
- Delete all registry keys used by Virut. (HijackThis and Autoruns can help.. but don't forget services and "ghost" LAN or WLAN adapters, and also the winlogon firewall configuration posted in this thread.)
- Clean ALL temporary files in all user profiles; delete all the content of "Temporary Internet Files".
- Clean the RECYCLER folder on ALL partitions.
Fourth, on some machines Windows File Protection is corrupted or deactivated, so clean ALL cache folders: dllcache, servicepackfiles, i386 (if present and set as sourcepath).
Fifth, check the windows and system32 folders manually (dll, xx.exe etc.....).
Sixth, fix every Windows part in depth, manually or with your favorite tool/script.
Then do all the Microsoft updates (and/or SFC if you are sure that all "cache" folders are empty...).
That worked for us; on some computers something was wrong but now it's fixed. I think I have located a new "dropper".
Checked on VirusTotal: result = 0/39. I saw it when Virut reinfected a monitored computer.
I have uploaded the file to the AV vendors and will come back to keep you informed and eventually give more details.
With a minimum of organisation we spent at least 2 hours cleaning one computer. But you can fix more computers simultaneously. Friday, ~8 PCs per technician in one day. Now we approach 25.
It's not done; we hope it continues like that until we finish the process...
Good luck all!
Sorry for my bad English

 

by: elemcom | Posted on 2009-02-18 at 16:54:38 | ID: 23676822

Good explanation of your process rSafe, those were basically the steps I stumbled upon but didn't write down here, with the exception of the blocking of the network connections, as I didn't have the unit connected to a network until after I felt it was clean.

My customer felt sorry for the amount of effort I'd put in, he stopped in with 2 bottles of scotch!! I told him to bring the machine back anytime. :D

 

by: ExtremeControlSystems | Posted on 2009-02-21 at 08:59:54 | ID: 23700624

rSafe or elemcom, could you give clearer instructions..  What exactly do you mean by clean?  Delete every file?  Or, as I am doing, cleaning with DrWeb?

 

by: DavisMcCarn | Posted on 2009-02-22 at 11:27:58 | ID: 23706065

OK, for the moment, it seems as if ZIEF.PL (58.65.236.18) has been taken offline; but, given that they existed for 2 years, recurring as yet another component of VIRUT, how long will they stay incommunicado?
Along with that, I have scoured the net for a way to block all traffic from their domain/IP and, without installing new software, the only way I have found is to implement an IP Security Policy which blocks all traffic.  It is difficult to test it as ZIEF.PL is now inaccessible.

Going further, ZIEF.PL is hosted by HOSTFRESH.COM so I decided to block the entire range owned by Hostfresh which includes ZIEF.  It is unfair to the innocents also using Hostfresh; but, if this were employed as a tactic on any large scale, it would surely make the hosting companies which allow this kind of activity to get their act together, huh?

BTW, our wonderful bad guy knocked out 6,000 computers in two county school systems in SC on the 16th, a week after I started this thread and reported it to Microsoft.

 

by: DavisMcCarn | Posted on 2009-02-27 at 04:10:34 | ID: 23754888

On Monday, the 23rd, I set up a security policy to block the IP address range used by ZIEF.PL; but, when I went to test it prior to protecting my clients, discovered it had been taken offline and was not responding to pings.  As of this moment (7:00 A.M.), it is back online at a completely new IP ( 61.235.117.80 )  Hold onto your hats, folks, here we go again!

 

by: rSafe | Posted on 2009-02-27 at 14:07:56 | ID: 23760029

Thank you Davis!
Also good to know:
The latest version of CureIt also cleans html files.

90% of our computers are now clean.
But we have the same problem with 50% of Windows 2000 SP4 computers:
COM+ components are damaged and we can't fix them with the Microsoft "process".
So, we have malfunctions with some services and Microsoft Update refuses to work.
Dial-a-Fix did nothing; the problem is linked with this COM+ issue.
I will work on this tonight.

 

by: JerrytheGreat | Posted on 2009-02-28 at 11:57:02 | ID: 23765081

I had 2 more XP PCs come in this week with Virut infections.  After slaving the drives and cleaning them with CA 2009 (making sure no critical files got quarantined), neither would boot into windows explorer. I tried everything including SP3 reinstall and a manual registry restore.  I ended up backing up data and format-reinstalled both. Anyone have better luck removing this and repairing Windows without wiping the system?

PS one had the latest version of AVG; the other had an older version of Norton with updated defs.

 

by: DavisMcCarn | Posted on 2009-02-28 at 12:12:59 | ID: 23765145

If it was any day but Friday, they were old infections that the owners sat on hoping they would hatch.....  (ZIEF.PL was down until Friday)

The other complication with VIRUT-2009 (it ain't the older ones!) is that each system links to a randomly generated remote and starts downloading secondary infections that are different, based upon that page.

 

by: DavisMcCarn | Posted on 2009-03-03 at 05:09:36 | ID: 23783335

Oh great!  We have a new flavor reported yesterday which not only connects to the still operative ZIEF.PL; but, also to kn0cturnal.no-ip.biz

http://www.threatexpert.com/report.aspx?md5=86129b9095b008eb871de4b4db8819ec

 

by: SpencerKarnovski | Posted on 2009-03-04 at 07:16:54 | ID: 23795502

Hi

I have been infected by this yesterday, I'm the IT guy, and it was only my machine that got infected.  Made me look like a right fool. :)

I certainly did not visit any naughty sites.. I did leave my PC all night though, without locking it.  I think that some of the factory staff have been using my machine.  Still, this won't happen again.  Anyway, I digress.

I immediately isolated my machine - then ran scans on all other machines on our network using AVG.  Anyhoo - once a machine is infected, can it infect other machines on the LAN?

I have taken out the offending HD and added it as a Slave. I would like to now run some online scans but am very worried about connecting it to our network (so I can get internet access).

Is it safe to connect?  I dread to think what could have happened if this virus had gone throughout our network.  There would be about 40 people made redundant - there is no way we could afford installing a new server OS, MIS..
Thanks

 

by: DavisMcCarn | Posted on 2009-03-04 at 09:36:13 | ID: 23797109

Disconnect that drive, install XP, all updates, and your various trojan/antivirus tools before you connect that drive back to the system.

One of its possible secondary infections is an MBR trojan that will let it loose on your network.  If you don't have that flavor, .SCR, .EXE, & .HTM(L) files are off limits until you are clean.

 

by: JerrytheGreat | Posted on 2009-03-04 at 19:23:51 | ID: 23802350

Spencer, since you already added the drive to a computer, you may have infected that as well. Find a 3rd computer, perhaps a laptop if you have a USB chassis you can put your drive in. Regardless of whether you use USB or connect it as a slave:

Before connecting the drive install either McAfee or the CA 2009 trial, update, and then connect the drive and scan. The other experts here may add other apps known to properly id and clean this thing. As a matter of fact, I'd love to get someone to make a current list--e.g., is AVG now able to clean this? How about NAV2009?  SEP 11.4? Webroot AV? Avast? Can these apps really clean it, or just quarantine infected exe files?

 

by: SpencerKarnovski | Posted on 2009-03-05 at 02:12:23 | ID: 23803962

Hi Jerry - thanks for helping out here.  And sorry for sort-of hijacking this thread.  Should I make my own?

Anyway, I scanned the slave drive and found 3568 viruses - these were of course all the .exe files within Windows, and my programs.

When I first found out I had the virus I scanned using AVG - downloaded especially (as our network McAfee AV did not discover the virus). It discovered the virus but then removed the files when it healed them.  So I could no longer access Windows.

So I put the drive in a clean system, then scanned using CA - that found the 3568 problems listed above.   Now I'm sure the slave drive is clean, so I have copied the Documents and Settings folder, with only my sub-folder, to the spare drive (not the primary drive) on the clean PC.

So, as Jerry has recommended, I will install XP - then CA - WinPat - Malwarebytes - and then finally hook up the computer to the network, to gain internet access to install the XP updates via Windows Update.

My only concern is that the virus stays after I do the reformat - and that the files I will transfer back over (from Documents and Settings) still have the virus, which will then infect the new PC - and possibly the network.

I'm still shaking thinking of how close our business came to closing down.. I mean, if this virus got on our network (server, internal data captures, print ready machines, meta machines) our business would be dead..  I'm not that experienced, yet, therefore we would have to get an IT company in to install our OS/MIS/IDC - every comp would need reinstalling - damn, don't think they have the CDs even.   We are running Windows Server 2000, our switch is failing - wires are hanging up with tape - and my boss does not want to spend.

I think I'm going to insist now every user has FF + NoScript addon.  I'm going to install WinPat on every PC..

So it is sooo important that there is no chance this virus gets on our network.. Could mean that 40+ people are out of a job (our business is suffering at the moment, we could not afford to spend £1000, let alone 10K) if I get this wrong..

 

by: SpencerKarnovski | Posted on 2009-03-05 at 02:43:52 | ID: 23804140

Hi Davis - firstly, thanks for making this post.  It has been very helpful indeed.

My virus is named Win/Virut - and that is it, so I do not think this is the strain that infects MBRs.. Although, one cannot be entirely sure.  This is one damn nasty virus.  In some regards I respect, or admire, the intelligence to create such a beast; on the other hand I'd like the maker, or makers, to be dealt with!

 

by: master037 | Posted on 2009-03-05 at 02:46:57 | ID: 23804163

I infected my laptop 10 days ago, and cleaned it in 2 days. The only solution - in my opinion - is the Dr.Web LiveCD with updated antivirus. You can download this ISO file - it's free and 64mb - burn it on CD, set the computer to boot from CD - load Linux as it is not affected - start a scan of all HD drives with the option to cure exe files if it finds them, and if it can't cure them - to delete them. After running this scan twice, I recovered most of my exes and I'm now typing this answer from that laptop - and there was no need for reinstallation. But, because I used BitDefender as antivirus, it deleted a lot of important system files and I only had to repair Windows and everything was ok.

 

by: DavisMcCarn | Posted on 2009-03-05 at 04:27:27 | ID: 23804766

Spencer,
If there are any HTM(L) files in your Docs folder, I think you should inspect them with Notepad (Right-click, then Open With) to see if they have the inserted references to zief.pl.  VIRUT adds an iFrame to HTM(L) pages which can sit there waiting for an unlucky person to double click on it.

Again; though, too (!!!), VIRUT infects EXE, SCR, & HTM(L) files directly; but, also opens an IRC channel with a randomly generated endpoint that then downloads other, secondary nasties which can be radically different from system to system.

I would suggest taking any "cleaned" machine offline for several days, then updating your antivirus and scanning again.

I'm also dismayed that McAfee did not catch it a full month after its initial release and wonder why the world hasn't blocked ZIEF.PL  & the NO-IP.BIZ on every DNS server on the planet!

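As an added illustration of the check Davis describes above (this is example code, not a tool from the thread or from any vendor): a script that walks a folder of HTM(L) files pulled from a slaved drive and flags iframes that are hidden or point at the zief.pl / no-ip.biz hosts named in this thread. The watch-list, the sample pages and the URLs in them are constructed for the example.

```python
"""Flag HTML files carrying a hidden or watch-listed <iframe> (added example)."""
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Watch-list assumed for the example: the hosts this thread names as the
# infection's download/IRC endpoints. Extend it with your own indicators.
SUSPECT_DOMAINS = ("zief.pl", "no-ip.biz")
HTML_EXTENSIONS = {".htm", ".html"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# width="0" / height=0 / height="0px" (a 1x1 or 0x0 frame is the usual injection)
ZERO_SIZE_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0+(?:px)?["']?(?=[\s>/])""", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def _host(src: str) -> str:
    """Lower-cased host part of an iframe src; scheme-less values are tolerated."""
    if "://" not in src:
        src = "http://" + src.lstrip("/")
    return (urlparse(src).hostname or "").lower()


def _domain_matches(host: str) -> list[str]:
    """Watch-list entries that equal the host or are a parent domain of it."""
    return [d for d in SUSPECT_DOMAINS if host == d or host.endswith("." + d)]


def _is_hidden(tag: str) -> bool:
    return bool(ZERO_SIZE_RE.search(tag) or HIDDEN_STYLE_RE.search(tag))


def find_suspect_iframes(html: str) -> list[dict]:
    """One record per iframe that is hidden or whose src host is watch-listed."""
    findings = []
    for match in IFRAME_RE.finditer(html):
        tag = match.group(0)
        src_match = SRC_RE.search(tag)
        src = src_match.group(1) if src_match else ""
        host = _host(src) if src else ""
        matched = _domain_matches(host)
        hidden = _is_hidden(tag)
        if matched or hidden:
            findings.append({"src": src, "host": host, "matched": matched,
                             "hidden": hidden, "offset": match.start()})
    return findings


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Walk a directory (e.g. a slaved drive's Documents folder); map flagged files to findings."""
    report: dict[str, list[dict]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in HTML_EXTENSIONS:
            # Read loosely: infected pages are often not valid UTF-8.
            hits = find_suspect_iframes(path.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples (not captured pages). The first mimics the injection the
# thread describes: a zero-size frame and a display:none frame pointing at the
# watch-listed hosts. The second is an ordinary visible embed that must not be flagged.
SAMPLE_INFECTED = (
    "<html><body><h1>Family tree</h1><p>Harmless genealogy text.</p>\n"
    '<iframe src="http://zief.pl/constructed-sample" width="0" height="0" frameborder="0"></iframe>\n'
    '<IFRAME SRC="http://kn0cturnal.no-ip.biz/constructed" style="display:none"></IFRAME>\n'
    "</body></html>"
)
SAMPLE_CLEAN = (
    '<html><body><iframe src="https://www.example.com/embed" width="300" height="200">'
    "</iframe></body></html>"
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("constructed sample:", find_suspect_iframes(SAMPLE_INFECTED))
    else:
        for file, hits in scan_tree(Path(sys.argv[1])).items():
            for hit in hits:
                print(f"{file}: iframe -> {hit['src'] or '(no src)'} "
                      f"hidden={hit['hidden']} matched={hit['matched']}")
```

Run it with the mounted drive's Documents folder as the argument; a hit only means the page deserves a manual look in Notepad, as Davis suggests, not that the page is certainly infected.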
 

by: DavisMcCarn | Posted on 2009-04-29 at 04:10:24 | ID: 24259060

 

by: ubertech99 | Posted on 2009-04-29 at 07:01:44 | ID: 24260546

Yeah, I forgot to mention here that I saw Virut on a client's laptop the week before last. (I think he picked it up April 13th or 14th). I so do hate seeing that bug. I'm afraid of even letting other computers get physically near a Virut infected computer for fear that the atrocious bug has developed an airborne variant!

 

by: DavisMcCarn | Posted on 2009-04-29 at 08:49:29 | ID: 24261790

And ZIEF.PL is alive and well at a new ip address!  (Isn't there somebody or some way to permanently block them on everybody's DNS servers, GEEZE!)

Nor does there seem to be a good way to block IRC traffic without crippling the computer.

 

by: JerrytheGreat | Posted on 2009-04-29 at 18:05:00 | ID: 24266135

I'm now having a very high success rate removing virut by slaving/usb attaching the HDD of the infected computer and scanning it.  One last thing I must consistently do is replace the userinit.exe file--It seems to get damaged every time--causes the computer to immediately log off when you try to log on.

 

by: ubertech99 | Posted on 2009-04-29 at 18:11:11 | ID: 24266156

@JTG: With what scanner(s)?

 

by: JerrytheGreat | Posted on 2009-04-29 at 18:17:53 | ID: 24266191

Any up-to-date AV seems to work for me.  Basically, whatever is already installed on the other computer. Currently Kaspersky or SEP 11, but I would speculate any AV will now catch Virut and its variants.

I got excited about the Dr Web CD, but could not get it to take the updated defs from my flash drive, so I went back to slaving.

 

by: DavisMcCarn | Posted on 2009-04-30 at 04:12:14 | ID: 24268614

AVG has a removal tool that works on the February version of VIRUT
http://www.avg.com/us.virus-removal.ndi-67762

What I really don't like is we are still cleaning up afterwards rather than stopping it beforehand.

 

by: ubertech99 | Posted on 2009-04-30 at 08:22:42 | ID: 24270925

I wonder if they updated this removal tool. This tool was able to detect and *remove* the infected files back in February but it was not able to *clean* them. Is this one able to actually strip the virus code out?

As for blocking it altogether, I hear you. ICANN has been much lauded for helping with containing Conficker. While I understand why they don't want to be in the business of blocking every last little spambot in the world, Conficker's damage to date has been next to nothing. Virut's damage has been extensive and brutal. Pretty much seems a no brainer on blocking the known sites it is using you would think.

 

by: DavisMcCarn | Posted on 2009-05-22 at 04:09:21 | ID: 24449549

It's still out there, seemingly impossible to stop, and this time it took out Tuscan's PD: http://www.spamfighter.com/News-12388-Virus-Infiltrates-Computers-at-Tuscan-Police-Department.htm

 

by: JerrytheGreat | Posted on 2009-05-23 at 20:23:33 | ID: 24460360

Yup, I just cleaned it off yet another PC last week. This time I had to replace 4 critical system files to get it back up after slave-cleaning. I had to use process of elimination, as my tech did not save the scan log.

 

by: DavisMcCarn | Posted on 2009-06-25 at 05:45:18 | ID: 24710768

Tolomir,

The saga of VIRUT continues and there is still no effective cure short of deleting all partitions, cycling power, and then truly starting from scratch.  It also seems to have the ability to morph enough to prevent effective detection and prevention.

Some users have been very lucky in catching VIRUT before it has embedded itself too deeply and they can (sort of) "fix" things by replacing the infested files with clean copies.  Because VIRUT downloads secondary infestations using IRC, I worry this method is not thorough enough to prevent further activity.

If the question needs to be closed, which I can understand, the true answer is that there is no answer; wipe the system, reload, and be suspicious of every file kept (music, html, etc.)

 

by: JerrytheGreat | Posted on 2009-06-25 at 07:20:46 | ID: 24711652

While there is no real "answer" to removing viruses, I think the community would benefit from flagging this as resolved with a split amongst the postings that specified solutions.  From a quick review, mtw77, Ubertech99, elemcom, rsafe and myself all provided recommended (tested) ways to effectively remove this Virut variant MOST of the time without having to wipe everything.

Furthermore, most new versions of antivirus now incorporate browser protection, which eliminates the entry vector "hole" that virut variants use to infect machines.

 

by: rpggamergirl | Posted on 2009-07-15 at 17:42:16 | ID: 24865508

Virut that is already in the system for a while is like fighting a losing battle.
A reformat is the quickest and the safest solution.

http://www.experts-exchange.com/articles/Software/Internet_Email/Anti_Spyware/Virut-Malware-continues-to-evolve.html

 

by: DavisMcCarn | Posted on 2009-08-27 at 17:04:57 | ID: 25203694

That is not a cure; but, it is for now, the only real answer.

 

by: master037Posted on 2009-09-01 at 02:48:52ID: 25229827

Well. I have few times touch with Virut.

As solution I used is to use Dr.Web Live CD with option to Cure and Delete incurable files. After complete scan all partitions, it cleaned most of infection, and what didn't - it deleted files. so Repair windows after cleaning with Dr.Web is highly recomanded. After that - everything works fine.

Also, I recommend using Kaspersky Internet Security 2009; it can't fight Virut, but it can contain it and slow it down when the computer is infected.


 

by: DavisMcCarn, posted on 2009-09-01 at 04:06:40, ID: 25230244

I, too, have recovered a few systems which were infected with VIRUT; but, several more had such extensive damage that it was a lost cause.

VIRUT is still listed as one of the top 10 most prevalent malware infections, mostly in Asia and, since it uses IRC to add more, is often virtually impossible to eradicate.  One system I worked on had an MBR Trojan that survived FDisk and a reinstall.

ZIEF.PL, btw, is back online yet again and, as far as I know, there is no mechanism to block specific IRC hosts without disabling IRC altogether.

So, IF you are very lucky, VIRUT can be cleaned when it is caught in the very early stages.  If, however, it has infected more than, say, 10 Windoze files, the only sure answer is to delete all of the partitions on the system, cycle power to clear any possible RAM-resident components, and then truly (!!!) start from scratch.  If you choose to back up the user's files, be sure to scan them before attempting to open any.

 

by: DavisMcCarn, posted on 2009-09-01 at 06:17:57, ID: 25231224

Tolomir,

The issue with an MBR Trojan is that it becomes memory resident and reinfects the MBR immediately after any rewrite.  That is why you have to delete the partitions and turn the machine off before creating new one(s) to get rid of one.
