Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

"Virut" - Malware continues to evolve

rpggamergirl
INTRODUCTION

"Virut" is a nasty polymorphic file infector: it infects every executable and screensaver file on access. Some variants also infect .htm and .html files and .rar and .zip archives, and the latest variants infect .php and .asp files as well. It patches system files, e.g. userinit.exe, winlogon.exe, svchost.exe, spoolsv.exe, explorer.exe and sfc_os.dll, among others.

This virus also opens a backdoor and connects to an IRC server. It then joins a channel and waits for commands to download files and other malware. It can also install a Trojan or rootkit on the infected system.

Virut is a buggy file infector with destructive power: it destroys files. Because of bugs in its code it often mis-infects files, leaving them corrupted beyond repair. Antivirus and other scanners cannot clean these infected files, so they are deleted instead, and as a result programs stop working.
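One defender-side check that follows from the description above is a file-integrity baseline: record hashes of the system files the article names as patch targets while the machine is known clean, then re-check them to tell "patched" from "deleted by the scanner". The code below is an added example, not from the article or any named tool; the file list is the article's, the monitored directory and the demo contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# System files the article names as patch targets (list taken from the article)
PATCH_TARGETS = ["userinit.exe", "winlogon.exe", "svchost.exe",
                 "spoolsv.exe", "explorer.exe", "sfc_os.dll"]


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system_dir, names=PATCH_TARGETS):
    """Record the hash of each monitored file from a known-clean system."""
    baseline = {}
    for name in names:
        p = Path(system_dir) / name
        if p.is_file():
            baseline[name] = sha256_of(p)
    return baseline


def check_against_baseline(system_dir, baseline):
    """Return a dict name -> 'ok' | 'modified' | 'missing' against the baseline."""
    results = {}
    for name, expected in baseline.items():
        p = Path(system_dir) / name
        if not p.is_file():
            results[name] = "missing"      # e.g. deleted by a scanner as uncleanable
        elif sha256_of(p) != expected:
            results[name] = "modified"     # content changed since the baseline
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed demo: a fake system directory with placeholder files (not real binaries),
    then one file is altered and one is deleted to show both verdicts."""
    with tempfile.TemporaryDirectory() as d:
        for name in PATCH_TARGETS:
            (Path(d) / name).write_bytes(b"MZ placeholder " + name.encode())
        baseline = build_baseline(d)
        # simulate a patched file: append bytes to one monitored binary
        with open(Path(d) / "userinit.exe", "ab") as f:
            f.write(b"\x90" * 16)
        # simulate a scanner deleting an uncleanable file
        (Path(d) / "spoolsv.exe").unlink()
        return check_against_baseline(d, baseline)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

In practice the baseline would be taken from installation media or a clean image of the same Windows build, not from a machine that may already be infected, and stored off the host so the infector cannot alter it.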


METHOD OF INFECTION:

It usually gets into the system when the user uses P2P, browses crack and keygen sites, or visits infected web pages. Files on network shares will also get infected if they are accessed with write access from a compromised machine. It can also spread via roaming profiles and removable media such as removable discs or USB drives.

SYMPTOMS:

Once the system is infected, you will notice that some programs no longer work, the system becomes sluggish, and you'll start getting errors as files get corrupted. You won't be able to open most executables (*.exe files).

As more malware files get downloaded, the system loses more functionality. Windows 'copy and paste' and 'drag and drop' stop working, the firewall is disabled and its option is greyed out so it cannot be turned back on. It also disables Windows File Protection, so critical system files get infected too. There will be unexpected DNS queries and IRC-related network traffic.

Internet Explorer may not start when you click its desktop icon or launch it from the Start menu. If the Sality file infector is also present, the SafeBoot registry keys are deleted, making the system unable to boot into Safe Mode, and in the later stages of infection the PC may even become unbootable.

DETECTION:

Your resident antivirus (if it is still functioning) will alert that executables in the system32 folder are infected, under names such as Win32.heu virus, PE_VIRUX.A, W32/Scribble-B, Trojan.Win32.Patched, Troj/Fujif-Gen or Win32.Virut.

If you scan the system with HijackThis, you might see entries in the log indicative of a file infector, like the ones below:

C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe (User 'Default user')
O1 - Hosts: ::1 localhost
O1 - Hosts: ??????????????? browser-security.microsoft.com
O1 - Hosts: ??????????????? antiwareprotect.com
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com

You might also see some legitimate, whitelisted services in the O23 lines showing "file missing", because their files have been deleted by your resident antivirus.
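The log excerpt above can be triaged mechanically. The following is an added example (not part of the article and not HijackThis code) that parses O1, O4 and O23 lines and flags hosts-file entries that point a hostname other than localhost anywhere, startup entries registered under more than one hive, and services whose file is missing. The sample log is constructed from the lines quoted above plus one constructed O23 line; the garbled addresses in the article's hosts lines are reported as unparseable rather than silently dropped.

```python
import ipaddress
import re

# Constructed sample: O1/O4 lines as quoted in the article; the O23 line is a
# constructed example of a whitelisted service whose file a scanner deleted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe (User 'Default user')
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def classify_hosts_entry(addr, hostname):
    """'benign' only for loopback -> localhost; anything else is a hosts-file override."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"          # e.g. the '???' addresses in the article's log
    if ip.is_loopback and hostname.lower() == "localhost":
        return "benign"
    return "hijack"                   # a security site redirected or blocked via hosts


def analyze(log_text):
    """Walk a HijackThis-style log and collect the three indicator classes."""
    report = {"hosts_hijacks": [], "run_entries": [], "missing_service_files": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            addr, host = m.groups()
            verdict = classify_hosts_entry(addr, host)
            if verdict != "benign":
                report["hosts_hijacks"].append((host, addr, verdict))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, target = m.groups()
            report["run_entries"].append((hive, name, target))
            continue
        m = O23_RE.match(line)
        if m and "(file missing)" in line:
            report["missing_service_files"].append(m.group(1))
    return report


def duplicated_run_names(report):
    """Names of O4 entries registered under more than one hive (persistence in every profile)."""
    hives_by_name = {}
    for hive, name, _ in report["run_entries"]:
        hives_by_name.setdefault(name, set()).add(hive)
    return {name for name, hives in hives_by_name.items() if len(hives) > 1}


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for host, addr, verdict in r["hosts_hijacks"]:
        print(f"hosts override: {host} -> {addr} ({verdict})")
    print("run entries in several hives:", duplicated_run_names(r))
    print("services with missing file:", r["missing_service_files"])
```

A hosts entry that sends a vendor's update or security domain anywhere, including 127.0.0.1, is treated as a hijack here, because either redirection or blocking of those domains cuts the machine off from updates.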

RESOLUTION:

So what would you do when the system is infected with this virus?

If Virut hasn't been on the system for very long, you can try running ComboFix (with a helper's guidance). ComboFix will flag the infected or patched system files and replace them if a clean copy is found on the system. Then follow it up with Dr.Web CureIt!, a scanner that does a very good job of detecting and deleting Virut-infected files.

There is also the AVG standalone Virut removal tool.

For unbootable PCs you can also use the Dr.Web LiveCD. Once you have made the bootable Live CD, boot from it and start scanning the system. Instructions on how to use the Dr.Web LiveCD are here:

http://www.freedrweb.com/livecd/

Once the infection has been removed, you then have the job of reinstalling programs and replacing other deleted files. If you have the Windows CD, you can run the "sfc /scannow" command from the "Run" box to replace missing files, or you can reinstall Windows.

In a nutshell, since all the infected files are uncleanable they must be replaced, and if the system has been heavily infected with this virus, the quickest and safest solution is to reformat and reinstall (I know it sounds harsh).

Virut and Sality infections are the only time when I would urge users to reformat, because even when every scanner comes out clean and the infection is presumably gone, there is no guarantee that the system is error-free afterwards. Some users who spent days removing Virut and replacing files still ended up reformatting in the end. Bear in mind that when backing up files before reformatting, you must not back up files of the types this virus targets (.exe, .scr, .rar, .zip, .htm, .html etc.), as these files may be infected.
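The backup caveat above can be enforced by a pre-reformat scan of the folders you intend to keep. The added example below (my code, not the article's or any vendor tool's) excludes files by the extensions the article lists (with .dll added, since the article says Virut patches sfc_os.dll) and also by content signature, so an executable or archive that was renamed to look like a document is still left out. The directory tree in `demo()` is constructed.

```python
import tempfile
from pathlib import Path

# Extensions the article says Virut targets, plus .dll which it also patches (constructed set)
TARGET_EXTENSIONS = {".exe", ".scr", ".dll", ".rar", ".zip", ".htm", ".html", ".php", ".asp"}

# Leading bytes of the same file types, so a renamed file is caught by content
MAGIC = {
    b"MZ": "pe-executable",          # DOS/PE header
    b"PK\x03\x04": "zip-archive",    # ZIP local file header
    b"Rar!\x1a\x07": "rar-archive",  # RAR signature (v4 and v5 share this prefix)
}


def signature_type(path):
    """Return the MAGIC kind matching the file's first bytes, or None."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def classify(path):
    """Decide whether one file is safe to include in a pre-reformat backup."""
    if path.suffix.lower() in TARGET_EXTENSIONS:
        return "skip:extension"
    kind = signature_type(path)
    if kind is not None:
        return f"skip:{kind}"         # content says executable/archive despite the name
    return "keep"


def plan_backup(root):
    """Map every file under root (relative, forward slashes) to its backup decision."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def demo():
    """Constructed tree: a text document, a real .exe, an executable renamed to .jpg,
    and two archives, one of them with a misleading double extension."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "docs").mkdir()
        (base / "docs" / "letter.txt").write_text("constructed document text")
        (base / "docs" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 32)
        (base / "docs" / "holiday.jpg").write_bytes(b"MZ" + b"\x00" * 32)
        (base / "archive.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 16)
        (base / "notes.txt.rar").write_bytes(b"Rar!\x1a\x07\x00")
        return plan_backup(base)


if __name__ == "__main__":
    for rel, decision in demo().items():
        print(f"{decision:18} {rel}")
```

Files kept by this plan are only those that are neither executable nor archive by name or by content; anything excluded should be reinstalled from original media or re-downloaded from the vendor after the clean install rather than restored.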

I hope you'll find this article useful.

More info on Virut here:

http://securitylabs.websense.com/content/Blogs/3300.aspx
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Step by step instructions to format and reinstall windows:

Windows XP: Clean Install:
Windows Vista:Clean Install:
How to prevent malware:

Comments (8)

Author commented:
Update:

The latest version of ComboFix will now alert the user if the system is infected with virut and will abort the scan.

The quickest and safest solution still is to backup personal documents and reformat the system.
CERTIFIED EXPERT
Author of the Year 2011
Top Expert 2006

Commented:
rpggamergirl:
I've read this Article several times and referred to it in Technical Questions for other Members, but never remembered to vote "Yes" (now done).
Thanks for a great (and helpful) Article.
Author commented:
younghv,

Thanks for the "Yes" vote!

Commented:
Thanks for the help guys. Unfortunately a number of the suggestions are too technical for me. I have in the interim been running Microsoft's Security Essentials. Is this likely to finally solve the problem? I may get the AVG trial offer and see what this does. But I wonder if my second computer is now doomed!
HS
Like younghv, I've just realised that I have referred to this article several times in answers to questions, but forgotten to vote "yes".

Great article - really useful when trying to explain why a file infector is so problematic.
