"Virut" - Malware continues to evolve

INTRODUCTION

"Virut" is a nasty, polymorphic file infector: it infects every executable and screensaver file on access. Some variants also infect .htm, .html, .rar and .zip archives, and the latest variants infect .php and .asp files. It patches system files, e.g., userinit.exe, winlogon.exe, svchost.exe, spoolsv.exe, explorer.exe and sfc_os.dll, among others.

This virus will also open a backdoor and connect to an IRC server. It then joins a channel and waits for commands to download files and other malware.  It can also install a Trojan/Rootkit in the infected system.

Virut is a buggy file infector with destructive power; it destroys files. Because of its buggy code it often mis-infects a file, leaving it corrupted beyond repair. Antivirus and other scanners can't clean such files, so they delete them instead, and as a result programs stop working.


METHOD OF INFECTION:

It usually gets into the system when the user uses P2P, browses crack and keygen sites, or visits infected web pages. Files on network shares will also get infected if they are accessed by a compromised machine with write access. It can also spread via roaming profiles and removable media such as removable discs or USB drives.

SYMPTOMS:

Once the system is infected, you will notice that some programs no longer work, the system becomes sluggish, and you'll start getting errors as files get corrupted. You won't be able to open most executables (*.exe files).

As more malware files get downloaded, the system loses more functionality. Windows 'copy and paste/drag and drop' functions stop working, the firewall is disabled and its selection greyed out so it can't be turned back on. It also disables Windows File Protection, so critical system files get infected too. There will be unexpected DNS queries and IRC-related network traffic.

Internet Explorer may not start, whether launched from the desktop icon or via the Start menu. If the Sality file infector is also present, the SafeBoot registry keys are deleted, making the system unable to boot into Safe Mode, and in the later stages of infection the PC may even be rendered unbootable.

DETECTION:

Your resident antivirus (if still functioning) will give alerts that executables in the system32 folder are infected, under names such as Win32.heu, PE_VIRUX.A, W32/Scribble-B, Trojan.Win32.Patched, Troj/Fujif-Gen or Win32.Virut.

If you scan the system with Hijackthis, in the log you might see some entries indicative of a file infector like below:

C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Owner\reader_s.exe (User 'Default user')
O1 - Hosts: ::1 localhost
O1 - Hosts: ??????????????? browser-security.microsoft.com
O1 - Hosts: ??????????????? antiwareprotect.com
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com

You might also see some legitimate, whitelisted services in the O23 lines that display "file missing", because their files have been deleted by your resident antivirus.
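The three log indicators this section describes (hosts-file redirects of security domains, an unknown autorun executable, and a service whose binary is missing) can be triaged mechanically. The script below is an added example, not part of the original article; the sample lines are modelled on the HijackThis entries quoted above, and the O23 service line and the keyword list are constructed assumptions.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted in the article;
# the O23 line is a constructed example of a service whose file was deleted.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [reader_s] C:\\WINDOWS\\System32\\reader_s.exe
O4 - HKUS\\.DEFAULT\\..\\Run: [reader_s] C:\\Documents and Settings\\Owner\\reader_s.exe (User 'Default user')
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.57 security.microsoft.com
O1 - Hosts: 209.44.111.57 inetavirus.com
O23 - Service: Windows Firewall/ICS (SharedAccess) - Unknown owner - C:\\WINDOWS\\System32\\svchost.exe (file missing)
"""

LOOPBACK = {"127.0.0.1", "::1"}
SECURITY_WORDS = ("microsoft", "virus", "security", "antiware")  # assumed keyword list
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (\S+): \[[^\]]+\] (.+?)(?: \(User '[^']*'\))?$")
SVC_RE = re.compile(r"^O23 - Service: .* \(file missing\)$")
PROFILE_ROOT_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$")


def triage(log):
    """Return (reason, line) pairs for entries matching the article's indicators."""
    findings, run_entries = [], []
    for line in log.splitlines():
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            # A security-related domain mapped to anything but loopback sends
            # the user to a server the malware author controls.
            if ip not in LOOPBACK and any(w in host for w in SECURITY_WORDS):
                findings.append(("hosts redirect of security domain", line))
        elif m := RUN_RE.match(line):
            run_entries.append((m.group(1).split("\\")[0], m.group(2), line))
        elif SVC_RE.match(line):
            findings.append(("service binary missing, likely deleted by AV", line))
    # The same executable registered in several hives, or launched straight
    # from a profile root, matches the reader_s.exe pattern shown in the log.
    hives_by_exe = {}
    for hive, path, _ in run_entries:
        hives_by_exe.setdefault(path.lower().rsplit("\\", 1)[-1], set()).add(hive)
    for hive, path, line in run_entries:
        exe = path.lower().rsplit("\\", 1)[-1]
        if len(hives_by_exe[exe]) > 1 or PROFILE_ROOT_RE.match(path.lower()):
            findings.append(("autorun of unknown executable", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two hosts redirects, both reader_s.exe autoruns and the missing service file, while the loopback `::1 localhost` entry is left alone.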

RESOLUTION:

So what would you do when the system is infected with this virus?

If Virut hasn't been in the system for very long, you can try running ComboFix (with a Helper's guidance). ComboFix will flag the infected or patched system files and will replace them if a clean copy is found on the system. Then follow it up with Dr.Web CureIt. This scanner does a very good job of detecting and deleting Virut-infected files.

There's also the AVG standalone Virut removal tool.

For unbootable PCs, you could also use the Dr.Web LiveCD. Once you've made the bootable Live CD, you can boot from it and start scanning the system. Instructions on how to use the Dr.Web LiveCD are here:

http://www.freedrweb.com/livecd/

Once the infection has been removed, you then have the job of reinstalling programs and replacing other deleted files. If you have the Windows CD, you can run the "sfc /scannow" command from the "Run" box to replace missing files, or you can reinstall Windows.

In a nutshell, since all the infected files are uncleanable they must be replaced, and if the system has been heavily infected with this virus, the quickest and safest solution would be to reformat and reinstall (I know it sounds harsh).

Virut and Sality infections are the only time I would urge users to reformat, because even when every scanner comes out clean and the infection is presumably gone, there is no guarantee that the system is error-free afterwards. Some users who spent days removing Virut and replacing files may still end up reformatting in the end. Bear in mind that when backing up files before reformatting, you must not back up files that are targeted by this virus (.exe, .scr, .rar, .zip, .htm, .html etc.), as these files may be infected.

I hope you'll find this article useful.

More info on Virut here:

http://securitylabs.websense.com/content/Blogs/3300.aspx
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Step by step instructions to format and reinstall windows:

Windows XP: Clean Install:
Windows Vista:Clean Install:
How to prevent malware:
10 Comments
LVL 18

Expert Comment

by:WaterStreet
A nice, short, and informative article.  It gives the less-informed a better context to understand something that they wouldn't otherwise relate to.  It got my vote above.
0
LVL 18

Expert Comment

by:WaterStreet
rpggamergirl,

(such a fun name)


"Bear in mind, that when backing up files before reformatting, you must not back up files that are targeted with this virus(.exe, .scr, .rar, .zip,.htm, .html etc) as these files may be infected."

Please say again how we will know which files these are.

Thanks
0
LVL 47

Author Comment

by:rpggamergirl
Virut targets files with those extensions, so every executable, screensaver file and compressed file, be it .rar or .zip etc., is likely to be infected.

That username used to be fun, but not anymore since I no longer play, if only I could change it.

Thanks for your vote, :)
0

LVL 47

Author Comment

by:rpggamergirl
Update:

The latest version of ComboFix will now alert the user if the system is infected with Virut and will abort the scan.

The quickest and safest solution still is to backup personal documents and reformat the system.
0

Administrative Comment

by:ModernMatt
davepusey,

Your comments have been hidden at this time, as they could have been potentially dangerous or misleading.

ModernMatt
EE Moderator
0
LVL 38

Expert Comment

by:younghv
rpggamergirl:
I've read this Article several times and referred to it in Technical Questions for other Members, but never remembered to vote "Yes" (now done).
Thanks for a great (and helpful) Article.
0
LVL 47

Author Comment

by:rpggamergirl
younghv,

Thanks for the "Yes" vote!
0

Expert Comment

by:HSumlin
Thanks for the help, guys. Unfortunately a number of the suggestions are too technical for me. I have in the interim been running Microsoft's Security Essentials. Is this likely to finally solve the problem? I may get the AVG trial offer and see what this does. But I wonder if my second computer is now doomed!
HS
0
 

Administrative Comment

by:younghv
HSumlin -
I see that you were referred here in a recent technical question you posted.
"Articles" are here for general information and not for specific advice with problems.

You should respond only over in your original question - where there are some Expert suggestions waiting for you.

younghv
Page Editor
0
LVL 23

Expert Comment

by:phototropic
Like younghv, I've just realised that I have referred to this article several times in answers to questions, but forgotten to vote "yes".

Great article - really useful when trying to explain why a file infector is so problematic.
0
