Monday, June 2, 2008

Virut is back again - sigh

Virut (PE_VIRUT.XZ in this case) is back again.

This one "spreads" via email with subject: "Important update from Microsoft Windows XP/2003 Professional Service Pack 2(KB946026)" or "Critical Security Update for Microsoft Windows (KB946026)".
From: Micrisoft Corporation 2008 ©
The link to the supposed WINDOWS-KB946026-X86-ENU download from Microsoft for the fix goes to this address:

URL=hxxp://xxxxx.net/upload/WINDOWS-KB946026-X86-ENU.EXE.exe



Note: This is NOT the legitimate download from Microsoft here. The legitimate WINDOWS-KB946026-x86-ENU.EXE does NOT have above "Windows icon", but has the default exe file icon instead.
The file from the link in the mail doesn't install any updates, but installs Virut, a polymorphic appending file infector.

This one attempts to infect any accessed .exe or .scr files by appending itself to the executable. It contains an IRC-based backdoor that provides unauthorized access to infected computers.

Luckily, since this is an older variant - most Antivirus Scanners *should detect and delete it immediately. That's why it's really important that your Antivirus Scanner is up to date!

In case you are someone who just loves to click links in mails - even though your Antivirus Scanner alerts you - or you have an Antivirus where the trial already expired for a couple of months - or don't even have an Antivirus installed... Well, I can assure you, you'll really regret it if you open/run the file. Mainly because this is a file infector which infects legitimate exe and scr files, so these files may not be deleted, but disinfected instead. And a common problem I see with Virut is that in some cases (some variants), it contains a bug in the code and as a result it may misinfect a proportion of executable files. And because of that, an Antivirus Scanner cannot disinfect it properly either > result > a corrupted file.

That's why, if I guide someone with Virut present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall. Unless the person knows what files are corrupted and knows how to replace them with a clean one. But then again, it's no guarantee that everything will work properly again and Virut is gone.
A format and reinstall in this case is still the fastest and especially the safest solution.

So once again, make sure your Antivirus is always up to date!

Source.

Related Posts by Categories