I actually wanted to blog about this last week, but didn't find the time yet...
In the last couple of weeks, I noticed a HUGE increase in Virut infections on computers. As a matter of fact, 30% of the infected computers I analyzed were infected with Virut. This is bad, really bad... :-(
Virut is a polymorphic file infector that infects .EXE and .SCR files. It opens a backdoor by connecting to a predefined IRC server and waiting for commands from the remote attacker, for example to download and run more malware on the compromised computer. Emails may be harvested as well.
This latest variant may also search for htm, html, asp and php files on the drives and modify them by inserting an iframe that points to a malicious website. So you can already imagine what may happen if the owner is a web designer and uploads the infected web pages.
An excellent write-up on this latest variant (and the previous one) can also be found here (by Nicolas Brulez): http://securitylabs.websense.com/content/Blogs/3300.aspx
Disinfecting the infected web pages should be easy: it's just a matter of deleting the injected iframe from each file.
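Added example (not code from the original post): a small Python scanner for the web-page side of the infection described above. It walks a site's files of the types the post names, reports any iframe whose host is not one of the site's own, and optionally removes them; the host in the constructed sample page is a placeholder, not the real iframe target.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

WEB_EXTENSIONS = {".htm", ".html", ".asp", ".php"}  # file types the post names
# Match an <iframe ...> tag (plus closing tag if present) and capture its src.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?(?P<src>[^'\"\s>]+)[^>]*>(?:\s*</iframe\s*>)?",
    re.IGNORECASE)

def is_foreign(src, trusted_hosts):
    # Relative URLs (no host) count as the site's own content.
    host = urlsplit(src).hostname
    return host is not None and host.lower() not in trusted_hosts

def find_injected_iframes(html, trusted_hosts):
    """Return the src of every iframe that points outside trusted_hosts."""
    return [m.group("src") for m in IFRAME_RE.finditer(html)
            if is_foreign(m.group("src"), trusted_hosts)]

def strip_injected_iframes(html, trusted_hosts):
    """Remove foreign iframes; return (cleaned_html, number_removed)."""
    removed = 0
    def repl(m):
        nonlocal removed
        if is_foreign(m.group("src"), trusted_hosts):
            removed += 1
            return ""
        return m.group(0)
    return IFRAME_RE.sub(repl, html), removed

def scan_tree(root, trusted_hosts, clean=False):
    """Report {path: [foreign src, ...]} for web files under root; with
    clean=True, rewrite each affected file with those iframes removed."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_injected_iframes(text, trusted_hosts)
        if hits:
            report[str(path)] = hits
            if clean:
                path.write_text(strip_injected_iframes(text, trusted_hosts)[0], encoding="utf-8")
    return report

# Constructed sample page: the site's own iframe (kept) plus a hidden one
# whose host is a placeholder standing in for the injected iframe's target.
SAMPLE_PAGE = """<html><body><h1>My site</h1>
<iframe src="/gallery.html" width="400"></iframe>
<IFRAME SRC=http://malicious-host.invalid/in.php width=1 height=1
 style="visibility:hidden"></IFRAME>
</body></html>"""
```

Run `scan_tree("/path/to/site", {"www.example.com"})` first to review the report, then again with `clean=True` once the reported URLs are confirmed to be foreign.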
The disinfection of the infected exe and scr files is something else...
Since Virut infects legitimate files, the files cannot simply be deleted; they have to be disinfected instead. And that's where the problems start...
Virut was known to be a buggy virus in the past and it appears that this hasn't changed yet. We've seen this with other file infectors as well: To Junk Or Not To Junk.
Because of that, Virut may misinfect a proportion of executable files, and the result is a corrupted file.
The same applies to other file infectors such as Sality.
If I guide someone with Virut (or any other file infector) present and their antivirus cannot properly disinfect it, then I recommend a format and reinstall.
And even when an antivirus is able to disinfect the files, in a lot of cases many files will be corrupted anyway; the result is that many programs won't work, you get loads of errors and a corrupted Windows, and there's still no guarantee that the virus is really gone.
So why bother to clean this if a format and reinstall is the fastest and especially the safest solution?
And that's why I am blogging about this in the first place, especially since Virut is a very common infection nowadays. It's a pity to see that so many people are struggling with it and whatever they try, nothing helps. Then they ask for support via the forums and in a lot of cases, the one who is helping/guiding won't give up either and posts a new set of instructions to deal with it.
Unfortunately the result is another failure, so again new instructions are posted... and this may go on and on... sometimes for weeks...
Is this responsible?
I'm not saying it fails every time, but from what I have seen so far, and especially if you're helping someone else with this infection... don't guarantee them a "clean" and error-free computer afterwards.
Anyway, that's how I see it. Imho, dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution, which is a format and reinstall.
Many people may see this as "giving up", but I see it differently.
After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.
Tuesday, February 17, 2009
Virut and other File infectors - Throwing in the Towel?
Comments (72)

2009-02-17T14:25:00+01:00
miekiemoes
Malware|Rant|
Fluff · 840 weeks ago
You be safe :)
Fluff
WawaSeb · 840 weeks ago
This "Scribble" is VERY HARD to remove...
I'm just wondering... Why are there antivirus programs when they can't fix some viruses??? Why do we pay them? To format?????
= /
Seth · 838 weeks ago
I've downloaded XoftSpy and other malware detection programs such as MBAM; it detected the Virut mentioned here and was able to remove it. After a routine restart my computer was going well with no problem, but things went chaotic when I connected to the internet. I used "What's Running 2.2" and it displayed numerous cmd.exe processes followed by services.exe as three branches, not to mention reader_s.exe. In the normal Task Manager we can't stop services.exe, but with "What's Running 2.2" it can stop the process and regain the usual performance of my PC. That's as far as I can get... until now I still haven't been able to totally clean my PC...
Giving up is not an option, I think; lots of people keep their collection of programs, data and stuff on their hard drive, and I think it's almost impossible to format the whole drive and sacrifice it all. But on the other hand this Virut is still unbeatable at the moment...
I guess all I can do now is keep on maintaining my CPU through "What's Running" and hope there will be a way out of this troubling Virut...
best regards - SETH
SETH · 837 weeks ago
I did a whole scan all night and it cleaned every EXE that was infected; after that I ran a whole scan with an updated AVG 7.5. Now my computer runs well without any of the cmd.exe, services.exe and reader_s.exe processes being initialized.
And btw, I DO really realize what I'm dealing with here. Hey, it's my CPU and I have a lot of valuable things inside it. So I took every way possible every day I turned my PC on, I never stopped trying to save my PC and now... everything is back to normal without any nasty and annoying Virut.
@IndiGenus I think you should try RMVIRUT first, THERE IS a way besides reformatting the whole drive and losing your precious data.
SETH · 837 weeks ago
But it's a step ahead of my situation yesterday.
I use AVG 8 now; since yesterday all I had was AVG 7.5 and I couldn't download any .EXE files, so I didn't have a choice. Now I just want you to know that it works... even though not 100%...
I'm glad my effort could bring a result...
THX... learned a lot from you.
chris · 836 weeks ago
I'm from the Trend Micro antivirus company. I like reading your blogs. Thanks! Can you be my friend?
gru · 835 weeks ago
If you notice Virut.14 or 51 50, format is the only cure, because you will scan for hours and gain nothing.
nwt · 835 weeks ago
Could I please ask for your advice? I've found here for the first time a clue about what's been happening to my html files - the iframe.
I got the link to your post about Virut from a very kind sir at BleepingComputer. Following his instructions, I've put the computer in for service for a clean install of Windows (I also had a problem with the ethernet card). After getting the computer back with some of my vital files recovered (pictures, documents, html files for my site, etc.) I still have this iframe in most of my html files, even ones created after getting the computer back from the shop. But unlike when I was infected, now when I delete the iframe it will remain deleted. Luckily I haven't uploaded any pages to my site, because as soon as I saw the bit of extra code I knew there was something fishy.
I don't dare to ask, but do you think the computer is still infected? I see no other signs and everything is running better than ever. This virus was by far the nastiest experience I've had with my comp, and we are normally very good friends.
I don't mean to bother you, and thank you in advance.
Cristina.
Zllio · 834 weeks ago
With misinfect, do you mean that Virut is destroying machines because of buggy programming and not because it intends to?
tero · 833 weeks ago
I tried formatting only my system partition, which didn't help; then I wiped the whole HDD, no luck...
So, even if you wipe your HDD and reinstall Windows, there is a chance you'll get infected again because Virut can stay in your RAM, so a restart is not enough.
Make sure you turn off your PC for ~5 mins after you format the HDD.
Since this PC is still infected, I'm doing research first...
I've uploaded many files to online antivirus scanners, and the only one that can really detect it is Avast (and a few others)...
I'll try Avast and clean my HDD first... before I wipe the HDD again and waste a few more hours or a day.
Good luck with cleaning :)
singlebullet · 829 weeks ago
First, I had never seen anything like this virus. I pretty much could see when my machine (Windows XP Pro) was infected and within roughly 2 hours I was already attempting a fix. After disconnecting from the internet and reading just how bad this virus is, I started deleting everything from my drive that was already backed up or easily replaced. I figured that the task at hand would be more easily accomplished with as little left on the computer as possible. When deleting material off the drive, I did it with ccleaner overwriting erased sections with 3 passes of zeroes to make certain that whatever was erased wasn't coming back. Along the way I turned off system restore and then had ccleaner overwrite empty portions of the drive with zeroes just as a precaution, as well.
Then I did a full scan pass with Eset AV which turned up a few thousand infected files (again that within just a few hours of contact). If you're wondering how I got this in the first place if I had Eset running, the problem was that I had turned Eset off for an install earlier in the day and forgot to turn it back on. The pass with Eset helped but I still was seeing many, many infected files. I then tried another full scan pass in safe mode which seemed to further whittle down the problem, but not entirely. I then tried a full scan with Dr Web's CureIt which surprisingly showed no infection at all on the computer.
Next, I found an article on the McAfee site (http://vil.nai.com/vil/content/v_154029.htm) that discussed a number of possible registry entries created by virut. I deleted whatever I could find on my computer that was listed in that article. It was around then that I found a file in my documents and settings folder called "haha.exe" which I'm sure was the source of this misery and got rid of it. I've seen some articles listing it as "ha.exe" as well.
I then turned to the "rmvirut" files that I saw mentioned here and a few other places. I did two passes with that at which point the machine began to look clean. It's a little tough with that rmvirut fix though, because you get no final report out of it, and have to watch closely during the process to see what it has or hasn't cleaned.
With that done, I tried yet another pass with Eset, and at that point I was coming up with no report of infection at all. However, given what I had read about the difficulty in cleaning this up, I decided it was best not to be content yet. I went over to VirusTotal and started scanning several files that I remembered had been a problem and found DISAPPOINTMENT. Many files were turning up as being infected, all of them of the htm or html variety. I wasn't certain if what was being picked up was a remnant of the virus that was then inactive or files that were actually still infected, because there seemed to be no further spreading of the infection at that point. But I wanted to be careful and started considering what I could do that would entirely eradicate this. I decided that since one of the VirusTotal components that was consistently showing a continued problem was Kaspersky, I would uninstall Eset and install a trial of Kaspersky AV.
Once I did that, Kaspersky was able to clean up any remaining elements of the infection, and now the machine appears to be totally cleaned of the virus. Kaspersky picks up nothing now, and lengthy efforts with VirusTotal pick up nothing as well. Eset had already stopped picking up anything prior to my effort with Kaspersky, so I saw no point trying that again. I had noticed two files in the windows registry, system32, that had bothered me while the infection appeared active--I had noticed they kept radically changing in size in task manager. They were ctfmon.exe and dmadmin.exe. To be as cautious as possible I extracted those files from my Windows XP disk and replaced the files on my machine with fresh copies. Prior to getting back on the internet, and as a further precaution, I downloaded the hosts file from the MVP site and started using that, and added references to the number of Chinese websites and domains that I have seen associated with this virus into it.
Several days now, and no suggestion of any problems left on the machine. Full scans with Kaspersky, Malwarebytes, CureIt, and Spybot are coming up with absolutely nothing. Hope this helps someone. I know it seems like a lot of effort, but I had things on my computer that I considered irreplaceable, and so for me at least, the effort was worthwhile. I'll post again here if there's any sign of a further problem that would indicate I was fooled into thinking I was rid of this.
good luck!
Zappa · 826 weeks ago
This virus has been annoying me for 3 weeks now.
I'll format (again) and save only the non-infected files...
Adi Graham · 826 weeks ago