#1
Discovered: April 11, 2007
Latest Rapid Release version February 10, 2009 revision 024

Virut spreads through every .exe and .scr file on a computer. It's polymorphic, which means it spreads faster than any antivirus can contain it. 99.99% of the time the only solution is a reformat and reinstall. Virut is so aggressive it even infects already infected files with itself. It's a computer killer... Viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers. In short, there is no solution for this other than a reformat and reinstall.

Win32/Virut: Microsoft

Symptoms: The following symptoms may be indicative of a Virus:Win32/Virut infection:
* Network traffic on TCP port 65520 with connection to IRC server proxima.ircgalaxy.pl, on channel &virtu
* Increase in file size of infected files
* Infected files fail during execution and have a recent modified date property

HJT logs will have an F2 entry similar to this.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,

Dr. Web CureIt will show many files like this. Notice that these aren't just some random files. Pretty much sums it up...
explorer.exe;c:\windows;Win32.Virut.56;Cured.;
imagination studio.scr;c:\windows;Win32.Virut.56;Cured.;
unregmp2.exe;c:\windows\inf;Win32.Virut.56;Cured.;
xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Cured.;
alg.exe;c:\windows\system32;Win32.Virut.56;Cured.;
cisvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
clipsrv.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ctfmon.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dllhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
logon.scr;c:\windows\system32;Win32.Virut.56;Cured.;
logonui.exe;c:\windows\system32;Win32.Virut.56;Cured.;

It says cured but that isn't true. Virut spreads back to the newly cured files so it's a never-ending process of cleaning and infecting.

It's believed to have started from a p2p web site or sites. One malware removal forum is saying about 40% of their users requesting help are infected with Virut right now. Since it also spreads via IRC, the longer they wait to wipe the drive the more users there are getting infected. Waiting or trying to clean it just gives it that much longer to infect others. Enough users have it now that the IRC-based backdoor part has zombified many who haven't figured out they are infected yet. Even seemingly clean email/chat attachments from known good sources can be infected. If you have a shared folder for your p2p then that is a gateway for the IRC to connect to you, spread itself, and zombie your computer or network. There is NO safe cure for this. If you see one file infected with Virut immediately disconnect from the Internet and start reformatting and reinstall. This probably won't go away any time soon but all major AV vendors have supposedly updated to block this new variation. Good luck!
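The three indicators quoted in this post (the Dr. Web CureIt report lines, the HijackThis F2 UserInit entry, and the IRC traffic to proxima.ircgalaxy.pl on TCP 65520) can be checked mechanically when triaging a machine. The script below is an added example written for this page, not code from the thread, from Microsoft or from Dr. Web. The CureIt and HijackThis line formats are assumed from the excerpts above; the connection-log layout (`proto src:port -> dst:port`) and all sample lines are constructed for the example.

```python
"""Triage helper for the Virut indicators quoted in the post above.

Added example; not code from the thread or from any vendor. Formats assumed:
  1. Dr. Web CureIt report lines:  name;directory;detection;status;
  2. HijackThis F2 lines:          F2 - REG:system.ini: UserInit=<comma list>
  3. a simple connection log line: proto src:port -> dst:port  (own layout)
"""
from __future__ import annotations

import re
from collections import Counter

# Indicators taken from the post (Microsoft symptom list and the log excerpts).
VIRUT_IRC_PORT = 65520
VIRUT_IRC_SERVER = "proxima.ircgalaxy.pl"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample input (not a real scan result): three Virut hits plus one
# unrelated detection to show that only the Virut family is counted.
SAMPLE_CUREIT = (
    "explorer.exe;c:\\windows;Win32.Virut.56;Cured.;\n"
    "alg.exe;c:\\windows\\system32;Win32.Virut.56;Cured.;\n"
    "logon.scr;c:\\windows\\system32;Win32.Virut.56;Cured.;\n"
    "dropper.tmp;c:\\temp;Trojan.Generic.Sample;Deleted.;\n"  # constructed
)
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,",
]
SAMPLE_CONN = (
    "tcp 192.168.1.20:1123 -> proxima.ircgalaxy.pl:65520\n"
    "tcp 192.168.1.20:1124 -> 203.0.113.5:80\n"
    "udp 192.168.1.20:1125 -> 192.168.1.1:53\n"
)

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
CONN_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$", re.IGNORECASE)


def parse_cureit(report: str) -> list[dict]:
    """Split CureIt report lines into records; malformed lines are skipped."""
    records = []
    for line in report.splitlines():
        parts = line.strip().rstrip(";").split(";")
        if len(parts) < 4:
            continue
        name, directory, detection, status = parts[:4]
        records.append({"name": name, "directory": directory,
                        "detection": detection, "status": status})
    return records


def virut_hits(records: list[dict]) -> list[dict]:
    """Records whose detection names the Virut family, whatever the status
    column says ("Cured." included, since the post notes reinfection)."""
    return [r for r in records if r["detection"].lower().startswith("win32.virut")]


def userinit_extras(hjt_line: str) -> list[str]:
    """Executables chained onto the UserInit value besides the default one.
    Anything returned here matches the F2 entry shown in the post."""
    m = F2_RE.match(hjt_line.strip())
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def suspicious_connections(log: str) -> list[tuple[str, int]]:
    """(destination, port) pairs matching the IRC indicator: TCP to port 65520
    or to proxima.ircgalaxy.pl on any port."""
    hits = []
    for line in log.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        proto, _src, _sport, dst, dport = m.groups()
        if proto.lower() == "tcp" and (int(dport) == VIRUT_IRC_PORT
                                       or dst.lower() == VIRUT_IRC_SERVER):
            hits.append((dst, int(dport)))
    return hits


def triage(cureit_report: str, hjt_lines: list[str], conn_log: str) -> dict:
    """Combine the three checks into one summary for the machine."""
    hits = virut_hits(parse_cureit(cureit_report))
    extras = [x for line in hjt_lines for x in userinit_extras(line)]
    conns = suspicious_connections(conn_log)
    return {
        "infected_files": len(hits),
        "infected_dirs": dict(Counter(r["directory"] for r in hits)),
        "userinit_extras": extras,
        "irc_connections": conns,
        "virut_indicators": bool(hits or extras or conns),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CUREIT, SAMPLE_HJT, SAMPLE_CONN).items():
        print(f"{key}: {value}")
```

Any one of the three checks firing is enough to treat the machine as a Virut case; the summary also groups the hits by directory so you can see at a glance that system binaries, not random downloads, are the ones listed, which is the point the post makes about the CureIt output.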
#2
Good post mate, dugg it > http://digg.com/security/Virut_PE_Wi...us_on_the_Rise
__________________
My System: Hybr!d
#3
Thanks!
I haven't put that much effort into a single post in a while. I read where a Houston, Texas City network had over 600 computers down for nearly a week due to this. Pretty nasty bugger indeed!
#4
Seems like you pretty much broke the news, not much in Google on this.
#5
For some reason it's only being discussed in passing or in private forums it seems. No need to keep it a secret. Too many techs out there who should know what's up.
#6
Come across a couple of infected machines myself, nasty piece of work, just one cure - Format! Most infections coming in from P2P (as stated above) so one good reason for users out there to pack up limewire and such....!
__________________
Proud member of ASAP & UNITE My System: Steves Rig
#7
No wonder I couldn't find anything: you spelt it wrong in the thread title but correctly everywhere else. I've changed it for you now, mate.
#8
Yes they seem to be calling this one Virut PE.
I found this blog post. Pretty technical stuff but informative. Under the Hood: Virut. I love the first line. "Virut is a weird freak amongst malware."
#9
Great post EF!
The only person I've seen successfully cleanse an earlier version of virut was sUBs (no surprise there!) - the user stayed online all the time sUBs was on, so instructions were being enacted almost immediately. This newer version seems to be much worse though...
__________________
Iain - Defender of the Haggis Member of ASAP : : Member of UNITE My System: It's all mine...
#10
sUBs would be one of the people, maybe the only person, I would trust to be able to fix Virut in a forum setting.
I saw someone offer up a fix on the MBAM forums but it was pretty complex and didn't sound like it would work. Something like slaving a drive and cleaning/transferring/deleting files. To me it would just result in two infected drives instead of one and reformat/reinstall would be much easier since you still have to reinstall all third party software and so on.