[emcivile]

hello everybody! My name is Eddie, first post on this forum (I am an advanced pc user)

sunday my pc started to try to connect to irc.zief.pl . . . yep! VVVVVVVVIRUS... nothing more
bastard than one that even if I replace my driver with a clean ghost image...it still persist.

I have 3 drives and some pendrives... which is the virus and WHERE THE HELL it is??

is the VIRUT??? I am trying to clean wit an AVG specific remover...nothing happend...

so... please, help me... it's 3 days Im trying to delete it...

thanks!

Eddie

[polonus]

Hi emcivile,

Yep, seems like you anticipated, a virut.h infection: http://vil.nai.com/vil/content/v_143034.htm
also consider the removal instructions there, but first try to download DrWebCureIt from here and do a full scan: http://ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

When your machine is cleansed do a free online scan here http://secunia.com/vulnerability_scanning/online/?task=start (enable JS on that page to start the scan to see what third party software on your machine needs either updates or patches)...

polonus

[emcivile]

ok.

also when I boot pc it downloads some TMP like VRTx.TMP where X stands for X.

is possible that this virus can affect other drives and pendrives?

[polonus]

Just the thing that seems to be working in this case and if that was the infection vector:-
use flash drive disinfector.
it’s a small program. download it from here:

http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

then run it after preferably turning off your antivirus product’s real-time protection. your screen will go blank for a moment which is normal. when it say ‘Done!’ your problem is solved. it may create a folder called autorun.inf on your pen drive which you shouldn’t delete as it will cause the virus to reappear,

also give us a hjt logfile.txt as an attachment to your next post to analyze the system processes:
download here: http://download.bleepingcomputer.com/hijackthis/HiJackThis.zip or
http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe

I assume you know after placing it on the desktop how to work it (see below):

HijackThis is general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgable folks (e.g. the forums) before deleting anything.

Usage Instructions:

Note: You should only use HijackThis if you have advanced computer knowledge or if you are under the direction of someone who does. Improper usage of this program can cause problems with how your computer operates.

To use HijackThis, download the file and extract it to a directory on your hard drive called c:\HijackThis. Then navigate to that directory and double-click on the hijackthis.exe file. When the program is started click on the Scan button and then the Save Log button to create a log of your information.



polonus

[sqallpl]

Same problem here.

Avast still blocking "irc.zief.pl"

Dr Web didnt found anything, all my html files that Im saving got iframe script at bottom with zief.pl link.

Secunia scan crashes my firefox nad IE when Im starting scan process.

I cant run AtiTool, Pajaczek (html editor) and other applications.

Polonus can you give me your gg number? Or message me 6252247 .

[Jtaylor83]

The only way to get rid of it is disconnect from the internet, reformat, and reinstall from scratch because Win32:Virut is a dangerous file infector with some additional features. It tries to connect to an IRC network under the name "Virtu" and zombifies your PC.

[polonus]

Cześć sqallpl,

The virus will infect executable files on Windows systems.

Upon execution, the virus uses the CreateEvent function to create an event name "VT_3" so that only one instance of the virus runs on the infected computer.

The virus hooks some of the following system functions, so that it can infect files when they are accessed or executed:

NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx

Then the virus attempts to infect all accessed .exe or .scr files by appending itself to the executable file.

The virus avoids infecting files that contains the following strings:

PSTO
WC32
WCUN
WINC

Then the virus opens a back door by joining the channel #virtu on the IRC server proxim.ircgalaxy.pl through TCP port 65520 allowing a remote attacker to download and execute files onto the infected computer. Cleansing the computer can be done temporarily disabling system restore:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx

If the computer has been severly compromised a total recall can be the only option left, but try to disinfect first,

pozdrawiam,

polonus

[emcivile]

yo maaaaaaaan... that crap causes lots of damage!!

Now I am moving everithing to an external disk and then I'll format every single disk present on my pc...

right?

[emcivile]

is possible that the virus can copy itself in a USB pendrive?

[polonus]

Hi emicivile,

Ir is a propagation manner, so use this: http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/  and leave the file it makes there as a protection against re-infection,

Manual disinfection info I have dug up here, this may be your rescue:
http://www.threatexpert.com/report.aspx?md5=8dc6979d57e456fcd19b7a6d75a463f4

    File System Modifications

    * The following file was created in the system:

#    Filename(s)    File Size    File MD5
1     [file and pathname of the sample #1]     32,768 bytes     0x8DC6979D57E456FCD19B7A6D75A463F4

    * The following files were modified:
          o %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
          o %System%\ctfmon.exe
          o %System%\drivers\etc\hosts

    * Notes:
          o %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
          o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

 
    Memory Modifications

    * There was a new process created in the system:

Process Name    Process Filename    Main Module Size
[filename of the sample #1]    [file and pathname of the sample #1]    45,056 bytes

 
    Registry Modifications

    * The following Registry Keys were created:
          o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{540D8A8B-1C3F-4E32-8132-530F6A502090}\Implemented Categories
          o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{540D8A8B-1C3F-4E32-8132-530F6A502090}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
          o HKEY_CURRENT_USER\Keyboard Layout\Toggle
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409
          o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}
          o HKEY_CURRENT_USER\Software\Microsoft\SAPI Layer
          o HKEY_CURRENT_USER\Software\Microsoft\Speech

    * The newly created Registry Values are:
          o [HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}]
                + Enable = 0x00000000
          o [HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr]
                + ProfileInitialized = 0x00000001
          o [HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar]
                + ExtraIconsOnMinimized = 0x00000001
                + ShowStatus = 0x00000004
          o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
                + ctfmon.exe = "%System%\ctfmon.exe"

 
    Other details

    * To mark the presence in the system, the following Mutex object was created:
          o oleacc-msaa-loaded

    * The HOSTS file was updated with the following URL-to-IP mappings:

127.0.0.1 ZieF.pl
#

    * The following Host Name was requested from a host database:
          o irc.zief.pl

    * There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
          o %System%\MSCTF.dll

It modifies the registry at the following location to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"TargetHost"

The above registry entry contains IP address and port number information. The virus may then use this information to open a back door on the compromised computer.

If the value in the above registry entry is not available, the virus may open a back door on TCP port 80 using the IRC server ircd.zief.pl.

Additional on Virut.U
The virus uses (Eight Random characters) on the above channel.

The back door allows a remote attacker to download files on to the infected computer and execute them.

This virus first appeared on September 06, 2007.
 
 
 A rather nasty beast of crap, isn't it,

Ciao,

polonus

[emcivile]

thank you!

now it's done... so I can plug the pendrive everywhere now without any risks?

[polonus]

Hi emcivile,

That is right, but cleanse that crap from your machine, all the entries as I gave them,

polonus

[emcivile]

oh man... probably something is right now... but I found some of these keys...

o [HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}]
                + Enable = 0x00000000
          o [HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr]
                + ProfileInitialized = 0x00000001

now I deleted the one I found and tomorrow I'll format everything in my pc....

yeah, TIRAMISU' for everybody!!!

[emcivile]

wrong...wrong... I deleted manually every single voice...

what a job!

I also deleted MSCTF.dll and similar.

Now it seems to be free from that damns virus!!

regkeys were deleted... I seen also that in the same position on reboot I have newer values and newer keys different from the last.

it's ok?

[sqallpl]

emcivile, you are after format?

I tried a lot of software, also deleted a lot of register entries, and scan didnt found VIRUT, but now Im scanning all hard drives by Kaspersky Rescue CD, somebody told me that this stuff repraied his system, I will see and reply here.

BTW. Can I just delete all registry and install windows using repray option? I know that I will not have many of important non windows applications entries, but I can handle it, I can reinstall. I dont want to format, because I have many folders, photos, music, movies etc and I dont want to move all stuff to other disks.