Topic: Vitro-virut - a file infector and why we cannot give false hope!

Offline polonus

Vitro-virut - a file infector and why we cannot give false hope!
« on: February 24, 2009, 11:53:40 PM »
Again,

We try to offer hope for victims of the latest vitro-virut file infector. The webmaster can cleanse his website easily from the malware frame; for infected users we have no hope to offer - fdisk - format and re-install is the only solution open to them.
We haven't a clue what the purpose of this "buggy" corrupting file infector is, and why it leaves a computer beyond repair. You cannot use it as a zombie in a botnet, you cannot use it for launching spyware. On the other hand the malware is so advanced in nature that it cannot have been developed but by very apt malcreants; it is pure genius in development and a nightmare for the av-vendor and the malware fighter - for the moment they have to throw in the towel - the malware won, we have bitten the dust...
But why is it purely negative, then? It has a random encrypted file-infecting routine making it very hard to recover from it; how that is accomplished, read here:
http://www.sophos.com/security/blog/2008/05/1436.html

So the best protection is prevention (update, patch, use in-browser security, surf with normal user rights). I wonder where the weak side of this malware could be to tackle it, we haven't found that yet. For the moment I reckon for those infected that your luck was in,
this is the latest removal info: http://www.hm2k.com/posts/win32-virtob-virut-removal
About throwing in the towel:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html#IDComment15344616

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #1 on: February 25, 2009, 12:34:07 AM »
It makes absolutely no sense to me either, it is almost like when viruses first made an appearance some were malign, but just to let you know it was boss, some were pure malicious. The common factor was they were just by individuals and not as it is now organised crime to make money.

This is why it makes no sense to go to all this trouble to trash systems without an apparent purpose or gain. Unless this is just preparing the ground to watch how AVs respond for a phase two, like some of the other ransomware, encrypting data folders/partitions and demanding money to release them.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #2 on: February 25, 2009, 12:44:12 AM »
Hi DavidR,

We have seen this in the past with Vetor, but the latest credo for the malcreants seems to be:
"To junk or not to junk, and why not!"

Quote
It is also not unheard of to see viruses accidentally infect files that are not designed for the specific platform that the virus is running on. For example a virus may infect a Windows CE PE file that has been compiled for the ARM processor, while running under X86. This file now has no hope of running, yet a simple check of the MachineID field in the PE header and the virus would have known it was pointless to attempt to infect this file and could have moved on to the next.

It seems that modern day virus authors see a swathe of files left in varying degrees of corruptness as a perfectly acceptable and possibly desired, side effect of a successfully infected system.

To Junk or not to Junk? The virus authors say: Why Not?
But it is strange, as these are the times of low-profile malware that stays out of sight to do the cyber-criminal's bidding in a stealthy way; vitro/virut etc. are just the opposite.

polonus
« Last Edit: February 25, 2009, 12:45:49 AM by polonus »

Offline DavidR

Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #3 on: February 25, 2009, 01:16:01 AM »
Well, it seems, as has been mentioned in the other links you gave, that there is an element of bad coding in this. As what would the purpose be of trying or creating a backdoor to download more malware or harvesting emails, etc., if the effect of the infection, trashing the system, defeats those purposes.

Jtaylor83

Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #4 on: February 25, 2009, 02:08:45 AM »
I guess people should consider buying a Mac or Linux/Ubuntu as an alternative OS. Even when upgrading to Vista or Win7, PCs are still vulnerable to new viruses and are no longer safe to use.

This new version of Virut (Win32:Vitro) could hurt Microsoft's profits.


YoKenny

Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #5 on: February 25, 2009, 12:54:15 PM »
Hi DavidR,

We have seen this in the past with Vetor, but the latest credo for the malcreants seems to be:
"To junk or not to junk, and why not!"

You could become today's William Shakespeare  ;D

Offline nmb

Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #6 on: October 07, 2009, 01:17:33 PM »
File Infector Takes Infection Up a Notch

quote:

It uses a polymorphic-entry point obscuring (EPO)-cavity type of infection, which is capable of moving some of the host file’s codes to another location. The malware encrypts its signature in a different way every time it executes as well as the instructions for carrying out the encryption. It hides its entry point in order to avoid detection. Instead of taking control and carrying out its actions as soon as an application is used or run, it allows it to work correctly for a while before taking action.

http://blog.trendmicro.com/file-infector-takes-infection-up-a-notch/
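Two points in this thread lend themselves to a small defender-side triage check: the quoted remark in Reply #2 that a file infector could have inspected the Machine field of the PE header before corrupting a file built for another CPU, and the Trend Micro description above of an EPO/cavity infection that relocates the entry point. The script below is an added example written for this thread, not code from any of the posters or vendors quoted; it parses the PE headers with nothing but the standard library, reports a machine-type mismatch against the host, and flags an entry point that lies outside any section, in a non-executable section, or outside .text. The minimal PE images it builds are constructed test fixtures, not real binaries, and the constants are the documented PE header values (0x14C for i386, 0x1C0 for ARM, 0x20000000 for IMAGE_SCN_MEM_EXECUTE).

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_ARM = 0x01C0      # machine type of Windows CE ARM builds
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section characteristics: executable

def parse_pe(data):
    """Return (machine, entry_rva, sections); a section is (name, va, vsize, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append((fields[0].rstrip(b"\0").decode(), fields[2], fields[1], fields[9]))
    return machine, entry_rva, sections

def triage(data, host_machine=IMAGE_FILE_MACHINE_I386):
    """Heuristic findings a malware fighter would want to see; empty list means nothing odd."""
    machine, entry, sections = parse_pe(data)
    findings = []
    if machine != host_machine:
        findings.append("machine 0x%04X does not match host 0x%04X" % (machine, host_machine))
    owner = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    if owner is None:
        findings.append("entry point 0x%X lies outside every section" % entry)
    elif not owner[3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in non-executable section %s" % owner[0])
    elif owner[0] != ".text":
        findings.append("entry point in unusual section %s" % owner[0])
    return findings

def build_pe(machine, entry, sections):
    """Constructed minimal PE32 image for testing only: DOS stub, PE signature, COFF, optional header, section table."""
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry) + b"\0" * 76   # 96-byte PE32 optional header
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff + opt + table

SECTIONS = [(".text", 0x1000, 0x500, 0x60000020), (".data", 0x2000, 0x200, 0xC0000040)]
```

Run `triage(open(path, "rb").read())` on a suspect file; a real infected sample may still pass these checks, so treat the output as a pointer for further analysis rather than a verdict.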