Avast WEBforum

Other => General Topics => Topic started by: polonus on February 24, 2009, 11:53:40 PM

Title: Vitro-virut - a file infector and why we cannot give false hope!
Post by: polonus on February 24, 2009, 11:53:40 PM
Again,

We try to offer hope for victims of the latest vitro-virut file infector. The webmaster can cleanse his website easily from the malware frame, for infected users we have to offer no hope - fdisk - format and re-install is the only solution open to them.
We haven't a clue what the purpose of this "buggy" corrupting file infector is, and why it leaves a computer beyond repair. You cannot use it as a zombie in a botnet, you cannot use it for launching spyware. On the other hand the malware is so advanced in nature that it cannot have been developed but by very apt malcreants, it is pure genius in development and a nightmare for the av-vendor and the malware fighter - for the moment they have to throw in the towel - the malware won, we have bitten the dust...
But why is it purely negative, then? It has a random, encrypted file-infecting routine, making it very hard to recover from; how that is accomplished, read here:
 http://www.sophos.com/security/blog/2008/05/1436.html

So the best protection is prevention (update, patch, use in-browser security, surf with normal user rights). I wonder where the weak side of this malware could be to tackle it, we haven't found that yet. For the moment I reckon for those infected that your luck was in,
this is the latest removal info: http://www.hm2k.com/posts/win32-virtob-virut-removal
About throwing in the towel:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html#IDComment15344616

polonus
Title: Re: Vitro-virut - a file infector and why we cannot give false hope!
Post by: DavidR on February 25, 2009, 12:34:07 AM
It makes absolutely no sense to me either; it is almost like when viruses first made an appearance: some were malign, but just to let you know it was boss, some were purely malicious. The common factor was they were just by individuals and not, as it is now, organised crime to make money.

This is why it makes no sense to go to all this trouble to trash systems without an apparent purpose or gain. Unless this is just preparing the ground to watch how AVs respond for a phase two, like some of the other ransom ware, encrypting data folders/partitions and demanding money to release them.
Title: Re: Vitro-virut - a file infector and why we cannot give false hope!
Post by: polonus on February 25, 2009, 12:44:12 AM
Hi DavidR,

We have seen this in the past with Vetor, but the latest credo for the malcreants seems to be:
"To junk or not to junk, and why not!"

Quote
It is also not unheard of to see viruses accidentally infect files that are not designed for the specific platform that the virus is running on. For example a virus may infect a Windows CE PE file that has been compiled for the ARM processor, while running under X86. This file now has no hope of running, yet a simple check of the MachineID field in the PE header and the virus would have known it was pointless to attempt to infect this file and could have moved on to the next.

It seems that modern day virus authors see a swathe of files left in varying degrees of corruptness as a perfectly acceptable and possibly desired, side effect of a successfully infected system.

To Junk or not to Junk? The virus authors say: Why Not?
But it is strange, as these are the times of low-profile malware that stays out of sight to do the cyber-criminal's bidding in a stealthy way; vitro/virut etc. are just the opposite.

polonus
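The MachineID check the quoted passage mentions, turned around for triage: an added example (not from this thread or the quoted article) that reads the Machine field of the COFF header and flags PE files that could never run on the host, such as an ARM image on an x86 machine, since an infector that ignored the field may have left such files unusable. The function names, the triage helper and the make_minimal_pe sample builder are my own assumptions, not anything from the page.

```python
import struct

# Machine values from the PE/COFF specification (IMAGE_FILE_HEADER.Machine).
IMAGE_FILE_MACHINE_I386 = 0x014C   # x86
IMAGE_FILE_MACHINE_ARM = 0x01C0    # ARM (e.g. Windows CE builds)
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x64
COFF_HEADER_SIZE = 20              # fixed-size header after the "PE\0\0" signature


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image; raise ValueError if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data):
        raise ValueError("PE header lies outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)  # first COFF field
    return machine


def can_run_on(data: bytes, host_machine: int) -> bool:
    """True when the image's architecture matches the host it sits on."""
    return pe_machine(data) == host_machine


def triage(files: dict, host_machine: int) -> list:
    """Names of PE files that could never run on host_machine, plus unparsable ones."""
    suspect = []
    for name, data in files.items():
        try:
            if not can_run_on(data, host_machine):
                suspect.append(name)
        except ValueError:
            suspect.append(name)  # damaged headers deserve a look as well
    return suspect


def make_minimal_pe(machine: int) -> bytes:
    """Constructed sample: a DOS header pointing at a PE signature plus COFF header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)  # 20-byte COFF header
    return bytes(dos) + b"PE\0\0" + coff
```

On a real system you would feed triage() the bytes of each .exe/.dll found on disk; the hits are candidates for restore-from-backup rather than disinfection.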
Title: Re: Vitro-virut - a file infector and why we cannot give false hope!
Post by: DavidR on February 25, 2009, 01:16:01 AM
Well, it seems, as has been mentioned in the other links you gave, that there is an element of bad coding in this. As what would be the purpose of creating a backdoor to download more malware or harvest emails, etc., if the infection trashing the system defeats those purposes?
Title: Re: Vitro-virut - a file infector and why we cannot give false hope!
Post by: Jtaylor83 on February 25, 2009, 02:08:45 AM
I guess people should consider buying a Mac or Linux/Ubuntu as an alternative OS. Even when upgrading to Vista or Win7, PCs are still vulnerable to new viruses and are no longer safe to use.

This new version of Virut (Win32:Vitro) could hurt Microsoft's profits.

Title: Re: Vitro-virut - a file infector and why we cannot give false hope!
Post by: YoKenny on February 25, 2009, 12:54:15 PM
Hi DavidR,

We have seen this in the past with Vetor, but the latest credo for the malcreants seems to be:
"To junk or not to junk, and why not!"

You could become today's William Shakespeare  ;D
Title: Re: Vitro-virut - a file infector and why we cannot give false hope!
Post by: nmb on October 07, 2009, 01:17:33 PM
File Infector Takes Infection Up a Notch

quote:

It uses a polymorphic-entry point obscuring (EPO)-cavity type of infection, which is capable of moving some of the host file’s codes to another location. The malware encrypts its signature in a different way every time it executes as well as the instructions for carrying out the encryption. It hides its entry point in order to avoid detection. Instead of taking control and carrying out its actions as soon as an application is used or run, it allows it to work correctly for a while before taking action.

http://blog.trendmicro.com/file-infector-takes-infection-up-a-notch/