Author Topic: Update.pif  (Read 7509 times)


Nicolas

Update.pif
« on: September 06, 2005, 09:08:51 PM »
A fully encrypted file, named update.pif (153 kB), was found in system32 after alerts by WinPatrol, Microsoft Antispyware and Sygate firewall because it attempted to access the internet. Task Manager showed it as a running process of 5352 kB, but was unable to kill it. Rename and delete were also unsuccessful. Because of the encryption, virus scans were negative.
From the time data it followed that this virus penetrated the system during startup.

Removal: disconnect from the internet (the LAN must be disabled, but do not unplug an ethernet cable) and the process will stop. Then you are able to delete it.

No other related files have (yet) been found. Win-XP users will have to disable system restore and to reboot first.

This update.pif file is obviously not the same as mentioned before on various websites in connection with Zotob and other viruses.   

Nicolas

Re: Update.pif
« Reply #1 on: September 07, 2005, 12:05:43 AM »
Additional info on update.pif:

Apart from infected zombie computers, it tries to contact

your.urgentupdate.net (211.189.88.24) TCP 65529/1036 and 1427/1034 (local/remote)

Rules: GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-TCP ;
           Ask all running apps   

Do not visit this URL; unsafe!
Whois did not yield any result (as was to be expected!)

Furthermore, various port combinations are tried, including 135, 445, etc.

It tried to place startup registry keys, which was prevented.
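The post above lists what the file tried to do on the network: contact one outside host and probe the RPC/SMB ports of other machines. Below is an added example (not from the thread or from any of the products named in it) that runs that kind of detection over netstat-style connection lines; the host and port indicators are the ones quoted in the post, the connection lines and PIDs are constructed sample input, and the fan-out threshold is an assumed value.

```python
import re
from collections import defaultdict

# Indicators taken from the post above: the host the file tried to contact and
# the ports it probed on other machines.
KNOWN_BAD_HOSTS = {"your.urgentupdate.net", "211.189.88.24"}
SPREAD_PORTS = {135, 445}      # RPC/SMB ports the post says were tried
FANOUT_THRESHOLD = 5           # assumed: distinct hosts on those ports before alerting

# netstat -ano style lines, constructed for this example (PIDs and LAN addresses are made up;
# 198.51.100.7 is a documentation address standing in for a harmless web server).
SAMPLE_NETSTAT = """\
TCP    192.168.1.5:1036    211.189.88.24:65529   SYN_SENT     1864
TCP    192.168.1.5:1034    211.189.88.24:1427    SYN_SENT     1864
TCP    192.168.1.5:1101    192.168.1.10:445      SYN_SENT     1864
TCP    192.168.1.5:1102    192.168.1.11:445      SYN_SENT     1864
TCP    192.168.1.5:1103    192.168.1.12:135      SYN_SENT     1864
TCP    192.168.1.5:1104    192.168.1.13:135      SYN_SENT     1864
TCP    192.168.1.5:1105    192.168.1.14:445      SYN_SENT     1864
TCP    192.168.1.5:1200    10.0.0.2:445          ESTABLISHED  4
TCP    192.168.1.5:3311    198.51.100.7:80       ESTABLISHED  2210
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)$")

def parse_netstat(text):
    """Yield (proto, local_addr, local_port, remote_addr, remote_port, state, pid) per line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            proto, la, lp, ra, rp, state, pid = m.groups()
            yield proto, la, int(lp), ra, int(rp), state, int(pid)

def find_suspect_pids(text):
    """Return {pid: [reasons]} for processes that either contact a known-bad host or
    fan out to many distinct hosts on the RPC/SMB ports (worm-like spreading)."""
    reasons = defaultdict(list)
    fanout = defaultdict(set)
    for _proto, _la, _lp, ra, rp, _state, pid in parse_netstat(text):
        if ra in KNOWN_BAD_HOSTS:
            reasons[pid].append(f"contacts known-bad host {ra}:{rp}")
        if rp in SPREAD_PORTS:
            fanout[pid].add(ra)
    for pid, hosts in fanout.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            reasons[pid].append(f"fan-out to {len(hosts)} hosts on ports {sorted(SPREAD_PORTS)}")
    return dict(reasons)

if __name__ == "__main__":
    for pid, why in find_suspect_pids(SAMPLE_NETSTAT).items():
        print(pid, "->", "; ".join(why))
```

A single SMB connection (PID 4 here) stays quiet; only the process that both calls out to the listed host and probes several LAN hosts is reported.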

Offline DavidR

Re: Update.pif
« Reply #2 on: September 07, 2005, 12:29:16 AM »
You can add a url mask for *.pif in the URL Blocking of web shield to stop downloading any *.pif files.

URL blocking should overcome the fact that it is encrypted I believe.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Nicolas

Re: Update.pif
« Reply #3 on: September 07, 2005, 12:36:04 AM »

Quote
You can add a url mask for *.pif in the URL Blocking of web shield to stop downloading any *.pif files.
Thanks for reminding me of that possibility!

Finally, in the registry was found:

HKEY_USERS\DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa


Nicolas

Re: Update.pif
« Reply #4 on: September 07, 2005, 02:22:27 PM »
Quote
You can add a url mask for *.pif in the URL Blocking of web shield to stop downloading any *.pif files.

Tried it out and it does work!
Went to a serious-looking hit of MSN Search for "update.pif" and Avast showed up: ACCESS DENIED! keyword "update.pif"

My older, dirty computer (used for risky tasks) revealed that it is actually a porn site that has the virus onboard.
« Last Edit: September 07, 2005, 02:27:08 PM by Nicolas »

Offline DavidR

Re: Update.pif
« Reply #5 on: September 07, 2005, 02:52:08 PM »
Great to see that it works as expected, as the trick of encryption to bypass AV detection is a serious one.

The thing that concerns me is that a file that is encrypted must surely have other elements, 1) to unencrypt it and 2) to run it, as an encrypted file is like a zip file: inert until run/opened, etc.

What browser are you using? It would be interesting to find out just how it is being downloaded just by visiting a site.

The fact that it planted itself in the system32 folder indicates that you browse whilst logged on to a user account with administrator privileges?
You might want to check out this link, as limited users shouldn't be able to add/modify files in the system32 folder: Security Tips & Tricks - DropMyRights.

Nicolas

Re: Update.pif
« Reply #6 on: September 07, 2005, 04:46:42 PM »
Quote
The thing that concerns me is that a file that is encrypted must surely have other elements, 1) to unencrypt it and 2) to run it, as an encrypted file is like a zip file: inert until run/opened, etc.

I assume it uses the code and IP shown to the outside world. This particular one depends on the LAN functioning; at least it stopped when I disabled the LAN. I did not find other related files, which of course does not necessarily mean they are not there.
The file update.pif is totally inaccessible because it generates Read/Write errors to prevent being examined. Therefore, a password-protected zip fails. It also seems polymorphic, for its length varies between 153 and 160 kB (as far as observed), and this may point to an internal counter. Considering the encryption, the source code must be very large.
I have Microsoft AntiSpyware, Spyware Blaster and WinPatrol resident, which may have saved the system.

Quote
What browser are you using, it would be interesting to find out just how it is being downloaded just by visiting a site.

Explorer 6, SP1 + updates. But the virus penetrated the system during startup. On the dirty computer (using the same OS, etc.) it was not downloaded because of Avast Web Shield blocking *.pif.
Since such sites don't let you go, the next screen showed the girls.

Quote
The fact that it planted itself in the system32 folder indicates that you browse whilst logged on to a user account with administrator privileges?
Yes, correct.

Quote
You might want to check out this link, as limited users shouldn't be able to add/modify files in the system32 folder: Security Tips & Tricks - DropMyRights

This is certainly advisable.

« Last Edit: September 07, 2005, 05:13:16 PM by Nicolas »

Offline DavidR

Re: Update.pif
« Reply #7 on: September 07, 2005, 05:21:24 PM »
Quote
Quote
You might want to check out this link, as limited users shouldn't be able to add/modify files in the system32 folder: Security Tips & Tricks - DropMyRights
This is certainly advisable

What I like about DropMyRights is that it doesn't require you to constantly log on/off to a limited user account; just create a couple of desktop/quick launch shortcuts to run the relevant program with limited rights. If you need admin rights for, say, Windows Update, use the regular shortcut for IE; when finished, close it and revert to the limited-rights version.

I use this for all my browsers, email, etc.; for the most part they don't require admin rights.

Nicolas

Re: Update.pif
« Reply #8 on: September 07, 2005, 05:28:33 PM »
Indeed an ingenious way to limit the eventual damage.

Thanks for this tip!

Offline DavidR

Re: Update.pif
« Reply #9 on: September 07, 2005, 05:38:31 PM »
That is what it is all about: limiting the damage (first-day virus, etc.) and not giving a virus the same administrator rights as the user account.

One of the few great things to come out of MS that I keep trying to get people to use ;D

Nicolas

Re: Update.pif
« Reply #10 on: September 08, 2005, 11:27:31 PM »
Using heuristic methods, this particular "update.pif" has been recognized as comparable, but not identical, to:

morphine-crypted, Backdoor.RBot.abi

Avast does have a signature for this virus, but could not catch this variant (polymorphic!).

(Edit) Tools used:

PE decompression tools (not mine);
Ewido Security Suite 3.5 (recommended as 2nd-layer protection!!);
IceSword, a Chinese program for rootkits and invisible viruses; an English version is now available:

www.xfocus.net  (Chinese page, with program names in English)

IceSword_en1.12.rar

« Last Edit: September 09, 2005, 11:40:14 AM by Nicolas »

Offline Lisandro

Re: Update.pif
« Reply #11 on: September 11, 2005, 06:10:43 AM »
Quote
That is what it is all about: limiting the damage (first-day virus, etc.) and not giving a virus the same administrator rights as the user account.
David, how does this tool work?
If the worm/virus does not use the browser process (restricted user), couldn't it be saved to disk and run with the actual administrator rights (of the logon) and not with the browser's (restricted)?
The best things in life are free.