Need more information about polymorphic file infector

[wuemura]

Hello Guys!

I need more info about a virus named WIN32.Virut
http://www.avast.com/eng/win32-virut.html

This has other names as follow:

Code: [Select]

AntiVir - W32/Virut.R
ArcaVir - W32.Virut.E
Avast - Win32:Virut
AVG Antivirus - Zapchast.R
BitDefender - Win32.Virtob.4.Gen
ClamAV - W32.Virut.si
CPsecure - W32.Virut.F
Dr.Web - Win32.Virut.5
F-Prot Antivirus - W32/Virut.10392
F-Secure Anti-Virus - nothing
Fortinet - nothing
Ikarus - Virus.Win32.Virut.q
Kaspersky Anti-Virus - Virus.Win32.Virut.n
NOD32 - Win32/Virut.NAK
Norman Virus Control - W32/Virut.O
Panda Antivirus - W32/Virutas.gen
Sophos Antivirus - W32/Vetor-A
VirusBuster - Win32.Virut.Gen
VBA32 - Virus.Win32.Virut.f
The name of the infection in my computer is mrofinu1001186.exe, I've sent the file to a on line file scanner http://virusscan.jotti.org/ and got the results above. I don't know how this virus keep infecting my computer because I've just formated my computer, install free avast and soon as i run windows update the virus somehow keeps coming back. The sequence of problems are the same,  avast stop working with memory errors, notepad stop working (doesn't start), explorer crash and after reboot i get a empty Desktop, no icons nothing. I have to run firefox from command line.

Also, i doesn't run my computer with administration rights, i only logon as administrator to run windows update, everything else i use "Run As".

I have only one partition in my computer and the entire drive was formated, did not restore or install nothing, is just the time to connect to internet to get infected, My modem/router Speedstream 3610 that does the connection. My Windows is XP SP3 Original.

Do i need to close any specific port at the firewall?
I my router web inbound TCP 80/UDP 53/TCP 443 traffic is allowed and all outbound is allowed.

Thank you.

[wuemura]

I've found the problem.

All my backups, all my device drivers, all my service packs was infected.

Thanks.

[wyrmrider]

best a scan with Malwae bytes anti malware for a second opinion
also update then do a boot time scan with avast
let us know if you find anything else

[wuemura]

Hello wyrmrider!

I did scan my PC with spybot, had the tea time protectin but it was infected also, every time i scanned the computer it woun't find a thing, this virut found a good environment in my computer, i had cygwin environment and found a dozen *.h files in my C:/ driver after closer inspection of my backup's. I had to trash about 3Gb of backup, didn't lost anything because most of it i had the source code.

I was unable to do a boot scan because every time i tried to do so i end up with memory errors, illegal access types, very crazy errors.

After restoring the last image backup I've build a BartPE image with Avast inside Fedora 9 running windows 2000 in vmware, Virut was trigged about 12.381 times.

Everything is fine now.

[wyrmrider]

glad you're better

did you see these ?

forum.avast.com/index.php?action=printpage;topic=37374.0

www.avast.com/eng/win32-virut.html

from google search on
win32-virut.html

[polonus]

Hi wuemura,

This tool also removes virut.a & virut.b infections: http://support.microsoft.com/kb/890830

polonus

[wuemura]

Thank you guys!

I've googled for more info at the time, this is how i got here
All the info i got was sites telling about how i could got this from, like p2p, "strange" sites and that was not the case. I tough that i got this from some open port or something like this.

Thank you for the links!

[polonus]

Hi wuemura.

It is an IRC backdoor, there is more than likely where you may have got it. There are so many ways to have a comp infected, not fully patched OS, critical software not updated; like Java, MediaPlayer etc, an infested pen drive (USB) or through the Internet. Prevention: update, patch, use a safer browser like Fx 3.01 with in-browser security like NoScript, and clear your cache and your temporary files regularly with ATF Cleaner or ClearProg, use a solid FW. And come here more often, I have learned a bunch of security things while staying at forum.avast.com and I thank the avast people for that from the bottom of my heart, my computer has been clean ever since,

polonus

[wuemura]

Hello polonus!

I do work with security my self, in fact i was the one that gave Microsoft the original concept of LUA (Least-Privileged User Account), to tell you the truth they stole my work. Since November 2002 I've stop using antivirus after a proof of concept that a virus will not infect your computer without administrative privileges, oh that is a long story......

Anyway, i do use 3 firewall at home, one in my router, other in my home server (Debian 3.1) and Comodo Firewall in my windows Desktop, i use Fedora 9 in my main computer, this windows machine I use for electronic CAD work and video editing.

I did find the person who gave me the virus, it was a friend of mine that do some programming and i had to run his app as administrator, all started from there.

But i will keep coming back, I've never used avast before but i will keep it on my windows machine for a while.

[Lisandro]

wuemura, will UAC on Vista does the same job?

[wuemura]

I don't know, never used Vista and have no interest with it, as far as i know they did a piss poor job putting it together. In XP I know that works.

[Lisandro]

I don't know, never used Vista and have no interest with it, as far as i know they did a piss poor job putting it together. In XP I know that works.

Thanks anyway...

[wuemura]

No Problem.

PS: Eu sou brasileiro também!

[Lisandro]

PS: Eu sou brasileiro também!

You can have our flag on your profile

[wuemura]

Thank you Tech, I will 

polonus, tried to respond to you but i got a error from the forum, i will keep coming back and do my best to help.