Author Topic: Malware name Win32:Vitro  (Read 244456 times)


Offline janr46

Malware name Win32:Vitro
« on: February 17, 2009, 02:05:42 PM »
Whatever this is, it is locking me out of, say, my games on my computer, and it will not let me download and install Malwarebytes.org or SuperAntiSpyware.com. I simply cannot find any answers at all, so please, somebody, please help me remove this. It shows to be in C:\Windows\hh.exe, and if I try to run Malwarebytes it comes up with [unable to execute file:C:\program files\Malwarebytes:Anti-Malware mba.exe]. So please send me anything to help remove these permanently. Thanks.

Offline Maxx_original

Re: Malware name Win32:Vitro
« Reply #1 on: February 17, 2009, 02:12:54 PM »
it's a new *hardcore* file infector from the authors of Virut..

Online polonus

Re: Malware name Win32:Vitro
« Reply #2 on: February 17, 2009, 08:18:52 PM »
Hi janr46,

The Virut family of viruses uses polymorphism to hide from all anti-virus protection; it infects executable files. File infection makes it very hard to repair a system that has been infected. W32/Vitro injects code in running processes and hooks the following functions in ntdll.dll, which transfers control to the virus every time any of these function calls are made.

    * NtCreateFile
    * NtCreateProcess
    * NtCreateProcessEx
    * NtOpenFile
    * NtQueryInformationProcess


I would strongly recommend rebuilding the system from backups.

Windows can be rebuilt as described in the following link: http://www.informationweek.com/showArticle.jhtml?articleID=189400897 or, failing this, a format of the system will be required.

polonus


« Last Edit: February 17, 2009, 09:30:01 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline S t Y L o

Re: Malware name Win32:Vitro
« Reply #3 on: February 17, 2009, 10:04:12 PM »
Been having the same prob here for 2 days now; normally I have been able to remove such stuff, but this one is a hard one.

Formatted C: 3 times now, but it keeps coming back somehow???

Offline pjd4ioi

Re: Malware name Win32:Vitro
« Reply #4 on: February 18, 2009, 02:42:46 AM »
I have this same problem and rebuilding didn't solve it.  Can anyone help?  Thanks.


Offline artitr

Re: Malware name Win32:Vitro
« Reply #5 on: February 18, 2009, 04:08:27 AM »
I am having this problem too; as polonus said, it seems to be attacking .exe processes, e.g. logonui.exe, explorer.exe, etc.

I have tried to repair; it fails, so deleting the files resulted in deletion of important files in my Windows system!!!

Ended up having to rebuild the Windows system, but the virus comes back again... any suggestions?

Thanks


Offline Wahezu

Re: Malware name Win32:Vitro
« Reply #6 on: February 18, 2009, 04:16:05 PM »
Same thing happened to me.

I had a snapshot for backup; when I restore with BartPE, the virus Win32:Vitro comes back after a few minutes.

What can we do? Anyone with the solution?

Offline Jim Selleck

Re: Malware name Win32:Vitro
« Reply #7 on: February 18, 2009, 05:02:17 PM »
Please let us know when there is a cleaning procedure available for files infected with the Vitro payload.

This IS a particularly nasty one!

I have spent about 20 hours battling it, only to have to resort to a total scorched-Earth solution.

1.  I copied all essential data files to a separate hard drive
2.  Deleted the system partition
3.  Did a total repartition and reformat of the System hard drive, then reinstalled EVERYTHING

Vitro is now gone and has not returned.  However, Avast reports that it still exists in some files on the separate hard drive, so I have to keep them segregated for the present time.

I'd like to warn friends about Vitro!  Does anybody know what the other virus protection peeps are calling it?

Online polonus

Re: Malware name Win32:Vitro
« Reply #8 on: February 18, 2009, 08:56:18 PM »
Hi Jim Selleck,

Did you make an upload of an infected executable to virustotal.com, and can you post the results you get there here as an attached file? The following information I distilled from Tweakers Netherlands:
If you are infected by Virut Vitro, then this is an advanced virus that tries to infect all kinds of files. After a reformat, a re-infection can occur easily through infected back-ups.
I informed above in the thread:
Quote
"The Virut family of viruses uses polymorphism to hide from all anti-virus protection; it infects executable files. "Buggy" file infection makes it very hard to repair a system that has been infected. W32/Vitro injects code in running processes and hooks the following functions in ntdll.dll, which transfers control to the virus every time any of these function calls are made.

* NtCreateFile
* NtCreateProcess
* NtCreateProcessEx
* NtOpenFile
* NtQueryInformationProcess"

So Virut will attach to an important system file that is used for a plethora of things, and so creates room for the virus as it pleases, so to say, because almost every program makes use of these system APIs. Also the virus scanner itself is not immune from it....
Scanning from another computer is not a very bright thing to do either when a file injector is involved, seeing the risk of re-infection; the only sensible thing to do in such a case is to use a PE CD.
The virus only injects when it is active, but an autorun is also enough to infect.
The best policy is preventing infection by running fully updated and patched Windows and third-party software, and using in-browser security like Firefox with NoScript installed. Malcreants at the moment will use every weakness in IE browsers known for spreading their drive-by malware infectors..... and one ounce of prevention is worth 10 kg of cleansing after the fact....

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
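The hook list polonus gives (in reply #2 and again here) is also what a defender would look for: an export of the loaded ntdll.dll whose first bytes no longer match the on-disk copy and instead jump outside the module. Added example, not code from this thread or from any AV product: a real check would read each prologue from the process and from the file, whereas here both sides are constructed byte strings, and the load range, virtual addresses and syscall numbers are assumed values so that it runs offline.

```python
"""Compare ntdll export prologues on disk vs in memory to flag inline hooks."""
import struct

# The five exports the thread says Vitro hooks.
WATCHED = ["NtCreateFile", "NtCreateProcess", "NtCreateProcessEx",
           "NtOpenFile", "NtQueryInformationProcess"]

# Assumed 32-bit ntdll load range (not from the thread); a jmp leaving it is foreign code.
NTDLL_BASE, NTDLL_SIZE = 0x7C900000, 0xB0000

def clean_stub(syscall_no: int) -> bytes:
    """XP-era Nt* stub: mov eax,N ; mov edx,7FFE0300h ; call [edx] ; ret 2Ch."""
    return b"\xb8" + struct.pack("<I", syscall_no) + b"\xba\x00\x03\xfe\x7f\xff\x12\xc2\x2c\x00"

def jmp_rel32(from_va: int, to_va: int) -> bytes:
    """Encode a near jmp (E9 rel32); used only to build the constructed hooked sample."""
    return b"\xe9" + struct.pack("<i", to_va - (from_va + 5))

def jmp_target(code: bytes, va: int):
    """Decode a leading E9 rel32 into its absolute target, or None if not a jmp."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    return (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF

def classify(va: int, disk: bytes, mem: bytes) -> str:
    """'clean' if prologues match, 'hooked' if a jmp leaves ntdll, else 'modified'."""
    if mem[:len(disk)] == disk:
        return "clean"
    tgt = jmp_target(mem, va)
    if tgt is not None and not (NTDLL_BASE <= tgt < NTDLL_BASE + NTDLL_SIZE):
        return "hooked"
    return "modified"

def scan(exports: dict) -> dict:
    """exports: name -> (va, disk_prologue, mem_prologue). Returns name -> verdict."""
    return {n: classify(va, d, m) for n, (va, d, m) in exports.items()}

def sample_exports() -> dict:
    """Constructed sample: VAs and syscall numbers are made up, not from a real ntdll."""
    ex = {}
    for i, name in enumerate(WATCHED):
        va, disk = NTDLL_BASE + 0xD000 + i * 0x20, clean_stub(0x25 + i)
        ex[name] = (va, disk, disk)          # memory copy identical to disk
    for name in ("NtCreateFile", "NtOpenFile"):   # two prologues overwritten with a jmp out of ntdll
        va, disk, _ = ex[name]
        ex[name] = (va, disk, jmp_rel32(va, 0x00401000) + disk[5:])
    return ex
```

Running `scan(sample_exports())` reports the two overwritten exports as `hooked` and the other three as `clean`; a jmp whose target stays inside the ntdll range is reported as `modified` instead, since a relocation or patch inside the module needs a different explanation.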

Offline OneRing2Rule

Re: Malware name Win32:Vitro
« Reply #9 on: February 19, 2009, 04:38:54 AM »
Dear sweet lord, I hope someone gets a solution for this.  I just lost a computer to this virus.  Going with scorched earth.  Also, it jumped to my USB drive (autorun?) and almost got my laptop.

Avast is catching this, when Norton and McAfee did NOT.   Still, I am very uncomfortable with this virus.  Any way to clean the infected files?

Oy.   And it acted like a loop virus, too, but I think that spools.exe is a different one.

OneRing2Rule

Offline pctechguy

Re: Malware name Win32:Vitro
« Reply #10 on: February 19, 2009, 06:36:54 AM »
I got this virus, IT'S BAD!!

On a single computer on my network so far (THANK GOD).
Wiped out nearly every .exe file, including explorer.exe, and drivers that need to run!
Definitely polymorphic and attacking running executable files; not sure how it worms, though, since there are no other infections on the internal network.
Also makes .tmp and 213123421-type backups of itself, seen first in the root of C:\,
quickly everywhere.

My plan...
Removed the HDD, backed up all NON-EXECUTABLE FILES, left out programs, as they are possibly infected.
Formatting and reinstalling seems the best idea for any polymorphic virus that attacks with such brute force.

Offline OneRing2Rule

Re: Malware name Win32:Vitro
« Reply #11 on: February 19, 2009, 07:50:48 PM »
Well, it's making me money for sure.  8)   I'm into computer repair on the side and she's a bitch of a virus.  Got five customers now with it.  In every case, they downloaded something from zShare and had either Norton or McAfee.  I downloaded the same file with Avast on a non-networked test cpu and Avast caught it.

Still, there is no solution other than doing what the Aussie said.  Yank the HDD out, copy all of the data files, non-exec. types, and nuke the HD.  I'm repartitioning and reformatting aggressively.  After reinstalling Windows, I'll rescan with Avast to make sure that it's not on there somehow.

What are other scanners calling this one?  A Google search of "vitro virus computer" is only showing a few results for Avast, none for Kaspersky or the other ones.....

Michael

Online polonus

Re: Malware name Win32:Vitro
« Reply #12 on: February 19, 2009, 08:31:10 PM »
Hi OneRing2Rule,

It is from the makers of Virut, aka Virux, and the complexity of these latest strains like Virux.U is striking; read the analysis of a few of the tricks of this infector here:
http://securitylabs.websense.com/content/Blogs/3300.aspx
These malcreants for sure aren't amateurs, they know every trick in the book, and because in some ways the infector is buggy, it is almost impossible to repair the damage. So until DrWebCureIt can repair the files "en masse", the best way to go is called "Total Recall".

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline janr46

Re: Malware name Win32:Vitro
« Reply #13 on: February 19, 2009, 10:22:48 PM »
it's a new *        * file infector from the authors of Virut..
I am at my public library, so don't have any worries. Yeah, that Win32-Vitro virus really got me again!! Problem is, I do not go to sites I do not trust!! And my computer is once again in the repair shop. It had gotten so bad that when I turned on my computer there were no icons whatsoever, but I could use the computer in safe mode. That was a [?????], sorry. So where is that virus coming from??? Is there any real way to keep it away?? Permanently??? Sorry, like I said, my computer's in the shop again, so maybe it will be tomorrow before I can get it out. So anyone who gets that virus, I really know what you all are going through, and good luck.

Offline OneRing2Rule

Re: Malware name Win32:Vitro
« Reply #14 on: February 19, 2009, 10:49:01 PM »
Polonus,  Thanks for the tips and the interesting but over-my-head reading.

Will it be safe to move HTM files from the original machine's HD?
And is the act of copying and moving enough to trigger an infection to spread?
All I want to copy are .doc, .mp3, and .htm files.  The .htm files are negotiable.

Finally, I would like to know how I can tell if the USB drive is infected.  I've got to stick it in SOMETHING to reformat it.
Any hints?
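On the USB question, and polonus's earlier note that an autorun entry alone is enough to infect, here is an added example that is not part of any post in this thread: it parses the text of an autorun.inf copied off the stick (on a machine with AutoRun disabled) and reports every entry Windows would act on when the drive is inserted or double-clicked. The sample autorun.inf and the RECYCLER\payload.exe name in it are constructed, not taken from a real infection.

```python
"""Triage an autorun.inf from a removable drive for entries that would launch code."""
import re
import shlex

LAUNCH_KEYS = ("open", "shellexecute")          # run on insert / AutoPlay default action
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".dll")

def parse_autorun(text: str) -> dict:
    """Parse the INI-style file; return lowercase key -> value from the [autorun] section."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_entries(entries: dict) -> list:
    """(key, target) pairs Windows acts on: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", k)]

def is_executable(target: str) -> bool:
    """True if the first token of a launch value (quotes allowed) names an executable type."""
    tokens = shlex.split(target, posix=False)
    return bool(tokens) and tokens[0].strip('"').lower().endswith(EXEC_EXT)

def verdict(text: str) -> dict:
    """Summarise launch targets, which of them are executables, and the AutoPlay label."""
    entries = parse_autorun(text)
    launches = launch_entries(entries)
    exes = sorted({t for _, t in launches if is_executable(t)})
    # action= is the text AutoPlay shows for the default choice; compare it with the target.
    return {"launches": launches, "executables": exes,
            "action_label": entries.get("action")}

# Constructed sample, not copied from a real infection.
SAMPLE = (
    "[AutoRun]\n"
    "; constructed sample\n"
    "open=RECYCLER\\payload.exe\n"
    "shellexecute=RECYCLER\\payload.exe\n"
    "shell\\open\\command=RECYCLER\\payload.exe\n"
    "action=Open folder to view files\n"
)
```

`verdict(SAMPLE)` lists all three launch entries pointing at the same executable while the AutoPlay label reads like a folder view; a stick that only carries an icon= or label= line yields no launch entries.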