Author Topic: Malware name Win32:Vitro  (Read 340226 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #15 on: February 19, 2009, 11:45:53 PM »
Hi OneRing2Rule,

As long as there is no executable file on the partition, because the active file infector spreads like wildfire, and it corrupts because it does not simply attach; it is a polymorphic and destructive one, re:
http://forum.avast.com/index.php?topic=42554.msg356009#msg356009
Its hooking into API-handling dll's makes its maneuvering room go really far. I would disinfect the pen drives etc. with a usb disinfector tool, and what you wanna save, save that in RTF to make these files inert.
Try to scan with DrWebCureIt from here: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
Good also against polymorphics....
Place this launch.exe (updated to the latest version) on a non-compromised USB stick protected with the file that usb disinfector has left there (do not remove), download from here: http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
Instructions to use here:
http://www.myantispyware.com/2009/01/08/flash-disinfector-free-autoruninf-trojans-removal-tool/

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Exile

  • Guest
Re: Malware name Win32:Vitro
« Reply #16 on: February 20, 2009, 09:54:49 AM »
I was infected. I hooked up my external HD where I had my back ups and scanned it with avast and it detected win32:vitro. I tried to delete and move to virus chest several times, but it didn't work. Is there any way to remove the infected file or files so I can retrieve my backed up data? I need my movies, music, games, favorites etc.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #17 on: February 20, 2009, 01:39:08 PM »
Hi Exile,

Your only chance is where you have backups that this virus has not touched. In most cases the experience of the workings of such a critter in the aftermath is the only thing that teaches victims a backup policy of some sort; the next best thing is not to panic, that won't help...
As the virus uses the open spaces left in the code of executables, and does so indiscriminately and rather sloppily and buggily, it makes cleansing quite a difficult task, because it is so destructive on exe, MP3 files etc.
Then another way in which the virus operates, using a specific dll that works for a plethora of tasks using APIs, is another complicating factor; it also immediately attacks a scanner because it attacks executables, so these should be renamed to run in another format on Windows, and certainly rename the infector file extension. The miscreant(s) haven't left many options open to us. Cleansing from a CD is the best option; having your data stored somewhere else is a blessing.

polonus

« Last Edit: February 20, 2009, 01:40:46 PM by polonus »

geodane

  • Guest
Re: Malware name Win32:Vitro
« Reply #18 on: February 20, 2009, 05:59:53 PM »
I got this one also. I was able to remove it with Dr. Web from http://www.freedrweb.com/. I used the free scanner and it took the bugger out, of course it took about 2500 exe files with it, but after a couple of days I am back up and running as before. I did not reformat my hard drive. This is the worst one I have come across since the introduction of boot sector viruses in the DOS days. I ran a thorough scan with AVAST after the Dr. Web scan and it cleaned up the rest. Just for information purposes, I had my laptop, desktop and 3 flash drives infected in about one hour. All is good now though, but several hours lost.

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Malware name Win32:Vitro
« Reply #19 on: February 20, 2009, 06:04:11 PM »
This new variant of Virut is still being analysed (it's quite complex).. what's sure is the capability of infecting any PE module, and this variant is most probably responsible also for injecting some stuff into html pages.. I guess it contains also an IRC client as the older variants did... the detection will be updated today to cover the recent mutation..
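
As an added illustration (not code from anyone in this thread), a Python header check that sorts backed-up files by whether they actually are PE modules, the file type the reply above says this infector targets, instead of trusting the .exe extension. The sample backup and the stub header are constructed inline; `triage_dir` is the same check over a real folder.

```python
import os
import struct

PE_SIGNATURE = b"PE\0\0"   # 'PE' followed by two NUL bytes


def is_pe(data: bytes) -> bool:
    """True if the bytes start a Windows PE image: a DOS 'MZ' stub whose
    e_lfanew field (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def is_pe_file(path: str) -> bool:
    """Same test on disk; reads only the DOS header and the 4 signature bytes."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        fh.seek(struct.unpack_from("<I", head, 0x3C)[0])
        return fh.read(4) == PE_SIGNATURE


def triage(files: dict) -> dict:
    """Label each backup file 'pe' (a module a file infector can live in; do
    not restore it unscanned) or 'data' (not a PE module; scan it anyway)."""
    return {name: ("pe" if is_pe(blob) else "data") for name, blob in files.items()}


def triage_dir(root: str) -> dict:
    """Walk a real backup tree and label each path the same way."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return {p: ("pe" if is_pe_file(p) else "data") for p in paths}


def make_pe_stub() -> bytes:
    """Constructed minimal header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = PE_SIGNATURE
    return bytes(buf)


# Constructed sample backup: file names and leading bytes only, not real files.
SAMPLE_BACKUP = {
    "thesis.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(64),  # OLE2 document
    "track01.mp3": b"ID3\x03\x00" + bytes(64),                       # MP3 with ID3 tag
    "setup.exe": make_pe_stub(),
    "screensaver.scr": make_pe_stub(),       # PE module behind a non-.exe extension
    "holiday.jpg": make_pe_stub(),           # renamed executable: the extension lies
    "readme.txt": b"MZ is just text here" + bytes(64),  # 'MZ' text, no PE header
}
```

Files labelled 'data' are simply not PE modules; given what the thread reports about damaged MP3s, they still deserve a scan before being restored.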

OneRing2Rule

  • Guest
Re: Malware name Win32:Vitro
« Reply #20 on: February 20, 2009, 09:08:01 PM »
Well, if there's one good thing about this, it finally got me involved from a "user" to "forum user".   ;D

Good to know I'll have this available for scanning.

Now, I *do* have the Avast USB version (paid for it!).  I ran some USB Disinfector (seems to just leave a hidden autorun.inf file in the drive) and I know the drive is clean.  That should be my first line of defense against these computers stacked up on the workbench, right?

Was there another USB disinfector that I should have used?

Michael, who thought he knew his stuff...

PS:  uh, THANKS TO AVAST!!!!!!!!!!!!!!!!!!!

Wheresthelove

  • Guest
Re: Malware name Win32:Vitro
« Reply #21 on: February 20, 2009, 09:29:25 PM »
I got a question about this... no one really made it clear to me anyway.. Does this virus infect video and audio files???

Sorry about this. I am just curious

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Malware name Win32:Vitro
« Reply #22 on: February 20, 2009, 10:02:56 PM »
It is most probable that this virus is not able to infect audio and video files...

Wheresthelove

  • Guest
Re: Malware name Win32:Vitro
« Reply #23 on: February 20, 2009, 10:08:43 PM »
If i were to move these files to an external HD that has exe files in it.. would it most likely infect that drive?

ardvark

  • Guest
Re: Malware name Win32:Vitro
« Reply #24 on: February 21, 2009, 04:15:12 AM »
If i were to move these files to an external HD that has exe files in it.. would it most likely infect that drive?

Hi...

If your username is a question, please see my signature links below. :)

In answer to your question, I would say it's certainly possible. :(

May God Bless you! :)

markerpower

  • Guest
Re: Malware name Win32:Vitro
« Reply #25 on: February 21, 2009, 09:08:14 AM »
So if I delete all exe files, I should be fine?

I'm not sure when I was infected with this virus, but I just want to know if it is safe to restore files that aren't exe.

mindry

  • Guest
Re: Malware name Win32:Vitro
« Reply #26 on: February 21, 2009, 12:07:55 PM »
I have just recovered from this infection... it took down about 50 .exe files and I have now wiped the computer using the restore discs - it now seems to be clean. I did manage to salvage my important documents and burn them onto a CD-R - they are all .doc, .ppt or .xls files, definitely no .exe ones. What I want to know is, is there a chance the Vitro worm could be on that disc somehow, and if it is, what is the best way to rescue my files without letting Vitro back in, as I really need those documents back!

Also I have a couple of memory sticks that I think have been plugged in since I've had this virus. Could these have been infected, and if so is there any way to disinfect these, or should I just dispose of them lest they let Vitro back into my system?

Finally, I get my internet wirelessly, and the computer attached to the router (apologies for lack of proper terminology!), while not actually networked to my infected PC, is now showing as having a virus. I don't know whether this is Vitro or something that's actually possible to remove. Could Vitro somehow have spread wirelessly to the router and thence to this computer, even though there is no network connection between the two computers?

Sorry for all the questions, but this has ruined my computer and I want to make sure I don't let it back in or lose the second PC to it!

JMC

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #27 on: February 21, 2009, 01:00:48 PM »
Could these have been infected, and if so is there any way to disinfect these, or should I just dispose of them lest they let Vitro back into my system?
Use the same procedures you've used in your computer and also
  • Download Flash Drive Disinfector and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
  • Note: Flash Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.
Could Vitro somehow have spread wirelessly to the router and thence to this computer, even though there is no network connection between the two computers?
If two computers are networked, yes, the virus could have spread between them.
The best things in life are free.

mindry

  • Guest
Re: Malware name Win32:Vitro
« Reply #28 on: February 21, 2009, 02:23:50 PM »
Thanks for the hint, but the flash drive disinfector will not install. I go through all the Run and Allow stuff, then am told that the programme didn't install correctly. So I click "install again with recommended settings", but this just causes the cycle to repeat. Any ideas?

Also what should I do with the CD with my documents on - any chance Vitro could have got to this somehow?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #29 on: February 21, 2009, 02:53:04 PM »
Thanks for the hint, but the flash drive disinfector will not install. I go through all the Run and Allow stuff, then am told that the programme didn't install correctly. So I click "install again with recommended settings", but this just causes the cycle to repeat. Any ideas?
Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:

1. Avira
2. Kaspersky
3. BitDefender
4. F-Secure