Author Topic: Malware name Win32:Vitro


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #105 on: March 09, 2009, 04:33:12 PM »
Hi BrBrasil,

It is not avast's fault, nor any other AV's for that matter. This virus was developed just to ruin operating systems: because the infection routine works rather buggily, it is almost impossible to repair the partially and totally infected files. It ruins files in a random way, only partially or not at all, and once it has circumvented the Windows File Protection scheme it goes on ruining every executable it finds from memory. It reappears and goes on infecting if only a small trace of the infector is left (copies, archives), and this goes astonishingly fast. So we have to throw in the towel: a virus developed just to ruin an operating system as best it can cannot be beaten; there is no cure against it.
The only option left with this nastiest of file infectors is the FFR method: fdisk, then format, and finally re-install. That is all,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Malware name Win32:Vitro
« Reply #106 on: March 09, 2009, 04:54:27 PM »
Is avast having problems only with cleaning an already infected machine, or is it also missing variants of Vitro when they try to infect a machine with an updated avast AV?
Both.
The best things in life are free.

partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #107 on: March 09, 2009, 07:07:39 PM »
This is one of the worst viruses I have seen in years. So no one has a program to clean this one? Why isn't this in the news? Why don't Norton or McAfee detect this virus? Does anyone have any answers?

Offline Lisandro
Re: Malware name Win32:Vitro
« Reply #108 on: March 09, 2009, 07:37:33 PM »
Polonus, do you have the answers?
Any official word from Alwil virus analyst?

mindry

  • Guest
Re: Malware name Win32:Vitro
« Reply #109 on: March 09, 2009, 07:55:02 PM »

As things stand for the moment the best way is to go SafeHex to prevent infection. That will mean: update and patch all of your Windows OS and all the vulnerable third-party software (use Secunia PSI to do this real easy), do not cruise the Internet with full admin rights (only for necessary downloads and installs), abstain from doing risky things there (going after cracks, key-gens, insecure P2P), use a safer browser like Firefox or Flock with the NoScript and RequestPolicy add-ons installed, have a two-way firewall active, and update your AV and have all the services like NetShield and WebShield etc. operational,

polonus

Hi Polonus,

what free firewall would you recommend I use to try and protect against getting this again? I tried ZoneAlarm but that kept causing Firefox to crash and occasionally wouldn't let me log on (problems which went away as soon as I removed it). Is there a better one I can use on Vista?

mindry

  • Guest
Re: Malware name Win32:Vitro
« Reply #110 on: March 09, 2009, 07:58:23 PM »
Why isn't this in the news?

That's exactly what I was thinking. With the rate and ease at which this one spreads, and the sheer destruction it causes, it can surely only be a matter of time until it goes "mainstream" and hits the headlines.

Offline polonus
Re: Malware name Win32:Vitro
« Reply #111 on: March 09, 2009, 08:20:43 PM »
Hi mindry,

The software firewalls, well, so many hats, so many preferences; we have that covered in many threads in the general section of this forum, just use the search function. The main thing is that the MS built-in firewall is not two-way by default, re: http://www.tek-tips.com/faqs.cfm?fid=4777 In Vista, if you go to the Administrative Tools folder (which you can access from Control Panel, or from the Start Menu if you have configured it to be shown on the Start Menu) there is a link to the "Windows Firewall with Advanced Security" MMC snap-in. That can be used to configure (via a GUI) outbound and inbound rules.

The other question is that AV vendors went silent on the Windows File Protection circumvention since mid-2007; the moderators here were rather upfront about the fact that AV does not stand a chance against this b*gg*r... and where that stage is reached there are others that prick up their ears, and that's me; we will keep you informed...

This virus is especially fun because it is very good at propagating throughout a Microsoft Windows environment very quickly. Here are some of the most interesting features:

    Virus:Win32/Virut.BM

    Win32/Virut.BM disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory, which in turn allows the virus to infect files protected by SFP. It is quite easy to disable the SFC via several undocumented APIs, which are nevertheless widely used in malware (as a malware fighter I can vouch for that). See a good write-up here:
http://www.bitsum.com/aboutwfp.asp


    The virus infects .EXE and .SCR files on access, hence actions such as copying or viewing files with Explorer, including on shares (with write access) will result in files being infected, and the virus spreading from machine to machine.

But there are other variants with other propagation vectors:

    W32/Scribble-A (the Sophos name for this type of Virut file infector)

    It injects a malicious iframe into files whose extensions start with HTM, PHP or ASP, with affected files detected as Troj/Fujif-Gen. At the time of writing the iframe points to a site that hosts more malware.

    PE_VIRUT.BO

    This file infector connects to a remote IRC server. It then joins a channel to receive and execute commands on the affected system. This routine effectively compromises system security.

polonus


« Last Edit: March 09, 2009, 08:59:26 PM by polonus »
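The on-access .EXE/.SCR infection quoted in reply #111 leaves behind a host executable whose entry point has been redirected into the infector's appended body. What follows is an added example written for this edit, not code from the thread or from any AV vendor: a standard-library PE header check that flags executables whose AddressOfEntryPoint lies outside the first executable section, or inside a section that is writable as well as executable. It is a generic heuristic for appended-code file infectors and not a signature for Virut/Vitro (packers and self-modifying binaries trip it too); the two-section image it builds for the demo is constructed, header-only, and contains no real code. The section name `.vrt` and the RVAs are arbitrary choices for the sample.

```python
"""Heuristic triage for appended-code file infectors in PE (.EXE/.SCR) files.

Added example, not code from the thread.  A file infector that appends its
body to a host executable must redirect AddressOfEntryPoint into it, so the
entry point ends up outside the first executable section the linker emitted,
often in a section that is writable as well as executable.  Generic heuristic,
not a Virut/Vitro signature: packers and self-modifying code trigger it too.
"""
import struct
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size

def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section table); ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, f[2], f[1], f[9]))  # VirtualAddress, VirtualSize, Characteristics
    return entry_rva, sections

def entry_point_verdict(data: bytes) -> Dict[str, object]:
    """Flag an entry point outside the first executable section or in a W+X section."""
    entry_rva, sections = parse_pe(data)
    executable = [s for s in sections if s.characteristics & IMAGE_SCN_MEM_EXECUTE]
    home: Optional[Section] = next((s for s in sections if s.contains(entry_rva)), None)
    reasons: List[str] = []
    if home is None:
        reasons.append("entry point %#x lies outside every section" % entry_rva)
    else:
        if executable and home is not executable[0]:
            reasons.append("entry point in %r, not in first executable section %r"
                           % (home.name, executable[0].name))
        if home.characteristics & IMAGE_SCN_MEM_WRITE:
            reasons.append("entry section %r is writable and executable" % home.name)
    return {"entry_rva": entry_rva, "section": home.name if home else None,
            "suspicious": bool(reasons), "reasons": reasons}

def scan_tree(root: Path) -> List[Tuple[str, List[str]]]:
    """Run the verdict over every .exe/.scr under root, skipping non-PE files."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".exe", ".scr"}:
            try:
                verdict = entry_point_verdict(path.read_bytes())
            except (ValueError, struct.error):
                continue                                   # not a PE, or truncated headers
            if verdict["suspicious"]:
                hits.append((str(path), verdict["reasons"]))
    return hits

def build_sample_pe(entry_in_appended: bool) -> bytes:
    """Constructed header-only PE32 (no real code): .text plus an appended W+X section."""
    sections = [  # (name, VirtualAddress, VirtualSize, Characteristics)
        (b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
        (b".vrt", 0x2000, 0x0400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    ]
    entry = 0x2010 if entry_in_appended else 0x1010
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0x1000, 0x400, 0, entry)  # PE32 magic, entry at +16
    opt += b"\0" * (224 - len(opt))
    table = b"".join(struct.pack(SECTION_HDR, n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

if __name__ == "__main__":                                 # python pe_entry_check.py <dir>
    for path, reasons in scan_tree(Path(sys.argv[1])):
        print(path, "; ".join(reasons))
```

Run it against a directory of executables from a clean build and keep the list of anything it flags as a baseline; on a suspect machine, the new entries are the ones worth pulling for a proper look. Because the check reads only the headers, it is cheap enough to sweep whole volumes, but it cannot confirm an infection by itself.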

Offline Lisandro
Re: Malware name Win32:Vitro
« Reply #112 on: March 09, 2009, 09:16:52 PM »
The questions are:
1. How do you get infected?
2. Will a firewall really make any difference in this particular case?

Offline polonus
Re: Malware name Win32:Vitro
« Reply #113 on: March 09, 2009, 09:52:28 PM »
Hi Tech,

The main line of infection seems to be risky Internet activities like going after key-gens, cracks and P2P-ing.
Yes, the two-way firewall can make a difference, also seen against the second payload these Virut infectors can be inviting in.
At the moment, from what I can grasp of it, the main lines of defense are NOT USING FULL ADMIN RIGHTS during normal online activities (some say this is one of the exceptions to the normal 92% of viruses that are halted to a great extent this way) (beating the WFP or WFC cannot be performed), and using a hardened browser like Fx or Flock with NoScript and RequestPolicy installed, which makes the browser application secure.
Some AV vendors are better at detecting the malware now, but that is not helping those already infected:
immediately go into Safe Mode and try to cleanse with DrWebCureIt downloaded from a secure source onto a secured USB stick, but in most cases fdisk - format - re-install is the way to conclude, sad but true, alas.
I think this virus did not get all the momentum lately because of the concern about Conficker (hyped),
http://bytesandbadges.wordpress.com/2009/02/11/virut-personal-reflections/

polonus
« Last Edit: March 10, 2009, 12:23:24 AM by polonus »

Offline Lisandro
Re: Malware name Win32:Vitro
« Reply #114 on: March 09, 2009, 10:34:26 PM »
Polonus, thanks.
Need your help in other thread also: http://forum.avast.com/index.php?topic=43227.msg361644#msg361644

partzeus
Re: Malware name Win32:Vitro
« Reply #115 on: March 09, 2009, 11:11:29 PM »
You are wrong. I tried dropping admin rights on a virgin install. Even dropping admin rights does not stop this virus. I even changed policies and locked down all rights to alter and install software and it still broke through. This is not your average virus. Currently Vista is unaffected to the degree XP will be. In the 30 years I have been doing this I have NEVER seen a virus as bad and destructive as this.

I got mine from the "Myspace" page as did my other 10 clients.

I hope someone finds a way to clean and remove this virus. In Vista it slows down all your processes to the point you would be better off running an XT computer, and I am running a Quad with over 4 gigs. I hope whoever did this gets their just deserts. This is the worst and I still believe this is not the work of one person. Everyone has ideas where it came from, but I find it hard to believe this came from streaming video sites since my clients have no clue what they are.

partzeus
Re: Malware name Win32:Vitro
« Reply #116 on: March 09, 2009, 11:22:56 PM »
Hate to say this. Unless there is a fix for this one, I can see this one being as bad as the Sasser virus of 2004. The clients who are coming to me are not using P2P or keygens. They are lucky to know how to turn on their PCs. This virus is on webpages now. I am totally surprised this caught Norton and McAfee with their pants down. They claim they are 100% at catching stuff like this. I have told all my clients in a mass email to get avast since you guys were the only guys who caught this one. Now the question is: can it be stopped?

Offline Lisandro
Re: Malware name Win32:Vitro
« Reply #117 on: March 09, 2009, 11:40:08 PM »
I have told all my clients in a mass email to get avast since you guys were the only guys who caught this one.
Are you sure that avast is blocking all the variants of Vitro?

Now the question is can it be stopped?
Well... the Norton and McAfee users will think twice if they think they're completely protected...
If avast can detect, it can block, and we're safe.

partzeus
Re: Malware name Win32:Vitro
« Reply #118 on: March 10, 2009, 12:42:51 AM »
That is the problem. Avast can detect this virus but can not get rid of it. This Virus also infects Vista I found out and I stand to be corrected. The only difference is you can operate with Vista to some degree but until they learn how to attack Vista like they can XP anyone is pretty much *******.
« Last Edit: March 10, 2009, 08:53:02 AM by partzeus »

mindry
Re: Malware name Win32:Vitro
« Reply #119 on: March 10, 2009, 10:15:08 AM »
Yeah, on Vista I could still use most stuff, and log on OK, but everything was horrifically slow and I still had to format. I first noticed a problem when Avast started picking up viruses in the temp files (of all users, not just the admin - I already only use admin rights when I need them) named something like VRT49EC.tmp - they were all VRT___.tmp (which in retrospect probably means Virut) and refused to be deleted, moved or anything. Frustrated, I downloaded some tool to remove any file, and this deleted all the VRTs upon reboot, but once I'd rebooted, that was when Avast told me I had a live virus and should do a boot-time scan. In retrospect I should have done that as soon as I found the VRT files.

I'm pretty sure by the way that this came off my brother's memory stick, as the problems started when he plugged this in and I had to restart twice to get anything going again. Oddly he doesn't have it, though (he's running Vista Ultimate if this makes any difference).

Thanks for the hints on firewalls Polonus, I will have a look when I get some time.
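Two of the on-disk traces mentioned in this thread are worth hunting for directly: the hidden iframe the W32/Scribble-A description in reply #111 says is injected into files whose extensions start with HTM, PHP or ASP, and the VRT___.tmp files mindry saw avast flag in every user's temp folder. The following is an added example written for this edit, not code from the thread: a standard-library hunt that parses every web file under a root and reports iframes that are both hidden (0/1 px, or styled invisible) and pointed at a host outside an allowlist, and that lists files named VRT<hex>.tmp under a temp directory. The sample markup, file names and the host `bad.example` are constructed for the demo and are not real indicators from any variant; the VRT naming pattern is generalised from the one file name mindry quotes.

```python
"""Hunt for two on-disk traces of a Virut/Vitro-style infection (added
example, not code from the forum thread):

1. Hidden <iframe> injections in web files (extensions starting with HTM,
   PHP or ASP): frame sized to 0/1 px or styled invisible, src on an
   external, untrusted host.
2. Temp files named VRT<hex>.tmp in a temp directory.

All sample markup, file names and hosts below are constructed for the demo.
"""
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from typing import Dict, List, Tuple
from urllib.parse import urlparse

WEB_EXT = re.compile(r"^\.(htm|php|asp)", re.IGNORECASE)   # .htm .html .php .asp .aspx ...
VRT_TMP = re.compile(r"^VRT[0-9A-F]{1,8}\.tmp$", re.IGNORECASE)  # assumed pattern, from VRT49EC.tmp

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value: str) -> bool:
    """True for a width/height of 0 or 1 (with or without a unit suffix)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1

def suspicious_iframes(html: str, trusted_hosts=()) -> List[Dict[str, str]]:
    """Return iframes that are hidden AND point at a host not in trusted_hosts."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        style = frame.get("style", "").replace(" ", "").lower()
        hidden = (_tiny(frame.get("width", "")) or _tiny(frame.get("height", ""))
                  or "visibility:hidden" in style or "display:none" in style)
        host = (urlparse(frame.get("src", "")).hostname or "").lower()
        if hidden and host and host not in trusted_hosts:
            hits.append(frame)
    return hits

def scan_web_files(root: Path, trusted_hosts=()) -> List[Tuple[str, int]]:
    """(relative path, suspicious iframe count) for every web file under root."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and WEB_EXT.match(path.suffix):
            text = path.read_text(encoding="utf-8", errors="replace")
            n = len(suspicious_iframes(text, trusted_hosts))
            if n:
                findings.append((str(path.relative_to(root)), n))
    return sorted(findings)

def find_vrt_tmp(root: Path) -> List[str]:
    """Relative paths matching VRT<hex>.tmp anywhere under root (e.g. %TEMP%)."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and VRT_TMP.match(p.name))

def demo() -> Dict[str, list]:
    """Write a constructed sample tree into a temp dir and run both hunts."""
    samples = {
        "site/index.html": '<html><body><h1>Hi</h1><iframe src="http://bad.example/x.php" '
                           'width=1 height=1 style="visibility: hidden"></iframe></body></html>',
        "site/about.php": '<p>Clean page with a visible embed</p>'
                          '<iframe src="https://video.example/embed/1" width="640"></iframe>',
        "site/main.aspx": '<iframe src="/local/menu.aspx" width=0 height=0></iframe>',
        "Temp/VRT49EC.tmp": "x",
        "Temp/VRT1.tmp": "x",
        "Temp/notes.tmp": "x",
    }
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return {"iframes": scan_web_files(root / "site"),
                "vrt_tmp": find_vrt_tmp(root / "Temp")}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the demo only index.html is reported: about.php has a visible embed, and main.aspx's zero-size frame points at a local path rather than an external host, which is the kind of false positive the "hidden and external" rule is there to avoid. Pass the web server's own domains and any legitimate embed hosts as trusted_hosts when running this against a real document root.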