Hi mindry,
The software firewalls, well, so many hats, so many preferences; we have that covered in many threads in the general section of this forum, just use the search function. Main thing is the MS inbuilt firewall is not dual-way by default, re:
http://www.tek-tips.com/faqs.cfm?fid=4777
In Vista, if you go to the Administrative Tools folder (which you can access from Control Panel, or from the Start Menu if you have configured it to be shown on the Start Menu) there is a link to the "Windows Firewall with Advanced Security" MMC snap-in. That can be used to configure (via a GUI) outbound and inbound rules.
The other question is that AV vendors went silent on the Windows File Protection circumvention since mid-2007; the moderators here were rather upfront about the fact that AV does not stand a chance against this b*gg*r... and where that stage is reached there are others that prick up their ears, and that's me; we will keep you informed...
This virus is especially fun because it is very good at propagating throughout a Microsoft Windows environment very quickly. Here are some of the most interesting features:
Virus:Win32/Virut.BM
Win32/Virut.BM disables Windows System File Protection (SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll in memory, which in turn allows the virus to infect files protected by SFP. It is quite easy to disable SFC via several undocumented APIs, which are nevertheless widely used in malware (as a malware fighter I can vouch for that). See a good write-up here:
http://www.bitsum.com/aboutwfp.asp
The virus infects .EXE and .SCR files on access, hence actions such as copying or viewing files with Explorer, including on shares (with write access), will result in files being infected, and the virus spreading from machine to machine.
But there are other variants with other propagation vectors:
W32/Scribble-A (the Sophos name for this type of file infector, Virut)
W32/Scribble-A injects a malicious iframe into files whose extensions start with HTM, PHP or ASP, with affected files detected as Troj/Fujif-Gen. At the time of writing the iframe points to a site that hosts more malware.
PE_VIRUT.BO
This file infector connects to a remote IRC server. It then joins a channel to receive and execute commands on the affected system. This routine effectively compromises system security.
polonus
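For the firewall point at the top of polonus's reply (the built-in firewall allows outbound traffic by default), here is an added PowerShell example, not from the post or from Microsoft, that audits the per-profile default actions and switches outbound filtering on. It assumes the NetSecurity cmdlets of Windows 8 / Server 2012 and later and an elevated prompt; on Vista the same settings are reached through the "Windows Firewall with Advanced Security" snap-in the post links to, and the program paths passed in are placeholders you supply.

```powershell
# Added example (not from the original post). Requires the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell prompt.

# Report the default inbound/outbound action for every firewall profile.
# DefaultOutboundAction = Allow is the "not dual-way" state the post describes.
function Get-FirewallDefaultActions {
    Get-NetFirewallProfile | Select-Object Name, Enabled,
        DefaultInboundAction, DefaultOutboundAction
}

# List the enabled outbound allow rules together with the program each one
# covers, so you can see what would still be allowed once outbound is blocked.
function Get-OutboundAllowRules {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name    = $_.DisplayName
                Profile = $_.Profile
                Program = $app.Program
            }
        }
}

# Make the firewall two-way: block outbound by default on all profiles and add
# allow rules only for the programs given (full paths). Anything not listed,
# including DNS or update clients, is blocked until a rule is added for it.
function Enable-OutboundFiltering {
    param(
        [Parameter(Mandatory)][string[]]$AllowPrograms   # e.g. a browser path (placeholder, supplied by caller)
    )
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
    foreach ($exe in $AllowPrograms) {
        $name = "Allow outbound: " + (Split-Path $exe -Leaf)
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound `
                -Action Allow -Program $exe -Profile Any | Out-Null
        }
    }
}

# Audit first; run Enable-OutboundFiltering only after deciding what to allow.
Get-FirewallDefaultActions | Format-Table -AutoSize
Get-OutboundAllowRules | Format-Table -AutoSize
```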