Author Topic: Malware name Win32:Vitro  (Read 341079 times)


partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #120 on: March 10, 2009, 01:20:09 PM »
Ok, I installed the SP1 update for Vista and it seems to have contained the memory and speed issues, but I know the virus is still on my system. I think the only reason it is not wreaking havoc on my system like it did on XP is because the directory structure is different and the way Vista makes service calls. But I believe it is a matter of time before whoever made this one figures out a way to do the same thing to Vista.

Bigchris

  • Guest
Re: Malware name Win32:Vitro
« Reply #121 on: March 10, 2009, 01:45:33 PM »
Yeah, I have had this too. It is a nasty one; by the time I restarted my computer it had already infected almost all .exe's on my computer.

Reformatting the drive is necessary. I even changed my operating system just to be sure, and I've been going 2 days now and I want to keep it that way.
To prevent this from happening again use http://www.sandboxie.com/

Bigchris

  • Guest
Re: Malware name Win32:Vitro
« Reply #122 on: March 10, 2009, 02:01:10 PM »
The questions are:
1. How do you get infected?
2. Will a firewall really make any difference in this particular case?

After looking around, it is being spread from viewing a video; it is not clear whether it is from watching it or downloading it. I recommend using Firefox with the NoScript plugin. Yeah, it is boring, but it will save you from viruses like this. I also recommend using http://www.sandboxie.com/: it creates a virtual area in which you run the browser, and whatever happens in this area will not affect the operating system.

partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #123 on: March 10, 2009, 04:39:37 PM »
I read there was a security leak in the new Flash player and I think this is how the new virus got through. That would mean that the server hosting a website like "Youtube" could be compromised. Does anyone have a status on whether this virus can be stopped? A lot of my clients are asking why this is not in the news yet. I have sent out a mass email warning them to get Avast. I tried other virus software and none of them are detecting this virus yet. Are Norton and the other companies asleep at the wheel?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #124 on: March 10, 2009, 04:47:45 PM »
Are Norton and the other companies asleep at the wheel?
I think they're running against it... but the malware was winning...
avast can detect but can't clean it right now...
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #125 on: March 10, 2009, 07:05:40 PM »
Hi Tech,

Virut, as it has other ways to propel its vector, also injects an invisible IFRAME into each HTML file that points to the domain. DO NOT visit these domains unless you enjoy backups, reformats, and reinstallations. SiteAdvisor mapped out the target file as another Virut copy. There is another file-infecting domain that is redirected to through SPAM. This Virut strain can manage to infect a thumbdrive image. Write-protected thumbdrives are vastly underrated.
Virus:Win32/Virut.BM

Win32/Virut.BM disables Windows System File Protection (SFP) by injecting code into the in-memory-version of WINLOGON.EXE. The injected code patches sfc_os.dll in memory which in turn allows the virus to infect files protected by SFP.

The virus infects .EXE and .SCR files on access, hence actions such as copying or viewing files with Explorer, including on shares (with write access) will result in files being infected, and the virus spreading from machine to machine.

The removal of the codex-infecting variety is described here as Virut Q:
http://novirusthanks.org/blog/2009/02/viruswin32virutq-analysis-and-removal-instructions/

The same infection also does this: using the dropped DLL file named sfc_os.dll, the malware disables Windows File Protection by changing the value SFCDisable to ffffff9d:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

That is where the hardening should be concentrated.

The removal instructions for the virut.q that changes explorer.exe and removes the original explorer.exe
could be summed up as:
To remove this kind of malware I can suggest you do this:

1) Boot windows in SafeMode

2) Update and scan your computer with DrWebCureIt from a clean source on pendrive

3) Delete infected files except the infected C:\WINDOWS\explorer.exe.
They are:
C:\DOCUME~1\jimmy\LOCALS~1\Temp\381562351.exe
C:\DOCUME~1\jimmy\LOCALS~1\Temp\311188061.exe
C:\DOCUME~1\jimmy\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\jimmy\LOCALS~1\Temp\7hjhffd.bat
C:\Documents and Settings\jimmy\__rar_00.000
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
C:\Documents and Settings\jimmy\__rar_00.100
C:\Documents and Settings\jimmy\svchost.exe
C:\WINDOWS\system32\sfc_os.dll

4) Copy from your Windows OS CD-ROM the file explorer.exe to C:\WINDOWS\system32\dllcache\explorer.exe, overwriting the original explorer.exe. Then you will need to re-enable Windows File Protection (that was originally disabled by the malware) by editing the registry key as follows:

    Set the value of SFCDisable to "0" in:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

Now find the file named explorer.exe that is present in your OS CD-ROM and copy it under C:\WINDOWS\explorer.exe (overwriting the original infected one).
Now your explorer.exe should be the original file. To be sure of this, just scan these files in our Virus Scanner:

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\dllcache\explorer.exe

The report must show 0 detections for both files.

Afterwards, you can restart your computer and see if the malware is gone.

Alternatively you can boot a windows OS LIVE from a CD-ROM and repair the infected explorer.exe.

If you have problems removing VirutQ you can post your HijackThis logs here and we will try to help you remove it.

polonus
« Last Edit: March 10, 2009, 10:21:10 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #126 on: March 10, 2009, 07:38:42 PM »
I have found the infection has spread from "Myspace" to "Youtube" and other social networking sites. I even got a call from a customer that they picked it up from their bank website. This seems to be a sleeper virus that when it has infected all your files it will then destroy the system since it has nothing else to do. I have now gotten emails where people have told me that the mass email warning I sent out was too late. Will there be a cure for this virus soon?
« Last Edit: March 10, 2009, 08:29:33 PM by partzeus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #127 on: March 10, 2009, 08:37:03 PM »
Hi partzeus,

You think it is a sleeper virus, well if it is infecting it goes down the OS like wildfire or hayfire rather.
You and I have experienced that safe browsing habits are of the utmost significance today, because the tools for injecting malware into websites have fallen into the hands of many cybercriminals and the lower hacker echelons.
You do not need to be a 3L1T3 hacker to use a ready-made tool from MetaSploit to infect websites, and not a genius either, so the threat is spreading like an oil stain. Using NoScript and RequestPolicy inside Firefox or Flock and having the avast Network Shield and Web Shield functionality is a must if you do not want to fall into those traps.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #128 on: March 10, 2009, 09:06:28 PM »
My email box is filling up and my phone has been ringing off the hook. Can you please help me answer their questions? They are getting scared and I just don't have the answers to their questions.

1. Are they infecting the websites they are going to, or are they getting infected by the websites?
2. What files does this virus get? (I have been sending everyone to your site to download Avast, and when they run it they are finding their doc, xls, dot, dll, mp3, jpg, wmv, etc. The list is growing.) What doesn't this virus get?
3. Are they getting infected by visiting their bank or credit card sites and is their private info being compromised?
4. Was your last post a fix for this virus or a temp patch?
5. Should they unplug from the internet until there is a fix?
6. Is this affecting Mac or Linux computers?
7. Why is this not in the national news?
8. If they visit a website that is not infected will they infect that site?
9. Can people be infected by emails or if they are infected by sending emails?
10. Why are you the only company working on this problem, and why are MS, Norton and the others not talking about this virus? Are they working on a solution too?
11. Are Cell phones and emails affected by this virus if they plug it into an infected computer?

I know I posted a lot of questions, but people are getting pissed when I tell them the only way to stop this virus is to re-format and maybe lose all their data or isolate it until there is a clean for this virus.

This is a short list of the questions I am getting. I also did a test on my MS 2003 server and it got infected. As far as you know, will this affect all MS servers? I am recommending a total lockdown on their computers. I have heard reports that MP3 players and digital cameras are getting infected. Is this the same virus?

I am recommending that if they have a company server that no one should plug in their USB sticks or MP3 players until a fix is found.

« Last Edit: March 10, 2009, 10:11:41 PM by partzeus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #129 on: March 10, 2009, 10:14:22 PM »
Hi partzeus,

1. Are they infecting the websites they are going too or are they getting infected by the websites?
They are being infected from websites redirecting to the malware site hxxp:zief.pl/v.exe, and from a site reached by opening a mail redirecting to hxxp://ntkmpla.info/rc/load.exe (source: Arizona?)
People can infect remote sites through network shares, and corporate networks have been known to be infected, and the malware is difficult to remove, to say the least.
2. What files does this virus get? (I have been sending everyone to your site to download Avast and when they run it they are finding their doc, xls, dot, dll, mp3, jpg, wmv,etc. The list is growing?) what doesn't this virus get? exe and scr files are attacked, but via a backdoor other malware can be downloaded to perform sinister actions through a backdoor.
3. Are they getting infected by visiting their bank or credit card sites and is their private info being compromised? If they are not already infected maybe not.
4. Was your last post a fix for this virus or a temp patch? A fix for virut.q as it was proposed on the internet. Best still is protect by SafeHex browsing (Fx/Flock + NoScript + RequestPolicy activated)
5. Should they unplug from the internet until there is a fix? The best thing is to go into SafeMode immediately upon detection, then unplug, and to be sure one is clean, fdisk, format and re-install.
This is less time-consuming than trying to cleanse an infection that has compromised already several system executables, and will be active after SafeMode is left!
6. Is this affecting Mac or Linux computers? Not to my knowledge.
7. Why is this not in the national news? Maybe Conficker was better commercially... and could be cured.
8. If they visit a website that is not infected will they infect that site? Not just by visiting, without scripts running active in the application.
9. Can people be infected by emails or if they are infected by sending emails? As stated above yes, virus uses all available infection vectors, files, pendrives, network shares, system API hooks, and mails.
10. Why are you the only company working on this problem and why are MS, Norton and the others not talking about this virus? Are they working on a solution too? A solution is difficult because it is a very sinister file-infector for which a cure has not been found yet. Since 2007 we have not heard much mention of the danger of disabling the Windows File Protection scheme. I am not part of avast but a private security investigator and malware fighter by choice; we are all volunteers and avast evangelists,
but it is a good thing that avast tries to tackle the problem, and the experts at geeks2go are seeking ways to beat the beast.
4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

   1. Click Start > Run.
   2. Type regedit
   3. Click OK.

      Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

   4. Restore registry entries under the following registry subkey to their previous values, if required:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List


   5. Exit the Registry Editor.

      Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.
11. Are Cell phones and emails affected by this virus if they plug it into an infected computer?
Not sure, but I would not run the risk to find out. Use Flash disinfector on pendrives and removables.

Furthermore on the encryption that can be changed for every new variant:
http://www.bestsecuritytips.com/modules/planet/view.article.php?21832
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-020411-2802-99&tabid=2

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
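As an added defender-side example (not code from this thread, from polonus, or from avast), here is a small Python script that parses a Windows .reg export offline and reports the two tampering indicators discussed above: the Winlogon SFCDisable value set to ffffff9d described in Reply #125, and unexpected entries in the firewall AuthorizedApplications\List key from the Symantec steps quoted in Reply #129. The .reg text embedded in the script is constructed sample input; the trusted-directory prefixes, the function names and the verdict labels are assumptions of this example.

```python
"""Offline audit of a Windows .reg export for two indicators discussed in this
thread: the Winlogon SFCDisable value that switches off Windows File Protection,
and unexpected entries in the firewall authorized-applications list.
Added example; not code from the thread or from avast."""
import re

# Constructed sample export (not a real machine's registry). It models the state
# the thread describes: SFCDisable forced to ffffff9d, and a firewall exception
# pointing into a user's Temp directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\jimmy\\LOCALS~1\\Temp\\csrssc.exe"="C:\\DOCUME~1\\jimmy\\LOCALS~1\\Temp\\csrssc.exe:*:Enabled:csrssc"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_LIST_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
    r"\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List"
)
SFC_DISABLED_MAGIC = 0xFFFFFF9D  # the value the thread reports the malware writes

# Assumption of this example: directories from which firewall exceptions are
# expected on an XP-era machine; anything else is reported for review.
TRUSTED_PREFIXES = ("C:\\WINDOWS\\system32\\", "C:\\Program Files\\")

# A .reg value line looks like  "name"=data  with backslash escapes inside the quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg escapes backslash and double quote by prefixing a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export.
    dword values become ints, quoted strings are unescaped, anything else
    (hex blobs, continuation lines, the default '@' value) is ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        else:
            continue
        keys[current][name] = value
    return keys


def sfc_status(keys):
    """'ok' when SFCDisable is 0, 'disabled' for any other value, 'missing' if absent."""
    value = keys.get(WINLOGON_KEY, {}).get("SFCDisable")
    if value is None:
        return "missing"
    return "ok" if value == 0 else "disabled"


def suspicious_firewall_exceptions(keys, trusted_prefixes=TRUSTED_PREFIXES):
    """Authorized-application paths that live outside the trusted directories."""
    flagged = []
    for path in keys.get(FIREWALL_LIST_KEY, {}):
        if not any(path.lower().startswith(p.lower()) for p in trusted_prefixes):
            flagged.append(path)
    return flagged


def audit(reg_text):
    """Combine both checks into one report for a .reg export."""
    keys = parse_reg(reg_text)
    return {"sfc": sfc_status(keys), "firewall_unexpected": suspicious_firewall_exceptions(keys)}


if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

On a machine under investigation, export the two keys with regedit (File > Export) and read the file with open(path, encoding="utf-16") before handing it to audit(), since regedit writes its version 5.00 exports as UTF-16. A "disabled" verdict is the condition step 4 of the removal instructions above reverts by setting SFCDisable back to 0; an unexpected firewall exception pointing into a Temp directory is the kind of entry the quoted Symantec step 4 tells you to restore.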

Bigchris

  • Guest
Re: Malware name Win32:Vitro
« Reply #130 on: March 10, 2009, 10:17:48 PM »
I read there was a security leak in the new Flash player and I think this is how the new virus got through. That would mean that the server hosting a website like "Youtube" could be compromised.

I don't think there was a compromise in the new Flash player; if there was, it's already fixed. I just downloaded it and avast said it was squeaky clean ;D

Wheresthelove

  • Guest
Re: Malware name Win32:Vitro
« Reply #131 on: March 10, 2009, 10:25:16 PM »
Hey, I got a quick question. Do you have to uninstall an older version of Flash player to install the new one, or does it install over the older version?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #132 on: March 10, 2009, 10:31:34 PM »
Hi BigChris,

Well, the infected can check whether they are infected through eventual viral registry changes. The file infector cannot be transmitted using a browser with scripts and certain requests disabled, like in the Firefox or Flock browser with the NoScript extension and the RequestPolicy extension. The unpatched vulnerabilities in Adobe have nothing to do with this one; that's why I use FoxIt Reader fully patched and listen to and watch my streams with VLC.
Malware always will target the bigger mainstream applications/software for maximum destruction results or criminal revenues.
This newest file infector is just a sinister one meant to destroy as many Windows machines as it can reach, and it is on the loose... still av vendors qualify it as "low risk".

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Wheresthelove

  • Guest
Re: Malware name Win32:Vitro
« Reply #133 on: March 10, 2009, 11:00:04 PM »
Polonus, so is it ok to use NoScript, RequestPolicy and Adblock Plus?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #134 on: March 10, 2009, 11:01:49 PM »
Hey, I got a quick question. Do you have to uninstall an older version of Flash player to install the new one, or does it install over the older version?
It installs over the old one.
The best things in life are free.