Hi partzeus,
1. Are they infecting the websites they are going to, or are they getting infected by the websites?
They are being infected from websites redirecting to the malware site hxxp:zief.pl/v.exe, and from a site reached by opening a mail redirecting to hxxp://ntkmpla.info/rc/load.exe (source: Arizona?).
People can infect remote sites through network shares, and corporate networks have been known to be infected; the malware is difficult to remove, to say the least.
2. What files does this virus get? (I have been sending everyone to your site to download Avast, and when they run it they are finding their doc, xls, dot, dll, mp3, jpg, wmv, etc. The list is growing?) What doesn't this virus get? exe and scr files are attacked, but via a backdoor other malware can be downloaded to perform sinister actions.
3. Are they getting infected by visiting their bank or credit card sites and is their private info being compromised? If they are not already infected maybe not.
4. Was your last post a fix for this virus or a temp patch? A fix for virut.q, as it was proposed on the internet. Best still is to protect yourself by SafeHex browsing (Fx/Flock + NoScript + RequestPolicy activated).
5. Should they unplug from the internet until there is a fix? The best thing is to go into SafeMode immediately upon detection, then unplug and, to be sure one is clean, fdisk, format and re-install.
This is less time-consuming than trying to cleanse an infection that has compromised already several system executables, and will be active after SafeMode is left!
6. Is this affecting Mac or Linux computers? Not to my knowledge.
7. Why is this not in the national news? Maybe Conficker was better commercially... and could be cured.
8. If they visit a website that is not infected will they infect that site? Not just by visiting, without scripts running active in the application.
9. Can people be infected by emails, or if they are infected, by sending emails? As stated above, yes; the virus uses all available infection vectors: files, pendrives, network shares, system API hooks, and mails.
10. Why are you the only company working on this problem, and why are MS, Norton and the others not talking about this virus? Are they working on a solution too? A solution is difficult because it is a very sinister file-infector for which a cure has not been found yet. Since 2007 we have not heard much mention of the danger of disabling the Windows File Protection scheme. I am not part of avast but a private security investigator and malware fighter by choice; we are all volunteers and avast evangelists, but it is a good thing that avast tries to tackle the problem, and the experts at geeks2go are seeking ways to beat the beast.
4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
4. Restore registry entries under the following registry subkey to their previous values, if required:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
5. Exit the Registry Editor.
Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.
11. Are cell phones and emails affected by this virus if they plug it into an infected computer?
Not sure, but I would not run the risk to find out. Use Flash Disinfector on pendrives and removables.
Furthermore, on the encryption that can be changed for every new variant:
http://www.bestsecuritytips.com/modules/planet/view.article.php?21832
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-020411-2802-99&tabid=2
polonus
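An added check, not from the post above nor from avast or Symantec, that lists the firewall application exceptions stored under the FirewallPolicy AuthorizedApplications\List keys the quoted Symantec steps tell you to restore, so unexpected entries stand out before you touch the registry. It assumes a Windows host with PowerShell; the trusted-location list is a heuristic of my own and the value format ("path:scope:Enabled:description") is the one the Windows Firewall writes.

```powershell
# Added example (not part of the original post): audit Windows Firewall
# application exceptions under the FirewallPolicy registry keys and flag
# entries that point at missing files or at unusual locations.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
# Heuristic allow-list of directories a legitimate exception normally lives in
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-FirewallAppExceptions {
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key = "$base\$profile\AuthorizedApplications\List"
        if (-not (Test-Path -LiteralPath $key)) { continue }   # profile key absent: skip
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Each value: name = exe path, data = "<path>:<scope>:Enabled|Disabled:<description>"
            $data = [string]$item.GetValue($name)
            $entry = [ordered]@{
                Profile = $profile; Path = $name; Scope = ''; State = 'UNPARSED'
                Exists = $null; Description = ''; Flag = 'malformed value data'
            }
            if ($data -match '^(?<path>.+):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<desc>.*)$') {
                $path = [Environment]::ExpandEnvironmentVariables($Matches.path)
                $exists = Test-Path -LiteralPath $path
                $inTrusted = $false
                foreach ($dir in $trusted) { if ($path -like "$dir\*") { $inTrusted = $true } }
                $entry.Path = $path; $entry.Scope = $Matches.scope; $entry.State = $Matches.state
                $entry.Exists = $exists; $entry.Description = $Matches.desc
                # Flag what a removal guide would want you to look at first
                if (-not $exists)          { $entry.Flag = 'file missing' }
                elseif (-not $inTrusted)   { $entry.Flag = 'outside Windows/Program Files' }
                else                       { $entry.Flag = '' }
            }
            [pscustomobject]$entry
        }
    }
}

# Flagged entries sort to the top; an empty Flag means nothing unusual was seen
Get-FirewallAppExceptions | Sort-Object Flag -Descending | Format-Table -AutoSize
```

A flagged entry is a lead to investigate, not proof of infection; compare it against a known-clean machine before restoring or deleting it.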