Hi DavidR,
This is the ultimate us versus them strain of malware, so to say, where we are anti-malware people and they are competitive malcreants trying to outwit us...
The witty maker(s) of virut must have thought of almost everything, it is very sinister advanced destructive malware, that has two layers of encryption, we read now form Symantec's blog report on Win32.CF Collateral Damage (I added some point here and there):
Polymorphic file-infectors have been around for a long time, with possibly the first one surfacing in 1990. This has proven to be an effective technique that malicious code authors have employed to give their code a better chance of survival in the wild. Since this type of threat showed up there has been a struggle between security vendors and malware writers. Every advance in antivirus prompted the malicious code authors to come up with new and imaginative ways to thwart these efforts and vice-versa.
So with virut we are out on the tiles, or out in the trenches rather....
Currently we are seeing an outbreak of a particularly sinister file-infector, known as W32.Virut.CF. This threat has already compromised corporate networks and is proving difficult to remove from infected networks. Once this threat infiltrates a network it can spread quite quickly using open network shares. So, what is it that sets this file-infector apart from the others and what makes it so difficult to remove?
Virut went through many revisions before the CF variant surfaced. This particular variant uses many advanced techniques to avoid detection and removal. None of the techniques are new, but have been used effectively within Virut. Some of the techniques employed include an advanced polymorphic engine, spaghetti code, and encryption.
There are two layers of encryption employed by Virut. The first layer encrypts the code using a weak encryption algorithm. This layer also uses spaghetti code and junk instructions to make white-box analysis more difficult and time consuming. The first layer is also optional, which helps to make detection more challenging. The second layer of encryption is more complicated. It uses checks such as checking CPU speed, illegal instructions, and API address manipulation to detect analysis. This layer uses a custom XOR encryption algorithm, which is also weak, but built in such a way that makes it trivial for the author to change. Each change makes Virut appear entirely different to casual analysis.
Once on the system the threat injects itself into multiple processes on the system and hooks the CreateFile API. This allows the threat to execute whenever any process opens a file on the system. Using this technique, Virut can infect many files on the host system or on remote systems over network shares. It will try to infect Portable Executable (PE), HTML, and ASP files among others. (HTML-IFrame attack
for instance)
And, if that’s not enough, the threat also uses Entry Point Obfuscation (EPO) to help evade detection. The infection routine will point to the entry point of the first or second layer of encryption mentioned earlier. Alternatively, the threat scans for certain APIs in Kernel32.dll and patches these to have its payload executed. This EPO not only makes analysis and detecting the threat more difficult, it also makes it significantly more difficult to safely repair the infected files. It also will fill part of the empty space
left unused by the coder of an executable etc., this randomly and in a random bogus way
One further/additional thing that makes this threat so difficult to remove is the wide variety of executable formats now available on Windows platforms. This threat was not designed to infect all of these but will attempt to do so anyway. This makes the results of infection very unpredictable and the task of removal more difficult. With file-infectors, the code only has to be good enough to infect a large amount of files—if it corrupts some files and renders them useless, it rarely affects the desired outcome or purpose of the threat. We have also seen malware becoming infected with Virut, which adds another layer of complexity in terms of detection and removal. Our engine attempts to detect and repair every sample infected with Virut, but because of the complications outlined above there are some exceptional cases where this is not possible.
All of this sounds quite grim, but this threat can be removed from infected networks by following best practices. The infected machines need to be isolated and then scanned with avast anti-virus, preferably in “Safe Mode,” in order to remove the infected files. Scanning in safe mode allows us to repair files that may be in use (for example, system files). Additionally, the virus will not load in safe mode. Non-repairable files may need to be restored from backup. Remove network shares, or make them read only at a minimum so that the virus can’t spread to them. As a last resort, highly compromised machines may need to be reimaged. Often still fdisk - format -re-install may be the only way out..
The websites associated with this threat should also be blocked at the network boundary. See the W32.Virut.CF write-up for further details on this. There is an online script for doing this I linked to in another posting with which webmasters can cleanse their websites....
Firewall logs should be monitored for outgoing requests to those sites that can give a good indication of the location of any infected machines within the network. If possible, the affected machines should be re-imaged from trusted media. When the machines have been cleaned they should be reintroduced into production networks with caution.
That is why do not trust special removal tools for this much, standard nor online..until I have seen the cleansing performed in real time...In the above txt there is no mention of the way in which the virus beats Windows File Protection through the in-mem-running-winlogon service adding code changing the dll responsible for WFP and changing the registry, there is a virut variant that infects notepad.exe on a pendrive, etc. etc. even infecting through linux (wine)...so in two words a formidable opponent,
polonus
