Author Topic: Malware name Win32:Vitro  (Read 340956 times)


Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Malware name Win32:Vitro
« Reply #150 on: March 12, 2009, 02:28:48 AM »
Quote: Well from the outset you would say that, because it does not seem to serve a purpose

I'm just a casual observer and this is only my opinion so here it goes. I have not seen anyone so far do something that did not have a purpose. By this I mean that when we create something it serves a greater purpose than its immediate use (i.e. A fishing rod is used to catch fish, so this is the immediate purpose, and the fish caught is used for sustenance, which is the secondary/greater purpose).

Now the virus seems to cripple the Win based system which is its immediate goal. So what is the secondary scope. As far as I gather this virus doesn't seem (and I use this word specifically since I'm not entirely sure) to affect other OS
If this is false, then my argument fails.

The only thing that I see getting something out of this virus is the Competition (ie Mac and Linux).
So a conspiracy theory is plausible if indeed these Competing Non Windows OS are not affected.
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #151 on: March 12, 2009, 04:05:16 PM »
I thought the same thing but Apple is owned by MS. What I find really strange is MS sales of Vista bombed and even though Vista does get infected. What I find stranger is after applying the SP1 update, I have not had the degree of problems I did at first.

What I also find is funny is no one believes that this is a nasty computer virus because they have not heard anything on the news about it. I guess unless the news tells you then it is not gospel. LOL

Back in May 31, 2008  I got this email BIG VIRUS COMING-CONFIRMED BY SNOPES

Hi All.  I checked with Norton Anti-Virus, and they are gearing up for this virus!  I checked Snopes and it is for real!!  Get this E-mail message sent around to your contacts ASAP.

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!
You should be alert during the next few days.  Do not open any message!  With an attachment entitled 'POSTCARD,' regardless of who sent it to you.  It is a virus which opens A POSTCARD IMAGE, which 'burns' the whole hard disc C of your computer.  This virus will be received from someone who has your e-mail address in his/her contact list.  This is the reason why you need to send this e-mail to all your contacts.  It is better to receive this message 25 times than to receive the virus and open it.

If you receive a mail called 'POSTCARD', even though sent to you by a friend, do not open it! Shut down your computer immediately.

This is the worst virus announced by CNN.  It has been classified by Microsoft as the most destructive virus ever.  This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.  This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
 
http://www.snopes.com/computer/virus/postcard.asp


Granted this email does not describe the virus we all are fighting, but people did know something big was coming and here it is.

Did anyone listen back then. NO! LOL Well now the virus is here and escalating. I wonder what the internet will be like by the end of the month. My phone has been ringing off the hook from those who did not read the email I sent them a couple days ago. I guess we need to be called the "computer news media" before people heed our warnings. LOL

I have also noticed my internet access has increased this week. Either fewer people are using the internet "NOT" or they are now infected and no one is online. "Happy surfing" to those who protected their systems and read this forum. ;)
« Last Edit: March 12, 2009, 05:32:45 PM by partzeus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #152 on: March 12, 2009, 04:21:56 PM »
Hi partzeus,

I am a malware fighter, and no philosopher. I did not have a discussion with the malcreants of the new file infector strains to what purpose their miscreations were wrought upon us, and I do not like to speculate either.
On the other hand, isn't it the price we pay for letting SafeHex not be a top priority in computing?
That means there are vast amounts of people cruising the Internet not knowing one hoot about how to be or stay secure, loads of them behind a zombie machine spewing 250.000 e-mails illegally every hour, for the main part without an active dual way firewall installed (who influenced users to no longer install firewalls), many users that never have their OS and third party software updated, making them vulnerable as hell. Not many users using safe browser procedures e.g. blocking script to run or request to be made from re-directs to malware sites. And we just go on selling M$ out of the box and run these with full admin rights on an as default machine with AV disabled, because isn't this using too much of my poor cycles? It is almost a policy over the last two decades where we can sigh: "Actually we deserved this virus to tell us a lesson and cripple the way we were on the Internet for years". And now the genie is out of the proverbial bottle, how do we get it back in?

polonus
« Last Edit: March 12, 2009, 05:37:36 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Malware name Win32:Vitro
« Reply #153 on: March 12, 2009, 06:23:36 PM »
I thought the same thing but Apple is owned by MS.

I find this hard to believe. As I recall there are strict laws that prevent MS from having a monopoly over the market. If Apple is owned by MS then that would create false competition since it's still MS that gets the revenue. Can you develop this idea and explain what you mean?

Back in May 31, 2008  I got this email BIG VIRUS COMING-CONFIRMED BY SNOPES

I find this an odd method of spreading the word since I generally regard these E-mails as a nuisance. Half my contacts, even more, don't have advanced or medium knowledge of their computer (I'm in the latter). So why send them such E-mails?


many users that never have their OS and third party software updated, making them vulnerable as hell. Not many users using safe browser procedures e.g. blocking script to run or request to be made from re-directs to malware sites. And we just go on selling M$ out of the box and run these with full admin rights on an as default machine with AV disabled, because isn't this using too much of my poor cycles?

Well I'm Using my admin Account on my vista but it seems more and more people seem to push this idea of using a second account for everyday tasks (however I have Avast security set on HIGH). Guess I'll try that as well. Could not hurt at this point although I don't see the advantage since in both cases viruses get installed and run right?

cheers
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #154 on: March 12, 2009, 06:38:23 PM »
You are correct concerning Apple. What I meant to say is a couple years ago they were about to shut their doors and MS stepped up to the plate and infused a lot of money into the company. Granted they do not own apple but they do own shares of stock in the company. How much I can't say. You would have to Google the news story. If memory serves me correctly this happened between 2000 and 2005 I am sorry I could not be more help.

BTW guys, what is the status on controlling this virus. In one of my past posts I asked if this http://www.scanforfree.com/09/win32-virut-gen-5-removal.html  would clean the virus or does it just isolate it?

What have you been finding out? Is this virus spreading or is it now contained? The internet has been really quiet the past couple of days which is strange.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #155 on: March 12, 2009, 07:54:38 PM »
Hi partzeus,

Statistics for it here: http://www.threatexpert.com/threats/win32-virut-gen-5.html

I have seen that SAS has been updated for this today, so there is some action on this front; to what extent the detection is effective, I haven't a clue,

I will post also on MozillaZine to ask Giorgio Maone what is the best in-browser protection against this, he is the maker of the NoScript extension inside Fock/Firefox,

Also read this: http://www.avertlabs.com/research/blog/index.php/category/malware-research/

polonus
« Last Edit: March 12, 2009, 08:08:52 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #156 on: March 12, 2009, 08:55:34 PM »
Hi partzeus,

It could be that the term "bypasses" was translated with "circumvent", in this case we were discussing a bug - that is NOT the case - no way.

According to the following McAfee writeup ( http://vil.nai.com/vil/content/v_154029.htm ) this is what the virus is doing (after the system has been infected!) to make an exception in the registry-settings of the Microsoft Windows firewall (that is only monitoring incoming traffic by default in XP and stops by default): the exception here is being made for the Winlogon.exe process in memory. This will result in Winlogon listening in on a TCP or UDP port and incoming outward connections for that port(s) will no longer be blocked by the firewall. While the virus injects itself into the winlogon process it can open up ports by itself.

N.B:
- So this is not an attack vector, e.g. a non infected PC cannot be infected by "circumventing" the Windows XP firewall (as set by default).

- Whenever you have a NAT-modem/router opening up ports on your PC makes no sense, the NAT router will stop outward connections anyway. This does not influence the update process of the virus, it can download updates and additions. Also it can seek connection from within to  IRC servers etc. to receive instructions.

- When you use another software firewall you probably will get a message pop-up that Winlogon.exe is trying to listen on a certain port. Because the message does not sound suspicious right out, users will allow this.

- Log-on as non-admin will thwart the virus here in this respect probably (changing the mentioned registry settings and altering the HOSTS file is not possible in this case).

- One could alter the file system permissions on the machine. Normal users (I myself and I) do not have writing permission in C:\ and C:\Windows\Temp\; in last mentioned folder the virus will try to download extra files. These are typical in-depth-defense measurements, I have writing permission in D:\ but by being not like the average user in these respects you will have some additional in-built-protection. Of course you will allow writing permissions in %TEMP% (under XP mapped on C:\Documents and Settings\polonus\Local Settings\Temp\) but then this is a personal folder (With thanks to Bitwiper for the write-up),

polonus
« Last Edit: March 12, 2009, 09:24:47 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
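The registry exception polonus describes above can be checked for after the fact. The following is an added example, not from the thread and not code from any of the products mentioned; it is written in Python so it runs anywhere rather than only on the affected box. It parses a registry export of the XP SP2 firewall's per-program exception list (the key path and the value format path:scope:Enabled|Disabled:description are assumed from the XP SP2 layout, and the export text is constructed) and flags enabled exceptions for system processes such as winlogon.exe that should never hold one.

```python
"""Audit Windows XP SP2 firewall application exceptions for unexpected entries.

Added example (not from the thread). Parses the text of a registry export of
the firewall's AuthorizedApplications list, whose values are assumed to use
the XP SP2 format  "<path>:<scope>:<Enabled|Disabled>:<description>", and
flags enabled entries for programs that should never need an inbound
exception. The sample export below is constructed.
"""
import re

# Key where XP SP2's firewall keeps per-program exceptions (standard profile).
LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# System processes that have no business holding a firewall exception.
SUSPICIOUS_PROGRAMS = {"winlogon.exe", "services.exe", "lsass.exe", "csrss.exe"}

# Constructed sample of what `reg export` of that key looks like (backslashes
# are doubled inside quoted values, as in real .reg files).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:Windows Logon"
"C:\\Program Files\\Old\\old.exe"="C:\\Program Files\\Old\\old.exe:*:Disabled:Old tool"
'''

# "name"="value" line of a .reg export; both sides may contain \" and \\ escapes.
LINE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')
# Exception value: a path (drive-prefixed or colon-free), scope, state, description.
VALUE_RE = re.compile(r'^(?P<path>[A-Za-z]:[^:]*|[^:]*):(?P<scope>[^:]*):'
                      r'(?P<state>Enabled|Disabled):(?P<desc>.*)$')


def unescape(s):
    """Undo the .reg escaping of backslashes and quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_exceptions(export_text):
    """Return a list of dicts for every well-formed exception under LIST_KEY."""
    entries = []
    in_list = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_list = line[1:-1].lower() == LIST_KEY.lower()
            continue
        if not in_list or not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        v = VALUE_RE.match(unescape(m.group('value')))
        if not v:
            continue
        entries.append({
            'path': v.group('path'),
            'scope': v.group('scope'),
            'enabled': v.group('state') == 'Enabled',
            'description': v.group('desc'),
        })
    return entries


def find_suspicious(entries):
    """Enabled exceptions whose image name is a core system process."""
    hits = []
    for e in entries:
        basename = e['path'].replace('/', '\\').rsplit('\\', 1)[-1].lower()
        if e['enabled'] and basename in SUSPICIOUS_PROGRAMS:
            hits.append(e)
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(parse_exceptions(SAMPLE_EXPORT)):
        print(f"suspicious exception: {hit['path']} ({hit['description']}), scope {hit['scope']}")
```

On a real XP SP2 machine the input would come from `reg export` of that key; that command writes UTF-16 text, so open the file with encoding='utf-16' before passing it to parse_exceptions. Any enabled entry for winlogon.exe is the registry trace of what the McAfee writeup describes, and is worth investigating even if the antivirus reports the system clean.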

partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #157 on: March 12, 2009, 09:58:06 PM »
Thanks for the links this is the best information. I just hope in time someone finds a clean for the files. A lot of my customers need the data I backed up to a USB drive for them, but I told them they can not access the files until I know there is a clean utility. Is this correct?

For now they are running with a fresh install and all the tips provided and running avast they should be safe from future attacks correct?

« Last Edit: March 12, 2009, 10:47:21 PM by partzeus »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #158 on: March 12, 2009, 10:24:50 PM »
According to the following McAfee writeup ( http://vil.nai.com/vil/content/v_154029.htm ) this is what the virus is doing (after the system has been infected!) to make an exception in the registry-settings of the Microsoft Windows firewall (that is only monitoring incoming traffic by default in XP and stops by default): the exception here is being made for the Winlogon.exe process in memory. This will result in Winlogon listening in on a TCP or UDP port and incoming outward connections for that port(s) will no longer be blocked by the firewall. While the virus injects itself into the winlogon process it can open up ports by itself.
With Vista Firewall Advanced Settings, is it possible to block winlogon.exe outbound connections?
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #159 on: March 12, 2009, 10:43:10 PM »
Hi Tech,

Rules can be configured for services by its service name chosen by a list, without needing to specify the full path file name,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #160 on: March 12, 2009, 10:52:34 PM »
Hi Tech,

Rules can be configured for services by its service name chosen by a list, without needing to specify the full path file name,

polonus
So, can we just block all attempts by winlogon.exe to make outbound connections? All ports, all protocols?
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #161 on: March 12, 2009, 11:15:35 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #162 on: March 12, 2009, 11:19:19 PM »
Hi Tech,

Re: http://articles.techrepublic.com.com/5100-10878_11-6098592.html

pol
I know how to do it.
What I don't know is what should I do? Block outbound connections of winlogon.exe?
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #163 on: March 12, 2009, 11:52:45 PM »
Hi Tech,

winlogon.exe (Windows Logon)
Name = winlogon.exe
Description =
Type = custom

Rules

Microsoft Winlogon LDAP connection
Name = Microsoft Winlogon LDAP connection
Enabled = true
High Priority = false
Domain Rule = true
Ignore Checksum = false
Default Rule = true

Where the protocol is TCP
  and the direction is Outbound
  and the remote port is 389, 3268
Allow it

Microsoft Winlogon DCOM connection
Name = Microsoft Winlogon DCOM connection
Enabled = true
High Priority = false
Domain Rule = true
Ignore Checksum = false
Default Rule = true

Where the protocol is TCP
  and the direction is Outbound
  and the remote port is 135
Allow it
6. Process-control settings
Hidden processes

Warn = true
Raw sockets

Warn = true

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
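The rule dump polonus posted above is the practical answer to the question of whether all outbound traffic from winlogon.exe can simply be blocked: on a domain-joined machine winlogon legitimately talks to the domain controller over LDAP (TCP 389 and 3268) and DCOM (TCP 135), so a blanket block would break logon there. As an added illustration, not from the thread and not any firewall product's code, the Python below models that policy with first-match rule evaluation and a default of block for winlogon.exe, then runs constructed connection attempts through it. The host names and the 198.51.100.7 address are constructed placeholders.

```python
"""Model the outbound policy for winlogon.exe discussed in the thread.

Added example (not from the thread). The two allow rules reproduce the ones
quoted in the post; everything else winlogon.exe attempts outbound falls to
the per-program default of Block. Programs without a policy keep the Windows
firewall's own outbound default, which is Allow. All attempts are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str              # 'TCP' or 'UDP'
    direction: str             # 'Outbound' or 'Inbound'
    remote_ports: FrozenSet[int]
    action: str                # 'Allow' or 'Block'


@dataclass(frozen=True)
class Connection:
    program: str               # image name of the process, e.g. 'winlogon.exe'
    protocol: str
    direction: str
    remote_host: str
    remote_port: int


# Allow rules as quoted in the post (LDAP to a domain controller, DCOM).
WINLOGON_RULES: List[Rule] = [
    Rule('Microsoft Winlogon LDAP connection', 'TCP', 'Outbound', frozenset({389, 3268}), 'Allow'),
    Rule('Microsoft Winlogon DCOM connection', 'TCP', 'Outbound', frozenset({135}), 'Allow'),
]

# Per-program policy: ordered rules plus the action taken when none matches.
POLICY: Dict[str, Tuple[List[Rule], str]] = {
    'winlogon.exe': (WINLOGON_RULES, 'Block'),
}


def evaluate(conn: Connection, policy=POLICY, default_other='Allow') -> Tuple[str, Optional[str]]:
    """First-match evaluation; returns (action, name of the rule that decided, or None)."""
    entry = policy.get(conn.program.lower())
    if entry is None:
        return default_other, None
    rules, default = entry
    for r in rules:
        if (r.protocol == conn.protocol and r.direction == conn.direction
                and conn.remote_port in r.remote_ports):
            return r.action, r.name
    return default, None


# Constructed attempts: domain traffic that must keep working, a connection to
# an unrelated host on a port an IRC-style control channel might use, a UDP
# attempt the TCP-only rules do not cover, and an unrelated program.
SAMPLE_ATTEMPTS = [
    Connection('winlogon.exe', 'TCP', 'Outbound', 'dc01.corp.example', 389),
    Connection('winlogon.exe', 'TCP', 'Outbound', 'dc01.corp.example', 3268),
    Connection('winlogon.exe', 'TCP', 'Outbound', 'dc01.corp.example', 135),
    Connection('winlogon.exe', 'TCP', 'Outbound', '198.51.100.7', 6667),
    Connection('winlogon.exe', 'UDP', 'Outbound', '198.51.100.7', 389),
    Connection('firefox.exe', 'TCP', 'Outbound', 'www.example.com', 80),
]


def audit(attempts=SAMPLE_ATTEMPTS):
    """Decide every attempt; returns (program, host, port, action) tuples."""
    return [(c.program, c.remote_host, c.remote_port, evaluate(c)[0]) for c in attempts]


if __name__ == '__main__':
    for program, host, port, action in audit():
        print(f"{action:5}  {program} -> {host}:{port}")
```

On a standalone (non-domain) machine the two allow rules are never needed and the policy collapses to blocking winlogon.exe outbound entirely, which is what Lisandro is asking about; on a domain member, keep the allow rules in front of the block, and treat any blocked attempt in the firewall log as something to look into.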

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #164 on: March 13, 2009, 02:20:52 AM »
Sorry, need further help... Is it added as a program or service?
Where is this info: Microsoft Winlogon LDAP connection

I'm afraid to block a legit connection and mess my computer...
The best things in life are free.