Author Topic: Malware name Win32:Vitro  (Read 341077 times)


alfie_dub

  • Guest
Re: Malware name Win32:Vitro
« Reply #330 on: August 01, 2009, 12:11:09 PM »
Well, I've been hit pretty hard by this virus.

I didn't act quickly enough, and now I can't even get into Safe Mode as I'm stuck in the same log-in loop as previous posters have mentioned. I created a Dr Web Live boot CD, which picked up about 100 infected files (although none actually said Vitro IIRC; most were Trojan.Packed.140 with a couple of Viruts thrown in). I deleted/cured all files and restarted, but the same problem persists.

What are my next options? I have an XP setup disk (not mine, will this be a problem?), and I need to recover some files from my HDD if possible so I don't want to format straight away. It is a desktop so can I remove the HDD and recover files using another computer? I'm not brilliant with computers so this could be a bit tricky.

Thanks for any help
Alfie

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Malware name Win32:Vitro
« Reply #331 on: August 01, 2009, 12:48:35 PM »
When you say that, I can say nothing more, because I trust you; using your product to protect my computer shows that I trust you!! ;)

What I meant is: a genius (geek) is a white hat, someone who cares, because he wants to discover some weaknesses and interesting techniques... that's acceptable... but when someone uses his skills to do some kind of "black magic" (and Virut connects the victim to a botnet etc.), I seriously can't call him a genius..

alfie_dub

  • Guest
Re: Malware name Win32:Vitro
« Reply #332 on: August 01, 2009, 05:09:11 PM »
OK, I've now tried doing a Windows rebuild with an XP setup disk (following these instructions: http://www.informationweek.com/1094/langa.htm)

I press any key to load from disk, and get the blue screen saying 'Setup is loading files' and then 'setup is starting windows'. The next screen I get says 'A problem has been detected and windows has been shut down to prevent damage to your computer.....check for viruses on your computer.....run chkdsk/f to check for hard drive corruption'......etc etc

I have no input before this screen comes up; there's nothing I can do but turn it off after this message displays. Does this mean that I won't even be able to format it, or is there a way around this?



Also, I have my documents I want to recover on an extra hard drive installed in my machine. I can remove this and connect it to a working PC or a caddy to recover my files, but how can I check that this hard drive hasn't been corrupted before I connect it to a clean PC? I don't want to spread this thing any further! If I can do this I'm happy to kiss goodbye to my PC; it was old anyway and I'm getting a new one soon.

bluestarmatrix

  • Guest
Re: Malware name Win32:Vitro
« Reply #333 on: August 03, 2009, 12:34:20 PM »
I'm another victim  ;D and survivor   :D

Some malware is downloading x.exe and it is being reported as Win32:Vitro by avast, so I'm here to post some junk data about this virus.

I found the most common files created by this virus

\WINDOWS
  msdriver32.exe
  usb_magr.exe

\WINDOWS\SYSTEM32
  x.exe <-
  wshost32.exe
  asr_<usrname to source>.exe
lots of junk files
some EXEs and some .SCR files

When I investigated how the virus works, I found it downloads files from various random sources using FTP  ::)

I renamed the FTP.EXE in the system32 folder to _FTP.exe  :P
Voila, it stopped working  :o :o

Hmmm, it is a virus; it must be surviving from some system files.  I found it is being invoked by some module related to svchost.exe

After removing all the downloaded files and renaming FTP.exe, I executed msdriver32.exe (the virus)  :D using Process Explorer to monitor it.

It first closed Process Explorer  ???

From Process Explorer I could see this thing starting too many threads connecting to remote hosts.  It was establishing connections using some port related to microsoft-ds, maybe looking for other hosts or victims.   :-[ The same kind of attack was executed on me and it was reported as a DCOM exploit attack (port 135) by avast  ???.  I guess avast had failed when the virus had established a connection to my system through some other port, or maybe I'm wrong.  That crap was struggling to establish a successful connection  ;D :D ;D and is a brain without any physical strength  8)

Anyway, for now renaming ftp.exe is an easy solution for me; I've stopped being bothered by junk stuff, Explorer restarts, the crashing Audio service etc.  8) ;D

This may help somebody until the virus creator changes his code.

I feel ftp.exe is a helpful tool for viruses rather than for common users.  :P

And extremely sorry if this is not the way the story is supposed to be posted here.  Some help in redirecting me to a more appropriate place would be helpful  ::)
« Last Edit: August 03, 2009, 12:41:52 PM by bluestarmatrix »

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Malware name Win32:Vitro
« Reply #334 on: August 03, 2009, 01:03:05 PM »
@bluestarmatrix: if you feel you are infected with something which avast! failed to clean, try another Antivirus engine to scan your computer.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. You can download it from Here. You can learn how to use it from Here.
Also, if you want to burn that disc yourself with your own burning tool (such as Nero or…), you can download the Image File (.iso) from Here.
After burning it to disc, use it to boot your computer, do a full scan and remove everything it finds.

Download, install and update these programs (just use Offline update installer if you cannot use Live Update to update your programs):

Program                    Download    Offline Updater
Malwarebytes Antimalware   Download    Updater
SUPERAntiSpyware           Download    Updater
SpyBot S&D                 Download    Updater

Scan your computer using them; also, during installation of SpyBot S&D, disable all residents.

You may like to block bad URLs to prevent your computer from downloading more infected files. So:
Download and install HostsMan.
After installing, run it, click on "Update Hosts", choose "MVPS Hosts" and in the options below choose "Overwrite Current" hosts.
This step would immunize your Hosts file, would prevent any internet traffic to malware sites and would also fix the Windows Hosts file if it has been hijacked by malware.
« Last Edit: August 03, 2009, 01:04:51 PM by Omid Farhang »
Twitter: OmidFarhangEn - OS: Manjaro KDE

bluestarmatrix

  • Guest
Re: Malware name Win32:Vitro
« Reply #335 on: August 03, 2009, 01:10:38 PM »
@Omid Farhang

Dude, all I wanted to tell was how to stop being bothered by the Vitro virus.
It is not about blaming avast or promoting other anti-virus.

Hope you get my point talking about FTP.exe  :)
Thanks for the info regarding various tools and software!

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Malware name Win32:Vitro
« Reply #336 on: August 03, 2009, 01:47:56 PM »
@Omid Farhang

Dude, all I wanted to tell was how to stop being bothered by the Vitro virus.
It is not about blaming avast or promoting other anti-virus.

Hope you get my point talking about FTP.exe  :)
Thanks for the info regarding various tools and software!

I got you, and I did not blame avast! or something else; I just gave you some additional tools to make sure there is nothing wrong in your computer and to enjoy the feeling of security!! ;)

I hate Vitro and Virut, because it has ruined my system in the past, and everywhere that I see a sign of it, I attack it with all my power!! That's why I wrote you those things to protect your computer :)
Twitter: OmidFarhangEn - OS: Manjaro KDE

bluestarmatrix

  • Guest
Re: Malware name Win32:Vitro
« Reply #337 on: August 03, 2009, 01:50:06 PM »
Thanks buddy!!

Maybe I am wrong regarding what I'd posted; it seems some other malware is trying to download Vitro.   Now everything is OK. :)

That malware is trying to connect to v1.virtual-rejectz.com and download some malicious stuff.  I mapped the domain name to 0.0.0.0 :P and it keeps trying to reach that web site :P :P
« Last Edit: August 03, 2009, 01:57:58 PM by bluestarmatrix »

atomicrabbit

  • Guest
Re: Malware name Win32:Vitro
« Reply #338 on: August 03, 2009, 06:08:09 PM »
My parents' computer just got infected with this monstrosity of a virus.

Whatever you do, DO NOT SCAN THE INFECTED COMPUTER WHILE IT'S RUNNING. Put the infected HDD into an enclosure and scan it from a clean computer, or boot the computer from an antivirus boot cd. Scanning the infected computer from within the infected Windows will spread the virus faster because of the way it works. Basically if an EXE file is accessed in any way by the OS, the virus will infect it. So a virus/malware scanner will actually make the infection worse by scanning and accessing each exe on your computer.
Just a tip for those trying to fight this sucker.

I haven't yet cleaned the infected computer, but I plan to back up the important data and reformat/install XP over again.

khchin22

  • Guest
Re: Malware name Win32:Vitro
« Reply #339 on: August 08, 2009, 02:33:48 AM »
I'm an IT guy for a small company in LA.  We got hit by this virus hard; took down our file server, plus four workstations.  Took me 2 solid days to get everything up and running.  I know this has been repeated in this thread before, but just thought I'd add it again for those who don't want to read all 23 pages.

1.  Do not run any kind of virus scan once you suspect an infection on your network, it will just spread the virus and your computer will be toast.
2.  SAFE mode doesn't work, don't even try it.
3.  My experience was that running a cleaner from a boot CD did NOT work.  Virus still remains after multiple scans from multiple engines.
4.  Repairing Windows from a fresh WinXP CD seemed to work, but my users always re-infected themselves with the infected HTML files and other EXEs on their systems.  It also infects USB thumb drives with autorun.inf, so it will infect whatever computer you stick it into next.  You can still use thumb drives if you are careful and delete the autorun.inf and whatever EXE files it creates on the thumb drive.
5.  What worked for me was to format the disk, re-install Windows, and restore their data files.  But before that, I had to make sure they had no EXEs or HTML files in their backups.  You can use Windows' search and just delete them all.
6.  Again, this virus is NOT magical, it does not "remain in memory" after a hard power-off.  Users are just re-infecting themselves because the computer is not clean.  The virus spreads all over the place, so it's quite easy.
7.  I blocked the IPs and websites mentioned in previous posts, and that seemed to help with the spread rate.

Takeaway: BACK UP, BACK UP, BACK UP.  I don't think you could, or would want to, leave an infected computer on your network just because you didn't take the time to back up your data.
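
A triage script for the approach in atomicrabbit's and khchin22's posts (scan the disk from a clean machine, never from within the infected Windows, and check removable media for autorun.inf). This is an added example, not code from the thread or from Avast: it walks a mounted, non-booted disk, reports the executables any autorun.inf would launch, and flags files whose names match the droppings bluestarmatrix listed; the sample drive it builds is constructed from placeholder files.

```python
import tempfile
from pathlib import Path

# File names the thread reports being dropped into \WINDOWS and \WINDOWS\SYSTEM32;
# asr_<username>.exe is matched by prefix in triage().
DROPPED_NAMES = {"msdriver32.exe", "usb_magr.exe", "wshost32.exe", "x.exe"}

def autorun_targets(inf_path):
    """Executables an autorun.inf would launch (open=, shellexecute=, and any
    shell\\...\\command= key), parsed by hand; backslashes normalised for POSIX."""
    targets = []
    for raw in Path(inf_path).read_text(encoding="latin-1", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if value and (key in ("open", "shellexecute") or key.endswith("\\command")):
            exe = value.split()[0].strip('"').replace("\\", "/")
            if exe not in targets:
                targets.append(exe)
    return targets

def triage(root):
    """Walk a mounted (never booted) disk; return (kind, path, exists) tuples:
    'autorun-target' for anything an autorun.inf would run, 'dropped-name' for
    files matching the reported droppings wherever they sit."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == "autorun.inf":
            for exe in autorun_targets(path):
                target = path.parent / exe
                findings.append(("autorun-target", str(target), target.exists()))
        elif name in DROPPED_NAMES or (name.startswith("asr_") and name.endswith(".exe")):
            findings.append(("dropped-name", str(path), True))
    return findings

def build_sample_drive():
    """Constructed stand-in for the infected disk: placeholder files, not malware."""
    root = Path(tempfile.mkdtemp())
    for rel in ("WINDOWS/msdriver32.exe", "WINDOWS/system32/asr_alice.exe", "RECYCLER/x.exe"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"MZ placeholder, not a real executable")
    (root / "autorun.inf").write_text("[autorun]\nopen=RECYCLER\\x.exe\n"
                                      "shell\\open\\command=RECYCLER\\x.exe -start\nshellexecute=missing.exe\n")
    return root
```

Point `triage()` at the mount point of the suspect disk or thumb drive (for example a drive letter on the clean PC or `/mnt/infected` from a Linux boot CD); a name match is a lead for the offline scanner, not proof of infection on its own.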

Northeast

  • Guest
Re: Malware name Win32:Vitro
« Reply #340 on: August 08, 2009, 04:09:12 PM »
Hi Omid Farhang, I read your thread about installing HostsMan and I decided to give it a try, and once I followed your instructions the hosts tab section on my Online Armor firewall came up with these bad host names and I did not know whether to set it to allow or block these hosts, so I uninstalled the HostsMan program and left my original hosts file.

I'm not familiar with the Online Armor firewall functions as I just installed it not too long ago. Also I don't know much about hosts protection and hosts files.

YoKenny

  • Guest
Re: Malware name Win32:Vitro
« Reply #341 on: August 08, 2009, 04:21:50 PM »
@Northeast

Please read:
Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

I don't use Online Armor firewall but I would let it block those entries. 

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #342 on: August 10, 2009, 10:44:38 PM »
Hi malware fighters,

This thread is being referred to elsewhere and also summarized:
http://forums.techpowerup.com/showthread.php?t=94238
I think it has become an important thread on this high risk file infector.
Anyone aware of new developments? Like: immediately go into Safe Mode, try not to interrupt the cleansing session or do more than one cleansing routine. Try to avoid repairing instructions because of the buggy nature of the infector and the loss of vital executables. Keep in mind that the executable that scans can also be infected, because it is an executable. What is the payload after the infector has been cleansed by closing a virtual machine or sandbox? How can the circumvention of Windows File Protection and the FW be blocked? What further hardening against it is possible? Questions, questions, for which we have not that many answers. And in the case of something new turning up, keep posting it here,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Malware name Win32:Vitro
« Reply #343 on: August 10, 2009, 11:21:56 PM »
Hi Omid Farhang, I read your thread about installing HostsMan and I decided to give it a try, and once I followed your instructions the hosts tab section on my Online Armor firewall came up with these bad host names and I did not know whether to set it to allow or block these hosts, so I uninstalled the HostsMan program and left my original hosts file.

I'm not familiar with the Online Armor firewall functions as I just installed it not too long ago. Also I don't know much about hosts protection and hosts files.

Yes, those bad URLs come into your Hosts file and Online Armor would show them; don't touch them and let them redirect from their normal destination to the localhost address (127.0.0.1). For your Windows those URLs are blocked; I cannot remember what Online Armor does when a Hosts entry is blocked or allowed...
Twitter: OmidFarhangEn - OS: Manjaro KDE
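
An added example (not from the thread, HostsMan or Avast) of the hosts-file check behind Omid Farhang's HostsMan advice and bluestarmatrix's 0.0.0.0 mapping: it parses a hosts file, reports entries that point a name anywhere other than loopback or null (the shape of a hijack that silently redirects vendor and update sites) and writes an immunized version. The sample hosts text and its hijack line are constructed; the blocked domain is the one bluestarmatrix named.

```python
# Constructed sample of a Windows hosts file. The 203.0.113.9 line is a made-up
# hijack (a vendor site silently redirected); the 0.0.0.0 line is the mapping
# bluestarmatrix described for the domain named in the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.9     www.avast.com update.avast.com   # hijack example
0.0.0.0         v1.virtual-rejectz.com
"""

# Addresses a legitimate block list uses; anything else deserves a look.
NULL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return (address, hostname) pairs. '#' starts a comment; every token
    after the address is another hostname mapped to the same address."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries

def hijack_candidates(text):
    """Names mapped to something other than loopback or null. This is how a
    hosts hijack cuts a machine off from vendor/update sites."""
    return [(addr, host) for addr, host in parse_hosts(text) if addr not in NULL_ADDRS]

def immunize(text, block_domains):
    """Return new hosts text: hijack candidate lines dropped, comments and
    existing block lines kept, each domain in block_domains mapped to 0.0.0.0
    (unroutable, so nothing is served even if a local web server listens)."""
    already = {host for addr, host in parse_hosts(text) if addr in NULL_ADDRS}
    kept = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] not in NULL_ADDRS:
            continue  # drop the hijack line entirely
        kept.append(line)
    for domain in block_domains:
        if domain.lower() not in already:
            kept.append(f"0.0.0.0\t{domain.lower()}")
    return "\n".join(kept) + "\n"
```

Review `hijack_candidates()` before writing the result back, since a deliberate intranet mapping (a file server by name, say) would be dropped by `immunize()` too.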

marasgal

  • Guest
Re: Malware name Win32:Vitro
« Reply #344 on: September 09, 2009, 02:00:00 AM »
I don't know if this helps or not, but I hope it will. I was trying to figure out why my PC was acting funny. It was getting stuck at the wallpaper after logging in, no icons, just the wallpaper. I put in my Windows CD, booted from CD and did a bootfix. Started into Safe Mode, restored to a few days back, then restarted my PC. As soon as I got in, AVAST went crazy. I set it to do a boot scan, and restarted. I set it to delete all viruses it came across.
As soon as I got the PC up and going again after 3 hours of scanning (over 1600 viruses, almost all were Vitro) I got back into Windows. I got the AVG rmvirut.exe program, checked, found nothing, and I got ClamWin Free Antivirus which also found nothing so far.
I am not 100% sure I am totally clean, since it's only been about an hour, but I will keep you updated if anything new comes up or not.
I really hope this helps someone so they are able to fix their problems.