I'm another victim and survivor.
Some malware is downloading x.exe, and it is being reported as Win32:Vitro by Avast, so I'm here to post some junk data about this virus.
I found the most common files created by this virus:
\WINDOWS
msdriver32.exe
usb_magr.exe
\WINDOWS\SYSTEM32
x.exe <-
wshost32.exe
asr_<usrname to source>.exe
lots of junk files, some EXEs and some .SCR files
When I investigated how the virus works, I found it downloads files from various random sources using FTP.
I renamed FTP.EXE in the system32 folder to _FTP.exe,
and voila, it stopped working.
Hmm, it is a virus, so it must be surviving via some system files. I found it is being invoked by some module related to svchost.exe.
After removing all the downloaded files and renaming FTP.exe, I executed msdriver32.exe (the virus)
using Process Explorer to monitor it.
It first closed Process Explorer.
From Process Explorer I could see this thing starting too many threads connecting to remote hosts. It was establishing connections using some port related to microsoft-ds, maybe looking for other hosts or victims.
The same kind of attack was executed on me, and it was reported as a DCOM exploit attack (port 135) by Avast.
I guess Avast had failed when the virus established a connection to my system through some other port, or maybe I'm wrong. That crap was struggling to establish a successful connection
and is a brain without any physical strength.
Anyway, for now renaming ftp.exe is an easy solution for me; I stopped being bothered by junk stuff, explorer restarts, the crashing Audio service, etc.
This may help somebody until the virus creator changes his code.
I feel ftp.exe is a helpful tool for viruses rather than for common users.
And I'm extremely sorry if this is not the way the story is supposed to be posted here. Some help redirecting me to a more appropriate place would be appreciated.
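The post above describes two things a responder can check mechanically: the dropped filenames under \WINDOWS and \WINDOWS\SYSTEM32, and one process fanning out connections to the ports the worm spreads on (135 for DCOM/RPC, 445 for microsoft-ds). The script below is an added example and is not the poster's code; it assumes the standard `netstat -ano` output format, and the netstat output embedded in it is constructed for the demo, not captured from an infected machine. The filenames are the ones listed in the post; the `asr_<username>.exe` file is matched by prefix because its name depends on the local user.

```python
"""Triage helper for the worm behaviour described in the post above.

Added example, not the poster's code. It does two things:
  1. checks a Windows directory tree for the dropped filenames the post lists
  2. parses `netstat -ano` output and flags processes with many outbound
     connections to the worm's spreading ports (135 DCOM/RPC, 445 microsoft-ds)
"""
import os
import re
import tempfile
from collections import defaultdict

# Filenames the post reports as dropped by the malware, relative to the
# Windows directory (e.g. C:\WINDOWS).
DROPPED_FILES = {
    "msdriver32.exe",
    "usb_magr.exe",
    "system32\\x.exe",
    "system32\\wshost32.exe",
}
# asr_<username>.exe varies per machine, so it is matched by prefix.
ASR_PREFIX = "asr_"
# Ports the post saw the worm hammering: DCOM (135) and microsoft-ds (445).
SPREADING_PORTS = {135, 445}

# One TCP line of `netstat -ano` (Windows). UDP lines have no State column
# and are not of interest here, so the pattern matches TCP only.
NETSTAT_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$"
)


def find_dropped_files(windows_dir):
    """Return the sorted list of suspicious paths that exist under windows_dir."""
    hits = []
    for rel in DROPPED_FILES:
        path = os.path.join(windows_dir, *rel.split("\\"))
        if os.path.isfile(path):
            hits.append(path)
    sys32 = os.path.join(windows_dir, "system32")
    if os.path.isdir(sys32):
        for name in os.listdir(sys32):
            lower = name.lower()
            if lower.startswith(ASR_PREFIX) and lower.endswith(".exe"):
                hits.append(os.path.join(sys32, name))
    return sorted(hits)


def flag_spreaders(netstat_text, min_targets=3):
    """Group outbound TCP connections to 135/445 by owning PID.

    Returns {pid: sorted distinct remote hosts} for PIDs that reach at least
    min_targets distinct hosts. A worm scanning for victims looks like one
    PID fanning out to many hosts, mostly stuck in SYN_SENT; a normal client
    talking to one file server does not cross the threshold.
    """
    targets = defaultdict(set)
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m or m["state"] == "LISTENING":
            continue
        if int(m["rport"]) not in SPREADING_PORTS:
            continue
        targets[int(m["pid"])].add(m["raddr"])
    return {pid: sorted(hosts) for pid, hosts in targets.items()
            if len(hosts) >= min_targets}


# Constructed sample, shaped like `netstat -ano` on Windows. PID 1880 is the
# scanner; PID 4 (System) has a single legitimate SMB session.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1054       192.168.1.20:445       SYN_SENT        1880
  TCP    192.168.1.5:1055       192.168.1.21:445       SYN_SENT        1880
  TCP    192.168.1.5:1056       192.168.1.22:135       SYN_SENT        1880
  TCP    192.168.1.5:1057       192.168.1.23:445       ESTABLISHED     1880
  TCP    192.168.1.5:1060       192.168.1.9:445        ESTABLISHED     4
  TCP    192.168.1.5:1061       10.0.0.3:80            ESTABLISHED     2200
  UDP    0.0.0.0:137            *:*                                    4
"""


def demo_dropped_files():
    """Build a throwaway fake WINDOWS tree holding two of the dropped files
    plus one benign file, and return what find_dropped_files reports
    (paths relative to the fake root, with forward slashes)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "system32"))
    for rel in ("system32\\x.exe", "system32\\asr_bob.exe", "notepad.exe"):
        with open(os.path.join(root, *rel.split("\\")), "wb") as f:
            f.write(b"MZ")  # constructed placeholder, not a real PE
    return [os.path.relpath(p, root).replace(os.sep, "/")
            for p in find_dropped_files(root)]


if __name__ == "__main__":
    print("dropped files found in demo tree:", demo_dropped_files())
    print("PIDs fanning out on 135/445:", flag_spreaders(SAMPLE_NETSTAT))
```

On a live machine you would pass the real Windows directory to `find_dropped_files` and the text of `netstat -ano` to `flag_spreaders`; the PID it returns is the one to look up in Process Explorer or Task Manager, which in the post's account was the process spawned via svchost.exe rather than msdriver32.exe itself.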