Author Topic: Vitro-virut - a file infector and why we cannot give false hope!  (Read 5416 times)


Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30849
  • malware fighter
Vitro-virut - a file infector and why we cannot give false hope!
« on: February 24, 2009, 11:53:40 PM »
Again,

We try to offer hope for victims of the latest vitro-virut file infector. The webmaster can cleanse his website easily from the malware frame; for infected users we have no hope to offer: fdisk, format and re-install is the only solution open to them.
We haven't a clue what the purpose of this "buggy", corrupting file infector is, and why it leaves a computer beyond repair. You cannot use it as a zombie in a botnet, you cannot use it for launching spyware. On the other hand the malware is so advanced in nature that it cannot have been developed by anyone but very apt malcreants; it is pure genius in development and a nightmare for the av-vendor and the malware fighter. For the moment they have to throw in the towel: the malware won, we have bitten the dust...
But why is it purely negative, then? It has a random encrypted file-infecting routine that makes it very hard to recover from; how that is accomplished is described here:
 http://www.sophos.com/security/blog/2008/05/1436.html

So the best protection is prevention (update, patch, use in-browser security, surf with normal user rights). I wonder where the weak side of this malware could be so we can tackle it; we haven't found that yet. For the moment I reckon, for those infected, that your luck was in: this is the latest removal info: http://www.hm2k.com/posts/win32-virtob-virut-removal
About throwing in the towel:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html#IDComment15344616

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80561
  • No support PMs thanks
Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #1 on: February 25, 2009, 12:34:07 AM »
It makes absolutely no sense to me either. It is almost like when viruses first made an appearance: some were malign, but just to let you know it was boss; some were purely malicious. The common factor was they were just made by individuals, and not, as it is now, by organised crime to make money.

This is why it makes no sense to go to all this trouble to trash systems without an apparent purpose or gain. Unless this is just preparing the ground to watch how AVs respond for a phase two, like some of the other ransomware, encrypting data folders/partitions and demanding money to release them.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.8.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 30849
  • malware fighter
Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #2 on: February 25, 2009, 12:44:12 AM »
Hi DavidR,

We have seen this in the past with Vetor, but the latest credo for the malcreants seems to be:
"To junk or not to junk, and why not!"

Quote
It is also not unheard of to see viruses accidentally infect files that are not designed for the specific platform that the virus is running on. For example a virus may infect a Windows CE PE file that has been compiled for the ARM processor, while running under X86. This file now has no hope of running, yet a simple check of the MachineID field in the PE header and the virus would have known it was pointless to attempt to infect this file and could have moved on to the next.

It seems that modern-day virus authors see a swathe of files left in varying degrees of corruptness as a perfectly acceptable, and possibly desired, side effect of a successfully infected system.

To junk or not to junk? The virus authors say: why not?
But it is strange, as these are the times of low-profile malware that stays out of sight to do the cyber-criminal's bidding in a stealthy way; vitro/virut etc. are just the opposite.

polonus
« Last Edit: February 25, 2009, 12:45:49 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
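The MachineID check that the quoted Sophos text refers to, as an added example (not code from the original post or from Sophos): a small Python parser that reads the COFF Machine field from a PE image and reports whether the file could run on a given host architecture at all. The stub-PE builder and the sample files are constructed here purely for illustration; the function names are assumptions.

```python
import struct

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification
MACHINE_NAMES = {
    0x014C: "x86 (I386)",
    0x8664: "x64 (AMD64)",
    0x01C0: "ARM",
    0x01C2: "ARM Thumb",
    0x01C4: "ARM Thumb-2 (ARMNT)",
    0xAA64: "ARM64",
}

def pe_machine(data: bytes):
    """Return the COFF Machine field of a PE image, or None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)     # offset of the "PE\0\0" signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)  # first COFF field after signature
    return machine

def compatible_with_host(data: bytes, host_machine: int) -> bool:
    """True if an image with this Machine value can load on the given host architecture."""
    machine = pe_machine(data)
    if machine is None:
        return False
    if machine == host_machine:
        return True
    # x64 Windows still runs 32-bit x86 images via WOW64; anything else is a mismatch
    return host_machine == 0x8664 and machine == 0x014C

def triage(files: dict, host_machine: int) -> list:
    """Names of files (name -> bytes) that could never run on the host, e.g. an ARM CE image on x86."""
    return sorted(name for name, data in files.items() if not compatible_with_host(data, host_machine))

def make_stub_pe(machine: int) -> bytes:
    """Construct a minimal, non-runnable PE image carrying the given Machine value (test data only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    samples = {"calc.exe": make_stub_pe(0x014C), "ce_app.exe": make_stub_pe(0x01C0)}  # constructed
    for name, data in samples.items():
        print(name, MACHINE_NAMES.get(pe_machine(data), "unknown"))
    print("cannot run on x86 host:", triage(samples, 0x014C))
```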

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80561
  • No support PMs thanks
Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #3 on: February 25, 2009, 01:16:01 AM »
Well, it seems, as has been mentioned in the other links you gave, that there is an element of bad coding in this. As what would be the purpose of trying to create a backdoor to download more malware, harvest emails, etc., if the effect of the infection, trashing the system, defeats those purposes?
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.8.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Jtaylor83

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1068
Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #4 on: February 25, 2009, 02:08:45 AM »
I guess people should consider buying a Mac or Linux/Ubuntu as an alternative OS. Even when upgrading to Vista or Win7, PCs are still vulnerable to new viruses and are no longer safe to use.

This new version of Virut (Win32:Vitro) could hurt Microsoft's profits.

Avast 6.0, MalwareByte's Anti-Malware, CCleaner, Defraggler, DownloadHelper, WOT, NoScript, KeyScrambler, Thunderbird, Firefox, Windows XP SP3.

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8788
Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #5 on: February 25, 2009, 12:54:15 PM »
Quote
Hi DavidR,

We have seen this in the past with Vetor, but the latest credo for the malcreants seems to be:
"To junk or not to junk, and why not!"

You could become today's William Shakespeare  ;D
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3061
Re: Vitro-virut - a file infector and why we cannot give false hope!
« Reply #6 on: October 07, 2009, 01:17:33 PM »
File Infector Takes Infection Up a Notch

Quote

It uses a polymorphic-entry point obscuring (EPO)-cavity type of infection, which is capable of moving some of the host file’s codes to another location. The malware encrypts its signature in a different way every time it executes as well as the instructions for carrying out the encryption. It hides its entry point in order to avoid detection. Instead of taking control and carrying out its actions as soon as an application is used or run, it allows it to work correctly for a while before taking action.

http://blog.trendmicro.com/file-infector-takes-infection-up-a-notch/