Topic: [SOLVED] win32:Vitro How to protect and how to remove?


polonus (Avast Überevangelist)
Re: [SOLVED]win32:Vitro How to protect and how to remove?
« Reply #15 on: April 04, 2009, 08:55:05 PM »
Hi Tech and others,

The malcreant behind the various forms of Virut.h, aka Vitro, which spreads across a system like a bushfire, isn't just a simple script kiddie; he is aware of advanced polymorphic virus techniques that are meant to destroy an operating system utterly and beyond repair. The following data are from the 2008 variant and what it did: _002959_.tmp.dll, _002960_.tmp.dll and _002963_.tmp.dll are some of the files found in the way it infects, and names with random numbers, DIL*tmp where * is a random number, VT100, 17PHolmes1001186.exe and mrofinu1001186.exe were found on the infected machines, whose owners were downloading illegal game keys when they got infected. The crypted code starts with:
Code:
üè)...S¹ ...‹Úf1.@†Ö@...âô after importing > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess > msvbvm60.dll: _CIcos
Technical write-up about the new variant:
http://securitylabs.websense.com/content/Blogs/3300.aspx
For the variant here the decryptor is polymorphic and can be located either:

    * Immediately before the encrypted code at the end of the last section
    * At the end of the code section of the infected host in 'slack-space' (assuming there is any)
    * At the original entry point of the host (overwriting the original host code)

The decryptor will either receive control directly, or an API call within the host code body will be overwritten to point to it (the EPO technique). In all cases where host code is overwritten by the virus, the original bytes are stored within the encrypted virus body and are restored before control is transferred back to the host. This virus may also infect files multiple times. Disabling and re-installing XP SP3 is also not an option; the virus is just too destructive, in such a completely random and buggy fashion, that the infected files remain beyond repair, and the danger of re-infection from infected systems and peripherals is imminent. A hopeless situation; the best policy is to avoid infection by this very dangerous file infector!

Because attempts to cleanse this particular malware only lead to long threads and almost no workable results, your best remaining option is fdisk - format - re-install: http://www.pcworld.com/article/129977/how_to_reinstall_windows_xp.html

Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

1. Ensure that an avast antivirus product is installed on ALL machines connected to the network that can access or host shares (see above for further detail).
2. Ensure that all available network shares are scanned with an up-to-date antivirus product, like avast.
3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/en-us/library/bb456977.aspx
4. Remove any unnecessary network shares or mapped drives.

 

polonus
« Last Edit: April 04, 2009, 11:22:56 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
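Added example, not part of polonus's post or of any Avast tool: a stdlib-only Python triage script that checks where a PE's entry point lands against the three decryptor placements listed above (end of the last section, slack space at the end of the code section, the original entry point). The sample images are constructed in memory; their section names, addresses and the write+execute flag on the appended section are assumptions for the demonstration. An EPO infection, where a call inside the host body is redirected, leaves the entry point untouched and is not caught here, and packers trigger the same heuristics, so treat hits as leads for a proper scan rather than a verdict.

```python
"""Triage a PE's entry point against the decryptor placements described above.

Stdlib-only PE header walk (no pefile). The sample images are constructed
in memory so the script runs offline; pass real files on the command line.
This is an added example, not code from the original post or from Avast.
"""
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section header dicts]) from raw file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32/PE32+
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def triage_entry_point(data):
    """Heuristic findings about the entry point; an empty list means nothing odd."""
    entry_rva, sections = parse_pe(data)
    home = None
    for idx, s in enumerate(sections):
        # the mapped extent includes the file-alignment slack past VirtualSize
        extent = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + extent:
            home = idx
            break
    if home is None:
        return ["entry point maps to no section"]
    s = sections[home]
    offset = entry_rva - s["vaddr"]
    findings = []
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append(f"entry point in last section '{s['name']}'")
    if offset >= s["vsize"]:
        findings.append(f"entry point in slack space of '{s['name']}' "
                        f"(+0x{offset:x}, VirtualSize 0x{s['vsize']:x})")
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section '{s['name']}' is writable and executable")
    if not s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry section '{s['name']}' is not marked as code")
    return findings


def build_pe(entry_rva, sections):
    """Constructed PE32 image (headers only) for the demonstration; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                 # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = 0x00000040 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE   # initialized data
# (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
TEXT = (b".text", 0x1000, 0x0F80, 0x1000, 0x400, CODE)          # 0x80 bytes of file slack
RDATA = (b".data", 0x2000, 0x0200, 0x0200, 0x1400, DATA)
CLEAN_PE = build_pe(0x1000, [TEXT, RDATA])                      # entry at start of .text
SLACK_PE = build_pe(0x1FA0, [TEXT, RDATA])                      # entry in .text slack
APPENDED_PE = build_pe(0x2180, [TEXT, RDATA[:5] + (DATA | IMAGE_SCN_MEM_EXECUTE,)])

if __name__ == "__main__":
    targets = {"clean": CLEAN_PE, "slack": SLACK_PE, "appended": APPENDED_PE}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            targets[path] = fh.read()
    for label, blob in targets.items():
        print(label, "->", triage_entry_point(blob) or "nothing odd")
```

Run it with no arguments to see the three constructed cases, or with paths to files copied off a suspect drive; anything it flags still needs a real scanner, and a clean result says nothing about EPO-style infections.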

diegoss (Guest)
Re: [SOLVED]win32:Vitro How to protect and how to remove?
« Reply #16 on: April 07, 2009, 09:37:03 AM »

Because attempts to cleanse this particular malware only lead to long threads and almost no workable results, your best remaining option is fdisk - format - re-install: http://www.pcworld.com/article/129977/how_to_reinstall_windows_xp.html

Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

1. Ensure that an avast antivirus product is installed on ALL machines connected to the network that can access or host shares (see above for further detail).
2. Ensure that all available network shares are scanned with an up-to-date antivirus product, like avast.
3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/en-us/library/bb456977.aspx
4. Remove any unnecessary network shares or mapped drives.
polonus

Hi polonus,

I really do appreciate your hints. I have been following the threads about Win32:Vitro for the last few days because I am fighting it as well. I think the situation is clear; I have just a few more questions.

I decided to beta test Win7, deleted partitions, formatted drives and installed Win7 from scratch. But I am trying to save indispensable files (docs, pics and videos) from an infected external HDD. I thought it was safe to connect this drive to a fully secured Win7 with avast and Spybot under a restricted user account, then run a full avast scan and delete all infected files from that drive. Secondly, do the scans with Dr.Web CureIt! and HijackThis. But I am not sure yet and still in doubt whether this is safe or not.

The reason is: I wasn't able to find out all the file types which are vulnerable (I know about exe, dll, htm, php, ... and?). Is it also able to infect common files like jpegs, avis, mpegs, docs, xls, pdfs etc.?

Another important question: how is it with Vista and Win7 resistance? I read some posts saying that using those OSes you are not vulnerable, but I am not sure about this, especially when running 32-bit versions of these operating systems.

Could you please try to make this clear for me?

Thanks a million!
Diego

polonus (Avast Überevangelist)
Re: [SOLVED]win32:Vitro How to protect and how to remove?
« Reply #17 on: April 07, 2009, 10:47:35 AM »
Hi Diego,

It seems that the virus can beat Windows File Protection on XP (and Windows firewall protection) and that of Vista when there is full encryption of the hard drive (this has been reported here). If you use back-up material from peripherals that have not been in contact with the file infector to copy onto a cleansed system, that is OK. The file infector tries to infect "all and every" file; to what extent it has been successful can only be decided in the aftermath. You should check by changing the extension into a notepad.exe file to see if the infection persisted. The virus can only be safely handled/cleansed in Safe Mode; if a remainder is still there and the OS runs normally, it again starts to spread like a hay fire.

polonus

diegoss (Guest)
Re: [SOLVED]win32:Vitro How to protect and how to remove?
« Reply #18 on: April 07, 2009, 12:34:59 PM »
...If you use back-up material that is from peripherals that has not been in contact with the file infector to copy unto a cleansed system that is OK.

Hi polonus,

thank you for your reply... so that's the bad news for me, because I am trying to rescue files from an obviously attacked hard drive. Brand new photos and vids of my own, of high importance to me. Shaid! I'll do my best to get rid of this evil and save my data.

So if it might infect files such as jpegs, it seems that avast is not able to locate this polymorph in such files and is reporting it just in executable files... (scans have found no infected jpegs or docs yet). Am I right? I hope the guys developing AVs will find some reliable solution soon, because it seems there are no successes around these days?

Diego

okiseenow (Guest)
Re: [SOLVED]win32:Vitro How to protect and how to remove?
« Reply #19 on: June 28, 2009, 06:58:46 PM »
Hi Diego,

It seems that the virus can beat Windows File Protection on XP (and Windows firewall protection) and that of Vista when there is full encryption of the hard drive (this has been reported here).

polonus

First, I would like to give credit to all on this forum who have helped others with solving this horrible virus. Thanks, guys.
I can attest to it harming a Vista system. I first noticed it when Google said some of my website pages had malware. After deleting those, I found out that html files on my system were infected. It had added a ton of iframe references to the end of html files. I booted with avast and it found many files that were infected with Vitro and 2 with JunkPoly. I didn't save the infected files to the Chest but deleted them, so now I have an unbootable system.
My question is which bootable Linux CD will work and allow me access to the NTFS C: drive so that I can copy my data files off to a USB stick? My original restore is on D:, but I am not sure whether it may have been affected. I want to totally reformat the HD from the Vista CD and start anew. Tips or suggestions are welcome.
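Added example, not part of okiseenow's post or of any Avast tool: a Python check for the symptom described above, iframe tags appended after the closing </html> tag, extended to iframes sized or styled to be invisible. The sample HTML and the example.invalid hosts are constructed for the demonstration. It is a triage aid for html files copied off a suspect drive, not a disinfector: a normally sized iframe injected inside the body would not be flagged, and the "after </html>" test only applies to files that have a closing tag.

```python
"""Flag iframes appended after </html> or hidden by size/style in rescued html files.

Added example, not the poster's or Avast's code. Sample documents are
constructed inline; scan_tree() walks a directory of rescued files.
"""
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
END_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# width/height of 0 or 1 (optionally "0px"), or CSS that hides the frame
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?\s*[01](?![0-9])|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
SCAN_SUFFIXES = {".htm", ".html", ".php", ".asp"}


def find_suspicious_iframes(html):
    """Return (offset, reason, tag excerpt) for each iframe that sits after the
    last closing </html> tag or is sized/styled to be invisible."""
    closes = [m.end() for m in END_RE.finditer(html)]
    end_of_doc = closes[-1] if closes else None
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        reasons = []
        if end_of_doc is not None and m.start() >= end_of_doc:
            reasons.append("after </html>")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden geometry/style")
        if reasons:
            findings.append((m.start(), ", ".join(reasons), tag[:80]))
    return findings


def scan_tree(root):
    """Map each flagged file under root to its findings (unreadable files are skipped)."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in SCAN_SUFFIXES or not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        found = find_suspicious_iframes(text)
        if found:
            hits[str(path)] = found
    return hits


# Constructed samples: one page with two iframes appended past </html>, one clean page.
INFECTED_HTML = (
    '<html><body><p>Holiday photos</p>\n'
    '<iframe src="https://example.com/embed" width="300" height="200"></iframe>\n'
    '</body></html>\n'
    '<iframe src="http://example.invalid/a" width=0 height=0 style="visibility:hidden"></iframe>\n'
    '<iframe src="http://example.invalid/b" width="1" height="1"></iframe>\n'
)
CLEAN_HTML = (
    '<html><body><iframe src="https://example.com/embed" width="300" height="200">'
    '</iframe></body></html>\n'
)

if __name__ == "__main__":
    import sys
    for label, doc in (("infected sample", INFECTED_HTML), ("clean sample", CLEAN_HTML)):
        print(label, "->", find_suspicious_iframes(doc) or "nothing flagged")
    for root in sys.argv[1:]:
        for path, found in scan_tree(root).items():
            print(path)
            for offset, reason, tag in found:
                print(f"  @{offset}: {reason}: {tag}")
```

Point it at the mount of the rescued drive (for example a read-only NTFS mount from a live CD) to get a list of html files worth restoring from a known-good copy rather than carrying over.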

buzasibg (Guest)
Re: [SOLVED]win32:Vitro How to protect and how to remove?
« Reply #20 on: December 22, 2009, 07:53:23 AM »
Hi!
I have not got internet at home, but I am still updating avast, and it has noticed that I have this virus on my computer.

I also tried to format and reinstall everything, but the virus is still there.
please give me a solution.

thanks, buzasibg

A-Vaste (Guest)
Re: [SOLVED]win32:Vitro How to protect and how to remove?
« Reply #21 on: December 22, 2009, 12:14:26 PM »
Virut is very buggy. You can't repair your system.
1. Delete your Windows partition, format and reinstall. (It's the fastest and safest solution.)
2. Download the latest free versions of MBAM and Dr.Web CureIt! from the official pages. (Use another, non-infected computer.)
3. Enter safe mode immediately! Run MBAM first and after that Dr.Web CureIt! IN SAFE MODE!! (It must be done in safe mode.) Do a full system scan and cure infected files (if any).
4. Download avast! from the official avast! page. Do the first-time boot scan.
5. Your system is clean.

I forgot to say: after you've downloaded MBAM and Dr.Web CureIt!, burn them to a CD.
Run that CD in safe mode.
Good luck.
« Last Edit: December 22, 2009, 12:20:11 PM by A-Vaste »