Hi Tech and others,
The miscreant behind the various forms of Virut.h, aka Vitro, which is spreading across systems like a bushfire, isn't just a simple script kiddie; he is aware of advanced polymorphic virus techniques that are meant to destroy an operating system utterly and beyond repair. The following data were on the 2008 variant and what it did: _002959_.tmp.dll, _002960_.tmp.dll, _002963_.tmp.dll are some of the files found in the way it infects, and these names with random numbers, DIL*tmp (where * is a random number), VT100, 17PHolmes1001186.exe and mrofinu1001186.exe were being found on infected machines whose owners were downloading illegal game keys when they got infected. The crypted code starts with
üè)...S¹ ...‹Úf1.@†Ö@...âô
after importing > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess > msvbvm60.dll: _CIcos
Technical write-up about the new variant:
http://securitylabs.websense.com/content/Blogs/3300.aspx
For the variant here the decryptor is polymorphic and can be located either:
* Immediately before the encrypted code at the end of the last section
* At the end of the code section of the infected host in 'slack-space' (assuming there is any)
* At the original entry point of the host (overwriting the original host code)
The decryptor will either receive control directly, or an API call within the host code body will be overwritten to point to it (EPO technique). In all cases where host code is overwritten by the virus, the original bytes are stored within the encrypted virus body and are restored before transferring control back to the host. This virus may also infect the files multiple times. Disabling and re-installing XP SP3 is also not an option. The virus is just too destructive, in such a completely random and buggy fashion, that the infected files remain beyond repair, and the danger of re-infection from infected systems and peripherals is imminent: a hopeless situation. Best policy: avoid infection through this very dangerous file infector!
Because attempts to cleanse this particular malware only lead to long threads and almost no workable results, the best option that remains is fdisk, format, re-install:
http://www.pcworld.com/article/129977/how_to_reinstall_windows_xp.html
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
1. Ensure that an avast antivirus product is installed on ALL machines connected to the network that can access or host shares (see above for further detail).
2. Ensure that all available network shares are scanned with an up-to-date antivirus product, like avast.
3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/en-us/library/bb456977.aspx
4. Remove any unnecessary network shares or mapped drives.
polonus
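Added example (not code from polonus' post or from the Websense write-up it links): the post lists where this infector's polymorphic decryptor can sit, either appended at the end of the last section or tucked into the slack space at the tail of the code section, with control reaching it directly from the entry point or via an EPO patch. The first two placements are visible from the PE headers alone, so a quick triage check is to see where AddressOfEntryPoint lands relative to the section table. The script below parses the PE headers with only the standard library and flags an entry point that is in the last section, past a section's VirtualSize (slack), in a non-code section, or in a writable section. The three sample images are constructed header-only PE32 files built in the script itself, not real samples; the IMAGE_SCN_* values are the standard PE/COFF section characteristic bits. The third placement (decryptor overwriting the original entry point code) and EPO patches of call sites inside the host are not visible from headers, so this check cannot detect them.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_rva, sections):
    """Assemble a minimal PE32 header-only image (constructed test input).

    sections: list of (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics).
    Only the fields the checker reads are populated; no code or data follows the headers.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack(SECTION_FMT, name, vsize, vaddr, rsize, 0, 0, 0, 0, 0, flags)
        for name, vaddr, vsize, rsize, flags in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)   # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", data, e_lfanew + 24 + 16)  # AddressOfEntryPoint
    base = e_lfanew + 24 + opt_size                                # first section header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, base + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rsize": rsize, "flags": flags})
    return entry, sections


def entry_point_findings(data):
    """Flag entry-point placements typical of appending / slack-space file infectors.

    Returns a list of findings; an empty list means nothing odd about where execution
    starts. It says nothing about EPO patches or an overwritten original entry point,
    which need the host code itself to be examined.
    """
    entry, sections = parse_pe(data)
    home = None
    for i, s in enumerate(sections):
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rsize"]):
            home = i
            break
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry]
    s = sections[home]
    findings = []
    if not s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append("entry point in non-code section %s" % s["name"])
    if s["flags"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is writable" % s["name"])
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append("entry point in last section %s" % s["name"])
    if entry >= s["vaddr"] + s["vsize"]:
        findings.append("entry point past VirtualSize of %s (section slack space)" % s["name"])
    return findings


# Constructed sample images: a normal layout, one with the entry point moved into the
# .text slack between VirtualSize and SizeOfRawData, and one with it moved into the
# tail of the last section.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
LAYOUT = [(b".text", 0x1000, 0x800, 0x1000, CODE),
          (b".data", 0x2000, 0x200, 0x200, DATA),
          (b".rsrc", 0x3000, 0x100, 0x200, DATA)]
CLEAN = build_pe(0x1000, LAYOUT)
SLACK = build_pe(0x1900, LAYOUT)
APPENDED = build_pe(0x3100, LAYOUT)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("slack", SLACK), ("appended", APPENDED)):
        print(label, entry_point_findings(image) or ["no findings"])
```

To run it against real files, read the file bytes and pass them to entry_point_findings; a hit on the "last section" or "slack space" findings is only a triage signal (packers and some linkers produce the same layout), so it is a reason to pull the file for proper analysis, not proof of infection. Since the post says the virus can infect the same file several times, a suspicious file on a share is a reason to scan every machine that mounted that share, in line with the network steps above.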