Hi malware fighters,
I have found up this very interesting article: http://windowsir.blogspot.com/2009/02/virut-unanswered-questions.html
Read it, then indeed answer these questions: why aren't we given the full details, and why has Microsoft been silent that long about how Virut circumvents its file protection scheme? Yes, why are our exe's not secure in the hands of Microsoft, why has no AV vendor told us about this, and why is MS the only vendor that I've found so far to make any mention of WFP being disabled by this file infector?
Does someone have some answers, or some protection?
According to the Analysis page here (http://www.microsoft.com/security/portal/Entry.aspx?Name=Virus%3AWin32%2FVirut.BM) the virus infects the in-memory version of WINLOGON and the System File Protection DLL, thereby bypassing SFC.
I don’t think it’s fair to blame Microsoft, as it’s impossible (AFAIK) to protect against System-level privileges, which is how this virus is spread to begin with. It’s actually a rather intelligent virus, from the looks of it. Considerably more advanced than Conficker in its attack mechanism, anyway.
polonus
Hi malware fighters,
Some more info on the new virut infector. I pass it as I have found it:
OK, I use WinPatrol.com on all of the systems I service, and its continuing prompt to allow C:\Windows\Services.exe was the tip-off that the system was still infested. There was also an executable in C:\Documents and Settings\(Username) which could not be deleted, numerous TMP files in both the Windows and System32 folders, an ACROBAT.BAT file in \Windows, and reports of NDIS.SYS + WDMAAUD.SYS being infected.
As of today, it looks as if running a complete scan with an updated TrendMicro Trial version, WinsockFix (to correct the HOSTS file), and deleting this registry entry:
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ delete this entry:
AuthorizedApplications\List ??%System%\winlogon.exe = “??%System%\winlogon.exe:*:enabled:@shell32.dll,-1”
just may do most of the job.
Bear in mind that we should still have an issue with System File Protection being turned off, numerous permissions issues, uncleaned .SYS files, AND whatever effects the secondary infestations cause. Isn’t it clever of them to have generated a random link to their server so different systems get different malware?
polonus