hello everybody! My name is Eddie, first post on this forum (I am an advanced pc user)

sunday my pc started to try to connect to irc.zief.pl . . . yep! VVVVVVVVIRUS… nothing more
bastard than one that even if I replace my driver with a clean ghost image…it still persist.

I have 3 drives and some pendrives… which is the virus and WHERE THE HELL it is??

is the VIRUT??? I am trying to clean wit an AVG specific remover…nothing happend…

so… please, help me… it’s 3 days Im trying to delete it…

thanks!

Eddie

Hi emcivile,

Yep, seems like you anticipated, a virut.h infection: http://vil.nai.com/vil/content/v_143034.htm
also consider the removal instructions there, but first try to download DrWebCureIt from here and do a full scan: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

When your machine is cleansed do a free online scan here http://secunia.com/vulnerability_scanning/online/?task=start (enable JS on that page to start the scan to see what third party software on your machine needs either updates or patches)…

polonus

ok.

also when I boot pc it downloads some TMP like VRTx.TMP where X stands for X.

is possible that this virus can affect other drives and pendrives?

Just the thing that seems to be working in this case and if that was the infection vector:-
use flash drive disinfector.
it’s a small program. download it from here:

http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

then run it after preferably turning off your antivirus product’s real-time protection. your screen will go blank for a moment which is normal. when it say ‘Done!’ your problem is solved. it may create a folder called autorun.inf on your pen drive which you shouldn’t delete as it will cause the virus to reappear,

also give us a hjt logfile.txt as an attachment to your next post to analyze the system processes:
download here: http://download.bleepingcomputer.com/hijackthis/HiJackThis.zip or
http://download.bleepingcomputer.com/hijackthis/HiJackThis.exe

I assume you know after placing it on the desktop how to work it (see below):

HijackThis is general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you’re doing, you should always consult with knowledgable folks (e.g. the forums) before deleting anything.

Usage Instructions:

Note: You should only use HijackThis if you have advanced computer knowledge or if you are under the direction of someone who does. Improper usage of this program can cause problems with how your computer operates.

To use HijackThis, download the file and extract it to a directory on your hard drive called c:\HijackThis. Then navigate to that directory and double-click on the hijackthis.exe file. When the program is started click on the Scan button and then the Save Log button to create a log of your information.

polonus

Same problem here.

Avast still blocking “irc.zief.pl”

Dr Web didnt found anything, all my html files that Im saving got iframe script at bottom with zief.pl link.

Secunia scan crashes my firefox nad IE when Im starting scan process.

I cant run AtiTool, Pajaczek (html editor) and other applications.

Polonus can you give me your gg number? Or message me 6252247 .

The only way to get rid of it is disconnect from the internet, reformat, and reinstall from scratch because Win32:Virut is a dangerous file infector with some additional features. It tries to connect to an IRC network under the name “Virtu” and zombifies your PC.

Cześć sqallpl,

The virus will infect executable files on Windows systems.

Upon execution, the virus uses the CreateEvent function to create an event name “VT_3” so that only one instance of the virus runs on the infected computer.

The virus hooks some of the following system functions, so that it can infect files when they are accessed or executed:

NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx

Then the virus attempts to infect all accessed .exe or .scr files by appending itself to the executable file.

The virus avoids infecting files that contains the following strings:

PSTO
WC32
WCUN
WINC

Then the virus opens a back door by joining the channel #virtu on the IRC server proxim.ircgalaxy.pl through TCP port 65520 allowing a remote attacker to download and execute files onto the infected computer. Cleansing the computer can be done temporarily disabling system restore:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.aspx

If the computer has been severly compromised a total recall can be the only option left, but try to disinfect first,

pozdrawiam,

polonus

yo maaaaaaaan… that crap causes lots of damage!!

Now I am moving everithing to an external disk and then I’ll format every single disk present on my pc…

right?

is possible that the virus can copy itself in a USB pendrive?

Hi emicivile,

Ir is a propagation manner, so use this: http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/ and leave the file it makes there as a protection against re-infection,

Manual disinfection info I have dug up here, this may be your rescue:
http://www.threatexpert.com/report.aspx?md5=8dc6979d57e456fcd19b7a6d75a463f4

File System Modifications

* The following file was created in the system:

Filename(s) File Size File MD5

1 [file and pathname of the sample #1] 32,768 bytes 0x8DC6979D57E456FCD19B7A6D75A463F4

* The following files were modified:
      o %ProgramFiles%\Internet Explorer\IEXPLORE.EXE
      o %System%\ctfmon.exe
      o %System%\drivers\etc\hosts

* Notes:
      o %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
      o %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 45,056 bytes

Registry Modifications

* The following Registry Keys were created:
      o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{540D8A8B-1C3F-4E32-8132-530F6A502090}\Implemented Categories
      o HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{540D8A8B-1C3F-4E32-8132-530F6A502090}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
      o HKEY_CURRENT_USER\Keyboard Layout\Toggle
      o HKEY_CURRENT_USER\Software\Microsoft\CTF\Assemblies
      o HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar
      o HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr
      o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP
      o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}
      o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile
      o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409
      o HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}
      o HKEY_CURRENT_USER\Software\Microsoft\SAPI Layer
      o HKEY_CURRENT_USER\Software\Microsoft\Speech

* The newly created Registry Values are:
      o [HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB}]
            + Enable = 0x00000000
      o [HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr]
            + ProfileInitialized = 0x00000001
      o [HKEY_CURRENT_USER\Software\Microsoft\CTF\LangBar]
            + ExtraIconsOnMinimized = 0x00000001
            + ShowStatus = 0x00000004
      o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
            + ctfmon.exe = "%System%\ctfmon.exe"


Other details

* To mark the presence in the system, the following Mutex object was created:
      o oleacc-msaa-loaded

* The HOSTS file was updated with the following URL-to-IP mappings:

127.0.0.1 ZieF.pl

* The following Host Name was requested from a host database:
      o irc.zief.pl

* There was application-defined hook procedure installed into the hook chain (e.g. to monitor keystrokes). The installed hook is handled by the following module:
      o %System%\MSCTF.dll

It modifies the registry at the following location to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"TargetHost"

The above registry entry contains IP address and port number information. The virus may then use this information to open a back door on the compromised computer.

If the value in the above registry entry is not available, the virus may open a back door on TCP port 80 using the IRC server ircd.zief.pl.

Additional on Virut.U
The virus uses (Eight Random characters) on the above channel.

The back door allows a remote attacker to download files on to the infected computer and execute them.

This virus first appeared on September 06, 2007.

A rather nasty beast of crap, isn’t it,

Ciao,

polonus

thank you!

now it’s done… so I can plug the pendrive everywhere now without any risks?

Hi emcivile,

That is right, but cleanse that crap from your machine, all the entries as I gave them,

polonus

oh man… probably something is right now… but I found some of these keys…

o [HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409{09EA4E4B-46CE-4469-B450-0DE76A435BBB}]
+ Enable = 0x00000000
o [HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr]
+ ProfileInitialized = 0x00000001

now I deleted the one I found and tomorrow I’ll format everything in my pc…

yeah, TIRAMISU’ for everybody!!!

wrong…wrong… I deleted manually every single voice…

what a job!

I also deleted MSCTF.dll and similar.

Now it seems to be free from that damns virus!!

regkeys were deleted… I seen also that in the same position on reboot I have newer values and newer keys different from the last.

it’s ok?

emcivile, you are after format?

I tried a lot of software, also deleted a lot of register entries, and scan didnt found VIRUT, but now Im scanning all hard drives by Kaspersky Rescue CD, somebody told me that this stuff repraied his system, I will see and reply here.

BTW. Can I just delete all registry and install windows using repray option? I know that I will not have many of important non windows applications entries, but I can handle it, I can reinstall. I dont want to format, because I have many folders, photos, music, movies etc and I dont want to move all stuff to other disks.

Don’t worry. Just backup all your personal data before reformatting.

I have another question. What will hapen if I will have some infected exe’s ond HD, but I will not run them?

I have another question. What will hapen if I will have some infected exe's ond HD, but I will not run them?

I’d suggest that after formatting, re-scan all of your disks for viruses to make sure that the exe’s that you have aren’t infected. After that, I’d guess that you were good to go…

I think formatting is a MUST in this case. I think that this virus can replicate in exe files stored in your pc, in installers too. so I deleted everithing an I sore only photos and music. no HTML or other things. too dangerous. fortunately I have a strong backup system based on a 750 GB NAS. consider something similar after this experience.

I’ll format tomorrow every single disk.

I have noticed also that AVAST can’t find infected EXEs.

last night I finished a deep scan with avast and no viruses were found BUT: when I deleted registry key and I plug the LAN to the router for an internet connection AVAST found a VIRx.TMP file (where stands for a number from 1 to 4). becouse of this I imagine that there are some other exe infected files that runs normally in windows but are not found by AVAST…

please, someone to confirm this.

Best regards!

NOTE!!
NOW I AM DOING ANOTHER DEEP ANTIVIRUS SCAN ON THE PC INFECTED. I DELETED ALL REGISTRY KEYS AND NOW ALL HTML FILES ARE INFECTED BY HTML:Iframe-inf VIRUS!!!

NOW I AM SCANNING ONLY C:. I HOPE THAT NOTHING WILL BE INFECTED ON OTHER PARTITION.

BECOUSE OF THIS I AM “CONDAMNED” TO DELETE ALL HTM, HTML AND EXE FILES FROM MY DRIVES TO AVOID INFECTED FILES ON THE BACKUP.

THAT’S A PITY…

scythe944
the problem is that AVAST is not ABLE to find the virus. AVAST find only infected htm and html files.
Avast is not able to report infected EXEs too.

question:
today I was on a XP of a friend. I executed REGEDIT to view if he has the same reg keys. he has all of them but no irc…pl connection and no TMP files downoladed… is he infected. I explain: the reg keys up shown are normally in non infected XP copies or added ONLY a consequence of this DAMN virus???

update!!!
I found W32\VIRTU on my drive. It ifecdet a component of MIONET used to open my NAS. disinfected.

is this the end?

Hi sqallpl & emciville,

Do the manual cleansing first, delete the malware system files, the registry entries, cleanse your hosts file (it has been altered too) etc. etc. Maybe you have to make a back-up of all your important data,
you must have to work from SafeMode and/or temporaily have to disable system restore, then I think you could have a task at re-installing your system, because you can never tell as too what extent it has been compromised,

In short the normal cleansing for this malware:
When the virus executes, it creates the following event so that only one instance of the threat runs on the compromised computer:
Vx_4

W32.Virut.U is a virus that infects .exe and .scr files on the compromised computer.
Next, the virus checks the value for the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"TargetHost"

The above registry entry contains IP address and port number information.
The virus may then use this information to open a back door on the compromised computer.

If the value in the above registry entry is not available,
the virus may open a back door on TCP port 80 using the following IRC server:
ircd.zief.plThe above registry entry contains IP address and port number information. The virus may then use this information to open a back door on the compromised computer.

It uses the following name on the above channel:
[EIGHT RANDOM CHARACTERS]

The back door allows a remote attacker to download files on to the compromised computer and execute them.

Damage
Damage Level: Medium
Payload: Opens a back door on the compromised computer.
Modifies Files: Infects .exe and .scr files.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan.If the antivirus product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode.

After the computer is cleansed you should change all your passwords for your normal log-in accounts…
and for the future use only user rights for your normal activities when online, and full admin rights only for downloading updates, enabling programs, or makingchanges to your configuration

polonus