Is avast! able to detect a dangerous polymorphic virus named Win32.Polipos?

"The spread of such virus undoubtedly caused the anxiety of users of P2Ps and it is strange enough that though the presence in networks of Win32.Polipos is not a secret for anybody for a whole month, Dr.Web Anti-virus has long remained the only anti-virus to detect it."

http://info.drweb.com/show/2815/en

Thanks

Hello TAP,

Well you know by now that you can scan your machine with avast installed with the downloadable scanner from DrWeb: get it here:
http://download.drweb.com/drweb+cureit/ Just like online scanning, you can do that once in a while. I have downloaded DrWebCureIt on my mem stick, and have it always with me.
I also use the DrWeb free services inside my browser, e.g. DrWeb online to upload files, and the free hyperlink pre-scanner plug-in from DrWeb. Nice additions to avast, never experienced any conflict. DrWebCureIt can remove this virus you mentioned.

polonus

Well, the detection of the Polipos virus was added with the latest VPS - 0617-1 :wink:
But does avast! detect all the files infected with the Polipos virus? Because I've read somewhere that some AVs have trouble detecting all the infected files (they detect only a few of the infected ones).

MELT! I have this horrible horrible virus, system restore has been disabled (which was advised by Symantec online) but I don't have their Norton to clean it? ??? Confused! Any ideas anyone? I'm going to try Dr Web or whatever you call it.
Any help appreciated, Niall.

DjNj

Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.

You can try Dr.Web CureIt either :slight_smile:

Tried the boot-time scan & it was throwing up every single program I have with this virus and it won't repair either - actually come to think of it, it will NEVER repair? ??? I turned avast off while I was offline because the laptop has only 256 MB RAM and I wanted to turn off all the unused applications / processes … typical…

DjNj

I’m afraid avast! isn’t able to repair the infected files at the moment (it’s not clear whether it’s at all possible to reliably fix all the infected files) - so the boot-time scan probably won’t help much here. :frowning:
The best thing to do is to replace the infected files with their originals from backups (or installation CDs).

HAHA, are you actually serious? So when avast updates, it just blocks you from getting the virus, doesn't help to remove it?! DrWeb seems to be able to sort me out here anyway… hopefully it's gone! Thanks for the help

DjNj

Yes, I am serious - at least right now. Maybe it will improve in the next days, maybe not.
Even DrWeb cannot clean all the files, btw.

Yeah, I just registered here to talk about the very virus. Completely infected every program file I have on my computer. The only reason why I have access right now to the internet, where Avast! would normally bring up the scanner, is that I disabled the Standard Shield to get access to all my applications again. This is the only thing I know how to fix this. I'm not reinstalling Windows to fix this problem, nor am I going to reinstall every application I have/had.
The only way I'm seeing this problem fixed with this virus is to wait for Avast! to have the capabilities to clean the files without deleting them; otherwise, disable the Standard Shield so you still have access to your applications. Just be very careful, especially in any of your Messengers if you send files to other people: make sure that you scan the file as you're sending it to the person, to ensure that the worm will not attach to the file, and if it does, cancel the upload immediately.
Curious isn't it? I come here for help and I end up giving help/advice on the problem I'm having. :slight_smile:

Hi Dichromaru,

Well apparently you see the dangers here of P2P-ring. This virus demonstrates this very effectively, very difficult to recover from an infection. For a description look here: http://www.bitdefender.com/VIRUS-1000066-en--Win32.Polipos.A.html
As for the moment blocking the virus to infect is the best option. Protection is always a better option than cure.
Well Polipos is certainly beyond just G1/G2 networks (Gnutella 1 and 2) as I already found it on ED2K/KAD (eMule). This shift was probably caused by hybrid clients like Shareaza that connect on both ED2K and G1/G2, or by users that use Gnutella and eDonkey2000 clients with the same shared folder. These infections make people shy away from these virus-ridden services.
For general P2P dangers see: http://www.computerweekly.com/Articles/2001/09/20/182572/ThedangersofP2Pnetworks.htm
Still very current info.

polonus

What strikes me as odd to how I got this virus, is the fact that I haven’t been on any form of P2P program in a long time. This virus has to have an “incubation” period on it or something. Then again, whenever I’m playing World of Warcraft, I have my P2P shield turned down/off because if it’s on full, it causes a bit of lag, which might be where I finally contracted it from, not from the WoW servers, but simply from something that managed to get into my computer without me even actually knowing it while beating away at some random monster on there… Is this virus/worm only known to be spread from P2P programs?
Now what I'm curious of, and it will have to wait until I get home today, is whether this virus infects all your hard drives. I hope it doesn't, and if it doesn't I'm pretty much home free here. I'll just have to copy down all the file names and file locations, delete them, then copy them from my secondary hard drive. But perhaps any of you that have any information on this virus can say whether it does, or doesn't, infect any other hard drives that you have on your computer.
Having said that, though, wouldn't it be the best safety to delete all those programs on my main hard drive, granted my other one hasn't been infected yet, swap the secondary with the first so that it's the boot drive, and transfer the files that way? In theory, wouldn't that prevent the worm/virus from spreading into my secondary hard drive?

And thanks for the links, but I do know the dangers of P2P very well: not only is there a chance that you can get caught for stealing copyrighted material because you didn't actually purchase the software/music/etc., but there are other problems as well. avast! itself is configured to scan all my downloads as soon as they're complete, in my P2P programs. Every download I do, I monitor myself. And generally, I'm using the Gnutella networks (Bearshare) because the others are not to my liking. Every download at 99%, I don't let it verify right away. It pauses and I scan it, then if it passes the scan, I let it verify, then I scan it again. Generally the first scan will pick up the more basic viruses/worms, so the files can be eliminated before they actually have a chance to affect my computer. The second scan always picks up the more advanced viruses/worms.
P2P isn't safe by any means. There are people out there that just sit at home and download common files, and by that, I'm sure you are aware of what sort of "files" I'm referring to :wink: , though most of the time it's popular software. They then code their viruses/worms into those files and redistribute them themselves; therefore, those people who sit at home with their firewalls and virus scanners turned off so that they can download the files get the virus/worm, and if the virus/worm itself is capable of "adaptation", a lot of people can be screwed over within a couple of hours, for lack of better words.

Piracy is wrong, yes, but most of the world doesn't care. And eventually, you know, the producers of software themselves will actually be making their own viruses that come with your programs. Sounds weird, and I'm sure that many reading this will simply pass up the thought, but bear with me for a moment.
A virus that doesn't harm your computer, per se. You buy the software, and you install the program. Your scanners won't pick it up because it's not activated. 90% of the people that install software don't bother and blindly click the "I agree" button on the user agreement. A software company would have to put the information about the virus into the user agreement, but hardly anyone will know about it save for a few people that work outside of that company. But, getting back to this "virus": it would only affect the program itself. If it detects any P2P activity, it will instantly deactivate your registration key, rendering your copy useless, therefore disabling the want to spread the software around.
The "virus" itself will tell their website, when you get your first downloaded patch, that that registration key has been used. Then, if someone does figure out, "Hey this only activates if I share it over a P2P network, so I'll just burn a copy of it for my friends and family," it won't work: as soon as they try to register the software, which by the time this sort of thing is developed will be done online, it will not work. When someone tries to do this, your copy of the "virus" will activate, and just like described in the previous situation, will deactivate your registration key, rendering your copy, once again, useless.

And yes, once again, thanks for the first link, I’ll be reading up on it shortly, as soon as I click the “Post” button. :slight_smile:

Hi Dichromaru,

It is clearly a Gnutella worm, and the polymorphic qualities, the overall changing character, and the high-quality obfuscating API-hooking techniques make it very difficult to find and clean out. The malware artists that created this piece of mishap sure knew how to make it "state of the art". I would make backups of all your files that are found to be clean. Do a double scan, one with the DrWebCureIt free tool and one sweep with the online Bitdefender scanner, in this fashion: close down all programs, run the scans mentioned, make a note of all the files that are cleansed and the files that could not be cleansed as well for later reference, restart in Safe Mode, edit any registry entries that were mentioned in the recovery instructions for this particular malware, leave Safe Mode and scan again with avast. Clean is clean. I hope so for ye.
Else there is always the option of save what you can and make a new re-install of the OS, but that should be a last resort thing, and is always sad to perform. Look to see what you can do in the “normal” worm-cleansing procedure first. Also download dotomyco from here: http://www.niksoft.at/php/dl.php?f=dotomyco-sfx.exe (mind you have vb40032.dll there for it to run)
Curious to see the result file delivered by dotomyco. It is beta, good to test it on this monster.

Another known way to disinfect is to rename all the infested files and extensions and note down in Notepad all of the original names and extensions to the dot. Be careful to do this absolutely free of mistakes. This is a good procedure to perform in any disinfection routine, a trick of the "old doggies". Then disinfect or restore to clean files, rename them back as originally meant, and that is "hopla" for you. In combination with the above it gives you another old-fashioned way to beat the virus or worm.

polonus
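The two pieces of advice in this thread, replacing infected executables with their originals from backups and keeping an exact note of every file's name before touching it, can be combined into a hash baseline. The Python below is an added example, not code from the thread or from avast!/Dr.Web; it assumes a clean copy of the program tree exists (a backup or installation media), and the set of executable extensions it checks is an assumption.

```python
"""Hash baseline for deciding which executables must be restored from clean
backups (added example for this thread; not avast! or Dr.Web code)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions a file infector like Polipos rewrites; the list is an assumption.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".ocx"}


def sha256_of(path: Path) -> str:
    """Hash in 1 MiB chunks so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> size and SHA-256 for every executable under root."""
    files = [p for p in sorted(root.rglob("*"))
             if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES]
    return {str(p.relative_to(root)): {"size": p.stat().st_size,
                                       "sha256": sha256_of(p)} for p in files}


def compare(baseline: dict, current: dict) -> dict:
    """Sort files into: modified (restore from the clean copy), missing (e.g.
    moved to the chest), new (no clean copy exists) and unchanged."""
    report = {"modified": [], "missing": [], "new": [], "unchanged": []}
    for name, info in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name]["sha256"] != info["sha256"]:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Constructed sample: a clean tree, its baseline, then one altered file."""
    root = Path(tempfile.mkdtemp())
    (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "help.dll").write_bytes(b"MZ" + b"\x01" * 64)
    (root / "readme.txt").write_bytes(b"not an executable")
    baseline = json.loads(json.dumps(build_manifest(root)))  # round-trip as on disk
    (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"X" * 500)  # simulated infection
    (root / "help.dll").unlink()
    (root / "new.scr").write_bytes(b"MZ")
    return compare(baseline, build_manifest(root))
```

Save the baseline manifest (json.dumps of build_manifest) on a separate clean medium, since a manifest kept on the infected drive is only as trustworthy as the programs that write it.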

But if I do this, I would have to use Notepad, which is also infected with the worm, therefore when I save the file, that file itself has a piece of the worm in it as I understand, and cleansing the files would be pointless thereafter. If just one program were to access that document, the worm will re-spread itself all over my computer, leaving me once again in a state of incapacitation. So, to put it short to a certain degree, I have to use a real notepad and pencil for that process.
I will be, however, working with this worm throughout the weekend, and if I discover anything of use, I will be sure to post it up here so that we can get past this thing with more ease. Post as many ideas as you can think up, short of re-installing the OS or beating my computer with a hammer; and I’ll be sure to give it a try; I’ve enough experience with computers to know how to fix problems, including the ones that I cause myself. :slight_smile:

Hi everyone!

Just found some good news on the German IT-news site heise.de:

http://www.heise.de/newsticker/meldung/72459

The text is written in German. If you don't speak German try a translator! :wink: The text basically says that there was an AV test concerning the Polip.A virus. According to the article Avast! was one of the few scanners which were able to find all test samples of the Polip.A virus. BTW: It was one of the fastest scanners, too. :slight_smile:

Hi Dichromaru,

The running processes that are infected upon infection are:
csrss
ctfmon
drwatson
drwtsn32
dumprep
dwwin
kernel32.dll
savedump
smss
spoolsv
temp

Every time an executable or scr file is opened, the malware code is injected there.

polonus

I believe it’s processes that are not infected (avoided) :wink:

This virus really spreads like wildfire. When I did the boot-up scan avast filled up the chest storage area way before I was virus-free. So I have two questions,

it would be nice to be able to adjust the chest size while you did a boot-up scan… since neither repair nor move worked I was “forced” to delete a lot of files. In my case the files were not that important, but they COULD have been :wink:

And all the files in chest, will a later upgrade of the virus library make avast able to repair these files?

100% repair for all files is impossible.

bitdefender is able to repair many of them… at least it reports so :slight_smile: