Ok, really missing something here.... Anyone have any advice...

Hi all,

Last week I ended up with what AVAST reports as the Vitro virus/worm. I have been spending a lot of time to find a good procedure to clean a system from this thing. I was able to do it and posted the steps I took to do so.

I have since set up and dedicated a machine to fighting this stuff… basically joining the ranks of those who are fighting back against these a-holes who create and release this stuff. I am a NEWBIE when it comes to viruses, trojans, worms, in terms of how they work and so forth… but I learn fast so please bear with me if I ask a seemingly simple question.

Since doing so (building a dedicated isolated machine), I am now wondering if indeed it was the Vitro that infected my system. I have also figured out that somewhere I still have this thing on one of my drives. The system I fixed is still ok but I have been plugging the drives I had disconnected from that machine in to this isolated machine and scanning them one by one. NONE have shown any infected files during scanning.

However, suddenly now this test machine is infected with something. 95% of the files reported, AVAST reports as Win32:Vitro. The other 5% are reported as other viruses… Win32:JunkPoly [Cryp] and Win32:Swizzor [trj]. ** I have attached the log file from AVAST to this message.

First indication was suddenly I could not use RegSvr32.exe when I tried to register an OCX file I created in VB6. And from there things went downhill fast. The OCX is not infected… I wrote it just to play with on this isolated system.

I also left one other drive attached to this machine and tried something… after I tried and could not use RegSvr32.exe, I copied a clean copy from another machine onto this external drive via an empty memory card. Then from that drive I tried to use RegSvr32.exe. It worked. Once. After that first time, AVAST suddenly reported it as an infected file and sure enough, it will now not execute again even though I placed it on a different drive for purposes of this test…

I ran a manual scan using AVAST. As you can see by the log, over 300+ files are suddenly being reported as viruses or infected. That is just in the Windows dir and the test drive I set up externally as well. After reading further here in the threads, I decided to try using the HiJackThis tool and a couple of Rootkit tools recommended. I downloaded them, however NONE will execute. Both rootkit tools and the HiJackThis tool all error out when I try to execute them… basically the same thing that happens with a myriad of other programs I try to run now like regsvr32.exe and others. Errors displayed range from “you do not have permission…” to “such and such a program has stopped working…” and others.

After thinking on this a bit, I find it hard to believe that all these files are infected… I think a more logical and more common sense answer is that something ALL these files access or have in common is actually either the worm or virus itself or is the infected version of a driver, file or some other item in Windows… and anything accessing it, including AVAST is being reported as infected. Perhaps it is just one file infected, not 300+.

Is this feasible?

Now I am at a loss on how to get rid of something like this or track it down without formatting away again. Especially since I am still struggling with how exactly this thing is even doing its damage in the first place… I cannot kill what I cannot see or find and if it is something on one of the extra drives, how do I find this thing if the drives are all being reported clean by whatever method I use to scan it with?

I am all ears…

EDIT: Forgot one thing… I also started seeing these systray popups from AVAST that say it blocked connection attempts from such and such a location… I assume this is related to this situation and thus whatever is doing this is trying to also communicate with some other location…

Malakie

Hi Malakie,

Can’t you grasp that when something infects that fast it has already infected all the executables you wanna scan or fight it with. This b^gger infects whenever, whatever, out of SafeMode and from hidden drive files and also from html files it has found and injected and left behind on the machine. Read what one of the best of the female malware fighters writes about this: http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
So I think what could be a solution is work from a Windows OS on a Linux dvd and toggle in and out between these platforms, if this could be legally done. This latest variant also may search for htm, html, asp and php files on the drives and modifies them by inserting an iframe that points to a malicious website.
Here you have the technical details of this malcreation: http://securitylabs.websense.com/content/Blogs/3300.aspx
Many aspects of the Virut virus have changed, making newer variants much more effective. The fact that it infects running processes makes it very virulent. If you move a file that matches the requirements in the infected code onto an infected machine, it is instantly infected. The virus also uses the SFC functions to make sure Windows won’t pop up an error message if a Windows file is infected. The fact that it infects Web pages makes it even more virulent, as Webmasters could and probably do upload infected htm/asp/php pages, leading to various exploits that target their visitors.

So Malakie, I ask you again: do you know what you are up against? And do you have some idea of the reasons why such a talented developer and coder would invest so much know-how into such a dirty low-life piece of malware that only seems out to destroy every Windows machine it finds on its path, or rather what the payload of it finds on its path, a payload which is extremely virulent and destructive, and almost impossible to repair fully?

polonus

Hmmm, no need to get upset… maybe I should have been more clear… Now that I set up a separate machine that is isolated and to be used specifically for this, I am now learning with first hand doing. In other words, I am reading everything I can but the BEST teacher is not found in books rather in hands on doing.

So, I purposely infected this machine for the sole purpose of learning. I did not go into safe mode because I am trying to learn HOW and WHERE this thing does its work. The first thing I have to learn is how to find the ‘ground zero’ file. The file or opening that allows this thing in. If it is a file being downloaded, I need to find that one SPECIFIC file. If it is a script, a command… whatever… I need to find the FIRST and ONE thing that starts this whole process. By learning how to track and find the ‘ground zero’, I can learn much both in how it functions AND in how to defeat something like this. It does not have to just be this virus I was hit with… this could have been any virus. But since this is the one I got, it is a great starting point for me to learn how it works.

As I said in the first message, I apologize if some of my questions appear simple or uninformed… I am new at this but I learn fast… and the only way to learn is by asking and by doing! So far I am now an expert in infecting this machine! :slight_smile: It will take a lot more for me to become an expert in how to track it, in how it works… etc etc.

For example, I have already figured out how to locate the point where it is attempting to make an outside connection to and from my machine. By learning about that, I am now able to, if nothing else, block any access to and from that location.

I understand fully as my other thread indicates… Safe mode has to be used to clean this thing. However, I am unable to watch or learn what this thing is doing while it is inactive which it is under safe mode.

In my first message of this thread I am not trying to outright fix it, I am trying to learn and that is the reason for the questions I asked… i.e., am I understanding what is happening correctly… is it actually infecting all those files OR is it infecting ONE file that is common to all those files because they utilize the Windows API etc etc? Or is it just that fast that when I place a new exe on the drive, it is immediately infected period… ie HiJackThis.exe etc…

I will also read from the links you sent me… any information I can learn from is welcome…

again though to reiterate… I am trying to learn… If I am going to fight with others I need to learn first. My goal is not to create tools to block or fix these viruses… my goal is to eventually learn the ‘signature’ and method of these viruses so I can pursue these people in real life using the resources I have available to me. It is time for us to take the fight to them instead of always being on the defensive. I intend to go offensive and to do that, I need to learn this stuff with your help and everyone else’s help.

That means sometimes I will ask questions that seem stupid or make no sense… Why, because I don’t know the answer or I misunderstand something I know nothing about.

You asked me “do you know what you are up against?”. The answer is yes I do and THAT means I have MUCH to learn. You are correct this is a low life piece of malware. To you and others it is important to learn enough to recognize it, block it and perhaps somehow even find a way to kill it. For me though, it is important because through the design is how I will learn WHO did it and WHERE they are. Perhaps not this specific virus, or the next. But over time all criminals leave a trail… many have a signature including when writing computer code… The style they use, the methods, even how they release it and what channels they use to put it out there. All of this information can slowly be put together until finally enough exists for someone like me to home in on the person or persons responsible.

So to you some of my questions may seem a bit out there or redundant. It is because I am looking for a different thing than you that I will ask. Where you look for the virus, I intend to look for the actual person who created it. For me to do that, I MUST learn everything I can about viruses and how they work, how they function, etc etc etc… Since before this I have never really paid attention to viruses, I am totally new to this world so I have to start at the very beginning. I can only do that by asking questions now as I start this process.

If you could still answer those few questions I asked in that first post of this thread it would be appreciated… If you are still confused by what I am trying to accomplish, please ask and I will try to better explain.

Malakie

Hi Malakie,

For the time being, our model is suitable only for listing all API calls and for logging the return values of API functions. If you want to add parameter logging or validation, it can easily be done - the API function arguments are just below the original return address on the CPU stack. However, you must provide our “spying team” with the argument lists of the target API functions - unfortunately, there is no way to obtain this information from the PE file. The solution to this problem lies with the enhanced communication between the controller application and the spying DLL - the controller application can always get the description of arguments of the target API function from the user, and provide the DLL with this information at run time. Apparently, RelocatedFunction structure would require one more data member, i.e. a pointer to some array that contains the description of arguments, so that Prolog() would be able to examine the arguments. We leave it for you to decide how to do it.

Warning: In case your target executable module dynamically links to the C run-time library, don’t try to hook the functions that are imported from MSVCRT.dll. Instead, you should hook the API calls that the C run-time library makes, i.e. overwrite the Import Address Table of MSVCRT.dll’s module.

Therefore, we are able to hook all API calls that are made by the target executable module, i.e. outgoing calls. What about the opposite task, i.e. hooking all incoming calls to some particular DLL module (say, kernel32.dll), made by all modules that are loaded into the address space of the target process, including system DLLs?

Get a tool like APISpy and there you may learn a lot of what goes on there.
Read this on the most powerful methods of seeing what goes on:
http://www.internals.com/articles/apispy/apispy.htm
http://www.codeproject.com/KB/system/api_spying_hack.aspx
Download the tool here: http://dl.winsite.com/bin/downl?500000030316 for older OS,
http://www.locohacker.net/jump.cgi?ID=62 Win XP and higher…

polonus

Great will do that. I appreciate the help…

BTW, I just read the article you sent me from Security Labs. That answered a lot of questions… and brought on more! :slight_smile:

If I understand what is happening with the Vitro virus, would simply blocking access to the URL it connects to be enough to stop it from being able to infect a machine or additional files? The way I understood the article, the virus actually downloads the needed files from an IRC server when it goes to infect something. Therefore it stands to reason that if a hard IP block to that location is done then a machine cannot be infected… Is this correct or am I going down the wrong path in terms of how this thing actually works?

As for cleaning a machine, I now fully understand what it is doing and why it is not possible by easier means. I found it funny that supposedly the virus and its ability to damage files is due to a bug in the virus code itself. My first thought was, “are they sure it is a bug?”. If it makes the virus more deadly due to that bug, perhaps it is not the bug that some seem to think it is. Perhaps what they think is a bug in the virus code is actually by design for the very reason others think it is a bug. (damn, I am confusing myself now! LOL)

My first goal however is to still find some way of live tracking this thing as it operates unchecked. I want to be able to see where/how it started on a clean machine.

Something else I was not aware of until your previous message and reading that article was in regard to infecting web pages and other files. THAT was part of what I was missing and why I was not understanding some of what this thing was doing. I was under the impression it only infected .exe files. Now I know better and it answers some major questions.

Is there any idea when or if AVAST will be updated to support finding and working with other infected files? Or is there another tool that can be recommended that can find this type of virus in those other file types that works alongside AVAST?

Malakie

Hi Malakie,

But unintentionally the infection is also spread by webmasters that are unaware, and spread by illegal download sites where users go to look for non-legit keys for games etc. These infected users can reinstall their OS but are not gonna complain about the virus, because of what they were into, but there are also a lot of innocent victims infected by other malware vectors (USB, netshares, just visiting sites that were not being protected by an active script blocker, etc.).
Also my hunch was that the source lies somewhere around Atlanta, because of where the registry of the infecting sites was hosted - not in Poland as some would think.

polonus

HA! I was thinking the same thing about location as you were based on what I found… It will take more work for me to find out for sure but unless they are masking more than normal, it should be straight forward to verify their location. Once done, I can then go the next step for an actual physical address of the server.

As for the web page stuff… yep, that does make it harder. I still cannot figure out WHERE I am getting it from though. With this test machine, I am doing the exact same thing step by step now so that I can isolate exactly at what point I get infected on this test machine. Somewhere in my process is a file that is infected. The only websites I visit for this are the Windows Update site and the Firefox website and a couple of add-ons I use from that site. It has to be something there because I am clean installing to a clean one-drive machine and ONLY installing AVAST and then Firefox and Windows Update.

I find it hard to believe either of those sites would be a problem. The only other option is the Vista DVD but that is not really an option since I use it all the time and it is impossible for it to get infected after the fact. I have nothing else plugged into this machine. Not even a printer.

So somewhere, somehow this is getting into my system. I will figure it out I am sure. I am thinking though it HAS to be external to the machine and the only thing external is the monitor, mouse, keyboard and direct connection DSL modem to the internet. I do not have anything else installed or online with this machine I set up.

Malakie

EDIT: BTW, Is there anything that can catch the Vitro in html, asp etc etc? Some way to detect other files that are not .exe?

I found it!

Well actually I found where it was coming from at least. I completely locked down my system. Wrote some code to monitor real time file access and then started from step 1 and did everything in order that I was doing previously up to where the test machine would become infected.

I had noticed a few times that AVAST reported some type of outside connection attempt which it blocked. Although I knew it was related to this situation, I had no idea what caused the problem, or rather what file or access was causing it. Being a novice at viruses, I was not realizing that I could use that to actually help find out how I was being infected.

Anyhow, I formatted and installed a clean copy of Windows Vista. After booting, I first ran the code I wrote to monitor real time file access. I also blocked ALL incoming and outgoing network connections and only opened them as needed, closing them after they finished being used… i.e. Windows updates etc… I followed the exact same steps I had always done before after that. I installed AVAST, next installed Windows Updates and patches, rebooted.

After reboot, I installed Firefox, Daemon tools, ATI drivers, Creative drivers and Alchemy for my xFi card. After completing all that, I rebooted again.

Next, I went to install the tools and add-ons I use in Firefox. Only about 10 or so including FireFTP, Forecast Fox, ColorTabs and a few others. Ones that I have used for at least a couple years without problems before. So imagine my surprise when suddenly, AVAST starts warning me about connection attempts to the .pl URL!!

It appears one of the add-ons or the webpages for the add-ons is infected and THIS is where I have been getting hit from! The problem is I do not know if it is from the main Firefox site and the pages containing the add-ons or if it is from one of the pages that opens usually after installing an add-on. I will do some further testing to isolate more but for now, at least I have an idea of what is going on.

To test this out, I uninstalled Firefox completely. I then scanned the system and it came back still clean. I then opened both incoming and outgoing connections to normal traffic. I installed Firefox and ran it. So far no problems. I then started moving through the web pages installing the add-ons I use. Suddenly my little real-time file access tool started churning out hits and AVAST started showing those URL connection hits to the .pl address. And sure enough, within short order, I again started getting Win32:Vitro hits through AVAST.

Now here is the confusing part for me… Instead of letting AVAST delete everything or even attempt to do anything, I pulled the power plug hot. I booted up into safe mode and deleted and uninstalled Firefox completely again. I ran a scan and all came back clean then.

So I rebooted normally and ran another scan. It too came back clean now! In other words, ALL those hits I started getting for infected files were GONE without me doing anything except a hot power off and safe mode uninstall of Firefox and its plugins I had installed.

I then ran my file monitoring tool and again installed Firefox. This time I have not installed any add-ins at this point. For the last two hours now, I have been using the machine, websurfing, installing and uninstalling software and my tool is showing normal file access and not a single beep from AVAST has appeared nor has it shown any alerts for internet URL connection access.

Q: Do we know for sure that Vitro is actually infecting the files or was this just a fluke? Usually one has to actually execute a .exe file for the system to even process anything having to do with it. If the file is never accessed then how would it get infected? The only way a virus could even know about the file is if it were hard coded, if the virus could read the directory structure of the drive or of course if the file were executed.

Yet MOST of the .exe files that are being reported as infected, I know for a fact were NEVER executed or even looked at. First, my real time code shows that clearly. The files were never logged during this. Second, some of the .exe files are files that are pretty obvious if they are run… Calc.exe, notepad.exe, and others. Had those been executed, it would have been obvious yet they were not and still the system reported them infected… until AFTER I cut power, rebooted, and checked again after safe mode uninstall of Firefox and its addins. In other words, after pulling the plug and simply rebooting, all those hits went away and those files again showed clean.

Something here is not making sense to me. I was taught in my training in the U.S. Navy one very important acronym… B.I.T.E. ALWAYS TRUST BITE! So you ask, what is BITE? It stands for - Built In Test Equipment. In this sense, AVAST and my real time monitoring code is my BITE test equipment. If I trust both of those, then something is causing them to report false positives which leads to users deleting and corrupting numerous system files and so forth.

If I do not trust BITE, then this virus/worm is indeed infecting but doing so in a way that makes us think it is doing more damage than it initially is. A trojan horse. While we look one direction, it is actually going another direction. And by us following that one direction, we in essence unknowingly cause the actual spread throughout the machine as we click on and actually execute files.

You see that is where I was so confused. Not only was I not understanding where it was coming from (with your help was able to learn and figure that out) but I was not able to understand how within 30 seconds or so, HUNDREDS of files were suddenly being corrupted! THAT was what was throwing me for a loop.

Based on what you have told me, what I have read and what I have been experiencing, I think it is NOT infecting all those files that quickly, rather it is not infecting all of them initially. By attaching itself to the system processes, you start getting memory hits right and left yet the actual hard copy may not yet be infected until you somehow actually access the file, whether via the virus scanner or manual execution. When I pulled power hot, it cleared memory. By uninstalling in safe mode, scanning and removing anything it found, which in this last test was nothing, I was able to boot again and not get infected because 1) I figured out WHERE I was getting infected from and 2) because in reality the hard copies of all those files being reported were not really infected yet. The copy in memory was.

I may be totally wrong especially in that I am just starting to learn about viruses. Looking at this from a common sense approach along with what I have done and seen, leads me to this point. For now I will keep playing around. I now want to find an actual hard infected file so I can dissect it. That may lead to more information although, I am not at all an assembly level programmer which I have been told is what a lot of viruses are written in. If they are in VB or C++ then we are in business but if they are in assembly, forget it! :slight_smile:

So oh great teacher, am I on the right track, way out in left field or somewhere in between? :slight_smile:

BTW, I agree with you… Atlanta. I have a ‘friend’ from my last career that is also very well versed in this stuff. He is doing some tests of his own now for me. I am looking forward to seeing what he comes up with.

I also wanted to mention that I really do want to learn this stuff because it is getting serious now. I do not know if you have seen the news in the U.S. today, but it is now being reported that our entire electrical grid and infrastructure has been compromised by just this kind of thing. Hopefully those like me who are still in government service and the military have been able to defeat whatever was introduced by the hackers. Still, things are changing and although I am far from an expert in this field right now, people like me with the real world experience who can switch over and get involved in the cyber world experience are definitely needed from what I can see. We just need some help in learning about this area when it comes to viruses, worms, trojans etc…

And who knows maybe something those other people who are like me do or perhaps some of the dumb questions we ask just might trigger a thought in someone else that can lead to defeating a virus that has been tough to kill. Perhaps something we do that is unorthodox or not the ‘norm’ in the civilian cyberspace can actually help those companies and people like you come up with better and better tools and software for the rest of us to use. I have learned that sometimes it takes not only another set of ‘eyes’ to look at something but also a completely different ‘view’ by someone who looks at the same thing from a different perspective.

Malakie

In my own research against this virus which I did after becoming infected from a USB drive and having to format, I found a blog post that might give some clues as to who wrote this virus (Virut = Vitro): http://www.teamfurry.com/wordpress/2007/09/04/so-who-is-behind-virut/

Maybe that will be of help to you Malakie? As you certainly seem to know what you’re doing, whereas I just don’t have the knowledge to actually fight this virus, all I can do is try and stop myself from being reinfected. I wish you much luck in your fight against Vitro, as the people who made it really do need bringing to justice.

Hi Malakie,

First we have to block the malicious Virut URL, malicious ads and banners: http://bytesandbadges.wordpress.com/2009/02/11/virut-personal-reflections/
http://myitforum.com/cs2/blogs/cmosby/archive/2009/03/10/crack-sites-distribute-virux-and-fakeav-trendlabs-malware-blog.aspx

Very important info here:
http://stevekarma.blogspot.com/2009/02/virutcf-part-5.html
and here:
http://www.raymond.cc/forum/spyware-viruses/10136-virut-new-strain-beware.html

We have to take the top nodes out or block these (the generic downloaders) to be effective:
re: http://forum.avast.com/index.php?topic=44128.0
and read here: http://www.msfn.org/board/index.php?showtopic=128757

So NoScript and ABP with specific block lists can be important protection, but somewhere the infection Vector = V_1, V_2 etc goes under the radar via the royal protected Windows system way so it is not even alerted and protected by Windows protection and also uses the Protection to get past the Windows Fw.
You should SafeHex these infection vector(s). Use Salamander, a brilliant Czech-made analyzer: http://www.altap.cz/

Re: http://www.bleepingcomputer.com/forums/lofiversion/index.php/t213533.html
Virut/Virux are contracted and spread by visiting remote, crack and keygen sites. These kind of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

QUOTE
…warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files…quick links in these sites also lead to malicious files. Ads and banners are also infection vectors…

Interesting is the infecting vector search like this: hxxp://www.google.com/search?hl=en&q=www.zief.pl%2Frc
Some interesting observations if true: http://forum.avast.com/index.php?topic=42709.msg369288#msg369288

And finally speculation: It’s speculated that this virus was not created for money but instead for notoriety since many systems infected with it become so unstable they are useless.

It’s also believed to have started from a torrent site or sites.

polonus

Nice thanks! I will take a look at this right away and see what I can use.

Malakie

Wow! Thanks for all the links!

The one thing I see is that many are getting infected by using or going to sites that host cracks, keygens and such for pirated software. I mention this because I am not one to visit those sites nor would I need to for any reason. IF I am getting this from an outside location, then figuring out where that is 100% is going to be next to impossible. I am thinking I got my infection from some website but I have no idea now where or what site it could have been. Since I have cleaned and so forth many times, I am at a loss on where I get infected from since as I posted I am following very deliberate steps now to try and figure out where it is coming from.

We really need a detector of some kind that can detect this virus in ALL file types that it infects. If there is one, what is it? AVAST does a good job with the .exe files and detecting them. I personally hope it is being updated to support more. In the mean time, having something that, at minimum, detects any file type that is infected would at least allow us to hard delete any infected file whether .exe, html, or whatever.

As I wrote earlier, I did another run at this on the test machine. Everything went fine until I installed and downloaded some add-ons for Firefox. It was then that I started seeing alerts for attempted connections to the .pl site and shortly after the machine started acting up and so forth. This last time it even knocked out the Windows Genuine Validation so that Windows started telling me it was not a valid copy itself! LOL I am now doing another install and this time will install only Firefox and run it for a while. Then I intend on logging every step, website, file I run, etc from that point to see if I can find the exact moment/cause.

One question for clarification: Scanning with AVAST… can it, or can it not cause the virus to activate? In other words, I hook one of my other HDs to another machine for the purpose of scanning it. IF that virus has infected a file on that other HD, by scanning that HD with AVAST, can that action cause the virus to activate in an infected file? I had intended on starting to scan other drives that used to be hooked to this first machine but I have held off now because the last thing I need is to infect my entire network and other systems.

As I have continued to mess with this I have also noticed a pattern. Something we look for in law enforcement. If I let an infection spread on this machine for a while, a pattern emerges. The pattern is seen in WHAT files are infected and the order they start being infected in. I had noticed this before when I first got involved in all this but I never thought anything of it, being that I am a novice in the virus world. But the patterns I am watching now are the same I had noticed originally.

Every single infection is infecting the same files every time and in the same order. Common sense can tell us that it is simply due to the order in which they have been accessed while Windows is running. However there is a problem with that theory.

What I cannot understand is how files are being infected THAT ARE NOT EXECUTED at all yet are being reported as such by AVAST. Some of those files include: calc.exe, notepad.exe, regsvr32.exe, iscsicpl.exe, iscsicli.exe, hh.exe just to name a few. How are these files being infected on a fresh clean install, especially when none of those files have even been executed once by me or anything else?

AVAST is first reporting them in the memory scan as infected then if you scan the same file on the drive, it comes back infected on its hard copy also. I cannot figure out how these files are even getting infected let alone in memory when I have not run them even once. What am I not understanding here? As a programmer, this is not possible unless you actually execute the file - at least I am not aware of that ability if it is possible. BTW, I am NOT scanning via AVAST so it is not causing this. I get the memory hits when I open AVAST and then manually check a file using the right click context menu. But I am not doing any drive scanning from AVAST.

What is it here that I am not seeing or understanding? How can AVAST report a file in memory as corrupt when that file has not even been executed once yet? i.e. use Calc.exe or Notepad.exe as an example for this question.

Malakie
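One defender-side way to get the file-type-agnostic detection asked for above, and to read off the "which files, in which order" pattern, is a baseline-and-compare integrity check. This is an added example, not code from this thread or from Avast; it hashes every file under a root whatever its extension, records the digests, and later reports what changed ordered by modification time. The directory and file contents are constructed in a temp folder for the demo.

```python
# Added example (not from the thread or from Avast): hash every file under a
# root regardless of extension, then report what changed, ordered by mtime.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, baseline: dict) -> dict:
    """Return modified (oldest change first), added and missing paths."""
    current = build_baseline(root)
    modified = [r for r in baseline if r in current and current[r] != baseline[r]]
    modified.sort(key=lambda r: os.path.getmtime(root / r))  # infection order
    return {"modified": modified,
            "added": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}


def demo() -> dict:
    """Constructed sample: a baseline, then one file altered and one dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("calc.exe", "notepad.exe", "page.html"):
            (root / name).write_bytes(b"original content of " + name.encode())
        baseline = build_baseline(root)
        # Emulate an appending infector: the extension is irrelevant to the check.
        with open(root / "notepad.exe", "ab") as f:
            f.write(b"\x90\x90APPENDED")
        (root / "dropped.exe").write_bytes(b"new file")
        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a known-clean boot medium, store it off the suspect machine, and re-run compare after each session; a scan that merely reads files never changes their digests, so any entry under "modified" is a real on-disk change.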

Hi Malakie,

To keep track as what goes on inside Fx, get Mozilla CacheView: http://www.nirsoft.net/utils/mozilla_cache_viewer.html

The thing you did not fully understand is that malware can only infect when ACTIVATED by a user or a script or process that is being executed, and here apparently the executables in the Windows start-up routine give it the royal way in. One needs executables at start-up, else the system won’t start, so you are in between a rock and a hard stone there, because the malware was developed so it is handled by the OS as System, and System has full rights, else an AV scanner etc. would not work. So these should be altered in such a way that the malware does not have these rights any longer; encryption won’t do, but some files are restricted archive files etc. The magic word for me still is SafeMode, no activation, but still it is not away and is there slumbering to be aroused and attack again. There must be a simple routine in the HTML infector that makes the system let it ride on its back; also the registry, in the case of the Windows fw, should be hardened against this, so upon infection the registry should be cleansed or restored.
The API hooks on the DLLs are another question, and the hidden driver infections as well.
You should know that by doing this you are playing a kind of chess against the malcreants, and they also learn greatly from what the opponent is trying to bring in against them, but the ostrich approach never brought any good.

polonus

Interesting… I agree that safe mode is the method to use when cleaning. Let me ask something. If a scanner like AVAST detects a virus active in memory while running in safe mode, how is that possible if the virus is supposed to be dormant? When opening AVAST while running Windows in safe mode, I still get hits during the memory scan before it opens. Are we sure this variant is dormant during safe mode?

Malakie

Hi Malakie,

Because the infector is already inside the scanner executable before the OS is set to SafeMode, that is why rather better results were found working from a DrWeb CD or DrWebCureIt downloaded clean and fired from a US firewalled or autorun-protected USB stick or pen drive!
It is active in boot memory = lie dormant, but the question here is where is the bar-steward that causes the infection, the general dropper so to say, and why it cannot be halted on any Windows OS? You could also experiment with a change of extension ending, changing exe to bat or com, etc. Somewhere it must be something so specific to Windows that beating the virus equals ruining the functionality of Windows. Just as a Linux worm cannot do anything on a Windows platform, this virus can do nothing against Linux. So one conclusion is that it is a Windows-specific file infector, re: http://forum.avast.com/index.php?topic=44035.msg369522#msg369522

polonus

That makes sense. I had not wanted to go the approach of using an external USB or pen drive due to some other nasties out there that affect autorun. But perhaps I need to create one anyhow that can be used in this case.

And you ask exactly the question I have been asking… Where is the ‘ground-zero’ file… the mother of this residing. It has to be somewhere but finding it so far has been the problem. We know some have found it, else they would not have been able to dissect it. Perhaps contacting them might shed light on this. BUT it is also possible they simply named the file something common and so we are looking right at it without even knowing. Perhaps some rarely used exe file that, when you come across it, a simple copy over to your machine is made, overwriting that file of the same name. Since nothing monitors every single file in real time, this could be why it is so hard to find.

Malakie