Suggestions for those fighting Vitro worm...

Hi all,

First my story of what happened, then how I beat the thing which perhaps will help someone else who gets this B*&^H on their machine. For the first time in my life I was hit with a virus/worm/trojan etc etc. I am one that runs three firewalls (1 hardware, 2 software), a couple spyware and adaware tools, and a couple anti-virus/anti-rootkit tools. And even so, somehow I still ended up with something called the Win32:Vitro worm. I had temporarily turned off all firewalls and anti-virus tools because I was in the middle of debugging some code that I needed a basic clean and unhindered connection to the internet for. This was solely for the purpose of doing this test and I figured there was no way anything would or could happen in the short time I expected to be debugging this code. I have no idea how this worm works… I am not a virus person nor do I purport to have any know-how on how they function or infect… never really cared as long as I did not have to deal with them I guess. That has sure changed.

I read a post here in this forum from someone that stated the Vitro worm cannot be gotten on systems running Vista. THIS IS NOT TRUE because all I run is Vista!

In fact, it hit so hard and so fast within minutes of infection I had a totally non-functioning machine. My first indication something was wrong was when I could not access any hardware information about ANY of my hard drives on my machine via a tool I use called Hard Disk Sentinel. HDS monitors real time hard drive temps, SMART data and more and I had gone to check transfer information and speeds for a test hard drive during debugging of some code. And this was the same for ALL drives I monitored this way. I thought it was a program error at first… Very shortly after discovering this however I got the second and even bigger idea that something was very wrong… My machine popped up a message stating it was going to reboot in 60 seconds. Ok… my machine is going to reboot… HEY! Wait a sec… WTF? I did not tell it that! Oh CRAP! (well I used a different word but due to sensitive ears…) Anyhow, nothing I did was able to abort that reboot. The machine shutdown COMPLETELY. OK that’s fine I thought, it is probably a good idea anyway in this situation. So I hit the power button and nothing but a BEEP BEEP BEEP came from my machine. To say I was shocked… well that is an understatement.

After getting over the “WTF” moment I experienced, I decided to think like a troubleshooter… just as taught in my military training. I immediately unplugged the system and ALL other machines from my network. I tried again to power up and still only got the beeps. Then thinking about the fact that machines do not really lose all power when you turn them off, I reasoned that if memory was somehow retaining something then the only way to truly kill it was to really remove all power from the main board. So I did. After really pulling the plug, I waited a couple minutes then plugged the power back in but left this machine isolated completely from anything else. Hitting the power button this time, the machine came online.

I was able to get rebooted. Immediately I knew something was wrong when startup apps, especially the CCC app from ATI, simply crashed upon load. No matter what I did, whether uninstall and reinstall, manual removal and edit of the registry… nothing worked to fix it.

I started googling for symptomatic information. I came across some posts about the Vitro worm and that only AVAST could find it although it could not kill it. I immediately downloaded the AVAST tool and installed it… and BOOM, hits all over the place for something called Win32:Vitro! It seemed almost every .exe file was infected! This included AVAST’s own .exe files even though I had just installed them!

I tried to clean things up not thinking anything of it… After hours and hours of chasing my tail trying to fix this, I finally decided this one was just going to have to die the hard way… a full format and wipe then clean install of Windows. HA! I would beat this thing and screw the idiots that made it.

Well… that did not work… all 5 times I tried! LOL

Every time I tried, it came right back within 30 minutes of me finishing a clean install. And it infected HUNDREDS of files within minutes each time… This bugger is fast to react and do its thing. I finally conceded something was really wrong here. And I have never known of any worm or virus this deadly to have actually been released yet into the wild. Well suffice it to say, finding some posts and threads here on AVAST, I quickly learned the errors of my ways… and that I was basically in a lot of trouble… for this machine contains 5.2 terabytes of information, MUCH of it critical code and/or other files. About half of that is actual data that is installed applications, i.e. VS2008.net and other tools. The remaining half, of course, is the important stuff… and since my primary backups are secondary hard drives IN THE SAME MACHINE, well you can imagine my … thoughts then!

I have changed my ways of course… I will now be adding more backup capability to my systems…perhaps blu-ray.

I reasoned that this thing was using the Windows API directly and was somehow attaching to/attacking any file being executed or processed via Windows. I reasoned that this thing was either directly monitoring process lists or possibly HD activity somehow - or maybe both in light of the first symptom I had with my hard drives. Whatever it uses for its madness really did not matter to me. I just wanted it dead.

So I shut down completely and pulled the power plug and let it sit a good 5 minutes to be safe. I also ensured that I had NO other devices or items attached that contained memory… i.e., printers, memory cards, smart media, cameras, phones etc. Anything that could retain power to memory. I then removed ALL hard drive connections to the machine internally and externally as well as their power. ONLY the primary boot drive was left intact.

From here I booted again and did a full format and clean install of vista. Once that completed and I got into a fresh clean booted up Windows Vista, I installed AVAST, plugged in a single line direct connect network cable for my DSL and updated the AVAST engine and virus detection files. When that completed, I again unplugged that network cable and powered down the machine.

I then waited a couple minutes again after pulling the power plug. Once I started again, I booted but this time I booted into safe mode… NO networking, NO extras, no nothing… basic safe mode and that is it.

Once booted, I ran AVAST and of course it started reporting memory hits. Once that completed I then ran a FULL hard drive scan and deleted EVERY SINGLE FILE it reported as Vitro. This INCLUDED its own files again in fact! It was amazing how fast that thing had spread the last time I was in a full running Windows.

Once it completed, I ran it again. This time it found two more hits. I ran it a third time. NO hits, and a fourth and fifth showed clean. I powered OFF hard… in other words I yanked the power cord right out of the wall. NO shutdown.

I then used a dos disk and deleted the partition, fdisk’d the drive and formatted using a FULL format, not a quick format. I then rebooted into the Vista DVD and proceeded to start a new install again. When it got to the partition and format menu, I deleted the partition yet again and again formatted via the Vista DVD.

I then let it run and completed a full install once again.

I am writing this post on the machine that took me 28 hours to fix (much of the time taken by scans). I am 98% sure I killed it finally but I will wait a few more days before I feel confident enough to say 100%. I have learned if I have missed even one copy of this thing, I will be right back to square one. Once I booted into this cleaned machine, the first things I did were to install AVAST, HD Sentinel, SpyBot SD, and a few other tools. I also re-engaged my hardware firewall and both my software firewalls. This time I ALSO kept the Vista UAC pain in the butt feature activated instead of turning it off. I am leaving it on for now as a last defense measure.

Once I did all that, I took an external USB case and plugged each of the hard drives I pulled out into this and in turn scanned each one using this machine, one by one. One drive contained two infected files. I cleaned them and rescanned 3 times. (this really sucks when drives contain a terabyte of data, believe me) The other drives all scanned clean. I reinstalled all back into this machine but have locked all those drives so that they cannot propagate anything between themselves nor can anything propagate to them without manual intervention…

As of this moment I am only having one issue, however I am not sure what it is caused by, so now I have a question for all of you, being that I am not a virus expert nor have I had any experience with them. As I mentioned, I have installed AVAST. I am running full drive scans every few hours now and so far ALL have been clean.

BUT I keep seeing these little popups in the system tray from AVAST that says it has blocked incoming internet access to such and such URL?!? Exactly what does this mean? Am I still dealing with some kind of infection here? or is AVAST simply blocking a random attempt to reach my machine even though I have firewalls and more in place??

Second, what is the best way to tell if a hit from AVAST is valid or not? For example, on one machine I get a hit for soundschemes.exe and soundschemes2.exe in memory. Is this a valid hit or a false positive? How do I tell the difference?

Thanks for any help and I hope my experience is able to help someone else.

Malakie
(Todd)

Hi Malakie,

That was a close shave, wasn’t it? And you said it lasted for 28 hours; would a full back-up and a re-install have cost you more time? And with the incoming network shares? Do you know what to block with a hosts file? Do not forget that in the small time that Vitro went on there like bushfire, your OS was being severely compromised, and it tried to infect every file it went through and was successful at some, half successful at others, and partly successful with just another bunch of exes and src files. The author of this malware must have been an advanced programmer and knew quite a bit about the Windows platform to have come up with such a devastating file infector; it sure was no script-kiddie. Wherever it lurks somewhere, just like in Total Recall it will come to resurrect.

Please do not copy any HTML files from any back-up cause it contains the code to re-infest the virus onto your system!

Did you change all your accounts for passwords etc.? Did you block all the possible network shares from this Vitro, did you protect from the autorun infection vector, did you thoroughly cleanse your temporary files? Protect your OS with all the updates and your third party software too (use Secunia PSI to do so), use a browser where you can block all third party script like Fx with NoScript, and avoid risky Internet activities like P2P, IRC, looking for illegit key-gens, etc. That is the royal way to get re-infected.
I still think the surest way to go is this cure: F F R ! meaning fdisk, format and re-install!

polonus

You have some good suggestions I did not think of doing. However, I DID full formats and clean re-installs… in fact 5 times or more.

After writing that post, I have again come across something on this system… and now I am truly starting to wonder what the heck is going on here. I cannot think of anything else I can do to defeat this thing outside of throwing away the hard drive. The system is now isolated; only one boot hard drive and after a CLEAN format and install, this thing, or something that AVAST is reporting to be it, is corrupting my files and Windows.

I have noticed one thing though… it does NOT happen until AFTER I use Windows update and bring everything current. It is then that everything starts falling apart…

I am really at a loss now on what the heck could be causing this…

Hi Malakie,

You should not bring in the Windows update download through that particular machine; the updater exe may be one of the Vitro infected if it connects to shares somehow - bingo, re-infection. So have the updates from a non-infested machine and put them on a secured USB stick (with usb firewall on it and Flash Disinfector run). What can be done also to defeat it is to work from Windows on a linux distro and toggle in between platforms to cleanse. If just a faint remainder or executable or online vector of this file infector is contacted, the re-infection starts all over again, you see? There are some rare damaging viruses where we malware fighters have to throw in the towel. I know this sounds awfully frustrating, but it is reality for the time being; best not to get infested and find protection,

polonus

I had to chuckle about the throwing in the towel comment! :slight_smile: Here is the irony of all this… I spent part of my life serving in the U.S. Military where I got much of my computer knowledge to start. For me it (computers and code) was always ‘easy’ to understand. Over the last 25 years I have learned and self taught myself much much more. From the days of my first Commodore 64, I have continued to have the love for computers and how they work and think. And even though my career path choices were completely outside the industry, they were somehow always part of even that. After military service I spent many years in federal and then civilian Law Enforcement and the one thing on the street I learned quickly is that I will NEVER give up… I will NEVER throw in the towel and although it may take time, everyone can be found and everyone gets caught someday! :slight_smile:

I was recently retired from all duty due to injuries in the line of duty. For the last few months I have been trying to figure out what I was going to do with the rest of my life. At 46 years old, it is not an easy thing to start over when you find yourself unable to continue in your chosen profession. Going from a military and law enforcement background to working in some corporation? Nope, just not going to happen.

In these past few days, I HAVE figured out what my new obsession is. I am joining the fight full time against these SOB’s that create this stuff. I am going to take all the knowledge and training I have been given and I am going to throw the full weight of that against these people. AND I am going to use every contact and law enforcement connection I have to pursue any and all leads I can find no matter what country they lead to. I know there will be many that I will not be able to get to directly because of location or the way they are organized… but for every ten of these pros I am unable to reach there will be one that I can reach… and that one will feel the full brunt of my capability. If I do not know how to do something, I will now learn. If I am unable to figure something out, I will not stop until I do. I may not be able to stop all of these people… but the ones I DO stop WILL make others think twice and eventually wonder if they will be next.

I am sure some of those people who create this stuff are reading these threads and perhaps even this post. To them I say: be warned, you might sit behind your keyboard laughing at what I am saying, but in reality I have just placed my first ‘worm’ in your reality… that one little spark of fear… that one little ‘what if he can do this… and does do this? Is he serious or just talking?’. Now they will need to wonder and question… what if?

Who knows, perhaps I will get nowhere and accomplish absolutely nothing in this endeavor. There is more of a chance of that happening this moment than anything else. But what if? I have nothing to lose in trying. Perhaps they send me more viruses and I lose files or computers… so what? And of course were they to be foolish and come visit in person because I got too close… boy would they have a big surprise. I have all the time in the world now and all the resources I need.

Because of my retirement, I am lucky in that I will have the means to do this financially not to mention the time. Perhaps this is or was meant to be so that I would find the path I am to take for the second half of my life. I have been well trained and my computer knowledge, although novice when it comes to viruses, is not so when it comes to much else in this area. What I do not know about this specific area of computers, I will now learn. What I am not knowledgeable in regarding the underworld of hackers, virus writers and such, I will become so.

In short, these people just created a new monster. ME. They now have a very determined and well trained enemy arrayed against them. One that has seen combat in the field as well as in the street… and one that is well trained in the field of electronics and computers as well. I will not be able to bring them all down nor catch everyone that does something like this. However I WILL make a dent and if I selectively choose my battles, perhaps, just perhaps, I can put the fear back into their lives just as they have done to all the innocent people infected by their creations.

Some people who read this might laugh a bit or think I am just angry for the moment. In actuality I am no longer angry. And believe me, if you knew me you would realize I mean what I say. My girlfriend happened to look over my shoulder reading as I typed this… and she has now simply said to me, “I understand and will support whatever you choose to do. Perhaps this is what you are meant to do next.” I do not make statements I cannot and do not back up. I now know what I am going to do for my next ‘career’. I have spent many months trying to figure that out. And now I know. In some small way, perhaps I can do some good still as I have done all these years in both my military and law enforcement careers.

I look at it this way. There are many many companies creating anti-virus software, anti-spyware tools and so forth. There are many people who study these viruses and worms and try to warn the public. There are very few that actually take the fight BACK to the people who write these dangerous viruses and worms. I am now one of them… and the difference? I intend to take the fight back to them not only via cyberspace but in real space as well. I have the means and the capability to locate and track down suspects. Law enforcement only goes after someone once a really big crime has been committed. They just do not have the resources to go after all the ‘small’ operations. That is where I will be focused. I will select one and dedicate my search on only that one until either I find them or come to a dead end that I am unable to get past. I intend to use their own tools and their own strategies against them.

No one can hide completely unless they go entirely off the grid. If you are on the grid for any reason no matter how protected you think you are, you can be tracked. One way or the other, anyone I am able to find and catch will be prosecuted if at all possible. And if not, perhaps some way will be found to, at the very least, destroy the equipment and any files and archives they would use to create these bits of code. That might not stop them but it sure as hell would slow them down and send one big message to the entire world… they are no longer invulnerable.

Many people might not look at these damaging programs in a serious light. If you take a moment however and step back and look at the reality of this, if viruses and worms were not really something to take seriously, why would and why does every nation on this planet have dedicated parts of their military actively working on both offensive and defensive tools in this very fight? What happens someday when someone finally releases a worm that is truly deadly? One that gets into a hospital’s systems, or the energy grid during winter? How many people will have to die before anyone takes this seriously? I say instead of waiting for that day, now it is time to take the fight back to them. And because of this one situation, I intend to do just that. Call me crazy? Call me nuts? Fine by me. Someone needs to finally step up and at least try. I will.

I think I will create a website and will post my progress and experiences in this endeavor there. I will say again, I realize what I have chosen to do is not going to be easy and for every one I do find, there will be 100 more out there I do not. Sometimes though, it is not catching one that does the most damage, rather it is the path and publicity taken and used that does the most damage. Think of it like psychological warfare. If I succeed in even bringing down one of these idiots, the rest will have no choice but to pause for a moment…and from that point on I will now always be a little thought in their minds… that little nagging worry for ever more.

Anyhow, back to the worm I am fighting now, I AM going to beat this thing if it takes me the rest of this week to do it. To be honest, I think after I posted last I have done just that. I had to adjust the method of my madness. I repeated much of what I originally posted except this time I took a small 60gig hard drive and placed it in the machine to create a temporary boot HD. I went through the entire process again but before doing so, I attached the original boot HD to the machine via a USB connection and I wiped and formatted it clean.

So far since using a different drive, I have seen no indication of infection. So that begs the question, how the hell was that worm able to re-infect that drive over and over even after a full format and re-install clean? And remember, there were NO other drives attached to the system and it is isolated from the network.

I am missing something. That worm has to be hiding somewhere for that to happen. Or… because this seems to occur shortly after using Windows Update, the problem is not on my end, rather it is downloading onto my system while updating somehow. I am now going to swap back to the original drive again and reinstall Windows and see what happens.

I will keep at it and I will post as I figure more and more out.

Hi Malakie,

Seems you have it in you to be a real malware fighter. Mind you that the maker of this so-called devastating file infector must be a hell of a virus author, a miscreant who has turned making this virus into an art, and who knows the limitations and the weaknesses of the Windows OS very well. Just one HTML file left behind on the infested machine and the re-infection will materialize. Don’t forget this buggy random file infector, that tries to infect, half-infect, or randomly not infect every file on the system, is successful with some file extensions and cripples loads of files beyond repair. It uses various infection vectors: network shares, silent drive-by downloads, peripherals, infested websites. The only thing we can say for sure is that the bushfire infection rate halts the moment that the system runs in SafeMode, so it creates a process that has the same trust on the system as system rights have, and system rights are SUPER rights. Another aspect is that Vista has some additional file protection schemes on top of the normal Windows File Protection, which this file infector abuses to the extent that in XP this protection is “broken”,

polonus

I agree with you. The good news is I beat it using the method I described above. The sad part is that I ended up doing what I did not want to do which was clean install an entire system. Should I get this again, next time I will simply use a second drive to boot and install clean, then add the original drive via USB connection and clean it that way. By doing it that way I was able to kill it the first time.

Basically the steps are:
  0. power down COMPLETELY. This means OFF. UNPLUG power from wall to insure no memory retention possible. (very important as I learned)
  1. remove infected drive from machine. UNPLUG ALL OTHER HD’s, MEMORY STICKS/MEDIA!! (VERY important!!)
  2. Boot and install windows on completely different HD.
  3. install virus scanner that CAN detect worm/virus i.e. AVAST.
  4. Plug in original drive via USB
  5. boot into safe mode, NO networking.
  6. Scan ORIGINAL drive first before doing anything else. Allow scanner to DELETE FULLY any infections period. Do not skip anything. If something is not backed up, too bad it is lost. You cannot allow even one file to remain no matter how important.
  7. Scan new boot drive.
  8. Power completely down again, pull power plug.
  9. boot again to new drive, repeat scan of both infected drive and new boot drive.
  10. if scan clean, backup any data on original drive you want to save.
  11. power down again, remove new boot drive, install original drive back into system
  12. Boot to Windows. If Windows install damaged due to files being deleted, use original Windows install DVD to repair or install clean copy.
  13. run scan again.
  14. if clean, add all other drives you disconnected ONE AT A TIME. Boot then scan them a couple times repeating as necessary. SCAN FIRST UPON BOOTING before doing anything else to insure you do not spread anything that might be on them. Do not execute any files or even open the drive. Boot up, scan that drive before anything else. Do EACH disconnected drive separately. Do not plug them all in and do this. You must do it one drive at a time.

After MUCH trial and error, I was able to beat this thing using that methodology. I found one drive had a couple files infected so after cleaning things, I allowed the system to let its boot drive once again become infected. It still amazed me at how FAST hundreds of files were infected within minutes. After letting it go again, I followed the exact procedure I outlined and killed it dead in one try. This machine is and has been free and clean for almost 48 hours now.

The fact this worm goes right past the UAC, DEP, all virus scanners, trojan/worm scanners, malware and adware scanners means it indeed has to have been written by someone up at the top of the food chain. Add to that there is NO way any virus software will be able to clean a system infected by this and I put it in the category of, if not the most deadly, then close to the most deadly worm/virus out there now.

I am taking one of my older machines now and building a dedicated ‘Virus Hunter’ machine. With this I am going to learn how to track these things within the OS and perhaps find a method of being able to monitor a foreign file and its movements live. ‘IF’ I can do that, it will go a long way toward coming up with some actual workable method of defeating them before they destroy a system once infected. Ironically, I have been working on some software for another purpose that can ‘live’ monitor hard drive access of files… in other words can tell you live what files are being accessed at any time on a machine. I got tired of watching my hard drives run and run and grind away for minutes and not being able to figure out what the hell they were doing… and so I started coding something that could tell me. I am thinking I can modify this code to work for tracking a specific file or routine this way. I might have to design this so that once an infection happens I can pull the memory address and then monitor everything it makes contact with… of course this is much more detailed in practice but I think you get the idea of what I am thinking here.

I have no idea if tools like this already exist so I am going on the premise that they do not and I have to create my own…which I am now starting on the road to doing.

Like I said, they have now created a new enemy… ME. And people that know me can tell you I do not ever quit or give up even if a task appears impossible. What I like the most is that after months of no real direction in my life… after not having any idea what I would now do, I again feel that drive and that purpose that one looks for. In essence I may not be on the street anymore arresting criminals and gang members… instead now I will be doing it via cyberspace - and although the venue has changed, the game has not! Only my tools have changed now but the fight in essence is the same. I have always written and even sold software I have written on the side. Now I will continue to do that and will take advantage of that to help in my new war against the miscreant virus writers. Plus I can now use some of the income from that stuff to help pay for costs associated with this endeavor! The fact that it entails a long time hobby of mine helps immensely!
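The procedure above boils down to two checks a practitioner makes on a drive that has been attached, offline, to a clean machine: (a) which executables have changed since a known-good baseline, so you do not have to trust an AV engine whose own binaries may have been rewritten, and (b) whether a changed executable looks like the work of an appending file infector. The block below is an added example written for this thread; it is not the poster's planned "Virus Hunter" tool, not AVAST's engine, and not a Vitro signature. Everything it scans is constructed: the extension list, the temporary directory tree, and two hand-built PE headers (a clean layout and one with a writable+executable tail section holding the entry point). Run it stand-alone and it prints the changed, added and flagged files.

```python
"""Offline triage for a suspected file infector: hash baseline plus a PE entry-point check.

Added example for this thread, not the poster's tool or any AV product's engine.
Assumptions (all constructed): the drive under test is attached read-only to a clean
machine as in the USB-enclosure steps; the extension set, the sample directory tree
and the two hand-built PE images are made up for the demo.
"""
import hashlib, os, struct, tempfile

EXEC_EXT = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"}   # assumed scan set
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000              # IMAGE_SCN_MEM_* flags


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every executable under root (hash before you run anything)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def diff_manifests(before, after):
    """Executables rewritten since the baseline, and executables that newly appeared."""
    changed = sorted(p for p in after if p in before and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    return changed, added


def entry_point_suspicious(data):
    """True when a PE entry point does not sit in an ordinary code section.

    Appending infectors grow or add a last section and repoint AddressOfEntryPoint
    into it; runtime packers do the same, so this is a triage signal, not a verdict.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return False
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 40)[0]       # AddressOfEntryPoint
    table = pe + 24 + opt_size                               # first section header
    for i in range(nsec):
        off = table + i * 40
        _name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]  # section Characteristics
        if va <= entry < va + max(vsize, 1):
            in_last = (i == nsec - 1) and nsec > 1
            writable_exec = bool(chars & SCN_WRITE) and bool(chars & SCN_EXECUTE)
            return in_last or writable_exec
    return True   # entry point maps to no section at all: malformed image


def fake_pe(entry_rva, sections):
    """Constructed minimal PE32 header image (no real code) for the demo."""
    pe, opt_size = 0x40, 0xE0
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", pe)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += bytes(opt_size - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0, 0, 0, 0, 0, ch)
                     for n, va, sz, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


CLEAN = fake_pe(0x1000, [(b".text", 0x1000, 0x1000, 0x60000020),
                         (b".data", 0x2000, 0x1000, 0xC0000040)])
INFECTED = fake_pe(0x3010, [(b".text", 0x1000, 0x1000, 0x60000020),
                            (b".data", 0x2000, 0x1000, 0xC0000040),
                            (b".vir", 0x3000, 0x0400, 0xE0000020)])  # W+X tail section


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Baseline a constructed 'clean' tree, simulate an infector pass, report the delta."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "Program Files", "app")
        os.makedirs(app)
        exe = os.path.join(app, "app.exe")
        _write(exe, CLEAN)
        _write(os.path.join(root, "readme.txt"), b"never hashed")
        baseline = build_manifest(root)            # in practice: store this off-box
        _write(exe, INFECTED)                      # existing binary rewritten
        _write(os.path.join(app, "drop.exe"), INFECTED)   # new binary dropped
        changed, added = diff_manifests(baseline, build_manifest(root))
        flagged = []
        for rel in changed + added:
            with open(os.path.join(root, rel), "rb") as f:
                if entry_point_suspicious(f.read()):
                    flagged.append(rel)
        return changed, added, flagged


if __name__ == "__main__":
    print(demo())
```

The baseline has to be taken on the freshly installed drive before it is ever connected to anything, and the manifest kept somewhere the infected system cannot write to; a manifest stored on the drive being scanned is worth nothing once that drive is back in the infected box. The entry-point heuristic will also fire on legitimately packed or self-extracting executables, so a hit means "inspect this one first", not "delete it".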

Well I think that there is a slightly easier and quicker alternative to:

The sad part is that I ended up doing what I did not want to do which was clean install an entire system. Should I get this again, next time I will simply use a second drive to boot and install clean, then add the original drive via USB connection and clean it that way. By doing it that way I was able to kill it the first time.

That is by having a recovery strategy in place before the dark brown stuff hits the fan. I will show what my back-up and recovery strategy script is. It will no doubt be teaching you to suck eggs, but is designed for those with less technical experience.

– SYSTEM BACK-UP & RECOVERY
If you fail to plan, then you plan to fail.
If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.

  1. back-up all the things that you don’t want to lose, data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. the list goes on and on but if you don’t want to lose it back it up. There are many back-up programs that can simplify this task and run it every day.

  2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (Drive Imaging software) that take exact images of your Partitions or Hard Disks and these images can be restored in minutes if you suffer a major catastrophe and that doesn’t have to be a virus attack.

I do a weekly image of my partitions and save them to my 2nd hard disk, they can also be saved to off-line storage, DVD, USB external hard disk, etc. as part of my weekly system maintenance.

So if the worst comes to the worst at most I lose:
A. 6 days worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. less than one days data files, emails, etc.
None of these is a problem and much quicker than a system reinstall and I don’t have to go on-line to download the myriad of security updates needed to secure my system where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention all my system tweaks and program settings are retained and I will have saved myself many hours of work and a huge amount of stress.

Many of these programs cost, there are some free ones, but it will take some research on your part to find these tools and decide on what is best for you from reviews, user feed back, etc. good luck.

If I ever experience a problem that is likely to take more than 30 minutes to resolve and I've had a few, none virus related, then I get straight to a restore of the last image back-up and I'm usually done in around 15-20 minutes.

****
This is obviously of little help in a support environment unless the user has a recovery strategy in place already, but it is something I would recommend to all. Having seen some of the problems people experience not to mention virus infection, they go through a world of pain getting their systems back up.

Hi Malakie,

It is all a rather theoretical discussion here. It all comes down to the fact that this latest of the virut family file infectors is designed to bring a Windows OS to its knees as fatally as can be and be as ruining as can be. Then the discussion can only be: do I have the right strategy to re-install and restore from back-ups, and is all I want to use for back-ups file infector free.
I think for the normal user an infection with this malware will take care that in the future a good back-up routine and protection regime will be upheld. They have learned their lesson well or even change platforms after the experience. Anything else is the proverbial “crying over spilled milk”, just adding to the agony…

polonus

Yes I agree with you completely. For most users this is or would be a great lesson about why backups are so necessary. The tough part is due to the size of drives today, it is not feasible to keep everything backed up in some cases. Additionally, many use RAID or similar setups as their backup engine… and they can and would be brought down by this thing.

It would be easy for me to just chalk this up to my first experience like this and continue on. Sometimes things happen for a reason and whether it was something I missed, something I changed or something I did, I got hit hard. HOWEVER I am one of those few that CAN do something about it and has the ability to join the fight against all these miscreants that create this garbage. They cost me some data and 4 or 5 days. I intend to cost them much more. If some of us do not seriously start fighting back, I can only imagine what the future will bring.

Raid was great when it first got introduced: speed, redundancy, etc. Unfortunately once one raid drive is infected they are all effectively stuffed (I know, getting technical).

@Malakie,

I admire your effort but you overdid it. You could have cleaned it with much less effort. I would like to share with you the only steps that are just enough to render it harmless. I posted it at the following link:
http://forum.avast.com/index.php?topic=42709.msg369177#msg369177

I need help! Can you confirm that Vitro also infects video files (AVI) and MP3? The files are just sitting on my hard disk and I won’t play them unless somebody can confirm they’re safe. I’m already tired of experimenting by purposely infecting my OS then reinstalling it again many times! Thanks

Hi,

I understand what you are saying and the logic behind it. However there is a big problem. First, the fact that there is no way to detect the virus 100% whether in .exe or web page files, i.e. html etc. The reason that is an issue is because in my situation, I have over 3.7 terabytes of data. At least 2.3 terabytes of that data are critical files.

With that much data, it is not feasible to maintain a constant backup as some suggest. What we do is some RAID and some mirror image drives in case of failure. We also back up some data to DVDs. And that is where the problem lies because being forced to maintain backups in this manner means that the virus can migrate to ANY of those locations except the DVDs that were burned previous to infection.

Somehow a method needs to be devised to find this virus in any infected file. I do not care if it can be ‘fixed’ or cleaned. BUT if I can determine exactly what files are infected somehow, THEN I can use your method to clean a system.

The problem I am dealing with now is that I have a number of drives that I cannot trust and am sure have most probably been infected. I have no way to scan and safely find the files that are infected. THIS is a major problem. With the amount of data we are talking about, there is just no feasible way for me to check each and every single individual file by hand for infection. It would take me years to do that.

So now after a lot of trial and error, I have found a method to clean a boot drive. From there though, what else can be done to clean other additional drives and be sure infection will not occur again? So far, nothing.

One question bouncing around in my head is why AVAST and other anti-virus programs are not able to detect this thing in all file types? If it could at least then we could have a way to manually clean systems and drives infected even if it means hard deletion of infected files.

Malakie

One question bouncing around in my head is why AVAST and other anti-virus programs are not able to detect this thing in all file types? If it could at least then we could have a way to manually clean systems and drives infected even if it means hard deletion of infected files.
The files that Vitro attacks are already identified so no need to scan them further with AVAST or other antivirus programs. There are only four types of files you are going to delete. Requirement: "Ultimate Boot CD"
  1. System files - All can be viewed if you uncheck “hide system files” in Tools, Folder Options, View. Delete them all and make sure you also delete the directories [recycler] and [system volume information] because Vitro can also reside there.

  2. Web page files - Delete all web page files such as HTM and HTML. Use search to easily find them all and just delete the results.

  3. EXE files below 100KB in size - I can assure you that EXE files above that size are safe. Use the advanced option in search and specify the size and locate them all! Make it < 111KB for extra assurance. Then delete the results.

  4. Auto run files - Such as Autorun.inf and desktop.ini files.

All these steps take a much, much shorter time than formatting alone. So simple, and there’s no reason to call it hard.

I would like to repeat that Vitro in the infected EXE file doesn’t start unless it’s executed! That’s the LAW in Computer Science and the myth that Vitro can overrule that LAW is mere Fantasy! That means you can safely view or copy infected backup files if you want (assuming you’re done with the steps above). If you know that law then you’re fine.

And in that lies the problem. A lot of my files ARE HTM, HTML, ASP etc due to source code and programming projects over the years… not to mention entire web sites. For someone to delete ALL of those would also mean deleting their years of work and so forth. That is not feasible at all, thus the reason something is needed to detect the individual infected files. Using me as an example, over the years I have coded many things for my career that use both standard VB or C++ code PLUS htm, html, asp etc etc. I keep my source and archives because I never know when I might need that same code again. Plus should I ever need to support something I wrote previously, well, kind of hard to do if you do not have the source code.

Add to this that now that I am moving into a new phase of my life and will be doing much more coding and work like that, not being able to see what might get infected could be disaster should it ever happen in a manner that I did not catch in time.

On a newer boot drive that really has nothing on it, I can see that what you are doing MIGHT work. However again, that depends on WHICH files are infected. If they are required for the OS to function, then regardless you will end up doing a reinstall.

So to be honest, I am not sure where your method is saving any time?! If I simply delete all system files as you suggest, I end up doing a full install anyhow. Am I missing something here?

Malakie

At least the infections in HTML are easy to remove. I assume you already know what the malicious link attached at the bottom of every html looks like. You can batch delete all those links in all files using the replace-all command in some editor. I think Visual Studio can do that but maybe you need to load the projects first. If I remember, it was just a link so disabling the internet connection won’t trigger it, as a safety measure.

Hi boybawang

This is also recommended in the course of the scanning routine:
http://www.majorgeeks.com/download4899.html
Symantec has come up with a removal tool and removal instructions:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-022016-4444-99
Then an SFC /scannow and a reinstall of SP3 to do most of the fix. You should have to do the regedit for the phantom network stuff.
Things that seem to reappear and reappear in the cleansing are:
c:\randomname.exe
i:\temp\startsvr.exe
i:\WINDOWS\retadpu.exe
i:\Program Files\MSN\ryfowy22011.exe
HK LM > software > microsoft > windows > current version > runs a dose of crap
Similar thing for HK CU

and in documents and settings > start menu > start up > 1.exe and 2.exe
The website html infection is an IFrame injection at the end of the page, see http://securitylabs.websense.com/content/Assets/BlogMedia/020609-htmlinfection1.jpg

From a cleansing report:
First, block the maximum IP and DNS used by Virut.
Then, clean the infected files in safe mode. If system files are infected, use DrWeb or other bootable cleaner.
Third, reboot directly in Safe mode and:

  • Delete all registry keys used by virut. (HiJack and Autorun can help… but don’t forget service and “ghost” lan or wlan adapter, also the winlogon firewall configuration, and WinsockFix (to correct the HOSTS file), and deleting this registry entry:
    In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ delete this entry:
    AuthorizedApplications\List ??%System%\winlogon.exe = “??%System%\winlogon.exe:*:enabled:@shell32.dll,-1”)
  • Clean ALL temporary files, in all user profiles, delete all the content of “temporary internet Files”
  • Clean the RECYCLER folder, on ALL partitions.
Four, on some machines Windows File Protection is corrupted or deactivated. So clean ALL cache folders: dllcache, servicepackfiles, i386 (if present and set as source path).
Five, check manually the windows and system32 folders (dll, xx.exe etc…).
Six, fix in depth every windows part manually or with your favorite tool/script.
Then do all the Microsoft updates (and/or SFC if you are sure that all “cache” folders are empty…).
That works for some; on some computers something was wrong but now it has been fixed. I think we located a new “dropper”.
Check on Virustotal: result = 0/39. I saw them when virut reinfected a monitored computer.
Uploaded file to AV editor and it came back to inform and eventually give more details.
With a minimum of organization at least 2 hours were being spent on cleansing one machine. But one can cleanse more computers simultaneously, totaling up to 25 a day…

polonus
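
For the HTML side of the infection that boybawang and polonus describe (the IFrame appended at the end of every page), here is an added Python example, not from this thread or from any of the tools named in it, that reports which .htm/.html/.asp files carry an iframe after the closing </html> and strips only that appended tail, leaving the page body and any legitimate embedded iframe alone. The sample documents and the injected.example.invalid host are constructed for the demo.

```python
import re
from pathlib import Path

# An <iframe>, either self-closed or with a closing tag; DOTALL lets it span lines.
IFRAME_RE = re.compile(r"<iframe\b[^>]*?/>|<iframe\b[^>]*>.*?</iframe>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
CLOSE_HTML = "</html>"

def find_injected_iframes(html: str) -> list:
    """Return iframe tags that appear AFTER the last </html>.
    A legitimate iframe inside <body> is not reported; an appended one is."""
    end = html.lower().rfind(CLOSE_HTML)
    if end == -1:
        return []  # no closing tag to anchor on: report nothing rather than guess
    tail = html[end + len(CLOSE_HTML):]
    return [m.group(0) for m in IFRAME_RE.finditer(tail)]

def iframe_sources(iframes) -> list:
    """The src= targets of the found tags, for a responder's report or block list."""
    return [m.group(1) for tag in iframes for m in [SRC_RE.search(tag)] if m]

def strip_injected_iframes(html: str) -> str:
    """Remove only the trailing, appended iframes; everything before </html> is untouched."""
    end = html.lower().rfind(CLOSE_HTML)
    if end == -1:
        return html
    cut = end + len(CLOSE_HTML)
    return html[:cut] + IFRAME_RE.sub("", html[cut:])

def scan_tree(root, exts=(".htm", ".html", ".asp")) -> dict:
    """Walk a directory and map each file with an appended iframe to the tags found."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            found = find_injected_iframes(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed samples (not real infected files): a clean page, the same page with a
# 1x1 iframe appended after </html>, and a page whose iframe is a legitimate embed.
CLEAN_DOC = "<html><body><p>Legit page</p></body></html>\n"
INJECTED_TAG = '<iframe src="http://injected.example.invalid/" width="1" height="1"></iframe>'
INFECTED_DOC = CLEAN_DOC + INJECTED_TAG + "\n"
LEGIT_EMBED_DOC = '<html><body><iframe src="http://embed.example/x"></iframe></body></html>\n'

if __name__ == "__main__":
    for name, doc in [("clean", CLEAN_DOC), ("infected", INFECTED_DOC), ("embed", LEGIT_EMBED_DOC)]:
        print(name, iframe_sources(find_injected_iframes(doc)))
```

Run scan_tree over a copy of the archive first and review the reported src hosts before writing the stripped output back, since the check only covers the appended-after-</html> pattern described in the thread.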

Great post/thread!

I was hit with the vitro two days ago. My experience was very much like yours, except I only had to format once (holding my breath as I type), and I don’t have anywhere near the amount of data you have. I have a 500GB Buffalo Linkstation Pro NAS drive with a Buffalo Terabyte USB attached to it for back up. Nothing there was affected. Buffalo rocks, imho. But as someone pointed out, drive imaging is important and time saving.

This is the first time a virus(s) took control of MY computer. I have earned a living fixing other people’s infected computers, and right now, I hope to do more of that. I have moderate to conservative surfing habits, practice 99.999% good computing…

I used to swear by Avast! Then, I started working for a guy who ridiculed my Avastness and handed me an expensive copy of Symantec AV. Long story short, and I guess y’all know this, but SAV didn’t see the files infected by win32.vitro. It kept finding and deleting something called backdoor.paproxy (how could I make this up?), virtumonde and a few others, but not the one that was attached to 633 files on my HD. As I got deeper into this mess, I started to realize that this was no simple virus. It was a side-winding snake.

There were processes that wouldn’t die, registry entries I couldn’t delete. Then I couldn’t open regedit. And on, and on. So, I installed Avast right on top of SAV because the Add/Remove Programs wouldn’t work. Rebooted and watched the hits of infected files.

It is too bad some of these people are never caught. It really is a crime. It cost me about a day to recover. I don’t believe I deserved it.

Thanks for the good info, and for letting me vent.

Malakie

7 years ago I would have leapt to your aid with everything I had, I would have traced/tracked/printed every byte of information I could find. Now things are different, but my tenacity is not.

If you need help or information please feel free to email me at any time, it may take a day or so for me to reply but know that I will try to help in any way I can. This virus has rekindled the fire of my crusader mindset.

I am going to attempt to find out who created this virus. When I have some results I will name and shame the person responsible, with complete details on them. This will be posted in an open forum here under the title of ‘Fnords Results: Vitro’.

I don’t care if I am behind the times and I don’t care what I have to do. If nobody else finds them I will!

BTW: Looks like the virus I had changed slightly when I started tinkering with the repair settings. Going to try something stupid, will let you all know if it works.

Hi Fnord,

These analysis links are valuable: http://www.threatexpert.com/report.aspx?md5=74d580019f5b4625c580d95eed8ef6f3

http://www.threatexpert.com/report.aspx?md5=0b1a813e83c4be155f720c776c588738

and
http://www.teamfurry.com/wordpress/2007/02/15/under-the-hood-virut/

polonus