Dear Forum,
I have found a Virut removal tool online. Please let me know if I should post the link here in the forum.
Kind regards,
Avastfan1
Sure, why not?
Does it really work? Is it from a trustable source?
Hi Tech,
I cannot attest to whether it works as I am not infected by Virut.
http://www.softpedia.com/get/Antivirus/Win32-Virut-Remover.shtml
I believe that Softpedia is a reputable website though.
Perhaps somebody who is infected can try the tool and post back for other users.
Avastfan1
If you trace this back it is from AVG, but its last update was 8th August 2008, so it is really quite old, and I don’t know how effective this might be. It certainly wouldn’t do much for the latest version, which avast is calling Virtob I think, a souped-up version of Virut.
So I don’t know if the DrWeb CureIt might be more up to date regarding virut than the AVG Win32/Virut Remover 1.2.0.342 version.
I feel the same as David… too old tool.
Such tools must be kept up to date since malware is constantly updated to circumvent such detections and cures.
Hi CharleyO,
The maker(s) of Virut must have thought of everything; it is very sinister, advanced, destructive malware that has two layers of encryption. We read now from Symantec’s blog report on Win32.CF Collateral Damage:
Polymorphic file-infectors have been around for a long time, with possibly the first one surfacing in 1990. This has proven to be an effective technique that malicious code authors have employed to give their code a better chance of survival in the wild. Since this type of threat showed up there has been a struggle between security vendors and malware writers. Every advance in antivirus prompted the malicious code authors to come up with new and imaginative ways to thwart these efforts and vice-versa. So with Virut we are out on the tiles, or out in the trenches rather... That is why I do not trust special removal tools for this much, standard nor online, until I have seen the cleansing performed in real time. In the above text there is no mention of the way in which the virus beats Windows File Protection through the in-memory winlogon service adding code; there is a Virut variant that infects notepad.exe on a pendrive, etc. etc., even infecting through Linux (wine)... Currently we are seeing an outbreak of a particularly sinister file-infector, known as W32.Virut.CF. This threat has already compromised corporate networks and is proving difficult to remove from infected networks. Once this threat infiltrates a network it can spread quite quickly using open network shares. So, what is it that sets this file-infector apart from the others and what makes it so difficult to remove?
Virut went through many revisions before the CF variant surfaced. This particular variant uses many advanced techniques to avoid detection and removal. None of the techniques are new, but have been used effectively within Virut. Some of the techniques employed include an advanced polymorphic engine, spaghetti code, and encryption.
There are two layers of encryption employed by Virut. The first layer encrypts the code using a weak encryption algorithm. This layer also uses spaghetti code and junk instructions to make white-box analysis more difficult and time consuming. The first layer is also optional, which helps to make detection more challenging. The second layer of encryption is more complicated. It uses checks such as checking CPU speed, illegal instructions, and API address manipulation to detect analysis. This layer uses a custom XOR encryption algorithm, which is also weak, but built in such a way that makes it trivial for the author to change. Each change makes Virut appear entirely different to casual analysis.
Once on the system the threat injects itself into multiple processes on the system and hooks the CreateFile API. This allows the threat to execute whenever any process opens a file on the system. Using this technique, Virut can infect many files on the host system or on remote systems over network shares. It will try to infect Portable Executable (PE), HTML, and ASP files among others (HTML-IFrame attack, for instance). And, if that’s not enough, the threat also uses Entry Point Obfuscation (EPO) to help evade detection. The infection routine will point to the entry point of the first or second layer of encryption mentioned earlier. Alternatively, the threat scans for certain APIs in Kernel32.dll and patches these to have its payload executed. This EPO not only makes analysis and detecting the threat more difficult, it also makes it significantly more difficult to safely repair the infected files. It also will fill part of the empty space left unused by the coder of an executable etc., this randomly and in a random bogus way.
One further/additional thing that makes this threat so difficult to remove is the wide variety of executable formats now available on Windows platforms. This threat was not designed to infect all of these but will attempt to do so anyway. This makes the results of infection very unpredictable and the task of removal more difficult. With file-infectors, the code only has to be good enough to infect a large amount of files—if it corrupts some files and renders them useless, it rarely affects the desired outcome or purpose of the threat. We have also seen malware becoming infected with Virut, which adds another layer of complexity in terms of detection and removal. Our engine attempts to detect and repair every sample infected with Virut, but because of the complications outlined above there are some exceptional cases where this is not possible.
All of this sounds quite grim, but this threat can be removed from infected networks by following best practices. The infected machines need to be isolated and then scanned with avast antivirus, preferably in “Safe Mode,” in order to remove the infected files. Scanning in safe mode allows us to repair files that may be in use (for example, system files). Additionally, the virus will not load in safe mode. Non-repairable files may need to be restored from backup. Remove network shares, or make them read only at a minimum so that the virus can’t spread to them. As a last resort, highly compromised machines may need to be reimaged. Often still fdisk, format, re-install may be the only way out…
The websites associated with this threat should also be blocked at the network boundary. See the W32.Virut.CF write-up for further details on this. There is an online script for doing this I linked to in another posting with which webmasters can cleanse their websites…
Firewall logs should be monitored for outgoing requests to those sites that can give a good indication of the location of any infected machines within the network. If possible, the affected machines should be re-imaged from trusted media. When the machines have been cleaned they should be reintroduced into production networks with caution.
polonus
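The write-up quoted above ends with a practical step: watch firewall logs for outbound requests to the sites named in the W32.Virut.CF write-up, because those hits point at the infected machines. The script below is an added example of that triage, not code from the thread or from Symantec. The log format, the blocked hostnames (c2-a.example.net, c2-b.example.org) and the blocked IP are constructed placeholders; a real run would take the indicators from the vendor write-up and the lines from the firewall’s own export. It only counts traffic whose source is inside RFC 1918 space, so an inbound scan from the Internet does not get mistaken for an infected host, and it matches on either the resolved hostname or the destination IP, so a line without a hostname still counts.

```python
"""Triage firewall logs for internal hosts contacting known Virut C2 sites.

Added example (not from the forum thread or the Symantec write-up).
Blocklist entries and log lines are constructed stand-ins.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical indicators: placeholders for the sites listed in the
# W32.Virut.CF write-up, not real Virut infrastructure.
BLOCKED_HOSTS = {"c2-a.example.net", "c2-b.example.org"}
BLOCKED_IPS = {"198.51.100.23"}  # TEST-NET-2 documentation address

# Explicit RFC 1918 ranges. ipaddress.is_private would also flag the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as
# private, which would hide the inbound test line below, so we do not use it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed syslog-style export: "<time> fw <action> src=IP dst=IP[:port] host=NAME"
SAMPLE_LOG = """\
Jan 10 10:01:02 fw DENY src=10.0.5.17 dst=198.51.100.23:80 host=c2-a.example.net
Jan 10 10:01:05 fw ALLOW src=10.0.5.17 dst=192.0.2.10:80 host=intranet.corp.example
Jan 10 10:02:41 fw DENY src=10.0.9.3 dst=203.0.113.8:443 host=c2-b.example.org
Jan 10 10:02:42 fw DENY src=10.0.5.17 dst=198.51.100.23:80 host=c2-a.example.net
Jan 10 10:03:00 fw ALLOW src=203.0.113.50 dst=10.0.1.2:445 host=-
Jan 10 10:03:11 fw DENY src=10.0.9.3 dst=198.51.100.23:80 host=-
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)(?::(?P<port>\d+))?\s+host=(?P<host>\S+)"
)


def is_internal(ip: str) -> bool:
    """True only for RFC 1918 addresses (malformed input counts as external)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the src/dst/port/host fields of one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_infected_hosts(log_text: str, blocked_hosts=BLOCKED_HOSTS, blocked_ips=BLOCKED_IPS):
    """Map internal source IP -> number of outbound attempts to a blocked destination."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]):
            continue  # unparseable, or inbound traffic from outside
        if rec["host"] in blocked_hosts or rec["dst"] in blocked_ips:
            hits[rec["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    ranked = sorted(find_infected_hosts(SAMPLE_LOG).items(), key=lambda kv: -kv[1])
    for src, n in ranked:
        print(f"{src}: {n} blocked outbound attempt(s) -> isolate and rescan in Safe Mode")
```

On the constructed log this reports 10.0.5.17 and 10.0.9.3 (two attempts each) and ignores the inbound SMB line from 203.0.113.50. Treat each listed host as the isolation list from the write-up: cut it off the network shares first, then clean or reimage.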
Yes, Polonus, I think they did their “homework” very well. I also think they know Windows OS’s as well as MS does … and maybe even better than MS knows its own.
All of this sounds quite grim, but this threat can be removed from infected networks by following best practices. The infected machines need to be isolated and then scanned with avast antivirus, preferably in “Safe Mode,” in order to remove the infected files. Scanning in safe mode allows us to repair files that may be in use (for example, system files). Additionally, the virus will not load in safe mode. Non-repairable files may need to be restored from backup. Remove network shares, or make them read only at a minimum so that the virus can’t spread to them. As a last resort, highly compromised machines may need to be reimaged. Often still fdisk - format -re-install may be the only way out.
Are you saying that Symantec’s blog recommends avast?
Damn my other PC is infected with win32/virut.NBP virus, I’ve done some research, and tried removing it by every means possible, but my final conclusion is I gotta reformat the PC.
I know this infects more than exe, scr. it infects htm, html, php too, and it also infects uninstalled exe files, exe files compressed in rar or zip, and it can spread via a pendrive, network etc… LOL and it can infect other malwares It might as well be written by invading aliens? What are the virus writers working on now? infecting doc, txt, jpg and mp3 ?
Can anybody tell me if it infects a CD ROM (a closed one, and not a rewritable one) put into the drive?
Anyway, the final suggestion by all antivirus companies is to do a complete reformat, and antispyware companies just bullsh*t about removing it. I’m using Eset Smart Security+trojan remover+malwarebytes+unhackme to just keep the "mother" virus at bay :) (removing the trojans downloaded by it, or blocking Chinese IPs trying to connect), but the win32/Protect.C virus - could this be the mothership?! - embedded in C:\Windows\system32\drivers\ndis.sys is UN-CLEANABLE by ESS or antispywares. Unbelievable, but I think this means the end of online security; the 2009 award should be granted to these folks instead of some antivirus, antispyware company.
BTW I could swear the mid-2009 report of government portal intrusion in many countries being sourced back to “China” could have been one of the viruts.
And to our dear friend AVASTFAN1, could you please check which “virut” you are infected with? Because from what I know the “AVAST rmtool” is good for virut.A; if you got virut.A or virut.B you might as well check if you’ve updated the Windows Malicious Software Removal Tool http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en (search for KB890830 v. 2.13) because it states it removes these 2. I just dunno what the alias name of virut.NBP is >:(
K everyday we learn new things, now I just learned that virut.NBP is not a virut, but a virux :
because it has the 2 parts PE loader+iframe sht (not mentioning the backdoor port it opens to call the chinese folks) apart from exe, scr it infects htm, html, php files too >:(
Forget it, what would you do if your memory, system restore, all running system32 processes and all installed and uninstalled exe files and the rest are the virus themselves ? This sht injects its code into these files, so you either delete half of your drive and have a “Frankenstein” pc, or reformat
And now, hold on to your seats, there are reports this thing survives a total reformat of the hard drive in some instances :o (I think because it also resides in unpartitioned parts of the drive) So I may be wiping the drive with DBAN (google it) and then doing a deep format.
Hi all,
been a victim of this too,
(don’t know which version,
this is what happens:
about being re-infected after formatting your Windows partition:
I’ve noticed that the ‘System Volume Information’ becomes accessible after infection…
to do so, I boot an Ubuntu live CD and delete those folders from all my partitions…
thanks Linux, especially Ubuntu, loving it !!!
also check all your USB storage drives you connected to the infected PC, there will be autorun hidden files which will load on connection…
the infections seem to be pretty much undetectable:
I used the latest version of AVG and scanned a winrar.exe installation file:
no threats detected…
after installing it detected the activated virus (in uninstall.exe and somewhere else),
so my windows processes were infected (but AVG did stop some activities…)
so to be sure, delete all the .exe files (and in archive files, zip etc) on all your drives…
other files: html etc I have not yet checked…
Norman virut remover http://www.norman.com/support/support_tools/68989/en
Norman Support Tools http://www.norman.com/support/support_tools/en
Hi pondus,
This is an ever evolving story. With virut the threads get longer, the actual recovery stays poor.
A few observations here in the long contemplation about this destructive file infector: upon detection do not reboot, immediately go into safe mode, because the file infector is buggy and randomly tries to infect various file extensions haphazardly, so cleansing routines can be very unsatisfactory. Haven’t seen the silver bullet proggie presented here to kill this werewolf; the file infector is out on the “steppen” and it kills operating systems called Windows…
polonus
upon detection do not reboot, immediately go into safemode,
stupid question, but how do you go into safemode without rebooting?
Hi pondus,
Right question. I have to be more precise about this: of course upon detection you will have to go into Safe Mode to stop the file infector rushing through all the executables etc. One reboot to do this, yes, but then the best routine is to make it one gigantic cleansing session. No intermittent reboots - that is what I meant,
polonus
For Virut there is only one solution - reformat and reinstall - any time I find it this is what I post
Well, I’m afraid I have bad news for you.
You have been infected with a polymorphic file infector named Virut. This infection will spread to every executable file in your computer, and unfortunately the only cure for it is to Reformat and Reinstall.
Right now, the best thing you can do is to backup, preferably to CD, all your important data, documents, pictures, movies, and songs.
DO NOT backup any applications or installers and DO NOT backup any files with the following extensions:
*.exe
*.scr
*.htm
*.html
*.xml
*.zip
*.rar
*.doc
*.jpg
*.pdf
For more information on Virut, and why you need to reformat, have a read of miekiemoes blog here.
To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.
Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.
To find out more information about how you may have got infected in the first place, you can read this article.
I am sorry I cannot give any better news.
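The backup step in the post above is the one place where a mistake carries the infection across to the clean install, so it is worth doing with a script rather than by hand. The following is an added example, not Essexboy’s or the thread’s own tool. It applies the extension list from the post exactly as given, prunes the ‘System Volume Information’ folder that an earlier reply singled out as a re-infection source, and adds one check the list alone cannot give: any file whose first two bytes are the PE magic “MZ” is refused even if it carries an innocent extension, since a renamed or mis-named executable would otherwise be copied over. The sample directory tree is constructed inside the script so it runs offline; point copy_backup at a real data folder and an empty destination to use it.

```python
"""Select data files for an off-box backup before a Virut reformat.

Added example, not from the forum thread. Exclusion list is the one in the
post above; the "MZ" magic check and the folder pruning are additions.
The sample tree is constructed here for demonstration.
"""
import os
import shutil
import tempfile

EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml",
                       ".zip", ".rar", ".doc", ".jpg", ".pdf"}
PRUNED_DIRS = {"system volume information", "$recycle.bin"}
PE_MAGIC = b"MZ"  # DOS/PE header; Virut targets PE files


def classify(path: str):
    """Return (keep, reason) for one file: extension list first, then content."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXCLUDED_EXTENSIONS:
        return False, f"excluded extension {ext}"
    with open(path, "rb") as f:
        head = f.read(2)
    if head == PE_MAGIC:
        return False, "PE header (MZ) despite innocent extension"
    return True, "ok"


def plan_backup(src_root: str):
    """Walk src_root; return (kept, skipped) as lists of (relative_path, reason)."""
    kept, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(src_root):
        # In-place edit of dirnames stops os.walk from descending into these.
        dirnames[:] = [d for d in dirnames if d.lower() not in PRUNED_DIRS]
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root)
            keep, reason = classify(full)
            (kept if keep else skipped).append((rel, reason))
    return kept, skipped


def copy_backup(src_root: str, dst_root: str):
    """Copy only the files plan_backup keeps, preserving relative layout."""
    kept, skipped = plan_backup(src_root)
    for rel, _ in kept:
        dst = os.path.join(dst_root, rel)
        os.makedirs(os.path.dirname(dst) or dst_root, exist_ok=True)
        shutil.copy2(os.path.join(src_root, rel), dst)
    return kept, skipped


def build_sample_tree(root: str):
    """Constructed sample data: documents, excluded types, a disguised PE, a restore point."""
    files = {
        "notes.txt": b"shopping list\n",
        "thesis.odt": b"PK\x03\x04 odt container bytes",
        "photo.jpg": b"\xff\xd8\xff\xe0",
        "setup.exe": b"MZ\x90\x00",
        "holiday.mp3.bak": b"MZ\x90\x00 this is really an executable",
        os.path.join("System Volume Information", "_restore", "A0000001.exe"): b"MZ",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """End-to-end run on the sample tree; returns (kept, skipped, copied) relative paths."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        build_sample_tree(src)
        kept, skipped = copy_backup(src, dst)
        copied = sorted(os.path.relpath(os.path.join(d, f), dst)
                        for d, _, fs in os.walk(dst) for f in fs)
        return [r for r, _ in kept], [r for r, _ in skipped], copied


if __name__ == "__main__":
    kept, skipped, copied = demo()
    for rel in kept:
        print("KEEP", rel)
    for rel in skipped:
        print("SKIP", rel)
    print("copied:", copied)
```

On the sample tree only notes.txt and thesis.odt are copied; photo.jpg and setup.exe fall to the extension list, holiday.mp3.bak is caught by the MZ check, and the restore-point executable is never visited. The extension list is deliberately the post’s, not a shortened one, so a file type the post excludes (such as .doc) stays excluded here too.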
That’s excellent advice Essexboy (as always); given the number of people posting about virut/vitro, they should make it a sticky.
Actually I have read that the FDISK utility is necessary to remove the infected partition then add it back but I can’t remember where I read this.
No a straight forward reformat will cure it - but don’t re-introduce it with a dodgy flash drive