win32:virut virus

DavidR · 2007-09-19T17:23:54.000Z

MeDIeVaL post:7:

SNOWHITE post:6:

You can enable URL blocking in avast and add this sites to be blocked.

This block url thing… is it in pro edition? I can’t find it anywhere in home edition…

It is in both versions and is part of the Web Shield, Customize, URL Blocking, ADD. See images.

system · 2007-09-19T17:49:02.000Z

This “Win32.Virut.q” really looks like a bad one. You can read about someone else’s problem with it on Spybot forum here:

http://forums.spybot.info/showthread.php?t=18075

It’s a variant of “W32/Virut.h” (McAfee’s name). See this link for particulars:

http://vil.nai.com/vil/content/v_143034.htm

system · 2007-09-19T17:52:35.000Z

Will this virus be covered in future definition updates, also if you can submit it to Avast that may help

DavidR · 2007-09-19T19:18:35.000Z

It is not so much the virus but the fact that it is a polymorphic (constantly changing) virus that makes it so hard to detect. avast has been working on new detections for polymorphic viruses as has been seen in recent improvements in av-comparatives.org tests, but there is room for much improvement.

system · 2007-09-19T20:48:02.000Z

sanctuary24 post:10:

Will this virus be covered in future definition updates, also if you can submit it to Avast that may help

Sample is already sent to Alwil team, its up to them when they will add detection. All other av vendors that got this sample responded to the email that was sent, except Alwil team : but thats nothing new cause they never respond :-\

It would be good if they add detection sooner, so at least it can be prevented from installing at first place. So far the antivirus programs that detects this, they cant clean the files and instead of that they delete all files that are detected.

system · 2007-09-20T08:22:51.000Z

Hi,

my comp seems to be heavyly infected by this virus. I now intend to by a new harddisk, install on it a new windows xp and then use the old disks only for grabbing data (no exe or scr files). It could be that I sometimes have to run the old infected OS to look for older emails and/or run some infected files just for looking some older data where i do not have the install files anymore. Is it possible to run those files without infecting anything on the new hd?

system · 2007-09-20T11:12:45.000Z

Steffen-Lekies post:13:

Hi,

my comp seems to be heavyly infected by this virus. I now intend to by a new harddisk, install on it a new windows xp and then use the old disks only for grabbing data (no exe or scr files). It could be that I sometimes have to run the old infected OS to look for older emails and/or run some infected files just for looking some older data where i do not have the install files anymore. Is it possible to run those files without infecting anything on the new hd?

I wouldn’t do it this way. The virus could easily spread to your new HDD. A better way would be to back up your data to a CD first – scan that CD to make sure it’s not infected, then transfer the files to your new HDD.

system · 2007-09-20T18:36:01.000Z

I now bought a new hdd (300 gig ;D ) and additional 1 gig ram… hehe. So its not only bad…

I dismounted the old hdds and installed a fresh os (xp-home), then avast, reg-cleaner and so on. Now I am going to switch between the new and old (infected) hdds to not loose needed information.

Even my burn-prog is infected and won´t let me burn dvds. Only way is to create data folders and transport them with usb-stick. Shit, I only have one with 1 gig. So its becoming odd. Maybe tomorrow I´ll buy one with 4 gig. Or has someone an idea to transfer th old data faster?

I don´t transfer exe or scr files and always check the stick with avast before I transfer the data to the new hdd. Did I forget something? If someone notices such, please post here, I am checking this thread ongoing during the transfer.

Thanks for reading and any help, if given.

Lisandro · 2007-09-20T21:40:11.000Z

Steffen-Lekies post:15:

Now I am going to switch between the new and old (infected) hdds to not loose needed information.
Or has someone an idea to transfer th old data faster?

Use Mozy (see link at my signature), upload up to 2Gb of files and then download in the new HDD.
Or, you can use the two HDD in the same computer, one of them as being slave and the other master.

system · 2007-09-20T22:15:45.000Z

Tech post:16:

…, you can use the two HDD in the same computer, one of them as being slave and the other master.

Thats what I intended to do, but Rick F advised me to walk on the secure way and I think he is right. So for now I use both sorts of hdds each at a time. The old two hdds which are infected with their old os for storing data on stick, dvd if possible or Mozy like you advised and then after dismounting those hdds I mount the new hdd to check and store the data on there.

system · 2007-09-21T02:21:07.000Z

Steffen,

When you said you couldn’t make a CD because even your ‘burn-prog’ was infected, I was trying to think of an on line storage service you could use. Tech offers that exact solution with Mozy. I’ve never used it myself, but this could work for you.

Since you said 'both of your old HDDs were infected, I’d be afraid the infection could spread if you plugged in your old HDD to txfr files. I could be wrong, but I like erring on the side of extreme caution myself.

Tech is very knowledgeable and helps many folks here on this forum.

Lisandro · 2007-09-21T02:24:07.000Z

Rick F post:18:

I’ve never used it myself

You’re losing the best free on-line storage method.
Safe (encrypted files), fast, reliable, saved me a lot of times.
Also, both you and I receive an extra space if you click in the link on my signature 8)

Maxx_original · 2007-09-22T17:31:10.000Z

hello guys… i’m back on track (after an bussiness trip), so the update of the Win32:Virut detection will be done asap… sorry for the delay, but it was difficult for me to work remotely at this hihgly complex task…

essexboy · 2007-09-22T17:49:38.000Z

From the examples I have seen of this virus so far a reformat is the best way at the moment, once it has infected your system. It does need to be stopped before it gets that far

system · 2007-09-22T22:40:42.000Z

Maxx_original post:20:

hello guys… i’m back on track (after an bussiness trip), so the update of the Win32:Virut detection will be done asap… sorry for the delay, but it was difficult for me to work remotely at this hihgly complex task…

Thanks for heads up.

Until update is released add in url blocking this one too:
leon.htn.pl

Or put them into hosts file:

127.0.0.1 proxim.ircgalaxy.pl
127.0.0.1 leon.htn.pl
127.0.0.1 ntkrnlpa.info
127.0.0.1 xp.attrezzi.biz
127.0.0.1 l.mezzicodec.net

oldman960 · 2007-09-23T17:17:19.000Z

When playing around with the webshield url blocker, I found that entering sitename.com and letting avast add the http and, http://sitename.com*, that perticutar home page could be reached. Anything beyond that was blocked. By adding the www, http://sitename.com*, the homepage then would be blocked.

When adding the above urls to the blocker would you suggest using http://www?

system · 2007-09-23T18:29:32.000Z

Snowhite’s suggestion about blocking those listed sites OR putting them in your ‘Hosts’ file is a good idea. It reminded me about the ‘Hosts’ file that I’ve been using for over 2 years.

The “MVPS.org” ‘Hosts’ file is updated about every two weeks. It’s a free service with free notices of updates. It blocks many pages that contain spyware, adware (malware) from loading by just sending you to the ‘localhost’ 127.0.0.1. When you go to a page that contains frames and one of those frames is on the ‘hosts’ list, you just see a local host image in that frame (the rest of the page is fine). Any site that uses tracking cookies (like doubleclick) is passed over and you get to the site you’re trying to get to (minus the tracking cookies).

I think everyone should have an up-to-date ‘Hosts’ file on their computer. For more info on this one, see this link:

http://www.mvps.org/winhelp2002/hosts.htm

I just updated my MVPS ‘hosts’ file today and checked those entries that Snowhite listed. All but one of them were already on it. MVPS also offers a ‘bat’ file that you can use to turn off the ‘hosts’ file if you want to (it’s renamed temporarily). Clicking on the bat file again toggles it back on.

Hope this helps.

Maxx_original · 2007-09-24T09:30:30.000Z

Virut detection updated to support the newest variant… wait for the next VPS

oldman960 · 2007-09-24T09:32:21.000Z

Maxx_original post:25:

Virut detection updated to support the newest variant… wait for the next VPS

Finally some good news in this thread. Thanks and keep up the good work!

system · 2007-09-24T13:30:36.000Z

Maxx_original post:25:

Virut detection updated to support the newest variant… wait for the next VPS

Thanks Maxx,

Wow, that last VPS was over 250K in size! I’ll have to go see what detections were added. Last vps ver 776.0

Announcements