INTRODUCTION
Virut has ranked among the most dangerous malware since 2009, alongside Conficker and Alman. It spreads through a computer more slowly than Conficker, but its consequences are more serious than those of any other malware. The virus was actually first released in early 2007, but it became widespread in 2009.
What sets Virut apart is that it infects not only .exe (executable) and .scr (screensaver) files but also web files such as .asp, .php, .htm and .html, as well as host files and drivers. In addition, once the computer is connected to the Internet, Virut contacts a remote IRC server and connects to multiple zombie-server addresses to download a bundle of further malware (viruses, trojans, spyware).
SPREAD METHOD
Virut uses several methods to try to infect a victim's computer. Some of them are as follows:
Infected cracks and keygens hosted on crack sites. This is the most effective way for the virus to spread. Many people choose to use a crack to avoid paying for software, without thinking about the safety of their own computer, rather than buying the software legitimately. The tool may be a fake crack that contains the virus, or a genuine crack that has itself been infected.
Drive-by download is also a highly effective method, and many consider it the more efficient technique.
Reading and opening attachments from anonymous or unknown senders is a trick that works: people who are curious about an attachment will download and open it.
File sharing (especially of executable programs) over a network is the fastest way for an infected computer to reach other computers, and it is worse still if the sharing computer has 'write' rights on the others. It is better if every computer on the network requires an access password.
Removable drives such as USB sticks, card readers and other writeable media are the usual route for most viruses. The autorun script on the writeable media is triggered and spreads the virus from the media to the computer.
EFFECTS
Like other viruses, Virut infects .exe and .scr files, and also web files and driver files. Windows fails when running infected .exe files (programs), and a small malware download link script is added to saved web files.
Once the computer is infected, it can no longer open anti-virus websites, download anti-virus software, or even update an installed anti-virus. The computer keeps trying to download malware from the Internet and is turned into a zombie that automatically 'breeds', spreading the virus to other computers by sending email on its own. These are the IP addresses from which the virus downloads malware, through various ports:
* 211.95.79.170:80 (HTTP)
* 65.54.82.160
* 218.61.7.9
* 64.4.20.174
* 216.32.90.186
* 59.30.90.84:3128 (Proxy)
* 77.93.21.45
* 76.31.92.235
* 123.236.125.64
* 93.114.249.122
* 217.11.54.126:3954 (AD Replication RPC)
* 66.90.104.13:443 (HTTPS)
* 211.95.79.170
* 216.32.90.186
* etc.
The virus itself uses 91.212.220.156:65520 and 91.121.221.157:65520 as its server IP addresses, and these as its domains:
- dns2.zief.pl
- nss2.ircgalaxy.pl
- proxim.ircgalaxy.pl
- proxima.ircgalaxy.pl
- sys.zief.pl
- gidromash.cn
- core.ircgalaxy.pl
- jl.chura.pl
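The addresses and domains above are most useful as detection indicators. The following script is an added example, not part of the original write-up: it transcribes the indicators listed above and runs them over a constructed Windows "netstat -an" snapshot and a few constructed DNS-log lines from a hypothetical infected host. One assumption that goes beyond the write-up is flagged in the code: any other hostname under the same registered zones (zief.pl, ircgalaxy.pl, chura.pl, gidromash.cn) is reported as related infrastructure.

```python
import re

# Indicators transcribed from the write-up above (2009-era Virut infrastructure).
DOWNLOAD_IPS = {
    "211.95.79.170", "65.54.82.160", "218.61.7.9", "64.4.20.174",
    "216.32.90.186", "59.30.90.84", "77.93.21.45", "76.31.92.235",
    "123.236.125.64", "93.114.249.122", "217.11.54.126", "66.90.104.13",
}
IRC_SERVER_IPS = {"91.212.220.156", "91.121.221.157"}
IRC_SERVER_PORT = 65520
C2_DOMAINS = {
    "dns2.zief.pl", "nss2.ircgalaxy.pl", "proxim.ircgalaxy.pl",
    "proxima.ircgalaxy.pl", "sys.zief.pl", "gidromash.cn",
    "core.ircgalaxy.pl", "jl.chura.pl",
}
# Assumption (not from the write-up): any other host under the same
# registered zones is treated as related infrastructure.
C2_ZONES = {d.split(".", 1)[1] if d.count(".") > 1 else d for d in C2_DOMAINS}

# Windows "netstat -an" row: proto, local endpoint, remote endpoint, optional state.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# Constructed DNS-log line shape: "<date> <time> <client> query <type> <name>".
DNS_QUERY = re.compile(r"\bquery\s+\w+\s+(\S+)")


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def classify_ip(ip, port):
    """Reason string if (ip, port) matches a listed indicator, else None."""
    if ip in IRC_SERVER_IPS:
        detail = "expected port" if port == IRC_SERVER_PORT else f"unexpected port {port}"
        return f"Virut IRC server ({detail})"
    if ip in DOWNLOAD_IPS:
        return "listed malware download server"
    return None


def classify_domain(name):
    """Reason string if the queried name is listed or sits under a listed zone."""
    name = name.lower().rstrip(".")
    if name in C2_DOMAINS:
        return "listed C2 host"
    if any(name == z or name.endswith("." + z) for z in C2_ZONES):
        return "host under a listed C2 zone (assumption: treated as related)"
    return None


def scan_netstat(text):
    """Flag remote endpoints in netstat output that match the indicators."""
    hits = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, _local, remote, state = m.groups()
        ip, port = split_endpoint(remote)
        reason = classify_ip(ip, port)
        if reason:
            hits.append({"proto": proto, "ip": ip, "port": port, "state": state, "reason": reason})
    return hits


def scan_dns_log(text):
    """Flag queried names that match the domain indicators."""
    hits = []
    for line in text.splitlines():
        m = DNS_QUERY.search(line)
        reason = classify_domain(m.group(1)) if m else None
        if reason:
            hits.append({"name": m.group(1), "reason": reason})
    return hits


# Constructed sample data from a hypothetical infected host (192.168.1.10);
# the unrelated remote address is from the RFC 5737 documentation range.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      91.212.220.156:65520   ESTABLISHED
  TCP    192.168.1.10:1043      211.95.79.170:80       SYN_SENT
  TCP    192.168.1.10:1044      198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_DNS_LOG = """\
2009-03-12 10:01:02 192.168.1.10 query A proxim.ircgalaxy.pl
2009-03-12 10:01:03 192.168.1.10 query A www.example.com
2009-03-12 10:01:05 192.168.1.10 query A irc2.zief.pl
2009-03-12 10:01:09 192.168.1.10 query A update.example.net
"""

if __name__ == "__main__":
    for hit in scan_netstat(SAMPLE_NETSTAT) + scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

On the sample data the script reports the IRC connection on port 65520, the HTTP download attempt to 211.95.79.170, the listed proxim.ircgalaxy.pl lookup and the zone-based irc2.zief.pl lookup, and stays silent on the listening sockets and the unrelated addresses. The IRC entry also records whether the port is the one the write-up names, since a listed address seen on another port deserves a second look rather than an automatic verdict.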
The virus can disable the Windows Firewall, which lets the downloaded malware reach the computer easily. Windows files are also infected, and Windows File Protection is disabled. Various Windows processes such as explorer.exe, winlogon.exe and svchost.exe are affected as well.
PROBLEM SOLVING
Virut creates these as its main files:
- C:\Documents and Settings\%user%\reader_s.exe
- C:\Documents and Settings\%user%\%user%.exe
- C:\WINDOWS\fonts\services.exe
- C:\WINDOWS\hh.exe
- C:\WINDOWS\SoftwareDistribution\Download\[Random Folder]\[Random Name].tmp
- C:\WINDOWS\system32\reader_s.exe
- C:\WINDOWS\system32\servises.exe
- C:\WINDOWS\system32\regedit.exe
- C:\WINDOWS\system32\[Random Number and Alphabet].tmp
- C:\WINDOWS\Temp\VRT[Random Number and Alphabet].tmp
- C:\WINDOWS\Temp\~TM[Random Number and Alphabet].tmp
- C:\WINDOWS\Temp\[Random Number and Alphabet].exe
- C:\WINDOWS\Temp\[Random Name].dll
The virus also adds these entries to the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
22951 = C:\WINDOWS\system32\[Random Number and Alphabet].tmp.exe
reader_s = C:\WINDOWS\system32\reader_s.exe
Regedit32 = C:\WINDOWS\system32\regedit.exe
servises = C:\WINDOWS\system32\servises.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
servises = C:\WINDOWS\system32\servises.exe
exec = C:\WINDOWS\fonts\services.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
reader_s = C:\Documents and Settings\klasnich\reader_s.exe
servises = C:\WINDOWS\system32\servises.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
servises = C:\WINDOWS\system32\servises.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = C:\WINDOWS\system32\servises.exe
run = C:\WINDOWS\system32\servises.exe
The virus adds these to hide itself:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
CheckedValue = 0
These entries disable the Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
\\??\C:\WINDOWS\system32\winlogon.exe = \\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = 0
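The file paths, autostart values and tampered settings above can be checked offline against a file listing and a registry export, which is how an analyst would confirm an infection or verify a cleanup before trusting the machine again. The script below is an added example, not part of the original write-up. It turns the "[Random ...]" and "%user%" placeholders in the path list into single-component wildcards, parses regedit ".reg" export text, and runs both over constructed sample data. Two deliberate choices are assumptions of this example: C:\WINDOWS\hh.exe and C:\WINDOWS\system32\regedit.exe are left out of the path check because they are stock Windows binaries whose mere presence proves nothing (the Regedit32 autostart value is still caught by its name), and only the SHOWALL and EnableFirewall settings are checked, since their stock value is 1 and a 0 is unambiguous.

```python
import re

# Dropped-file paths transcribed from the write-up; placeholders become wildcards.
# hh.exe and regedit.exe are omitted on purpose: both exist on every Windows
# install, so only an AV scan of their content can say whether they are infected.
DROPPED_FILE_PATTERNS = [
    r"C:\Documents and Settings\%user%\reader_s.exe",
    r"C:\Documents and Settings\%user%\%user%.exe",
    r"C:\WINDOWS\fonts\services.exe",
    r"C:\WINDOWS\SoftwareDistribution\Download\[Random Folder]\[Random Name].tmp",
    r"C:\WINDOWS\system32\reader_s.exe",
    r"C:\WINDOWS\system32\servises.exe",
    r"C:\WINDOWS\system32\[Random Number and Alphabet].tmp",
    r"C:\WINDOWS\Temp\VRT[Random Number and Alphabet].tmp",
    r"C:\WINDOWS\Temp\~TM[Random Number and Alphabet].tmp",
    r"C:\WINDOWS\Temp\[Random Number and Alphabet].exe",
    r"C:\WINDOWS\Temp\[Random Name].dll",
]
# Autostart keys and value names the write-up lists (lower-cased for comparison).
AUTOSTART_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
)}
KNOWN_VALUE_NAMES = {"22951", "reader_s", "regedit32", "servises", "exec"}
# Settings the write-up says the virus forces to 0; the stock value of each is 1.
TAMPERED_SETTINGS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL".lower(), "checkedvalue"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile".lower(), "enablefirewall"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile".lower(), "enablefirewall"),
}


def pattern_to_regex(pattern):
    """Compile a write-up path pattern; each placeholder matches one path component."""
    parts = [r"[^\\]+" if tok.startswith("[") or tok == "%user%" else re.escape(tok)
             for tok in re.split(r"(\[[^\]]*\]|%user%)", pattern)]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


FILE_REGEXES = [pattern_to_regex(p) for p in DROPPED_FILE_PATTERNS]


def matches_dropped_file(path):
    return any(rx.match(path.strip()) for rx in FILE_REGEXES)


def find_dropped_files(listing):
    """Paths from a 'dir /s /b' style listing that match the dropped-file patterns."""
    return [p for p in listing.splitlines() if matches_dropped_file(p)]


def parse_reg_export(text):
    """Yield (key, name, data) from regedit .reg export text; dword data becomes int."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # un-double REG_SZ backslashes
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            yield key, name, data


def find_autostart_entries(text):
    """Autostart values whose name is known or whose target is a dropped file."""
    return [(key, name, data) for key, name, data in parse_reg_export(text)
            if key.lower() in AUTOSTART_KEYS
            and (name.lower() in KNOWN_VALUE_NAMES
                 or (isinstance(data, str) and matches_dropped_file(data)))]


def find_tampered_settings(text):
    """Hidden-file and firewall settings that have been forced to 0."""
    return [(key, name) for key, name, data in parse_reg_export(text)
            if (key.lower(), name.lower()) in TAMPERED_SETTINGS and data == 0]


# Constructed sample data: a partial .reg export and a file listing from a
# hypothetical infected machine with user profile "alice".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="C:\\WINDOWS\\system32\\reader_s.exe"
"Regedit32"="C:\\WINDOWS\\system32\\regedit.exe"
"SoundTray"="C:\\Program Files\\Vendor\\tray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\system32\\servises.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
SAMPLE_LISTING = r"""C:\WINDOWS\system32\reader_s.exe
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\Temp\VRT3f.tmp
C:\WINDOWS\Temp\~TMab12.tmp
C:\Documents and Settings\alice\alice.exe
C:\Documents and Settings\alice\My Documents\report.doc
"""

if __name__ == "__main__":
    print(find_dropped_files(SAMPLE_LISTING))
    print(find_autostart_entries(SAMPLE_REG))
    print(find_tampered_settings(SAMPLE_REG))
```

Note the two different signals in find_autostart_entries: the "load" value under Windows NT\CurrentVersion\Windows is a legitimate value name, so it is flagged only because its target path matches servises.exe, while Regedit32 points at a legitimate file and is flagged only because the write-up names that value. Running the same checks after cleanup, with all three lists expected to come back empty, is the verification step the removal instructions below ask for.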
Run Registry Editor (Start - Run - 'regedit'), search for "VRT" and change every value found to '0'.
Download Norman Malware Cleaner and Kaspersky Virut-Killer. Run Norman Malware Cleaner, open its options and disable Quarantine, then run a full scan until it finishes. Next, run Kaspersky Virut-Killer and let it clean the rest until it finishes. Do not run any .exe or .scr files in the meantime, so the virus cannot spread itself. To make sure the computer is clean, check for the virus's main files listed above and confirm they are no longer there. If you still find those files, repeat the scanning.
To repair the Registry, copy the script below and paste it into Notepad.
[Version]
Signature="$Chicago$"
Provider=None
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001, 1
HKLM, SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile, EnableFirewall, 0x00010001, 1
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, reader_s
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, servises
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Windows, load
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Windows, run
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, reader_s
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, servises
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, 22951
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Regedit32
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
HKLM, SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, \\??\C:\WINDOWS\system32\winlogon.exe
HKLM, SOFTWARE\Policies\Microsoft\WindowsFirewall
Save it as "Repair.inf", place it on C:\ and on the desktop, then restart the computer. Repeat these steps as often as needed.