Got infected again!! The "Win32/Virut" virus attacked my computer. I researched all the information about this virus from different sites and forums, and here is the output.
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Win32.Virut virus is also known as:
- Win32/Virut (CA)
- Virus.Win32.Virut (Kaspersky)
- W32/Virut (Norman)
- W32/Virut (Sophos)
- W32/Virut (McAfee)
- W32.Virut (Symantec)
- W32.Virut.A
- W32.Virut.h (McAfee)
- W32.Virut.R (Symantec)
Win32/Virut is a family of file infecting viruses that target and infect .EXE and .SCR files accessed on infected systems. Win32/Virut also opens a backdoor on TCP port 65520 by connecting to an IRC server, allowing a remote attacker to download and run files on the infected computer.
Characteristics:
When W32/Virut.h is executed, it injects its code into running processes.
W32/Virut.h opens a backdoor on the compromised machine on port 80 (HTTP) but uses it for IRC communication.
The virus tries to connect to an IRC server located at eirod.zief.pl.
It can then receive commands to download and execute other malware on the infected machine. Though the download location in the commands can change, at the time of writing, the virus tried to download malware executables from:
- http://85.114.[REMOVED]/ ~grander/[MALWARE].exe
Symptoms:
The following symptoms may be indicative of a Virus:Win32/Virut infection:
- Network traffic on TCP port 65520 with connection to IRC server proxima.ircgalaxy.pl, on channel &virtu
- Increase in file size of infected files
- Infected files fail during execution and have a recent modified date property
- Modified executable files (increase in the size of exe files)
- DNS queries to eirod.zief.pl and IRC related network traffic
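The network symptoms above (the port 65520 backdoor, the IRC servers proxima.ircgalaxy.pl and eirod.zief.pl, and the &virtu channel) can be turned into a simple log check. The following is an added example, not code from the original post or from any of the antivirus vendors quoted here; the log lines are constructed, and the whitespace-separated DNS/connection/IRC record formats are assumptions made for the illustration. Because the W32/Virut.h variant described above talks IRC over port 80, the port rule alone is not enough, which is why the DNS-name and channel-join rules are included.

```python
"""Flag network log lines matching the Win32/Virut indicators listed in the write-up.

Added example, not from the original post. The log lines below are constructed and
the record formats (assumed): "<time> dns query <src> <name>",
"<time> conn <src> <dst> <dport> <proto>", "<time> irc <src> JOIN <channel>".
"""

# Indicators taken from the symptoms list above.
VIRUT_IRC_HOSTS = {"proxima.ircgalaxy.pl", "eirod.zief.pl"}
VIRUT_BACKDOOR_PORT = 65520
VIRUT_IRC_CHANNEL = "&virtu"

# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
2009-01-10T10:00:01 dns  query 192.0.2.15 www.example.com
2009-01-10T10:00:03 dns  query 192.0.2.15 eirod.zief.pl
2009-01-10T10:00:04 conn 192.0.2.15 198.51.100.7 65520 tcp
2009-01-10T10:00:05 irc  192.0.2.15 JOIN &virtu
2009-01-10T10:00:06 conn 192.0.2.16 203.0.113.9 443 tcp
2009-01-10T10:00:07 dns  query 192.0.2.16 PROXIMA.IRCGALAXY.PL
"""


def check_line(line):
    """Return (source_host, reason) if the line matches a Virut indicator, else None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    kind = parts[1]
    if kind == "dns" and len(parts) >= 5:
        # DNS names are case-insensitive; normalise before comparing.
        name = parts[4].lower().rstrip(".")
        if name in VIRUT_IRC_HOSTS:
            return parts[3], f"DNS query for Virut IRC server {name}"
    elif kind == "conn" and len(parts) >= 6:
        try:
            dport = int(parts[4])
        except ValueError:
            return None
        if dport == VIRUT_BACKDOOR_PORT:
            return parts[2], f"outbound TCP connection to port {dport}"
    elif kind == "irc" and len(parts) >= 5:
        if parts[3].upper() == "JOIN" and parts[4].lower() == VIRUT_IRC_CHANNEL:
            return parts[2], f"IRC JOIN to channel {VIRUT_IRC_CHANNEL}"
    return None


def scan_log(text):
    """Group every matching reason by the internal host that produced it."""
    hits = {}
    for line in text.splitlines():
        result = check_line(line)
        if result:
            host, reason = result
            hits.setdefault(host, []).append(reason)
    return hits


if __name__ == "__main__":
    for host, reasons in sorted(scan_log(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Hosts that trigger more than one rule (DNS lookup followed by the port 65520 connection and the channel join) are the strongest candidates for a full scan; a single DNS hit can also come from a blocked resolver or a security tool, so treat it as a lead rather than a verdict.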
Method of Infection:
W32/Virut.h is a file infecting virus. Infection starts with manual execution of the binary. Executables in network shares may also get infected if accessed by the compromised machine.
The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files. In those cases of misinfection in which repair data is present within the virus body, and has not been miscalculated by it, the current DAT set will still repair the virus as in the non-corrupted case. Unfortunately, however, some W32/Virut.h infections are corrupted beyond repair.
When W32.Virut.A is executed, it performs the following actions:
- Creates the event named "VT_3", so that only one instance of the threat runs on the compromised computer.
- Attempts to infect any accessed .exe or .scr files by appending itself to the executable.
- Avoids infecting files with the following strings in the file name:
  - WC32
  - WCUN
  - WINC
- Opens a back door on TCP port 65520 by connecting to the proxima.ircgalaxy.pl IRC server on channel &virtu.
- The back door allows an attacker to download files onto the compromised computer.
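The infection method described above (appending the virus body to accessed .exe and .scr files) is what produces the "increase in file size" and "recent modified date" symptoms listed earlier. A baseline-and-compare check makes both visible. The following is an added example, not code from the original post or from any antivirus vendor: it records the size and SHA-256 of every .exe/.scr file under a directory and reports files that grew or changed. The demo works in a temporary directory and simulates the appending behaviour with a constructed stand-in payload, not real malware.

```python
"""Baseline-and-compare check for appending file infectors such as Win32/Virut.

Added example, not from the original post. The demo() data is constructed:
a few dummy "executables" in a temp directory, one of which gets extra bytes
appended to stand in for an infected file.
"""
import hashlib
import os
import tempfile

# Extensions the write-up names as infection targets.
INFECTABLE_EXTENSIONS = {".exe", ".scr"}


def _digest(path):
    """SHA-256 of a file, read in chunks so large executables do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {size, sha256, mtime} for every .exe/.scr under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in INFECTABLE_EXTENSIONS:
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                rel = os.path.relpath(full, root)
                baseline[rel] = {
                    "size": st.st_size,
                    "sha256": _digest(full),
                    "mtime": st.st_mtime,
                }
    return baseline


def compare(baseline, current):
    """Return (path, reason) for files that are new, grew, or changed since the baseline."""
    findings = []
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append((rel, "new executable not in baseline"))
        elif cur["size"] > old["size"]:
            # Appending infectors always make the file larger.
            findings.append((rel, f"grew by {cur['size'] - old['size']} bytes"))
        elif cur["sha256"] != old["sha256"]:
            findings.append((rel, "contents changed, size unchanged"))
    return findings


def demo():
    """Constructed scenario: two dummy executables, one gets data appended."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "clean.exe")
    victim = os.path.join(root, "victim.scr")
    for path in (clean, victim):
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)  # dummy file, not a real PE
    before = build_baseline(root)
    # Stand-in for an appending infector: extra bytes at the end of one file.
    with open(victim, "ab") as f:
        f.write(b"APPENDED-PAYLOAD-STANDIN")
    after = build_baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

In practice the baseline would be taken from known-clean media or right after installation and stored off the machine, since a file infector running on the host can also touch whatever baseline file sits beside the executables it infects.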
Prevention Steps
Take the following steps to help prevent infection on your systems:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic but choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources.
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Removing W32.Virut:
To detect and remove Win32/Virut, run a full-system scan with up-to-date antivirus software such as the Microsoft online scanner (available at http://safety.live.com). For other security software options, visit http://www.microsoft.com/athome/security/downloads/default.mspx
Before running a full-system scan, make sure you disable System Restore (Windows Me/XP).
To disable system restore:
Windows Me and XP include a restore utility that automatically backs up selected files to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.
Disabling the System Restore Utility (Windows Me Users)
- Right click the My Computer icon on the Desktop and click on Properties.
- Click on the Performance tab.
- Click on the File System button.
- Click on the Troubleshooting tab.
- Put a check mark next to 'Disable System Restore'.
- Click the 'OK' button.
- You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to seven and on step five remove the check mark next to 'Disable System Restore'.
Disabling the System Restore Utility (Windows XP Users)
- Right click the My Computer icon on the Desktop and click on Properties.
- Click on the System Restore tab.
- Put a check mark next to 'Turn off System Restore on All Drives'.
- Click the 'OK' button.
- You will be prompted to restart the computer. Click Yes.
Note: To re-enable the Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.