Win32/Virut.A

The removal tool is located here:http://www.avg.com/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.exe

This was found after having to completely reformat the computer in an attempt to remove it.

infector:

polymorphic

Names,aliases:

Win32/Virut.D (AhnLab-V3), W32/Virut.E (AntiVir), Win32.Virtob.2.Gen (BitDefender), W32.Virut.ci (ClamAV), Win32.Virut.5 (DrWeb), W32/Virut.E (Fortinet), Virus.Win32.Virut.e (F-Secure), Virus.Win32.Virut.d (Ikarus), Virus.Win32.Virut.e (Kaspersky), W32/Virut (McAfee), Virus:Win32/Virut.D (Microsoft), Win32/Virut (NOD32v2), W32/Virutas.G (Panda), W32/Vetor-A (Sophos), W32.Virut.B (Symantec), Win32.Virut.Gen (VirusBuster), Win32.Virut.E (Webwasher-Gateway)

Behavior:

Parasitic file infector of PE files with .EXE extension.
Acts like an IRC bot, communicating on TCP port 65520, it opens channel #virtu on the proxim.ircgalaxy.pl IRC server.

Its first step upon running is injecting the process (winlogon.exe), for this reason firewalls will not identify the virus. The virus will infect files on local and shared drives. It does not depend on usage of these files.

Infected files are approx. 9kB longer, and will not keep the original timestamp, (the timestamp will change to the time when the virus was written into the file).

The virus is activated in the "classical" way:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Note: the name of the infected file can be variable. It selects a name from the infected files in the folder %SystemRoot%\system32.

It doesn’t use any stealth or rootkit techniques for hiding infected files. It uses process injection technology, which provides good camouflage.

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

Remover:

Usage:

Rmvirut (check and repair all accessible disk drives)
Rmvirut C: (check and repair the entire C drive)
Rmvirut C: D: (check and repair the C a D drives)
Rmvirut C:\Windows (check and repair files in the C:\Windows folder)
Rmvirut C:\Windows\explorer.exe (check and repair C:\Windows\explorer.exe)

Remover features:

- if AVG is installed, it correctly registers itself in the resident shield to avoid collision with it.

- If it detects a locked file (unable to open), the remover arranges removal for immediately after booting the computer – when system files are not yet locked.

- Files RMVIRUS.DOS and Rmvirus32.nt are part of the remover for repairing before booting Windows 98 or Windows 2000

- You must have administrator privileges to run the remover, the remover tests this at the beginning.

- Repaired files are usually different to the originals, but they are working.

- Due to the damaged caused to files by virut it’s possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

 

Jon Olsen

Mobile Computer Wizard
619 309-5355 Cel
619 255-1215 Office
Jon@mobilecomputerwizard.com