Virut on the Rise

Discovered: April 11, 2007

Latest Rapid Release version February 10, 2009 revision 024

Virut spreads through every exe, scr, mp3, doc, dll, htm, ini, jpg, gif and pretty much every file on a computer. It’s polymorphic, which means each new infected copy looks different, so it spreads faster than any antivirus can contain it. 99.99% of the time the only solution is a reformat and reinstall. Virut is so aggressive that it even re-infects files it has already infected. It’s a computer killer…

Viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers.

In short, there is no solution for this other than a reformat and reinstall.

From Microsoft’s Win32/Virut description:

Symptoms: The following symptoms may be indicative of a Virus:Win32/Virut infection:

* Network traffic on TCP port 65520 with connection to IRC server, on channel &virtu

* Increase in file size of infected files

* Infected files fail during execution and have a recent modified date property

HijackThis logs will have an F2 entry similar to this:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,

Dr. Web CureIt will show many files like this. Notice that these aren’t just some random files; they are Windows system files. Pretty much sums it up…

imagination studio.scr;c:\windows;Win32.Virut.56;Cured.;
xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Cured.;
cisvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
logon.scr;c:\windows\system32;Win32.Virut.56;Cured.;

It says cured, but that doesn’t last: Virut spreads back to the newly cured files, so cleaning and re-infecting becomes a never-ending cycle.
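As an added example (not from the original post), here is a small Python triage script that checks the three indicators described above against constructed sample input: a UserInit registry value with an extra program appended, netstat-style connection lines with a remote port of 65520, and Dr. Web CureIt result lines naming Win32.Virut. The sample addresses, process ids and file names are constructed for illustration only.

```python
# Constructed sample inputs that mimic the indicators discussed on the page (not real captures).
USERINIT_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TEMP\init.exe,"
NETSTAT_LINES = [
    "TCP    192.168.1.10:1057    203.0.113.5:65520    ESTABLISHED    1234",
    "TCP    192.168.1.10:1060    198.51.100.9:443     ESTABLISHED    888",
]
CUREIT_LINES = [
    "logon.scr;c:\\windows\\system32;Win32.Virut.56;Cured.;",
    "notepad.exe;c:\\windows;;Clean.;",
]

VIRUT_IRC_PORT = 65520  # port named in the Microsoft symptom list


def userinit_extras(value):
    """Return UserInit entries other than the legitimate userinit.exe.
    Virut's F2 entry appends a second program after the real one."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]


def irc_port_connections(lines):
    """Return remote endpoints from netstat-style TCP lines whose remote port is 65520."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        remote = parts[2]
        _host, _, port = remote.rpartition(":")
        if port.isdigit() and int(port) == VIRUT_IRC_PORT:
            hits.append(remote)
    return hits


def cureit_virut_files(lines):
    """Return (file, directory) pairs from CureIt result lines that name Win32.Virut."""
    found = []
    for line in lines:
        fields = line.split(";")
        if len(fields) >= 3 and fields[2].startswith("Win32.Virut"):
            found.append((fields[0], fields[1]))
    return found


def triage(userinit, netstat, cureit):
    """Collect all three indicator checks into one report dict."""
    return {
        "userinit_extras": userinit_extras(userinit),
        "irc_connections": irc_port_connections(netstat),
        "virut_files": cureit_virut_files(cureit),
    }


if __name__ == "__main__":
    for key, hits in triage(USERINIT_VALUE, NETSTAT_LINES, CUREIT_LINES).items():
        print(f"{key}: {hits}")
```

Any non-empty list in the report is a reason to take the machine off the network and rebuild it, as the post recommends.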

It’s believed to have started from a p2p web site or sites. One malware removal forum reports that about 40% of the users currently requesting help are infected with Virut. Since it also spreads via the IRC backdoor, the longer infected users wait to wipe the drive, the more other users get infected.

Waiting or trying to clean it just gives it that much longer to infect others. Enough users have it now that the IRC-based backdoor has zombified many who haven’t figured out they are infected yet. Even seemingly clean email/chat attachments from known good sources can be infected.

If you have a shared folder for your p2p, that folder is a gateway for the IRC-controlled infection to reach you, spread itself, and zombie your computer or network.

There is NO safe cure for this. If you see one file infected with Virut immediately disconnect from the Internet and start reformatting and reinstall.

This probably won’t go away any time soon, but all major AV vendors have supposedly updated to block this new variation.

Good luck!