What about Virut?

Introduction

Virut is a polymorphic file infector virus that infects all executables (.pif, .exe, .scr), archive formats (.rar, .zip), HTML/web documents (.htm, .html, .asp, .php), Microsoft Office (classic) documents (.doc), JPEG images (.jpg), and PDFs (.pdf). Removing Virut requires a reformat and reinstall, because even if the Windows files get fixed, they are still damaged due to the buggy code (spaghetti code) it writes into the system. Once infected, it injects itself into many processes and hooks the CreateFile API.

More information on typical (not always) characteristics

  • Typical HOSTS entry: 127.0.0.1 zief.pl
  • Opens a backdoor on TCP port 65520
  • Uses entry-point obfuscation
  • Uses an XOR encryption algorithm


So, what is Comodo doing about this deal?
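As an added example (not part of the original post), here is a small Python check for the two host-side indicators listed above: the HOSTS entry for zief.pl and a TCP socket on port 65520. The hosts-file text and the netstat-style output it runs over are constructed for the example, and the list above calls these characteristics typical rather than guaranteed, so a miss here does not clear a machine; the infected files themselves still need an AV scan from outside the running system.

```python
"""Constructed IOC check for the Virut indicators listed above.
Example code added to the thread, not from the original posts."""
import re
from typing import List, Tuple

# Indicators taken from the list above (typical, not guaranteed).
IOC_HOSTNAMES = {"zief.pl"}
IOC_TCP_PORTS = {65520}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (ip, [hostnames]) tuples, dropping comments/blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        parts = line.split()
        if len(parts) < 2:                        # blank line, or an IP with no names
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def hosts_iocs(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs for any indicator hostname, whatever IP it maps to."""
    return [(ip, name) for ip, names in parse_hosts(text)
            for name in names if name in IOC_HOSTNAMES]


# Matches Windows 'netstat -an' rows: proto, local addr:port, foreign addr:port, [state].
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?", re.I)


def netstat_iocs(text: str) -> List[str]:
    """Return the netstat rows where a TCP socket uses an indicator port (local or remote)."""
    hits = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, _laddr, lport, _raddr, rport, _state = m.groups()
        ports = {int(lport)}
        if rport.isdigit():                       # foreign side is '*' for UDP rows
            ports.add(int(rport))
        if proto.upper() == "TCP" and ports & IOC_TCP_PORTS:
            hits.append(line.strip())
    return hits


# Constructed sample inputs: a hosts file with the zief.pl entry and a netstat
# listing with the port 65520 listener, next to ordinary benign rows.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 zief.pl
"""

SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:65520          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    print("HOSTS hits:  ", hosts_iocs(SAMPLE_HOSTS))
    print("netstat hits:", netstat_iocs(SAMPLE_NETSTAT))
```

On a live machine you would feed in the contents of %SystemRoot%\System32\drivers\etc\hosts and the output of netstat -an; both checks ignore comments, case and the UDP rows, and the hosts check flags the name regardless of which IP it is pointed at, since the loopback value is only the typical one.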

A “Virut” probably would trigger at least one D+ alert.

CAV (and of course CIS) is able to detect it.
But it doesn't have the ability to disinfect or repair the infected file.
It can only delete or quarantine it.

I hope the next version will solve this problem.

Even if it repaired the infected file, the file will still be corrupted. Read my writeup: http://www.helpmyos.com/malware-threat-removal-f6/virut-information-t879.htm

Wait wait…I doubt this Virut thing could infect any files without triggering a D+ alert. So if you just block that alert, you’d probably be fine. And the AV might be able to detect the program that tries to infect other files.

Once the machine is infected, which is by the consent of the user (P2P download, etc), it begins spreading. By the time it has taken over the system, Defense+ ‘might’ see it.

The problem with polymorphic file infectors is this:

Polymorphic virus

Virus that re-encrypts itself with each infection

A polymorphic virus is one that encrypts its code differently with each infection, or generation of infections.

The aim of this behaviour is to make it difficult for anti-malware software to detect all files infected with the virus, requiring much more sophisticated detection techniques than simple file-infecting viruses, which insert their code unchanged into each infected file.


Source: Virus Bulletin :: Resources
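To make the definition above concrete, here is an added toy model (not code from the thread or from Virus Bulletin, and not Virut's actual routine) of a polymorphic infector that re-encrypts its body with a fresh XOR key on every infection, the kind of encryption the first post lists, next to the two scanner strategies the definition contrasts. The "virus body" is an inert text marker, and the stub header (MAGIC), key length and clean-host stand-in are invented for the example. In the toy the decryptor stub has a fixed layout, so a scanner can locate the key and decrypt; a real polymorphic engine also mutates the decryptor itself, which is why products emulate the code rather than pattern-match the stub.

```python
"""Toy polymorphic infector versus two scanners.
Example code added to the thread; the body is inert text, not executable code."""
import secrets
from typing import List, Optional, Tuple

# Inert stand-in for the viral body: plain text, never executed.
BODY = b"TOY-BODY: inert marker standing in for the viral code"
MAGIC = b"PX"          # constructed header marking where the appended stub starts
KEY_LEN = 8            # bytes of XOR key, regenerated for every infection


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def infect(host: bytes, key: Optional[bytes] = None) -> bytes:
    """Append one polymorphic generation: MAGIC | key | xor(BODY, key).

    A fresh key per infection means the appended bytes differ in every host
    even though the decrypted body is identical each time.
    """
    if key is None:
        key = secrets.token_bytes(KEY_LEN)
    assert len(key) == KEY_LEN
    return host + MAGIC + key + xor(BODY, key)


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Naive scanner: looks for a fixed byte string lifted from one infected file."""
    return signature in sample


def decrypting_scan(sample: bytes) -> bool:
    """Generic scanner: find the stub, recover its key, decrypt, compare to BODY."""
    idx = sample.find(MAGIC)
    while idx != -1:
        start = idx + len(MAGIC)
        key = sample[start:start + KEY_LEN]
        enc = sample[start + KEY_LEN:start + KEY_LEN + len(BODY)]
        if len(key) == KEY_LEN and len(enc) == len(BODY) and xor(enc, key) == BODY:
            return True
        idx = sample.find(MAGIC, idx + 1)   # MAGIC can occur by chance; keep looking
    return False


def compare_scanners(keys: Optional[List[bytes]] = None,
                     generations: int = 5) -> Tuple[int, int]:
    """Infect one clean host `generations` times; return (signature hits, decrypting hits)."""
    host = b"MZ" + b"\x00" * 64            # constructed stand-in for a clean executable
    if keys is None:
        keys = [secrets.token_bytes(KEY_LEN) for _ in range(generations)]
    samples = [infect(host, k) for k in keys]
    # Signature = 16 ciphertext bytes of generation 0, as a naive scanner would extract.
    stub_start = len(host) + len(MAGIC) + KEY_LEN
    signature = samples[0][stub_start:stub_start + 16]
    sig_hits = sum(signature_scan(s, signature) for s in samples)
    dec_hits = sum(decrypting_scan(s) for s in samples)
    return sig_hits, dec_hits


if __name__ == "__main__":
    sig, dec = compare_scanners()
    print(f"signature scanner caught {sig} of 5 generations")
    print(f"decrypting scanner caught {dec} of 5 generations")
```

The byte signature taken from generation 0 matches only generation 0, while the scanner that recovers the key and decrypts catches every generation, which is the "more sophisticated detection" the definition refers to. Two caveats carry over to real products: the decryptor must be found and run safely (hence emulators and sandboxes), and finding the body does not repair the host, which is the disinfection problem raised earlier in the thread.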

Yes, once you are infected with it I doubt CIS would be able to completely remove the infection, without corrupting a lot of files.

Virut may be able to spread faster than an AV can detect it, but unless it is able to do all these things without one suspicious action that D+ picks up, then a good HIPS can probably stop it. Of course, if the user thinks it is safe, then even a good HIPS couldn't stop it.

Exactly. If a user downloads a file from P2P and then installs it, they are accepting it as it is. They cannot see the contents of it, but inside there is a deadly trap for their computer. The user will think the file is safe, because what they were looking for is exactly what they have (they think). Normal users will not check the files using a context-menu (shell extension) scan. So the user installs it, and the virus executes without them knowing. They see that the file they downloaded did not work properly, so they go back onto P2P and search for it again, etc.

This method, as described above, is the most typical P2P trap: deceit and craftiness by the malware writers, constructing a "safe looking" file that is actually an invisible trap. This is how Virut works its best crime.

I guess ThreatCast could help there a bit but…hmm.

(That’s why I only download P2P/Torrents if they are popular, and if they aren’t, I keep it isolated with Sandboxie or GeSWall. :))

You can easily kill a Virut with Defense+.

eXPerience

He removed Virut before installing CIS.

But yes, I know CIS will give multiple popups for Virut. ;D

He removed the parts that Dr.Web found ;). But it doesn't matter, CIS should be able to protect you.

XP

Has anyone purposely infected a test machine to test CIS’s capability?

If you have a machine infected by a patching virus, anything you install will get infected before a restart. CIS D+ and the firewall would still run since they are kernel-based (I think), but the AV and GUI would all become useless.

This is why you have to use a Bootable CD to remove Virut.

But yes, CIS will prevent Virut and many more from running the first time.

BTW, I have infected a virtual machine before to test CIS.

I do have a small warning on infecting VMs: if you infect a VM, it can pass through to the host and infect the host. A definite careful note there.