win32.virut.5

Hello,

I have had a really serious problem with a virus called win32.virut.5

I had to rebuild many times and finally the only thing to clean the associated infected files (nearly all my .exe files) was Dr Web CureIt. Can anyone tell me more about this virus? Also, I downloaded Comodo anti virus for real time protection but it does not recognize the above virus even with the latest virus files downloaded, which doesn’t provide me with much peace of mind about the product.

Thanks

Andrew

As Little Mac said, the CAVS database is still growing and it would be great if you could submit the suspect file to Comodo so the nasty can be added to their database.

The only real information I can find about this malware is on the Dr Web site and the AVG website:

http://info.drweb.com/show/3143/en

http://www.grisoft.com/doc/virbase/us/crp/0?nam=Win32%2FVirut

:SMLR

Andrew,

Thanks for posting about this virus. There is more info here:

http://www.grisoft.com/doc/virbase/us/crp/0?nam=Win32%2FVirut (looks like AVG should detect and remove it as well).

You may also want to snag BOC. It operates differently than a traditional file scanner (which watches hard-drive activity) by monitoring memory for CPU access. Malware cannot execute without using CPU time; that is when BOC will grab it. Thus, provided that BOC has a definition that will allow detection, the malware cannot get by it; it will be stopped, and you will be prompted to allow BOC to remove it.

If you would, please submit the file you have (which you noted in the other thread is still infected) to Comodo for analysis and inclusion in their database. You may do so either thru CAVS (in the Quarantine tab) or by compressing the file to a password-protected zip archive (“infected” is the established norm) and emailing it to malwaresubmit [ at ] avlab.comodo.com. Give the virus name in the subject line.

LM

Edit: Oik! NTTW beat me to the AVG link! :wink:

Detailed information about this malware is hard to find, however it is detected by most AV scanners. It comes under different names according to the AV used, which confuses the issue. (I wonder why more effort can’t be made toward giving these things a generic name?)

http://www.viruslist.com/en/viruses/encyclopedia?virusid=156259

Hello guys,

Thanks for the reply.

AVG did not detect it. This is where my problems started: the free version of AVG didn’t detect it (it was up to date), so it got into my system through AVG, Zone Alarm and Spybot and then somehow caused AVG problems with start up. Every time I tried to launch AVG I got an error that the electronic certificate couldn’t be verified. After that, that’s when I started to reinstall, without knowing that my backups had all been infected too! Literally a very high percentage of .exe and system32 files had it. Bit of a nightmare but seems to be OK now. I scan all the files I restore with CureIt before they go back on - seems to work a charm. Bitdefender caused me more problems than it solved.

With regards to BOC, I have installed it, don’t really know what it’s up to because it just sits there happily in the tray and doesn’t do much? Is it supposed to do something? I thought it was like Spybot where it would check possible changes to the registry and alarm me on those but so far it hasn’t done anything and I have been installing software all day.

Thanks again,

Andrew

PS I have set the comodo anti-virus to send all possible problems to comodo but will physically send them a copy of an infected file.

Just to add, it also ■■■■■■■ up Avira too when I tried it. Avira couldn’t run and provided an error something like:

Avira cannot run (process) installation file is either corrupt or
infected by a virus/trojan, please download a new version

Something along those lines.

Andrew

You won’t “see” BOC doing anything unless it has something to do. I’ll explain briefly.

BOC works on malware definitions (DAT), just like an AV or AS does. But it works a little differently. The standard DAT is built around how the malware is packed (put together); with a new packer the malware is no longer identifiable. BOC’s DATs are built differently, such that it can identify multiple variants (i.e., different packers) because it doesn’t just look at the packer.

Right now “38175 trojans are covered in your current BOC425.XVU file.”

Listings do not include variants which are already covered. As of this date, COMODO's BOClean analysts have seen a total of 296,993 specific variations of various malware and behaviors as well as additional characteristics and components, all of which are covered in the Update file.
from here: http://www.comodo.com/boclean/trolist.html

Traditional AV/AS scans the hard-drive for known malware/activity (whether on-access or on-demand); some monitor downloads/email/etc as well. BOC monitors Memory only, and does no file scanning. This is because in order to do something, malware has to execute (load in memory, access CPU), and to do that it has to unpack. When it unpacks to access CPU, BOC will see it, stop it, and give you the chance to remove it.

BOC still has to have a matching definition, but it works a little differently (as per the above).

LM

This little ■■■■■■ of a virus is causing me more problems. I run DrWeb CureIt to heal the files (almost all .exe’s), which it does successfully, but as soon as I shut down and boot up they are back again. Any advice would be appreciated please.

Andrew
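A defender-side check that fits the situation above, added here as an example and not code from this thread or from any of the products named in it: after a clean scan, record the size and SHA-256 of every executable under a directory; on a later run, any .exe whose hash changed or that grew is a candidate for re-scanning before it goes back into use. The `demo()` scenario is constructed (placeholder files with bytes appended to one of them), not real malware.

```python
"""Baseline-and-diff check to spot executables being modified again between scans."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exts=(".exe", ".dll", ".scr")):
    """Map each executable under root to (size, sha256)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                p = os.path.join(dirpath, name)
                baseline[p] = (os.path.getsize(p), sha256_of(p))
    return baseline


def compare(baseline, current):
    """Return {path: reason} for executables that changed, appeared or vanished."""
    findings = {}
    for p, (size, digest) in current.items():
        if p not in baseline:
            findings[p] = "new executable"
        elif baseline[p][1] != digest:
            delta = size - baseline[p][0]  # file infectors typically make the host grow
            findings[p] = f"modified (size change {delta:+d} bytes)"
    for p in baseline:
        if p not in current:
            findings[p] = "missing"
    return findings


def demo():
    """Constructed scenario: one placeholder binary gets bytes appended after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("calc.exe", "notepad.exe", "readme.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ" + b"\x00" * 100)  # constructed stand-in, not a real PE file
        before = build_baseline(root)
        with open(os.path.join(root, "calc.exe"), "ab") as f:
            f.write(b"X" * 4096)  # constructed: appended junk standing in for added code
        return compare(before, build_baseline(root))
```

Run `build_baseline` once right after a clean scan, pickle the result, and call `compare` against a fresh baseline after each reboot; only the flagged files need another pass through the scanner.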

Have you submitted a copy of the virus to Comodo, as per previous instructions?

If so, there should be a definition coming thru the updates, for BOC. That should allow you to successfully stop this ■■■■■■. From what I’ve seen, Comodo responds very promptly on these.

LM

Did you turn off system restore prior to removing the nasty with DrWeb? This may stop it returning on reboot.

:SMLR

Presumably you ran the scans in Safe Mode? If not it can be difficult to remove all traces of this kind of malware.

In my experience the best way to remove really stubborn malware is to use a BartPE boot CD, such as Ultimate Boot CD for Windows. It contains numerous anti-malware tools and since it runs on its own operating system it’s far easier to remove all traces. Full details on how to create the boot CD are available here:

http://www.ubcd4win.com/

You will need an original Windows CD to create this disk; if that’s a problem then a DOS type boot CD called Ultimate Boot CD will do the job, although with less control.

Unfortunately sometimes the malware can overwrite system files and removal can cause issues in itself. It’s best to back up important files first so if there’s a worst case scenario you won’t lose precious files.

Hi awilson3rd, it’s a very nasty virus. Don’t waste your time and just do a format and install the OS from scratch. If any of your backup files are infected, it will appear again and again.

Turn your system restore function OFF. It’s probably already infected anyway and will only lead to further frustration. Use an SP2 XP installation CD. This will give you a slightly more secure system than a non-SP2 version.

If it was my PC I would disconnect all HDDs except the one containing the primary active partition. If it’s a multi-partitioned drive I would destroy all other partitions and make it into one large primary job. As painful as losing years of personal data is, an infected PC is not a usable PC at all.

1- Don’t connect to the network/internet during and after a format until you install your AV and FW.

2- Don’t restore any backups/any files from any external media (CD, DVD, USB, external HD) until you install a FW and your AV.

3- Disable all autorun features on your system (autorun for CDs and USB devices) after you install the new OS.

4- Install a good AV (I suggest Antivir free). Update your AV. Install a FW. Install ThreatFire in addition to the AV and FW. It’s free as well.

5- After you install an AV and FW, update your AV and do an in-depth scan of each external media storage device with your AV before opening any of them.

6- Format your external HD as well, if you have any.

I am not sure if you can handle popups from a HIPS or not. But if I were in your place, after step 4 I would put a HIPS in paranoid mode (with file protection feature) to see if there is still any source of this virus anywhere - CFP v 3 beta or EQSecure. Very effective in such situations.

If you can’t handle it, just after installing your AV, try adding ThreatFire as an extra layer of protection in addition to your AV.

Don’t trust any files/backups/media you have ATM. Everything might be infected. Consider everything infected unless proven otherwise. A single copy of it comes to your PC and you will reach the same point from where you started.

Hope it helps!