Virut Virus -- Here's a humdinger.

Post by Primux on Wed Mar 17, 2010 7:18 pm

Hello everyone. I recently got a job with a big online computer repair company. I cannot say who, but I will say this. When we remote access in to customers' computers the first thing we do is run some software that checks out some information about the system. One of the things that it checks is whether or not the customer is infected with Virut. If they are, we simply tell them that we cannot help them.

Upon hearing about this, I thought it was rather lame. To me it seemed stupid to say "Oh, that one's too hard, I'm not even gonna try", but then I did some research on the virus. As it turns out, if the system still does boot, the only way one can really fix it is by using a bootable rescue CD with a remover tool. I was curious as to why this was the case, and found it to be because Virut is a "Polymorphic Virus" i.e. it mutates itself each time it makes a copy of itself, and because it apparently copies itself onto/into every file that is executed while the system is infected. Methinks that's rather evil . . . and genius.

Essentially I'm looking for any more information I can find on this virus. Information about how it actually works, vectors of infection, how to remove it (if at all possible) without having to use a rescue CD. It'd be interesting to actually be able to see the code for the virus, although if it's in assembly I really won't be able to understand too much of it, but if it's available in C or even Java, that would be pretty neat.

Just one more little tidbit of information: My research didn't exactly say specifics for Virut, but it would seem that other polymorphic viruses encrypt their payload and use a different set of keys with each copy to en/decrypt the payload, and also make some other random junk code that doesn't affect anything just to throw off AV engines.

Does anyone have any more info on any of that, or any thoughts in general?
Primux
New User
Posts: 10
Joined: Mon Aug 03, 2009 1:57 am
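The post above describes the two tricks a polymorphic virus uses against signature scanners: a different encryption key for each copy and junk padding to shift offsets. The following is an added toy model (not code from this thread, and not Virut's code) written from the detection side: the "payload" is an ASCII string, the "stub" is a constructed placeholder rather than machine code, and the per-copy key is a single XOR byte. It shows that a byte signature taken from the payload never matches an encoded copy, that the unchanging decryptor stub still does (a wildcard covers the key byte), and that emulating the decryptor recovers the plaintext so a normal signature works again, which is what AV emulation engines do.

```python
"""
Toy model of per-copy encryption versus byte signatures.
Everything here is constructed for illustration: STUB_PREFIX stands in for
the constant decryptor code a real sample would carry, PAYLOAD is plain text.
"""

STUB_PREFIX = b"STUB:"                      # constructed stand-in for the decryptor
PAYLOAD = b"CONSTRUCTED SAMPLE PAYLOAD"     # constructed plaintext "payload"
KEYS = (0x21, 0x5A, 0xA7, 0xFF)             # one key per copy; never 0, which would leave the payload in the clear


def make_variant(key: int, junk_len: int = 0) -> bytes:
    """Build one copy: constant stub, the copy's key byte, deterministic junk, XOR-encoded payload."""
    junk = bytes((key + 7 * i) & 0xFF for i in range(junk_len))   # filler that only moves offsets
    encoded = bytes(b ^ key for b in PAYLOAD)
    return STUB_PREFIX + bytes([key]) + junk + encoded


VARIANTS = [make_variant(k, junk_len=6) for k in KEYS]


def match_signature(sample: bytes, pattern: list) -> bool:
    """Byte signature scan; a None in the pattern is a single-byte wildcard."""
    n = len(pattern)
    for i in range(len(sample) - n + 1):
        if all(p is None or sample[i + j] == p for j, p in enumerate(pattern)):
            return True
    return False


def count_hits(pattern: list, samples: list) -> int:
    """How many samples a given signature flags."""
    return sum(match_signature(s, pattern) for s in samples)


def decode_with_key(sample: bytes) -> bytes:
    """Emulate the stub: read the key byte after the stub and undo the XOR on everything that follows."""
    idx = sample.index(STUB_PREFIX) + len(STUB_PREFIX)
    key = sample[idx]
    return bytes(b ^ key for b in sample[idx + 1:])


if __name__ == "__main__":
    print("payload signature hits:", count_hits(list(b"SAMPLE"), VARIANTS))            # 0
    print("stub + wildcard key hits:", count_hits(list(STUB_PREFIX) + [None], VARIANTS))  # 4
    print("plaintext recovered after emulation:",
          all(PAYLOAD in decode_with_key(v) for v in VARIANTS))                         # True
```

The junk padding changes where the encoded payload sits but not the stub's bytes, so a detector that anchors on the stub, or that emulates it before scanning, is not defeated by either trick in this model; real engines face far more varied stubs, which is why emulation rather than static bytes became the usual answer.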


Re: Virut Virus -- Here's a humdinger.

Post by DamegedSpy on Wed Mar 17, 2010 10:22 pm

I am really sad to tell you the reason for using a boot CD/DVD/BD is that if you boot normally the virus loads into memory. However, your research is very good and you learned a lot of good things ;).

Something you may want to do is start with simple malware and move yourself up.
DamegedSpy
Poster
Posts: 273
Joined: Sat Dec 19, 2009 1:40 pm


Re: Virut Virus -- Here's a humdinger.

Post by Primux on Wed Mar 17, 2010 11:41 pm

I'm far beyond "Starting with simple malware and moving myself up". I've been working with removing viruses and spyware for about ten years now. I'm just particularly fascinated with this particular virus. I've encountered other viruses that I've had to remove by using a bootable CD, although I imagine there's a way I could have done it without having done that.

Here's a question to which I know the answer: What's to keep you from simply removing the registry keys/other startup entries that are loading the virus?

And here's a question to which I don't know the answer: Why can't you use something like pendmoves or gmer to perform a delayed-write operation to delete the files that the virus has infected before they're loaded at the next boot? Now obviously if it's infected something like ntoskrnl.exe then you can't delete that, but what if it hasn't yet attacked system files like that?
Primux
New User
Posts: 10
Joined: Mon Aug 03, 2009 1:57 am
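The delayed-write deletion Primux asks about works through the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager: MoveFileEx called with MOVEFILE_DELAY_UNTIL_REBOOT appends a source/destination pair to that REG_MULTI_SZ, an empty destination means "delete at next boot", paths carry the NT "\??\" prefix, and a destination beginning with "!" records MOVEFILE_REPLACE_EXISTING. Pendmoves simply displays that queue. The parser below is an added example, not a tool from the thread; it runs on a constructed copy of the value so it works offline, and a defender would use the same parsing to audit what a removal tool (or anything else on the machine) has queued before rebooting.

```python
"""
Parse the PendingFileRenameOperations queue (REG_MULTI_SZ, read on Windows with
winreg.QueryValueEx as a list of strings). The SAMPLE_VALUE below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"   # NT object-manager path prefix on every queued path


@dataclass
class PendingOp:
    action: str                 # "delete" or "rename"
    source: str                 # Win32 path with the NT prefix removed
    destination: Optional[str]  # None for deletions
    replace_existing: bool      # True when the destination carried the "!" flag


def strip_nt_prefix(path: str) -> str:
    """Turn \\??\\C:\\x into C:\\x; leave already-plain paths alone."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(entries: List[str]) -> List[PendingOp]:
    """Walk the multi-string two entries at a time: source, then destination."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", strip_nt_prefix(src), None, False))
        else:
            replace = dst.startswith("!")
            ops.append(PendingOp("rename", strip_nt_prefix(src),
                                 strip_nt_prefix(dst.lstrip("!")), replace))
    return ops


def scheduled_deletions(entries: List[str]) -> List[str]:
    """Just the files that will vanish at the next boot; the list to review before rebooting."""
    return [op.source for op in parse_pending_renames(entries) if op.action == "delete"]


# Constructed sample: one delete-on-reboot queued by a cleanup tool, one replace-on-reboot.
SAMPLE_VALUE = [
    "\\??\\C:\\Temp\\suspect.exe", "",
    "\\??\\C:\\Windows\\Temp\\update.tmp", "!\\??\\C:\\Windows\\System32\\example.dll",
]

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_VALUE):
        print(op)
    print("to be deleted:", scheduled_deletions(SAMPLE_VALUE))
```

Reading this queue answers the practical half of the question: a delayed delete is only safe if the files in it are ones the OS can live without, which is exactly the objection raised in the next reply.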


Re: Virut Virus -- Here's a humdinger.

Post by sanddbox on Thu Mar 18, 2010 12:07 am

Primux wrote: I'm far beyond "Starting with simple malware and moving myself up". I've been working with removing viruses and spyware for about ten years now. I'm just particularly fascinated with this particular virus. I've encountered other viruses that I've had to remove by using a bootable CD, although I imagine there's a way I could have done it without having done that.

Here's a question to which I know the answer: What's to keep you from simply removing the registry keys/other startup entries that are loading the virus?

And here's a question to which I don't know the answer: Why can't you use something like pendmoves or gmer to perform a delayed-write operation to delete the files that the virus has infected before they're loaded at the next boot? Now obviously if it's infected something like ntoskrnl.exe then you can't delete that, but what if it hasn't yet attacked system files like that?


Didn't you say the virus spreads to every file that is executed? A lot of important files are executed. It would probably ruin your OS if you purged every file infected.
sanddbox
Expert
Posts: 2337
Joined: Sat Jul 04, 2009 5:20 pm


Re: Virut Virus -- Here's a humdinger.

Post by DamegedSpy on Thu Mar 18, 2010 1:57 am

Well, you will trash the OS.
That's why this malware is VERY destructive.
You could check something called "Sandboxie". It prevents malware to some point.
DamegedSpy
Poster
Posts: 273
Joined: Sat Dec 19, 2009 1:40 pm