
thekeys.ws virus (don't know what it is)


simonzack
March 12th, 2009, 07:01
Hi,
I'm nearly a complete newbie in malware analysis; however, I know a little bit about RCE.
I tried analyzing some malware by myself, and came across this website: thekeys.ws (all files contain trojans).
Checking one of the trojans (an auto-downloader), even for me it was an easy task to analyze.
However, I assumed the other file coming with it was an easy and boring exe, but it turns out it was a virus.

Disassembling it in IDA got me infected.
By checking out a few infected exes, I found out BPing on kernel32.CloseHandle until reaching popad will get you to the OEP (the virus is not packed, it inserts some code).
Some other stuff I found: it is polymorphic, modifies winlogon, and modifies the hosts file to get access to the internet and download some other malware.

I don't know what this is, and have no idea how to remove it

Searching on Google I can't find anything, and have no tool for removal, so I'm asking for some help.

thank you all

the virus infected itself

pass: thekeys.ws

esther
March 12th, 2009, 09:43
virus name=win32.vitro
Installing an AV should be able to help you remove it.

simonzack
March 13th, 2009, 00:21
Thanks for the info
The virus finally hijacked winlogon (BSOD; I think the virus errored because of an unexpected ExitProcess, which the virus calls if something in it fails) and I can't log on anymore.
Which AV should I use so I can repair the files instead of removing them?
I think such a tool should exist because I don't think repairing the files is that hard, since the virus contains the original code of the stolen OEP unencrypted.
i would need a free av/tool
some suggestions?

Any way to log on at all?
The Windows recovery disk is fucking stupid,
it can't detect any hard drive, so it refuses to repair Windows.
i'm lost on what to do


The virus killed safe mode too by modifying winlogon.

Kayaker
March 13th, 2009, 01:53
Hi

In doing a quick search of this new Virut variant, as identified by esther, it looks like most of the IT guys are tearing their hair out over this one. The recommended solution seems to be a complete reformat/repartition/reinstall.

The problem with running an AV on it, for the few that might be able to deal with it at this point in time, is that the infected files will be deleted or moved to quarantine, not repaired, including all infected system files. Run the AV once and you can't even reboot.

All things considered, and the fact that you're dealing with the very advanced Virut family, I would simply bite the bullet and do a complete reformat/reinstall. That is, if you want to sleep at night.

Since it's been mentioned to also infect html and pdf files, I wouldn't keep any of those old files around either:

http://community.ca.com/blogs/securityadvisor/archive/2009/02/09/infectious-virut-on-the-loose.aspx


Some of the Virut strains are reported to infect the MBR, I think the recommended method in that case is to POWER OFF the computer completely after deleting the partitions, BEFORE creating the new partitions and reinstalling the OS. See here for example:

http://www.bleepingcomputer.com/forums/?showtopic=200801&view=findpost&p=1130216




Let's back up a minute. What do you mean by "Disassembling it in IDA got me infected"?

Infection from a static disassembly should be impossible. Unless you were actually debugging it and it got away from you.

I don't mean to admonish you, but to start with, you should NEVER NEVER NEVER analyze a malware outside of a VM/Sandbox. There are several threads in this particular forum, as well as google of course, with links or information on setting up and properly using such a system.

Even when handling an exe file for static disassembly in IDA (on your main system), it's usually safer to rename the *.exe extension so you never have to worry about accidentally double clicking on them. (I usually rename them to *.dll files so they are still easily opened by other tools).
All live analysis MUST be done in a VM!


Good luck,
Kayaker

simonzack
March 13th, 2009, 02:23
@Kayaker:
Thanks for the info.
However, I wonder why you need a complete format.
I checked the exe files (while the computer was still alive)
and it seems the OEP is really clear to find; it should be simple to disinfect them, and the rest of the exe is not touched except for the appended virus section, so to keep them I guess I just need to repair and change the OEP (only a few bytes).
This sounds very different from your description, I'm guessing it's not the new strain?
I did analyze the virus in VMware, however I didn't bother to install IDA in it,
so I ran IDA on my physical machine and got infected.
I don't know how it got infected either--I never debugged it, nor did I double-click on it.
The problem then might be from a deobfuscation plugin? (I'm not sure if it executes the exe)
It's true I have no experience in malware, thanks for the advice.

btw I really don't want a repartition,
that'll remove all my RCE stuff from when I started,
all of it.

With html/pdf I guess I'll copy and zip them onto an external hard drive.
I did boot using the Windows recovery disk.
One of the posts says the virus deletes the partitions!
plz let that not happen
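
A defender-side illustration of the OEP point made in the post above, added here as example code (not from the thread or from any tool mentioned in it): a small Python PE header parser that flags an entry point redirected into a trailing writable+executable section, plus the repair step of rewriting only the 4-byte AddressOfEntryPoint field once the original OEP is known. The PE images are constructed inside the block; section names and RVAs are assumptions.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECT_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header blob, not a real binary. sections: (name, VA, VSize, flags)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)  # AddressOfEntryPoint at +16
    opt += b"\x00" * (0xE0 - len(opt))
    table = b"".join(struct.pack(SECT_FMT, n.ljust(8, b"\x00"), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\x00\x00" + coff + opt + table

def _entry_point_offset(data):
    """File offset of AddressOfEntryPoint, after validating the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    return e_lfanew + 4 + 20 + 16  # signature + COFF header + field offset in optional header

def parse_pe(data):
    """Return (entry_rva, [(name, VirtualAddress, VirtualSize, Characteristics), ...])."""
    ep_off = _entry_point_offset(data)
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, ep_off - 36)
    table = ep_off - 16 + size_opt  # section table follows the optional header
    secs = []
    for i in range(num_sections):
        n, vs, va, _, _, _, _, _, _, ch = struct.unpack_from(SECT_FMT, data, table + 40 * i)
        secs.append((n.rstrip(b"\x00").decode("ascii", "replace"), va, vs, ch))
    return struct.unpack_from("<I", data, ep_off)[0], secs

def entry_point_findings(data):
    """Triage heuristic: reasons the entry point looks redirected by an appended-code infector."""
    entry_rva, secs = parse_pe(data)
    holder = next((i for i, (_, va, vs, _) in enumerate(secs) if va <= entry_rva < va + vs), None)
    if holder is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    name, _, _, ch = secs[holder]
    findings = []
    if len(secs) > 1 and holder == len(secs) - 1:
        findings.append("entry point is in the last section %r" % name)
    if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is writable and executable" % name)
    return findings

def restore_entry_point(data, original_rva):
    """Repair step from the post: once the original OEP is known, only this 4-byte field changes."""
    off = _entry_point_offset(data)
    return data[:off] + struct.pack("<I", original_rva) + data[off + 4:]

# Constructed samples (names/RVAs assumed): a clean layout, then a W+X section appended and the OEP moved into it.
CLEAN_SECTIONS = [(b".text", 0x1000, 0x2000, 0x60000020), (b".data", 0x3000, 0x1000, 0xC0000040)]
CLEAN = build_pe(0x1234, CLEAN_SECTIONS)
INFECTED = build_pe(0x4010, CLEAN_SECTIONS + [(b".vir", 0x4000, 0x1000, 0xE0000020)])
```

The heuristic only triages; recovering the original OEP still requires locating it (the post notes the stolen bytes sit unencrypted in the virus body), and the appended section must then be removed by other means.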

esther
March 13th, 2009, 11:57
If you did install VMware Tools, I suspect that the virus, during debugging, "ran" out of VMware and infected your physical machine, just my 2 cents.


Virut variants are nasty stuff, your best bet is to reinstall Windows now.

Kayaker
March 13th, 2009, 12:48
Quote (originally posted by simonzack):
btw I really don't want a repartition


That's the spirit! It's strange that you can't boot the computer, a virus shouldn't kill its host (unless it was designed to do that). It should instead exist symbiotically like the Goa'Uld.

So here's a good opportunity to do some reversing, reinstall Windows if you can and see if you can manually clean the system. Let us know if you have any success.

When you find out it's infected your MBR as well, THEN you can repartition and do it all over again

Darren
March 13th, 2009, 15:41
Hi simonzack,

Do you know of www.virustotal.com? It's a useful place to find out a little more about suspicious files, and like what was said above, 61% of the scanners reported it as a Vitro/Virut variant, but of course these scanners are only useful if they know about such things.

Darren

Woodmann
March 13th, 2009, 18:55
Howdy,

Do not copy or save any files to any other form of media.
Reinstallation will just put the virus right back on your box.

You need to make sure the MBR is clean or you are just wasting time.

Woodmann

esther
March 13th, 2009, 23:20
Hi,
You can load BartPE from your CD, delete the System Volume Information folder, Program Files, the Windows directory and Documents and Settings, then try to reinstall Windows.

Update:
This variant doesn't infect the MBR, per my "research"; it only infects some Windows system files.

simonzack
March 13th, 2009, 23:44
I'm not sure if it has infected the MBR, since the Windows recovery disk can't detect the hard drive (is that intentional by the virus?)
Quote:
Do not copy or save any files to any other form of media.

I'm not sure how I can do this since Windows is stuck at winlogon and thus cannot start up (I think safe mode uses that program too; I think this is not intentional but a virus bug, like some others at the forums you mentioned suggested), can you provide some suggestions? (It CAN still boot up, a pre-start-up AV scan can run.)

BartPE: that'll be most convenient, I'm not sure if this laptop can burn (it's quite old), I'll check.

My original plan was to get some kind of external hard drive enclosure to transfer my files to another computer, with no-execute mode (not sure how to do that yet), then to statically compare the virus with an uninfected file (I have a few places where I can compare these), then disinfect the files (all exes).

I hope with BartPE I can change this a bit and only operate on my infected computer (it'll prevent further possible infection).

I don't really plan to study the virus yet, since I think it's easier to disinfect the files first.
The last step would be to remove the stuff in html,
then I would copy these disinfected files to an external hard drive (my files only),
then re-zero the hard drive, reinstall Windows, then copy the stuff back on.
I think this will kill the virus.

My AV warned me many times that the virus was infecting winlogon, but I had no idea this would be the result (thought it was just infecting another exe).

VirusTotal: thanks, I'll check that out.

evaluator
March 14th, 2009, 10:46
I uploaded the decrypted virus body;
where could MBR-like code be??
but @404000 there is some group of encrypted bytes

pass: virus

evaluator
March 15th, 2009, 07:09
Ahm, it is also a downloader!
It downloaded other brothers, and one of them drops a 2007-made
E-Worm.Mydoom.bj.1 MD5=ee1df61226033d18d0ed64820b41fe15

pass: virus

simonzack
March 15th, 2009, 10:05
Yeah, I kinda decrypted it too, and analyzed just a bit further than that, until the place of the Zw functions and the virus poly (I think).
I have not a clue about Zw functions and kernel stuff; is this somehow related to file infection?
Relating to the MBR: I think it might have changed it, since the Windows recovery disk can't recognize the hard drive, thus I can't really use that to fix the MBR.
Umm... does BartPE transfer control to the MBR? If it does, I hope it won't get the virus running again (I hope nothing is run from the hard drive using BartPE).
Do you think this virus can be cleaned quite easily?

evaluator
March 15th, 2009, 13:34
In my opinion, before thinking about virus cleaning, you need to take back control of the partition.

After that, look at every exe/dll/sys on the drive; if any looks packed or encrypted, move it to some chosen directory.
If the system partition is NTFS... lamest thing... just hope there was no stream infection, or cure it.

Edit: but some virus .sys files are not encrypted, and that is the case here with
E-Worm.Mydoom's "protect.sys"

b3n
March 15th, 2009, 18:37
Do you have a SATA hard drive in your computer? In this case some of the older recovery CDs or install CDs do not have the SATA drivers included, thus can't find a hard disk. If that's the case, you would either have to use a floppy disk to load the drivers (which I heard fails most of the time) or you have to integrate the drivers into your rescue/install CD. Just search on Google for slipstream and SATA drivers.

Hope that helps.

PS: of course you should do the driver integration on a clean PC!

b3n
March 15th, 2009, 18:44
For your reinstall: create a new partition on your disk, set it to active and primary, set your current system partition to logical. Install Windows on the new disk. You can also try to use fixmbr/fixboot from the recovery console to overwrite the MBR of your disks. After installing Windows, install a virus scanner and scan your other partition. Delete everything virus related. At least you should still have some of your data on the disk. Next time I would recommend having the system and data on separate disks/partitions. Makes it easier in case of a reinstall.
You can also try a bootable antivirus CD. I recall Kaspersky having one free to download. But as already mentioned, that might screw your system totally so you probably won't get around a reinstall anyway.

regards,
b3n

simonzack
March 16th, 2009, 00:56
I found a good analysis of the virus:
http://securitylabs.websense.com/content/Blogs/3300.aspx
It seems by this analysis the virus is not really hard to get rid of after all;
the only hard thing for me will be the MBR being infected.
I hope I can get BartPE going tomorrow and clean the MBR, and fix the virus.
I'll actually do a re-zero, but I'll keep all the exes.

btw.
From my searching on the web, numerous noobs, with absolutely no experience in malware, have suggested that the exes cannot be disinfected; it is sad that so many noobs not only exist, but copy each other's posts.

evaluator
March 16th, 2009, 13:17
As I found interesting, this virus loads its body into another process not by WriteProcessMemory, but using NtCreate/OpenSection with the target process handle.

simonzack
May 7th, 2009, 06:49
I got BartPE working about a week ago (yes, I know it took a long time),
then I programmed some disinfector to kill the virus.
Though I can start up the computer now (it's quite simple since I just replaced winlogon.exe),
I'm not 100% confident whether the virus still resides on the hard drive or not, so it may infect me again.
I am thinking of hex-scanning the whole hard drive, but I think there are better ways.
Are there scans which allow me NOT to go on the internet to scan my computer?
thanks

Woodmann
May 7th, 2009, 21:11
Howdy,

On a clean box burn the ComboFix.exe file.
If you can find Malwarebytes, burn that also.

Woodmann

More to follow.

simonzack
May 12th, 2009, 00:30
Is the free version of Malwarebytes OK?
Or do I have to have the full one?

I did a hard drive hex scan of the virus signature, which I think is computer-dependent, not file-dependent, and I think it is gone.
I wiped all deleted data, and defragged, so I think the virus is not on the hard drive anymore.

For some reason, Firefox can't start up (I'm quite confident the virus is gone, however I still don't want to start the network as the virus might have downloaded something else/infected html files?).
But IE does, so maybe something in the registry?
I searched a bit but still am not sure why Firefox is dead.
Btw, it's still in the processes after reinstall, it's just not shown in the window handles. I have an AV but I don't want to get it updated over the internet, afraid some virus might get in.

[update] Malwarebytes *did* find a trojan, which I believe the virus downloaded. I saw it when I got the virus, maybe it found a backup copy of the trojan.

[update2] Malwarebytes is quite bad, I think; it didn't find stuff which was supposed to be malware, however it found many FPs. However, it did find a Conficker sample which I saved somehow and which ended up in System Volume Information, I hope this does not indicate a Conficker infection.
I did save it initially as 'exe' instead of some other format, so is that why Windows backed it up?

[update3] I searched in the registry, didn't find anything related to Firefox which prevents it from starting, can you suggest some other detection tools?
thanks a lot

evaluator
May 12th, 2009, 07:48
Delete & reinstall Firefox & all other programs.

simonzack
May 12th, 2009, 08:13
Hi, thanks for the reply.
Did this like 3 times,
nothing worked.

Woodmann
May 12th, 2009, 19:50
OK,

Here's what I had to do just a few days ago.

I did the typical delete partitions and format with a win disk.
Installed XP and the box still acted strange. It didn't start up.
Instead it asked me which version of windows to start.
Ummmmmmm.....there should only be one version of win .

Methinks dirty MBR.

Ultimate Boot CD to the rescue.
I deleted all the partitions.
I deleted all the info in the MBR.
Low level format.

The box is running fast and clean.

Woodmann

You need the full version of Malwarebytes and ComboFix, and Avira wouldn't hurt. Avira will do a boot scan after installation.
This may very well STILL not work.
Right now I try to clean the infected boxes for my own enjoyment BUT a proper douching is the best.
And use DOS based tools, they are much stronger.

evaluator
May 14th, 2009, 06:15
hey!

Don Wooma, maybe it would be good to save that MBR for analysis?..

Another hint: use FAT32 for the system partition, NTFS for big data storage.

Woodmann
May 15th, 2009, 21:21
I will do my best to save it just for you eval .

Don Wooma

GEEK
May 16th, 2009, 05:14
I had a first-hand experience with Virut when it first came out; there weren't many variants then.
After pulling out my hair for a week and looking in vain for help on discussion forums and AV developer sites I found the only solution was to do a complete reformat. I had formatted and reinstalled XP on my C: thrice but it didn't help.
Fortunately Dr.Web came to my rescue as it was the only AV detecting and curing (removing if not curable) it.
The reason I realized it came back again after a format was that it had infected all exe files on the entire computer, so if after the reformat you run Winamp from D: it's infected again.
Another main reason for reinfection is running screen savers.
I don't think it has infected your MBR.

From what I recollect the virus appends some 16 bytes into every exe file and when you run any infected file it hooks all running processes including winlogon, which causes the BSOD. It had some bug because of which it would corrupt some exes instead of just appending data.

What you can do is:
Make a live CD with 2-3 antiviruses (with the latest AV definitions)
Scan the entire computer with all those 2-3 AVs because it might happen that some AV doesn't detect a particular variant
Backup data on C:
Format and reinstall XP on C:
Turn off the screensaver and scan again

I remember zairon had written an article on it recently.



Update: If you think it's Conficker I think there are many tools available to remove it nowadays

simonzack
May 19th, 2009, 05:44
OK,
problem solved.
It had nothing to do with Virut; rather, the Firefox plugin Firebug got some error.
Deleted it and it worked fine,
must've been a faulty update.

I should've tried Firefox safe mode rather than troubling you guys.


I don't think there's anything in the MBR, as this thing is ring 3; the only ring 0 thing is int 2e and I believe that's dead in XP?
And I believe the virus is dead, since a week has passed and it was never active.

I have also checked its infection routine,
which led me to remove the stupid entry in the hosts file.

The only thing now is to disinfect all the .html .php .asp files with the stupid iframe in them,
though I believe Firefox blocks the site anyway; when I checked the site out Firefox blocked it.

btw.

I couldn't believe I didn't find Kayaker's excellent analysis on Google.

Quote:

Don Wooma

What does that mean?
No idea even what language it is.
Sorry
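
For the two cleanup steps named in the post above (the hosts file entry and the iframe injected into .html/.php/.asp files), an added Python example that is not code from the thread: it lists hosts-file mappings that are not stock loopback names, reports iframes whose src host is not one of the site's own hosts, and strips those iframes from the page. The hosts and HTML inputs are constructed samples, and every host name in them is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed samples (not from the infected machine): a hosts file with one extra
# mapping, and a page carrying one legitimate and one injected iframe.
HOSTS_SAMPLE = """\
# hosts file
127.0.0.1       localhost
127.0.0.1       update.example-av.test   # a vendor update host pinned to loopback
"""
HTML_SAMPLE = """\
<html><body><p>my page</p>
<iframe src="http://www.example.com/embed"></iframe>
<iframe src="http://malicious.invalid/x.php" width="1" height="1"></iframe>
</body></html>
"""

DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
IFRAME_TAG_RE = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
IFRAME_BLOCK_RE = re.compile(r'<iframe\b[^>]*>.*?</iframe\s*>', re.I | re.S)

def suspicious_hosts_entries(text):
    """Return (ip, name) pairs for every mapping that is not a stock loopback name.
    hosts format: '<ip> <name> [<name> ...]'; '#' starts a comment."""
    found = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        found.extend((ip, n) for n in names if n.lower() not in DEFAULT_NAMES)
    return found

def foreign_iframes(html, own_hosts):
    """Return iframe src values whose host is not one of the site's own hosts."""
    own = {h.lower() for h in own_hosts}
    return [src for src in IFRAME_TAG_RE.findall(html)
            if (urlparse(src).hostname or "").lower() not in own]

def strip_foreign_iframes(html, own_hosts):
    """Remove every <iframe>...</iframe> whose src points off-site; keep the others untouched."""
    return IFRAME_BLOCK_RE.sub(
        lambda m: "" if foreign_iframes(m.group(0), own_hosts) else m.group(0), html)
```

Run the two scanners over a copy of the files from a clean system, and review the reported entries before deleting anything, since a legitimate page may embed off-site iframes too.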

JMI
May 19th, 2009, 11:51
"Don Wooma" is just a "nickname" evaluator has given Woodmann.

Using the Search function here will give you lots of examples, like the one above.

Regards,

Woodmann
May 19th, 2009, 20:59
Wellllll.......

Here is my take on the Don Wooma thing.

In Italian Cosa Nostra, "Capo Di Tutti Capi" means boss of all bosses.
The word Don indicates the head of a "family".
I'm not sure but I think the term Don is an Americanized word.

So myself being the owner of this place, is viewed by evaluator as the Don or boss of the family.
The family being the moderators and all who post here.

I do prefer Capo Di Tutti Capi though.

Woodmann

simonzack
May 22nd, 2009, 03:44
Finally, done!
Computer is free of Win32.Virut.

evaluator
May 22nd, 2009, 05:45
ahm!
then you should pay for each help-post here!
PRICES:

Don Wooma's 1 post = 5$
Kayaker's 1 post = 4$
my 1 post = 3$
JMI 1 post = 0,3 $
YOUR 1 post = 1 $
Esther should pay to you for her 1 post = 8$ + say SORRY ~:~DDD

Kayaker
May 22nd, 2009, 16:24
Now that's funny

JMI
May 22nd, 2009, 16:31
OK...Now I'm going to have to complain to the Union about equity pay for Senior Citizens.

Regards,

simonzack
May 23rd, 2009, 00:30
lol

esther
May 23rd, 2009, 12:43
*Esther should pay to you for her 1 post = 8$ + say SORRY ~:~DDD
Hi Evaluator,
You have to pay me 10,000 euros for a lawsuit on changing my sex, I'm a GUY!
And sorry to what? brrr

bilbo
May 31st, 2009, 23:53
Quote (originally posted by Woodmann):
Wellllll.......

The word Don indicates the head of a "family".
I'm not sure but I think the term Don is an Americanized word.

"Don" comes from Latin "dominus" (just like "donna" from "domina", and "Madonna" from "mea domina"). It is now considered an honorary title, and it is currently also used before the names of priests.

Best regards, bilbo