
Virut Infection [Terrible]


GEEK
August 30th, 2009, 15:32
hey guys,

I have been infected by the deadly Virut virus because of a stupid friend. I haven't got an antivirus installed and am not able to install one, since Virut is not allowing the Dr.Web self-protection to install.

I would really appreciate it if Kayaker can give me a few pointers on how to deal with it, since he has analysed it in depth.


My system state :

Since being infected a day ago I have been running CureIt (Dr.Web's on-demand virus remover). It does detect and cure the files, but they get reinfected. I am unable to install an antivirus or even access the internet because it doesn't allow loading drivers.

My internet works using an ethernet card; the card is disabled, and so is the internet, because the PC cannot load the ethernet card drivers upon startup.

I have disabled screensavers and deleted all .scr files, but when I try to disable System Restore it says access denied.

I have also deleted the "System Volume Information" folder.

It hooks all running processes, including CureIt and GMER. Kernel Detective gives a BSOD when reading kernel-mode drivers. GMER has been successful in detecting a lot of IAT and code modifications and hidden processes but is unable to stop them.

After killing hidden processes, the next second they are back again. It has also detected some registry modifications which again I am unable to delete. A detailed GMER scan log is attached below. I have been using Process Hacker to stop the virus from downloading more malware.

I have collected live samples if someone needs them. I also ran a string scan in the winlogon process and have attached it as well. It contains a lot of Virut-related entries, including hundreds of Russian websites the virus seems to connect to.

I wanted to know:

1. How do you guys think I can prevent it from running at startup?
2. Allow my LAN card and antivirus drivers to load?
3. Prevent hooking of all processes, including winlogon?

I tried booting in safe mode but, as expected, it didn't help.

I tried checking for a solution on the internet, but everyone seems to be in confusion and a complete reformat is suggested most of the time.

I am going to burn the Dr.Web live CD. Will it help, and even prevent the virus from autostarting?

Update: It hooks 4 functions in ntkrnlmp.exe (ZwCreateSection, ZwCreateProcess, ZwSetSystemInformation, ZwLoadDriver), as shown by GMER.

Any help would be appreciated.

Edit: will attach the Virut string scan and GMER registry scan in a few hours.

Darren
August 30th, 2009, 17:58
You could give Hiren's Boot CD a go ( http://www.hiren.info/pages/bootcd ); download from http://www.hirensbootcd.net/. It has a bootable version of XP called Mini XP which will allow you to access your drive and scan it with the various tools on the CD. I'd recommend Malwarebytes; this is particularly good at removing persistent nasties.

http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.iso is a bootable antivirus CD.

esther
August 30th, 2009, 18:29
You might wanna have a go with this tool from Sysinternals:
http://download.sysinternals.com/Files/ProcessExplorer.zip
Hope it helps.

Woodmann
August 31st, 2009, 19:11
I would try a Linux live disk like Knoppix.

My thinking is if you sneak in with a different OS run off the cd/dvd
you might be able to fool it.

Woodmann

GEEK
September 4th, 2009, 02:52
Sorry for the late reply; my internet access is blocked and I was a bit busy with my job.

I did exactly what Woodmann said.

I burned the Kaspersky Rescue Disk and scanned the entire C:
It runs on Knoppix, I guess.

Cleaned all infected files.
NOTE: I didn't scan all drives since it was taking a LOT of time, but I made sure all startup programs were scanned.

But somehow it got back again.
GMER reported all hooked functions again.
It's frustrating!

I am going to format C: now.
Before reinstallation I will rescan using the live CD.

Let's see if it works.

sfeet
September 5th, 2009, 03:00
The best offline anti-virus method is UBCD4Win, as it enables loading all the registry hives from the infected system, and you can run several different anti-virus/anti-spyware programs from the CD.

http://www.ubcd4win.com/

disavowed
September 5th, 2009, 22:33
Microsoft's Malicious Software Removal Tool is free and will clean Virut from your computer. http://go.microsoft.com/fwlink/?LinkId=40587

GEEK
September 7th, 2009, 13:43
Finally I have got rid of it.

I purchased Dr.Web antivirus, formatted C: and, before reinstalling, ran a live CD Dr.Web and Kaspersky Rescue Disk scan... cleaned all infected files on the other drives... reinstalled the OS... scanned the entire system again using Dr.Web and Microsoft's Malicious Software Removal Tool (thanks disavowed)... both confirmed only one Virut-infected file (the one I had got infected from; I wonder how it escaped after so many scans). I have disabled System Restore and the screensaver just to be safe.
The system is running fine. I am glad I lost no data, as I did take backups from C: and scanned them before reinstalling the OS.

Thanks to all those who helped.

Kayaker
September 7th, 2009, 14:43
Glad you got rid of it GEEK. I had done the analysis of a Virut variant, but it sounded like yours may have had a driver component, which the one I looked at didn't. In such a case, anything was possible.

The reason I thought that was because of the GMER entry
ControlSet001\Services\trnlzsfdq

Was that driver truly part of the malware?

Kayaker

GEEK
September 8th, 2009, 13:45
There was definitely a driver component involved, but I am not sure if it was something it downloaded off the internet or a part of the malware itself.


---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@DisplayName Network Driver
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@ImagePath %SystemRoot%\system32\svchost.exe -k netsv
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@Description Provides user experience theme management.
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq\Parameters@ServiceDll


Also, a driver with a random name loaded from the temp folder each time I boot (even in safe mode):
C:\DOCUME~1\Admin~1\LOCALS~1\Temp\4XJi7tv7.sys

I have attached new logs which I had saved for you and anyone else who might be interested.

virut_strings.txt contains strings inside the hijacked winlogon process.

Here's the link to the malware itself:
http://www.2shared.com/file/6884465/3a40af33/od_online.html
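The GMER registry dump above shows the persistence pattern a responder should recognise: a service with a random-looking name, hosted by svchost.exe with a `-k` group, a Description string lifted from the legitimate Themes service, and an empty ServiceDll value, plus a kernel driver loading from a user Temp folder. The script below is an added example (not code from the thread or from GMER) that parses GMER `Reg` lines offline and flags exactly those indicators. The trnlzsfdq lines are the ones quoted in the thread; the Themes entry, the `abcxyzq` service name and the `KNOWN_DESCRIPTIONS` table are constructed for the example and would need to be populated from a clean reference machine in practice.

```python
import re
from collections import defaultdict

# Constructed sample input. The trnlzsfdq lines are the GMER registry lines quoted
# in the thread; the Themes entry (the legitimate service whose Description was
# copied) and the abcxyzq driver entry pointing at the Temp-folder .sys named in
# the thread are constructed for this example.
SAMPLE_LOG = r"""
---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@DisplayName Network Driver
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@Type 32
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@ImagePath %SystemRoot%\system32\svchost.exe -k netsv
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq@Description Provides user experience theme management.
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq\Parameters
Reg HKLM\SYSTEM\ControlSet001\Services\trnlzsfdq\Parameters@ServiceDll
Reg HKLM\SYSTEM\ControlSet001\Services\Themes@DisplayName Themes
Reg HKLM\SYSTEM\ControlSet001\Services\Themes@ImagePath %SystemRoot%\System32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet001\Services\Themes@Start 2
Reg HKLM\SYSTEM\ControlSet001\Services\Themes@Description Provides user experience theme management.
Reg HKLM\SYSTEM\ControlSet001\Services\Themes\Parameters@ServiceDll %SystemRoot%\System32\shsvcs.dll
Reg HKLM\SYSTEM\ControlSet001\Services\abcxyzq@ImagePath C:\DOCUME~1\Admin~1\LOCALS~1\Temp\4XJi7tv7.sys
Reg HKLM\SYSTEM\ControlSet001\Services\abcxyzq@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\abcxyzq@Start 1
"""

# "Reg <key>[@<valuename>] [<data>]" -- GMER key paths contain no spaces.
LINE_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<name>\S+))?(?:\s+(?P<data>.*))?$")
SERVICE_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)(?:\\(?P<sub>.+))?$", re.IGNORECASE)

# Description strings belonging to legitimate services (constructed, one entry;
# build the real table from a clean machine). Malware reuses these to blend in.
KNOWN_DESCRIPTIONS = {
    "provides user experience theme management.": "themes",
}


def parse_gmer_registry(text):
    """Group GMER 'Reg' lines by service name -> {value name: data}."""
    services = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = SERVICE_RE.search(m.group("key"))
        if not s:
            continue
        entry = services[s.group("svc")]  # registers the service even for bare key lines
        if m.group("name") is None:
            continue
        vname = m.group("name")
        if s.group("sub"):
            vname = s.group("sub") + "\\" + vname  # e.g. Parameters\ServiceDll
        entry[vname] = (m.group("data") or "").strip()
    return dict(services)


def assess_service(name, values):
    """Return the triage indicators that apply to one service entry."""
    reasons = []
    image = values.get("ImagePath", "")
    dll = values.get("Parameters\\ServiceDll", "")
    # An svchost-hosted service must name the DLL it loads; an empty or missing
    # ServiceDll behind a plausible host line is a planted entry.
    if re.search(r"svchost\.exe\s+-k\s", image, re.IGNORECASE) and not dll:
        reasons.append("svchost_without_servicedll")
    # Drivers or service binaries living in a Temp folder.
    if re.search(r"\\temp\\", image, re.IGNORECASE):
        reasons.append("image_in_temp_folder")
    # Description copied from a different, legitimate service.
    owner = KNOWN_DESCRIPTIONS.get(values.get("Description", "").strip().lower())
    if owner and owner != name.lower():
        reasons.append(f"description_copied_from_{owner}")
    # Weak signal: vowel-poor, all-lowercase names look machine-generated.
    letters = [c for c in name if c.isalpha()]
    vowels = sum(c in "aeiou" for c in name.lower())
    if len(letters) >= 7 and name.islower() and vowels / len(letters) < 0.2:
        reasons.append("random_looking_name")
    return reasons


def suspicious_services(text):
    """Map each flagged service name to its indicators; clean services are omitted."""
    return {
        name: reasons
        for name, values in parse_gmer_registry(text).items()
        if (reasons := assess_service(name, values))
    }


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run it on a saved GMER registry scan and the output lists only entries worth a closer look; the legitimate Themes entry, which shares the description and the svchost host line, is not flagged because its ServiceDll is set and its name is its own. The name heuristic is deliberately the last and weakest check: it supports the other indicators rather than standing alone.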