
Wondering about Virut and Sality...

Discussion in 'Security and Privacy' started by megamouth, 2009/06/19.

  1. 2009/06/19
    megamouth

    megamouth Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    11
    Likes Received:
    0
    I was just reading around the forums, and saw a couple of Virut/Sality problems that were "not able to be removed".

    However, I googled it, and saw on the Symantec virus index that the removal for Sality was "easy", and a couple of trusted sites had "Virut removers".

    Not that I doubt your Malware Removal (you guys are the best! I have recommended all my friends to you guys), but is there a specific reason it is not able to be removed when trusted sources said it is easy?
     
  2. 2009/06/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Instead of talking nonsense, Symantec should spend more time on improving its weak products.
    This is how Virut works: http://www.teamfurry.com/wordpress/2007/02/15/under-the-hood-virut/
    I understand it's a little bit of geek talk, but the main point is:
    As to what kind of executables - most of the important system (Windows) files.
    To see it better, please check this thread: http://www.windowsbbs.com/malware-v...e-virut-some-windows-apps-wont-run-after.html
    Look at my reply #12.
    As you can see, Virut modified the most important system files.
    What can you do? Replace all system files? Can you be sure you won't miss a single one?
    There is no cure. Format and reinstall is the only option.
     

  4. 2009/06/19
    megamouth

    megamouth Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    11
    Likes Received:
    0
    OK thx Broni!

    Now I understand better.

    It sounds pretty scary... is there a way to best avoid getting either Virut or Sality?

    And what are some symptoms? Other than
     
  5. 2009/06/19
    megamouth

    megamouth Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    11
    Likes Received:
    0
    Last edited: 2009/06/19
  6. 2009/06/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    There are tens of Virut variants.
    Just to list some:

    W32/Virut—http://vil.nai.com/vil/content/v_141339.htm
    W32/Virut!htm—http://vil.nai.com/vil/content/v_143831.htm
    W32/Virut!mem—http://vil.nai.com/vil/content/v_147991.htm
    W32/Virut!rtf—http://vil.nai.com/vil/content/v_154193.htm
    W32/Virut.a—http://vil.nai.com/vil/content/v_139473.htm
    W32/Virut.a!9BFCFE19—http://vil.nai.com/vil/content/v_146503.htm
    W32/Virut.b—http://vil.nai.com/vil/content/v_139898.htm
    W32/Virut.c—http://vil.nai.com/vil/content/v_141430.htm
    W32/Virut.d—http://vil.nai.com/vil/content/v_141751.htm
    W32/Virut.dr—http://vil.nai.com/vil/content/v_141969.htm
    W32/Virut.e—http://vil.nai.com/vil/content/v_141927.htm
    W32/Virut.f—http://vil.nai.com/vil/content/v_141957.htm
    W32/Virut.g—http://vil.nai.com/vil/content/v_142563.htm
    W32/Virut.gen—http://vil.nai.com/vil/content/v_142592.htm
    W32/Virut.gen!BB215D78—http://vil.nai.com/vil/content/v_150582.htm
    W32/Virut.gen!C33F18E0—http://vil.nai.com/vil/content/v_146499.htm
    W32/Virut.gen.a—http://vil.nai.com/vil/content/v_143432.htm
    W32/Virut.h—http://vil.nai.com/vil/content/v_143034.htm
    W32/Virut.i—http://vil.nai.com/vil/content/v_143033.htm
    W32/Virut.j—http://vil.nai.com/vil/content/v_143054.htm
    W32/Virut.j!3C0367A2—http://vil.nai.com/vil/content/v_150634.htm
    W32/Virut.j!82322FB0—http://vil.nai.com/vil/content/v_150653.htm
    W32/Virut.j!C1CE762F—http://vil.nai.com/vil/content/v_150641.htm
    W32/Virut.k—http://vil.nai.com/vil/content/v_143058.htm
    W32/Virut.m—http://vil.nai.com/vil/content/v_153860.htm
    W32/Virut.n—http://vil.nai.com/vil/content/v_154029.htm
    W32/Virut.n!htm—http://vil.nai.com/vil/content/v_154039.htm
    W32/Virut.n!inf—http://vil.nai.com/vil/content/v_154028.htm
    W32/Virut.n!mem—http://vil.nai.com/vil/content/v_154030.htm
    W32/Virut.n.gen—http://vil.nai.com/vil/content/v_154055.htm
    W32/Virut.o—http://vil.nai.com/vil/content/v_154084.htm

    I follow security developments on quite a few boards, and I've never seen a successful Virut or Sality removal.
     
  7. 2009/06/19
    megamouth

    megamouth Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    11
    Likes Received:
    0
    Ok Thx!

    Can you answer my question:

     
  8. 2009/06/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I totally agree, it's scary...
    There are no prevention tools which actually target any particular type of infection.
    Below is a good link giving you some steps to avoid infections, but there will never be a 100% guarantee.
    It's a very simple historic rule: if there is a weapon, there will be an anti-weapon.
    The two most important things:
    - keep your computer up to date (I mean everything)
    - be smart

    More reading:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
     
  9. 2009/06/19
    megamouth

    megamouth Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    11
    Likes Received:
    0
    What are some noticeable symptoms?
     
  10. 2009/06/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    This is another tricky part about Virut.
    There are no symptoms which are present in every case.
    I had at least a couple of computers which didn't seem to be infected too badly. A couple of scans didn't show much, and then BAM... Virut.
    In Virut's case, some variants will create a Reader_s.exe file.
    It's easy to miss, because the file has a very similar name to the Adobe Reader file: Reader_sl.exe

    If in any doubt, upload any important system file, like explorer.exe, to http://www.virustotal.com/, and you'll know right away.
     
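An added example, not code from the thread or from any vendor tool, in the spirit of the explorer.exe check above: record SHA-256 hashes of critical executables while the system is known clean, compare them later to catch in-place patching of the kind Virut does, and flag the Reader_s.exe lookalike named in the post. The demo directory and stand-in file are constructed, not real Windows binaries.

```python
# Added example, not code from the thread: hash-baseline integrity check in the
# spirit of broni's advice, since Virut patches legitimate executables in place.
import hashlib
import os
from pathlib import Path

# Lookalike name the post mentions (the legitimate Adobe helper is Reader_sl.exe).
SUSPECT_NAME = "reader_s.exe"

def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record current hashes; run this only on a system known to be clean
    (or fill it from hashes VirusTotal reports as clean)."""
    return {p: sha256_file(p) for p in paths}

def check_integrity(baseline):
    """Compare files against baseline {path: expected_sha256}.
    Returns {path: 'modified' | 'missing'} for anything that does not match."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif sha256_file(path) != expected.lower():
            findings[path] = "modified"
    return findings

def find_lookalikes(directory):
    """List files in directory named Reader_s.exe, case-insensitively,
    because Windows filenames are case-insensitive."""
    return sorted(
        str(p) for p in Path(directory).iterdir()
        if p.is_file() and p.name.lower() == SUSPECT_NAME
    )

if __name__ == "__main__":
    # Constructed demo: a stand-in file, not a real Windows binary.
    import tempfile
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "explorer.exe")
    Path(exe).write_bytes(b"MZ clean stand-in")
    base = build_baseline([exe])
    Path(exe).write_bytes(b"MZ clean stand-in" + b"\x90" * 8)  # simulate patching
    print(check_integrity(base))  # reports explorer.exe as 'modified'
```
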
  11. 2009/06/19
    megamouth

    megamouth Inactive Thread Starter

    Joined:
    2009/04/14
    Messages:
    11
    Likes Received:
    0
    What I don't understand is how some people get viruses and others don't.

    For example, I can bet that a lot of staff on WindowsBBS have never gotten a Virut or Conficker virus. Yet others seem to be overflowing with them, even when they have the exact same security.

    The Internet is a thing of luck, I guess.
     
  12. 2009/06/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    IMO, there is definitely a relationship between being computer savvy and being safe.
    It's simple: you know more, you can defend yourself better.
    On top of it, from time to time, we all do stupid things.
    I can give you an example from my own sandbox.

    One of my computers is an old machine, which originally came with Win 98.
    I don't use it much, just for testing purposes.
    One day, I decided to give it a fresh install of Windows 2K.
    Being not so smart at that moment, I kept the computer connected to the net.
    You know, having it connected, I'll quickly download, and install all service packs, updates, etc.
    Not so....
    By the time the Win 2K installation was completed and the firewall downloaded and installed, I had 3 trojans on the computer already.
    1 hour? More than enough time to get your computer messed up.
     
