Monday, June 2, 2008

Virut is back again - sigh

Posted on 5:07 AM by Unknown
Virut (PE_VIRUT.XZ in this case) is back again.

This one "spreads" via email with the subject "Important update from Microsoft Windows XP/2003 Professional Service Pack 2(KB946026)" or "Critical Security Update for Microsoft Windows (KB946026)".
From: Micrisoft Corporation 2008 ©
The link to the supposed WINDOWS-KB946026-X86-ENU download from Microsoft for the fix goes to this address:

URL=hxxp://xxxxx.net/upload/WINDOWS-KB946026-X86-ENU.EXE.exe

Note: This is NOT the legitimate download from Microsoft. The legitimate WINDOWS-KB946026-x86-ENU.EXE does NOT have the above "Windows icon", but the default exe file icon instead.
The file from the link in the mail doesn't install any updates, but installs Virut, a polymorphic appending file infector.
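The lure described above lends itself to a few mechanical checks that a mail gateway or a triage script can apply before anyone clicks. The script below is an added example and is not code from the original post: it parses a constructed message modelled on the described lure (the sender address, host name and body text are made up, and `http` stands in for the post's defanged `hxxp`) and flags the indicators the post calls out: a Microsoft look-alike display name on a non-Microsoft sender address, a KB "update" offered by mail, a download host outside Microsoft's own domains, and the stacked ".EXE.exe" filename. The double-extension check is written more generally than the single filename in the post: it fires on any executable extension stacked behind another short extension.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure in the post; not a real capture.
SAMPLE_EMAIL = """\
From: "Micrisoft Corporation 2008" <update@example.invalid>
To: user@example.invalid
Subject: Critical Security Update for Microsoft Windows (KB946026)
Content-Type: text/plain

A critical update is available. Download it here:
http://download.example.invalid/upload/WINDOWS-KB946026-X86-ENU.EXE.exe
"""

MICROSOFT_DOMAINS = ("microsoft.com", "windowsupdate.com")
# Catches "Microsoft" as well as typo-squats such as "Micrisoft" or "M1cr0soft".
LOOKALIKE = re.compile(r"m[il1]cr[io0]s[o0]ft", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE = (".exe", ".scr", ".com", ".pif", ".bat")


def host_is_trusted(host):
    """True only for the listed domains or their subdomains, never for look-alikes."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


def double_extension(path):
    """True for names like 'X.EXE.exe' or 'invoice.pdf.exe': an executable extension
    stacked behind another short extension."""
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    return (len(parts) >= 3
            and "." + parts[-1] in EXECUTABLE
            and re.fullmatch(r"[a-z0-9]{2,4}", parts[-2]) is not None)


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if LOOKALIKE.search(display) and not host_is_trusted(sender_domain):
        findings.append(f"sender display name '{display}' impersonates Microsoft "
                        f"but the address domain is '{sender_domain}'")

    subject = msg.get("Subject", "")
    if re.search(r"\bKB\d{6,7}\b", subject) and re.search(r"update", subject, re.IGNORECASE):
        findings.append("subject offers a Microsoft KB update by mail; "
                        "Microsoft does not distribute security updates this way")

    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if not host_is_trusted(parsed.hostname or ""):
            findings.append(f"download link host '{parsed.hostname}' is not a Microsoft domain")
        if double_extension(parsed.path):
            findings.append("download link names a double-extension executable: "
                            + parsed.path.rsplit("/", 1)[-1])
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Each rule on its own is weak (a real Microsoft newsletter mentions KB numbers too), so the findings are meant to be scored together; the sample above trips all four.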

This one attempts to infect any accessed .exe or .scr files by appending itself to the executable. It contains an IRC-based backdoor that provides unauthorized access to infected computers.
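An appending infector of the kind described here leaves structural traces in the PE file that a triage tool can look for: the last section is enlarged to hold the virus body, it is marked writable and executable so the appended code can run and patch itself, the entry point is redirected into that appended region, and stray bytes may sit beyond the last section's raw data (an overlay). The Python below is an added example, not code from the post or from any antivirus product, and it does not identify Virut specifically: it assembles two constructed minimal PE32 files (one clean, one shaped like an appended-infector victim) and runs those structural checks over them. Treat the verdict as a triage hint only; packers, self-extracting installers and signed binaries (whose Authenticode signature lives in the overlay) trip some of the same checks.

```python
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva):
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, *_unused, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), va, vsize, rptr, rsize, chars))
    return entry_rva, sections


def analyze_pe(data):
    """Structural checks that an appending file infector tends to trip."""
    entry_rva, sections = parse_pe(data)
    last = max(sections, key=lambda s: s.raw_pointer + s.raw_size)
    overlay = len(data) - (last.raw_pointer + last.raw_size)
    entry_sec = next((s for s in sections if s.contains_rva(entry_rva)), None)
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    entry_wx = entry_sec is not None and (entry_sec.characteristics & wx) == wx
    return {
        "entry_section": entry_sec.name if entry_sec else None,
        "entry_in_last_section": entry_sec is last,
        "entry_section_write_exec": entry_wx,
        "overlay_bytes": max(overlay, 0),
        "suspicious": entry_sec is last and entry_wx,
    }


def build_sample(sections, entry_rva, overlay=b""):
    """Assemble a minimal PE32 file (constructed test input, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                          # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)     # ImageBase, alignments
    table, bodies, raw_ptr = b"", b"", FILE_ALIGN
    for name, va, vsize, rsize, chars, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(rsize, b"\0")[:rsize]
        raw_ptr += rsize
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(FILE_ALIGN, b"\0") + bodies + overlay


CODE = 0x60000020  # code | execute | read
DATA = 0xC0000040  # initialized data | read | write
STUB = b"\x90" * 15 + b"\xC3"

# Constructed clean layout: entry point in .text, file ends exactly where .data ends.
CLEAN = build_sample([(".text", 0x1000, 0x200, 0x200, CODE, STUB),
                      (".data", 0x2000, 0x200, 0x200, DATA, b"hello")], entry_rva=0x1000)

# Constructed infected-like layout: .data doubled in size and marked executable,
# entry point redirected into the added half, plus 16 stray bytes past the last section.
INFECTED_LIKE = build_sample([(".text", 0x1000, 0x200, 0x200, CODE, STUB),
                              (".data", 0x2000, 0x400, 0x400, DATA | IMAGE_SCN_MEM_EXECUTE, b"hello")],
                             entry_rva=0x2200, overlay=b"\0" * 16)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected-like", INFECTED_LIKE)):
        print(label, analyze_pe(sample))
```

The "suspicious" flag deliberately requires both signals (entry point in the last section and that section being writable plus executable); an overlay alone is reported but not scored, since it is common in legitimate files.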

Luckily, since this is an older variant, most Antivirus Scanners should detect and delete it immediately. That's why it's really important that your Antivirus Scanner is up to date!

In case you are someone who just loves to click links in mails, even though your Antivirus Scanner alerts you, or you have an Antivirus whose trial expired a couple of months ago, or you don't even have an Antivirus installed... well, I can assure you, you'll really regret it if you open/run the file. Mainly because this is a file infector which infects legitimate exe and scr files, so these files cannot simply be deleted, but have to be disinfected instead. And a common problem I see with Virut is that some variants contain a bug in the code, and as a result they misinfect a proportion of executable files. Because of that, an Antivirus Scanner cannot disinfect them properly either, and the result is a corrupted file.

That's why, if I guide someone with Virut present and their Antivirus cannot properly disinfect it, I recommend a format and reinstall, unless the person knows which files are corrupted and how to replace them with clean ones. But even then, there's no guarantee that everything will work properly again and that Virut is gone.
A format and reinstall in this case is still the fastest and especially the safest solution.

So once again, make sure your Antivirus is always up to date!

Source.
Posted in Malware, Prevention
