Seth

Win32/virut

Yesterday I received an infected system in my shop that wouldn't even start in Safe Mode. I slaved it and ran sas:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 10/09/2007 at 01:36 PM

Application Version : 3.9.1008

Core Rules Database Version : 3321

Trace Rules Database Version: 1322

Scan type : Complete Scan

Total Scan Time : 00:33:23

Memory items scanned : 284

Memory threats detected : 0

Registry items scanned : 4466

Registry threats detected : 0

File items scanned : 47722

File threats detected : 220

Adware.Lop-Gen

D:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\BALLCOPYAIMBARB\REAL DART.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\APPLICATION DATA\CLOSE 16\ZGHKZAGZ.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\LOCAL SETTINGS\TEMP\BIS5.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP304\A0052985.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP307\A0053327.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP307\A0053328.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP307\A0053329.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0055732.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055977.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0056011.EXE

Adware.Lop-Variant

D:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LONG SLOW ROAD ITCH\AIM JUMP.EXE

D:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LONG SLOW ROAD ITCH\MODE STOP.EXE

D:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LONG SLOW ROAD ITCH\STOP INFO.EXE

D:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LONG SLOW ROAD ITCH\THUNK GLUE.EXE

D:\DOCUMENTS AND SETTINGS\BARRIE\APPLICATION DATA\CLOSE 16\BEEPGPLOWNSPOP.EXE

D:\DOCUMENTS AND SETTINGS\BARRIE\APPLICATION DATA\CLOSE 16\INTRAACTIVELESS.EXE

D:\DOCUMENTS AND SETTINGS\BARRIE\APPLICATION DATA\CLOSE 16\NJPBYCKP.EXE

D:\DOCUMENTS AND SETTINGS\BARRIE\APPLICATION DATA\CLOSE 16\ONLINESPAMMEOW.EXE

D:\DOCUMENTS AND SETTINGS\BARRIE\LOCAL SETTINGS\TEMP\STA1.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\APPLICATION DATA\CLOSE 16\BEEPGPLOWNSPOP.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\APPLICATION DATA\CLOSE 16\INTRAACTIVELESS.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\APPLICATION DATA\CLOSE 16\INTRAFRAGGPL.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\APPLICATION DATA\CLOSE 16\ONLINESPAMMEOW.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\APPLICATION DATA\CLOSE 16\WWHRLEIN.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\APPLICATION DATA\CLOSE 16\XWMCDZRG.EXE

D:\DOCUMENTS AND SETTINGS\JANICE CARSON\LOCAL SETTINGS\TEMP\STA1.EXE

D:\DOCUMENTS AND SETTINGS\TIGGER'S OWNER\APPLICATION DATA\CLOSE 16\BEEPGPLOWNSPOP.EXE

D:\DOCUMENTS AND SETTINGS\TIGGER'S OWNER\APPLICATION DATA\CLOSE 16\FGSPFNHM.EXE

D:\DOCUMENTS AND SETTINGS\TIGGER'S OWNER\APPLICATION DATA\CLOSE 16\FXWQBIPH.EXE

D:\DOCUMENTS AND SETTINGS\TIGGER'S OWNER\APPLICATION DATA\CLOSE 16\INTRAACTIVELESS.EXE

D:\DOCUMENTS AND SETTINGS\TIGGER'S OWNER\APPLICATION DATA\CLOSE 16\ONLINESPAMMEOW.EXE

D:\DOCUMENTS AND SETTINGS\TIGGER'S OWNER\LOCAL SETTINGS\TEMP\STA1.EXE

D:\DOCUMENTS AND SETTINGS\TIGGER'S OWNER\LOCAL SETTINGS\TEMP\STA2.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP308\A0053333.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP308\A0053354.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP308\A0053355.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP309\A0053368.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP309\A0053389.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP309\A0053390.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP310\A0053394.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP310\A0053415.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP311\A0053428.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP311\A0053444.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP315\A0053454.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP315\A0053469.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP315\A0053479.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP316\A0053488.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP316\A0053496.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP316\A0053506.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP316\A0053519.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP318\A0053651.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP318\A0053657.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP319\A0053664.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP319\A0053665.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP319\A0053678.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP319\A0053688.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP320\A0053698.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP320\A0053702.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP321\A0053718.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP321\A0053726.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP321\A0053733.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP321\A0053751.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0053766.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0053775.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP322\A0053776.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP323\A0053783.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP323\A0053798.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP324\A0053809.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP326\A0053826.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP326\A0053835.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP326\A0053849.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP327\A0053893.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP327\A0053903.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP327\A0053909.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP327\A0053924.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP327\A0053925.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0053948.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0053956.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0053995.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP329\A0054003.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP329\A0054021.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP330\A0054029.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP330\A0054049.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP330\A0054059.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP330\A0054079.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0054099.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0054111.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0054117.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP333\A0054143.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP334\A0054163.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP335\A0054186.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336\A0054201.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP336\A0054214.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337\A0054228.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP338\A0054314.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP338\A0054327.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP338\A0054347.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP338\A0054363.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339\A0054367.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339\A0054392.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339\A0054401.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339\A0054413.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP339\A0055414.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP340\A0055436.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP341\A0055449.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP343\A0055479.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP343\A0055580.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP345\A0055593.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0055618.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0055629.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0055641.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP346\A0055652.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0055667.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0055674.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP347\A0055685.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0055708.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0055724.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP348\A0055731.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP349\A0055741.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055953.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055967.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055976.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055978.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055979.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055980.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055988.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0055998.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0056006.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP350\A0056010.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0056016.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0056029.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0056040.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP351\A0056047.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0056069.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0056070.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0056086.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP353\A0056095.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0056102.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0056116.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0056125.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP354\A0057116.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0057124.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP355\A0057133.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0057153.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0057159.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP356\A0057168.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0057192.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0057364.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0057386.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0057398.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP357\A0057409.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP358\A0057414.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP359\A0057431.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP359\A0057432.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP360\A0057633.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0061048.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0062435.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0063440.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0063448.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0064434.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0064443.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0065440.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0065449.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0066442.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0067441.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0067502.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0068492.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0068502.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0069495.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0070489.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0070497.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0071508.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0072502.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073494.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0073500.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0076513.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0076520.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0079491.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0080491.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0080497.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0081511.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0082505.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0083500.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0086500.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0087505.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0088488.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0088498.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0088506.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0089505.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0090488.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0091496.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0091508.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0093519.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0095517.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0096495.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0097508.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0097515.EXE

Trojan.Downloader-Gen/MobRules

D:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\XCTYZKJK.DLL

D:\PROGRAM FILES\BDFNNTZQ\QENKUYAM.DLL

Trojan.Unknown Origin

D:\DOCUMENTS AND SETTINGS\BARRIE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\WTQJ8X6N\FOYGQ2JV9B[1].EXE

D:\PROGRAM FILES\VGHQJIHI\ZEXULGTO.DLL

Adware.eZula

D:\DOCUMENTS AND SETTINGS\TIGGER'S OWNER\LOCAL SETTINGS\TEMP\SSDKJGXM.EXE

Trojan.Downloader-PSCMain

D:\PROGRAM FILES\SECCENTER\SCPROT4.EXE

Trojan.Downloader-Gen/HitItQuitIt

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0062403.DLL

Malware.Ultimate Defender

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0062441.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0062442.EXE

D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0067450.EXE

D:\WINDOWS\SYSTEM32\SRVUQSJA\SRVUQSJA1.EXE

D:\WINDOWS\SYSTEM32\SRVUQSJA\SRVUQSJA2.EXE

D:\WINDOWS\SYSTEM32\SRVUQSJA\SRVUQSJA3.EXE

Trojan.WinFixer

D:\WINDOWS\SYSTEM32\MLLMM.DLL

Trojan.Net-NUSR

D:\WINDOWS\SYSTEM32\NUSRMGR.EXE

Trojan.Downloader-FakeRX

D:\WINDOWS\SYSTEM32\OEMBIOS32.DLL

Trojan.SearchTool

D:\WINDOWS\SYSTEM32\UPMEDIA\CONTENTTOOL.DLL

Trojan.Downloader-Win/GHY

D:\WINDOWS\SYSTEM32\WINZDN32.DLL

Trace.Known Threat Sources

D:\Documents and Settings\Barrie\Local Settings\Temporary Internet Files\Content.IE5\YNOF9Y4G\xcd23[1].exe

D:\Documents and Settings\Barrie\Local Settings\Temporary Internet Files\Content.IE5\TUB7V4GG\anti4[1].exe

D:\Documents and Settings\Barrie\Local Settings\Temporary Internet Files\Content.IE5\O5I7812B\xc29[1].exe

D:\Documents and Settings\Barrie\Local Settings\Temporary Internet Files\Content.IE5\C1IJC5Y3\antzom[1].exe

D:\Documents and Settings\Barrie\Local Settings\Temporary Internet Files\Content.IE5\YNOF9Y4G\text[1].dat

I then reinstalled the drive and XP booted successfully. I installed sas and ran a complete scan from safe mode. I followed up with an Ewido online scan which found 2 reg remnants and one executable. (I didn't research the executable.) Everything was looking hunky dory. The system was stable and fast, with no visible sign of infection.

I thought I'd give Eset's online scan a try. I fired it up and walked away. Came back about 30 minutes later to find that Nod claimed the system had W32/virut. Nod proceeded to delete over 1000 XP and program executables.

I attempted a repair install, but it couldn't handle that amount of file damage. The system is now totally hosed and requires a clean install.

I've been researching win32/virut. Provided that it performs its intended function, it's easily removed. However, a bug in the malware causes it to infect thousands of executables. I've seen a few threads with a virut-infected computer and all resulted in a format.

How is sas dealing with win32/virut?

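The log above is SAS's plain-text format: a threat name on its own line, followed by the paths detected under it. Most of the 220 hits sit in System Volume Information restore points, which only matter if a restore point is applied; a triage script should separate those from files that were live on the volume before deciding what a slaved-drive scan has actually found. The following is an added example written for this page, not code from the original post or from SUPERAntiSpyware; the location buckets are my own convention, and the embedded log is a constructed subset of the one posted above.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the log posted above (paths copied from it); the
# header lines are included to show that the parser ignores them.
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
File items scanned : 47722
File threats detected : 220

Adware.Lop-Gen
D:\DOCUMENTS AND SETTINGS\JANICE CARSON\LOCAL SETTINGS\TEMP\BIS5.EXE
D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP304\A0052985.EXE

Malware.Ultimate Defender
D:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP361\A0062441.EXE
D:\WINDOWS\SYSTEM32\SRVUQSJA\SRVUQSJA1.EXE

Trojan.Net-NUSR
D:\WINDOWS\SYSTEM32\NUSRMGR.EXE

Trace.Known Threat Sources
D:\Documents and Settings\Barrie\Local Settings\Temporary Internet Files\Content.IE5\YNOF9Y4G\xcd23[1].exe
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")


def classify(path):
    """Bucket a detected path by how much it matters on the live system (my own convention)."""
    p = path.upper()
    if "\\SYSTEM VOLUME INFORMATION\\" in p:
        return "restore_point"   # inert unless that restore point is applied
    if "\\TEMPORARY INTERNET FILES\\" in p:
        return "browser_cache"   # a downloaded dropper, not an installed one
    if "\\WINDOWS\\" in p:
        return "system"          # under %SystemRoot%: loaded by the OS itself
    return "user_profile"        # per-user Application Data / Temp


def parse_sas_log(text):
    """Return [(threat_name, path), ...] from a SAS log body.

    A drive-letter line is a detected path; any other non-blank line that is
    not a 'Key : value' header line or a URL names the threat group that the
    path lines after it belong to.
    """
    entries, threat = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            if threat is not None:
                entries.append((threat, line))
        elif " : " not in line and not line.lower().startswith("http"):
            threat = line
    return entries


def summarize(entries):
    """Map threat name -> Counter of location classes."""
    by_threat = defaultdict(Counter)
    for threat, path in entries:
        by_threat[threat][classify(path)] += 1
    return by_threat


def live_hits(entries):
    """Paths that were actually installed on the live volume, in log order."""
    return [p for _, p in entries if classify(p) in ("system", "user_profile")]


if __name__ == "__main__":
    found = parse_sas_log(SAMPLE_LOG)
    for threat, buckets in summarize(found).items():
        print(f"{threat}: {dict(buckets)}")
    print("live:", *live_hits(found), sep="\n  ")
```

Run against the full log, the restore-point bucket swallows the bulk of the Adware.Lop hits, and the live list shrinks to the System32 droppers and the per-user Application Data executables, which is the set that tells you what was really running.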

Hi Seth

Virut is a mass file infector and, although classified as a worm, its collateral damage is on par with a very nasty virus.

FYI, the only times I have had to R&R my research/victim machine used for malware hunting in the last year (3 times) were because of Virut.

No tools (including SAS, which is not AV, so it will not disinfect spliced executables), AV software or standalone Virut removal tools could effect a complete disinfection.

Virut would set itself up in core loaded system EXEs on install and then spread through all other EXEs as they were loaded into memory.

Net result: no tool could completely remove it from an infected system, and it would respawn from a single EXE file.

So for the latest variants of Virut (IME R.T and X) = reformat and reinstall.

FYI, this is also the current conclusion from the antimalware community in closed/research forums etc.

So don't judge SAS too harshly on this, since no other can get the job done 100%, not that file disinfecting is within SAS's field of operation to begin with.

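fatdcuk's point that SAS will not disinfect "spliced executables" is about what a file infector leaves behind: the host program is kept intact, but its entry point is redirected into code the infector has appended, which is why every EXE and DLL on the volume becomes suspect once a single one is. The following is an added example of a structural triage check for that shape, written for this page and not taken from the post, from SUPERAntiSpyware, or from any Virut analysis. It parses the PE section table and flags images whose entry point sits in the last section, whose entry section is both writable and executable, or whose entry point lies outside every section. The two header-only images it examines are constructed in the code; the grown, RWX last section with a redirected entry point is a generic appending-infector pattern assumed here for illustration, not a Virut signature.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RSRC = IMAGE_SCN_MEM_READ
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, rva, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                      # after COFF header
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_off + i * 40                                 # 40-byte section header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, rva, max(vsize, rawsize), chars))
    return entry_rva, sections


def infector_indicators(data):
    """List the structural oddities an appending infector tends to leave behind."""
    entry, sections = parse_sections(data)
    home = next((i for i, (_, rva, size, _) in enumerate(sections)
                 if rva <= entry < rva + size), None)
    if home is None:
        return ["entry point outside all sections"]
    name, _, _, chars = sections[home]
    findings = []
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append(f"entry point in last section {name!r}")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name!r} is writable and executable")
    return findings


def build_pe(sections, entry_rva):
    """Emit a header-only PE32 image (no code) with the requested layout, for testing."""
    opt_size = 224                                             # PE32 optional header
    hdr = bytearray(b"MZ" + b"\0" * 0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    hdr += opt
    for name, rva, size, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, size, rva, size, 0, 0, 0, 0, 0, chars)
    return bytes(hdr)


# Constructed: an ordinary three-section layout with the entry point in .text.
CLEAN = build_pe([(b".text", 0x1000, 0x1000, CODE),
                  (b".data", 0x2000, 0x1000, DATA),
                  (b".rsrc", 0x3000, 0x1000, RSRC)], 0x1100)
# Constructed: the same image after a hypothetical appending infection; the
# last section is grown and made RWX and the entry point is moved into it.
SPLICED = build_pe([(b".text", 0x1000, 0x1000, CODE),
                    (b".data", 0x2000, 0x1000, DATA),
                    (b".rsrc", 0x3000, 0x2000, RWX)], 0x4800)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("spliced", SPLICED)):
        print(label, infector_indicators(image) or ["no indicators"])
```

Treat the output as triage, not a verdict: runtime packers also place the entry point in a late, writable section, so a hash comparison of every EXE and DLL against a known-good catalog of the same Windows build is the stronger check. Neither says anything about copies already loaded in memory on the running system, which is why the thread ends at reformat and reinstall.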

Thank you for the reply, fatdcuk. Sheesh, you gotta get an easier name :)

Yup, a wipe and reload is the only way to go with this infection.

I should have been clearer with my question. What I'd like to know is if sas can prevent it from installing.


I would guess so if it knows the dropper file, but that said, I will leave that to Nick to answer, since my area of intensive SAS testing is regarding detection and cleaning :)


The malware corrupts the Windows files to unrecoverable condition. Antivirus utilities recognize and then try to clean, but fail to bring the files back to their default state.


Right, but I'm just trying to find out if SAS's Real Time protection will prevent Virut from running.


If we have definitions, we certainly will block it from running. If you have samples, please send them to us!


Well I'm going to assume that SAS doesn't block / detect Virut, as the slaved log and active log don't show any indication of it.

I don't want to go anywhere near that bad boy (not even a sample). But, I'm sure your team would love to :D.


Well I'm going to assume that SAS doesn't block / detect Virut, as the slaved log and active log don't show any indication of it.

It does detect some dropper files (like the ones I have submitted), and I know Nick has got his harvester all over at least one particular URL that spits them out (******.name), but I don't believe SAS can target worm code route1, and even if it could, the thing is being repacked (new MD5) alarmingly quickly.

It helps to remember SAS doesn't detect in the same way as AV, though.

I don't want to go anywhere near that bad boy (not even a sample). But, I'm sure your team would love to :D.

Since I don't use imaging/rollback or VM... I'm with you on this one.

So Nick,

Are you and the boys going to look into Virut?

We already have been, we are just looking for additional samples.


Sweet.

I'll be watching the updates 8)


FYI. Our definitions may not be called "Virut" as we do designations based upon our research, what's inside the file, etc.


Ok.

Can you please let us know when you've added some definitions for it?


We already have some. We won't be able to disinfect the files it attaches itself to as that's not something we tackle as an Anti-Spyware product, that is more virus like.

fatdcuk, have you tested virut on an XP testbox with a Limited Account?

No... I don't have a separate testbox.

When it's time for the next pave & cave I will create a LTD account and give it a go :P
