Cracks & Keygens spread Virut

[AndyManchesta]

Hi guys,

 

We always say using crack and serial sites is very dangerous as most of the malware around today is distributed from those sites but in the last few weeks they have been adding a file infector named Virut into the bundle and this is coming from multiple keygen and crack sites,

 

Virut will infect .exe and .scr files on the system and once it gets on the machine the only solution is to format and reinstall Windows, you can attempt to clean it using whatever Antivirus program you can think of but the AV programs will also be attacked by the virus, even if they are able to disinfect the files you will find that most of them will not function or run correctly because they have been corrupted by the virus and due to its process injection features such as injecting into winlogon.exe the virus will regenerate after running the scans and reinfect the files. Apart from the damage Virut causes it will also open a backdoor on the machine to allow the attacker full access so the only safe solution is to format and reinstall and with it being a file infector its not even possible to backup any data before doing that.

 

Please consider the consequences before visiting or downloading any files from crack, serial and keygen sites or even accepting those type of files from friends as this is about as bad as it gets

 

Sample Kaspersky scan log attached, No suprises where it came from on that system

 

G:\keygen.exe Infected: Virus.Win32.Virut.l

 

Kav.txt

[hazelnut]

A timely reminder Andy of just how devastating crack sites can be. People think they are safe if they have av or malware protection, but as you have pointed out, this particular nasty has serious consequences for downloaders

[AndyManchesta]

The main problem is that AV programs tend to do a great job at detecting the virus once its trashed the machine but not so great at detecting the installer for the infection so it could easily get past the real time protection on some security programs, for example here's the results for a virut installer from last week and only 6 out of 32 vendors detected it at VirusTotal

 

File install.exe received on 09.15.2007 16:28:26 (CET)

 

Result: 6/32 (18.75%)

 

AntiVir 7.6.0.10 2007.09.14 W32/Virut.W

BitDefender 7.2 2007.09.15 Win32.Virtob.2.Gen

eSafe 7.0.15.0 2007.09.13 Suspicious Trojan/Worm

Microsoft 1.2803 2007.09.15 Virus:Win32/Virut.L

Sophos 4.21.0 2007.09.15 Mal/Dorf-A

Webwasher-Gateway 6.0.1 2007.09.14 Win32.Virut.W

 

File size: 13312 bytes

MD5: 5740638882b6e02b0633d985d550519b

SHA1: 79888eec0327b4fbce5906fa7a90fefee4d58970

 

[DennisD]

Is this little nasty liable to spread its wings wider than crack sites?

[AndyManchesta]

Hi Dennis,

 

I don't think so but this isn't common so its anyone's guess what they hoping to achieve, it sort of defeats the purpose if they damage the system beyond repair as any revenue they would of made from the original malware that gets installed before Virut such as Smitfraud and Vundo type infections will also be lost if the user has to format.

 

Generally file infectors tend to mostly spread using backdoor bots or other network worms so for example a PC gets infected with a IRCBot but the system is already infected with a file infector such as Parite or Virut so it then infects the IRCBot file with the virus then the bot scans random IP's looking for more vulnerable machines to spread to which is usually the first thing bots will get instructed to do when they connect to the IRC channel and because the file is then infected with a Virus it also spreads that to other machines and on it goes infecting each machine it gets on but Virut itself can also be instructed to look for vulnerable systems to infect once that connects to its IRC channel so just keeping a system fully patched and having a strong AV and Firewall would be enough to avoid junk like that.

 

Honeypot sites such as honeynet will pick up Virut/Parite etc that are spreading together with alot of other infections as their sensors act like unpatched systems so I find thats always a useful reminder why keeping Windows updated is essential but if you download and run one of the infected files from the crack sites then even that will not help much.

 

http://honeynet.cz/?mmenu=malware&smen...=en&vmetr=7

[DennisD]

Thanks Andy, this thing puts me in mind of the time when a virus's sole purpose was to cause as much damage as possible.

 

I'm talking about the old Amiga, and the only way they were spread was disk to disk at the Saturday morning computer clubs.

 

Remember this...

 

A wonderful thing has happened. Your Amiga is alive! And, even better, some of your disks are infected by a virus!

 

Reminisced a bit here:

[AndyManchesta]

Amiga

 

That brings back memories, I remember thinking Amiga's were the best thing ever around that time as Id updated from an Amstrad 464 (which Ive still got collecting dust somewhere in my attic )

[Caldor]

Common sense is the best security. Dont run your system in admin. Dont install software from untrusted sources. Use a secure operating system. Interesting that onecare picked up it - told you all that MS will end up dominating this space just like it did with its OS.

[Humpty]

Andy, would a ghost image get you out of this if infected?

[AndyManchesta]

Im really not sure Humpty but its likely Windows features such as system restore would fail due to the amount of damage caused, if the ghost software allows you to boot from a disk to restore to an earlier image rather than run the .exe for the imaging software which would likely also be infected or corrupt by the virus then it may work but I wouldnt like to be put in a position where I had to find out

[Pfipps]

When you go in the sketchy parts of the internet, you need bigger guns - not only a good firewall and AV, you need extra malware protection like

a HIPS or behavior blocker with a sandbox, sometimes even two (since there is no clear definition of behavior blockers like antiviruses). However, you almost need

nothing short of Turning on Windows' firewall if you follow safe computing practices (ie updating windows etc.)

[JDPower]

Due to the seeming lack of an end gain from this infection a conspiracy theory could of course be deliberate infection of these sites by some large software company to scare people off.

Interesting that onecare picked up it

And the conspiracy theory deepens

[login123]

Due to the seeming lack of an end gain from this infection a conspiracy theory could of course be deliberate infection of these sites by some large software company to scare people off.

And the conspiracy theory deepens

 

Or a tune up run toward an even larger purpose...

[Caldor]

MS "assimilated" onecare, much as it did with Windows Defender which was also "assimilating" other peoples IP in a buyout. There's so much malware around that I highly doubt any antimalware vendor needs to drum up its own business - not to even begin to consider a MS conspiracy. MS can hardly take one step these days without being critically observed by the whole planet.

[lotse]

There used to be a list of reputable software, which, apparently, if they dectected a stolen password or serial number would either disable the software or in some cases disable windows itself. I would post the list if I could find it, but it was a few years ago...

 

I never bothered to find out if was true

[JAGO]

What if we were to use a hard drive bridge (allows us to treat our internal drive as an external USB drive) and scan the hard drive using another computer? The hard drive will be powered during this operation. Could we potentially clean the virus out in that regard?