Hello,

W32.Virut.CF is a virus that infects .exe and .scr files on the compromised computer.

The W32.Virut.CF is one of the Variants of W32.Virut

Others Variants of W32.Virut are :

• W32.Virut.A
• W32.Virut.B
• W32.Virut.CF
• W32.Virut.H
• W32.Virut.J
• W32.Virut.R
• W32.Virut.U
• W32.Virut.W

Symantec has created the Tool for W32.Virut.CF

I would Recommend you to apply Application and Device Control meant for W32.Virut. This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another.

"I would Recommend you to apply Application and Device Control meant for W32.Virut. This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another."

Can you please post me an article for making this type of rule?

Hello,

Specifically for  Symantec Endpoint Protection – Application and Device Control meant for W32.Virut.CF

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-020411-2802-99

Here are few of such Articles:

perfect. i have replaced virut policy . pushed all over the network and now im waiting......to see.

Hello,

Excellent.

NOTE: For The ADC policy to work on all machines, you would require Network Threat Protection and Application and Device Control Feature installed on all machines.

Hi,the ADC policy will arrest further spread of your network.

In case,SEP or the fixvirut.com tool have difficulty removing this threat,yu could also try Microsoft® Windows® Malicious Software Removal Tool

http://go.microsoft.com/fwlink/?LinkId=40587

Microsoft® Windows® Malicious Software Removal Tool includes cleaning capabilities for Virut

You can also read this article on how to deploy Microsoft® Windows® Malicious Software Removal Tool in an enterprise environment

http://go.microsoft.com/fwlink/?LinkId=40586

First of all : Thank you all for your quick responses!!!!

I have used symantec's NPE and Avg's rmvirut tool  and i have managed  to clean all pc's infections. Also the virut policy for ADC sepm was critical to stop the spreading.

Im confused thought about how the whole virus infection started. Its a virus discovered in 2006. All my pc's and laptops are up to date with the latest AV Defs (730 w/r's). How the hell it passed through?????

It wasnt a new version of the virus.If it was i believe more ppl would have reported already....

Is there a possibility that the virus pattern was considered old and inactive and was removed recently by symantec?

@Prahveer:: Do you think i should push the specific kb through my WSUS , all over the network's workstations?

This is too weird :(

It's a new variant

Hello guys. Despite the fact that yesterday seemed normal today i have the same situation on the same pc's.

It seems like that the ADC policy is not stopping the spreading.....all pc's are up to daye with the last policy and updates

have set it to terminate, block?

are there any log events from ADC?

Its on block not terminate

Im attaching you the log

Hello,

Could you upload:

1) The Risk Logs from Symantec Endpoint Protection Manager and

2) The Symantec Support Tool Logs from the Infected Machine?

3) Enable the RiskTracer Feature on the SEPM

To Export Risk Logs, follow the Steps below:

1. open sepm
2. click on monitors
3. click on logs
4. select risk,
5. click on advanced settigns option
6. put the computer name or ip which is infected
7. create  log, you can export this log too by clicking export button.

http://www.symantec.com/docs/TECH102539

I would also Recommend you to create a Case with Symantec Technical Support.

QuickStart Guide - Create and Manage Support Cases in SymWISE

http://www.symantec.com/docs/HOWTO31132

How to update a support case and upload diagnostic files with MySupport

http://www.symantec.com/docs/TECH71023

ok im about to do as you advice. before that i would like to add something.

W32.Virut.CF seems open the ports and ipz.exe pass through and does all the damage.

Virut doesnt hit any new pc's. It goes and hit back the  old infected/cleaned pcs and infects them again.

i have found that virut.cf forces a second winlogon.exe to run that contacts with a udp port to www.brenz.pl (oh my god!!!!!)

i have banned the ip of this malware site and did the following troubleshooting :

Search for ipz.exe on system32 and found

ipz.exe

ipz.pf

ipz-db.bin

files that i deleted them

I found on services

Intelligent P2P Zombie service

For XP MAchines ::::

On registry i found and deleted

HKEY_CURRENT_USER\Software\Micorsoft\Search assisten\ACMru\5603
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPZ

For Win7 and Vista Machines

I found only  and deleted :

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ

And did reboot.

On one of my remote sites  the problem seems to stop. Im not still yet sure if its gonna be recreated.

2 hours have past and still im on a good status for that site.
 

Now im about to start cleaning the 2nd site that has the problem but this time im gonna do it with risk tracer .

If you have anything to advice for the procedure i followed please dont hesitate to correct/advise me further!

Thank you :)

Hello,

You are going good.

Keep it up and keep us updated.

so far ~30 systems out of 1.5k been detected with this virus (ipz is detected as spybot not as virut) 

all contain radmin with weak passwords used for temporary remote access instead of RA/MSTSC

the difference is that SEP RU6 MR3 contains and removes the virus, however i don`t seem to find any registry key