
Virut virus.

Created: 10 May 2011 • Updated: 14 May 2011 | 17 comments
This issue has been solved. See solution.

Hello guys.

Something strange came up today. I had a mass infection by Virut.cf, a virus that has been covered by Symantec antivirus pattern definitions since 2009. I am able to fix it with FixVirut.com.

My SEPM is updated to the latest MRU and has solved many problems for me, but this situation is pretty much... weird.

Does anyone have an idea why this might happen?

Thank you!


Mithun Sanghavi wrote:

Hello,

W32.Virut.CF is a virus that infects .exe and .scr files on the compromised computer.

W32.Virut.CF is one of the variants of W32.Virut.

W32.Virut
Discovered: April 11, 2007
Updated: March 3, 2010 9:19:06 AM

The variant W32.Virut.CF
Discovered: February 4, 2009
Updated: February 4, 2009 6:14:14 PM

Other variants of W32.Virut are:

Symantec has created a tool for W32.Virut.CF.

I would recommend that you apply the Application and Device Control policy meant for W32.Virut. This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another.

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Fnxgr2010 wrote:

"I would Recommend you to apply Application and Device Control meant for W32.Virut. This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another."

Can you please post an article on how to make this type of rule?

 

Mithun Sanghavi wrote:

Hello,

Specifically for Symantec Endpoint Protection – Application and Device Control meant for W32.Virut.CF:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-020411-2802-99

Here are a few such articles:

How to use Application and Device Control to limit the spread of a threat
How to create custom policies in SEPM to prevent a threat from spreading
Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security
Using Application and Device Control in Symantec Endpoint Protection (SEP) to block activity in common loading points for threats
Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x
How to create a rule that will block or log Browser Helper Objects in Symantec Endpoint Protection

NOTE: For the ADC policy to work on all machines, you would require the Network Threat Protection and Application and Device Control features installed on all machines.


Fnxgr2010 wrote:

Perfect. I have replaced the Virut policy, pushed it all over the network, and now I'm waiting... to see.

Mithun Sanghavi wrote:

Hello,

Excellent.

NOTE: For the ADC policy to work on all machines, you would require the Network Threat Protection and Application and Device Control features installed on all machines.


Prahveer wrote:

Hi, the ADC policy will arrest further spread across your network.

In case SEP or the fixvirut.com tool have difficulty removing this threat, you could also try the Microsoft® Windows® Malicious Software Removal Tool:

http://go.microsoft.com/fwlink/?LinkId=40587

The Microsoft® Windows® Malicious Software Removal Tool includes cleaning capabilities for Virut.

Prahveer Kumar
BSc(Hons) Mathematics - year 2 student
University Of Technology,Mauritius

 

Prahveer wrote:

You can also read this article on how to deploy the Microsoft® Windows® Malicious Software Removal Tool in an enterprise environment:

http://go.microsoft.com/fwlink/?LinkId=40586


 

Fnxgr2010 wrote:

First of all: Thank you all for your quick responses!!!!

I have used Symantec's NPE and AVG's rmvirut tool and I have managed to clean all the PCs' infections. Also, the Virut policy for ADC in SEPM was critical to stop the spreading.

I'm confused though about how the whole virus infection started. It's a virus discovered in 2006. All my PCs and laptops are up to date with the latest AV defs (730 w/r's). How the hell did it pass through?????

It wasn't a new version of the virus. If it was, I believe more people would have reported it already....

Is there a possibility that the virus pattern was considered old and inactive and was removed recently by Symantec?

@Prahveer: Do you think I should push the specific KB through my WSUS to all of the network's workstations?

This is too weird :(

_Brian wrote:

It's a new variant

Fnxgr2010 wrote:

Hello guys. Despite the fact that yesterday seemed normal, today I have the same situation on the same PCs.

It seems like the ADC policy is not stopping the spreading..... All PCs are up to date with the latest policy and updates.

pete_4u2002 wrote:

Have you set it to terminate or block?

Are there any log events from ADC?

Fnxgr2010 wrote:

It's on block, not terminate.

I'm attaching the log.

Attachment: ADC Block.xlsx (14.83 KB)
Mithun Sanghavi wrote:

Hello,

Could you upload:

1) The Risk Logs from Symantec Endpoint Protection Manager and

2) The Symantec Support Tool logs from the infected machine?

3) Enable the Risk Tracer feature on the SEPM.

To export Risk Logs, follow the steps below:

  1. Open SEPM
  2. Click on Monitors
  3. Click on Logs
  4. Select Risk
  5. Click on the Advanced Settings option
  6. Put in the computer name or IP which is infected
  7. Create the log; you can export this log too by clicking the Export button.

About the Symantec Endpoint Protection Support Tool

What is Risk Tracer?

http://www.symantec.com/docs/TECH102539

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

I would also recommend that you create a case with Symantec Technical Support.

 

QuickStart Guide - Create and Manage Support Cases in SymWISE

http://www.symantec.com/docs/HOWTO31132

How to update a support case and upload diagnostic files with MySupport

http://www.symantec.com/docs/TECH71023


Fnxgr2010 wrote:

OK, I'm about to do as you advise. Before that I would like to add something.

W32.Virut.CF seems to open the ports, and ipz.exe passes through and does all the damage.

Virut doesn't hit any new PCs. It goes and hits back the old infected/cleaned PCs and infects them again.

I have found that Virut.CF forces a second winlogon.exe to run that contacts www.brenz.pl over a UDP port (oh my god!!!!!).

I have banned the IP of this malware site and did the following troubleshooting:

I searched for ipz.exe in system32 and found

ipz.exe

ipz.pf

ipz-db.bin

files that I deleted.

In Services I found

Intelligent P2P Zombie service

For XP machines:

In the registry I found and deleted

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPZ

For Win7 and Vista machines:

I found and deleted only:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ

And did a reboot.

On one of my remote sites the problem seems to have stopped. I'm still not yet sure if it's going to be recreated.

2 hours have passed and I'm still in a good status for that site.

Now I'm about to start cleaning the 2nd site that has the problem, but this time I'm going to do it with Risk Tracer.

If you have anything to advise about the procedure I followed, please don't hesitate to correct/advise me further!

 

Thank you :)

Mithun Sanghavi wrote:

Hello,

You are doing well.

Keep it up and keep us updated.


Fnxgr2010 wrote:

Hello again guys.

We have finally reached a solution.

W32.Virut.CF seems to have a new form.

Basically the whole infection has 2 phases.

Phase 1 is W32.Virut.CF, and what comes after this is phase 2 with ipz.exe and the service it creates, the Intelligent P2P Zombie.

Virut can be cleaned with the Symantec client or any common malware removal tool.

Things you need to know about the zombie:

Intelligent P2P Zombie sends ICMP packets randomly to all the ports available. (But don't get stressed; the reason is coming up next.)

If you are using the Radmin application, Intelligent P2P Zombie will start spreading ipz.exe and copy itself to every client that has an active Radmin service with the same Radmin user authentication.

That means that it will use the Radmin default UDP port 4899 and TCP port 310 (change the default Radmin port and half the job is done).

While you are in disinfection status, never use a domain administrator account to elevate any applications.

Disable all network shares and shut down System Restore.

Be sure that all your workstations have a unique local admin password.

Isolate the infected workstations from the network.

The first workstations and servers that are going to be hit are the ones with the same Radmin authentication credentials or the same local admin, or both.

ipz and Intelligent P2P Zombie clean-up is easy and straightforward:

Kill the ipz.exe process from Task Manager and, from msconfig, disable the Intelligent P2P Zombie service.

Search in Windows\system32 for ipz.exe and ipz-db.bin and delete them both.

Delete all ipz*.pf files from Windows\Prefetch.

Check in windows\system32\drivers\etc whether the hosts file has a www.brenz.pl record apart from the 127.0.0.1 record. If it does, just delete the new record.

The next step is:

Go into regedit and delete

For XP machines:

HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPZ

For Vista and Win7 machines:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ

Also, to be 100% sure, do a whole-registry search for any ipz records!!

Most of the time when you try to erase some of those keys you will get an access denied. The solution is easy. Right click --> Permissions --> Advanced --> Owner tab and replace the ownership with the local admin. After this, give Everyone Full Control and apply. Then just kill it.

That's all.

Thank you guys again for your help, and I hope what we discovered will help others :)

SOLUTION
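As an added example (not code from the thread or from Symantec), here is a read-only PowerShell triage script that checks a single host for the phase-2 indicators listed in Fnxgr2010's troubleshooting post and in the solution post above: the dropped files in System32, the ipz*.pf prefetch traces, the running process, the "Intelligent P2P Zombie" service, the IPZ registry keys in every control set, and the www.brenz.pl hosts-file entry. It reports and deletes nothing, so it can be run on a suspect machine before the manual clean-up the post describes, or pushed to many machines to find the ones that were re-infected. The function name and output format are my own; the ACMru path uses the corrected spelling of the key the post lists, and matching the service display name on "P2P Zombie" is an assumption based on the service name given in the post.

```powershell
# Added triage script, not from the thread. Read-only: it reports indicators and changes nothing.
# Run from an elevated PowerShell prompt so that System32, Prefetch and HKLM are readable.
function Test-IpzIndicators {
    $findings = @()
    $sys32    = Join-Path $env:SystemRoot 'System32'

    # 1. Dropped files named in the thread (ipz.exe and its database in System32)
    foreach ($name in 'ipz.exe', 'ipz-db.bin') {
        $path = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # 2. Prefetch traces: ipz*.pf shows the binary ran even if the file itself is gone
    $prefetch = Join-Path $env:SystemRoot 'Prefetch'
    if (Test-Path -LiteralPath $prefetch) {
        Get-ChildItem -Path $prefetch -Filter 'ipz*.pf' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "Prefetch trace: $($_.FullName)" }
    }

    # 3. Running ipz.exe process
    Get-Process -Name 'ipz' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Running process: ipz.exe (PID $($_.Id))" }

    # 4. The service the post calls "Intelligent P2P Zombie" (service key name IPZ);
    #    the display-name wildcard is an assumption, the key name comes from the thread
    Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'IPZ' -or $_.DisplayName -like '*P2P Zombie*' } |
        ForEach-Object { $findings += "Service: $($_.Name) ($($_.DisplayName)) status=$($_.Status)" }

    # 5. Registry persistence: Services\IPZ and Enum\Root\LEGACY_IPZ in every control set,
    #    not only the ControlSet001/002/CurrentControlSet paths the post happened to see
    Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^(ControlSet\d+|CurrentControlSet)$' } |
        ForEach-Object {
            foreach ($sub in 'Services\IPZ', 'Enum\Root\LEGACY_IPZ') {
                $key = "HKLM:\SYSTEM\$($_.PSChildName)\$sub"
                if (Test-Path -LiteralPath $key) { $findings += "Registry key: $key" }
            }
        }

    # 6. XP Search Assistant history (spelled "Micorsoft\Search assisten" in the thread).
    #    The key itself is normal; only report it if a stored search term mentions ipz.
    $acmru = 'HKCU:\Software\Microsoft\Search Assistant\ACMru\5603'
    if (Test-Path -LiteralPath $acmru) {
        (Get-ItemProperty -LiteralPath $acmru).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'ipz' } |
            ForEach-Object { $findings += "Search MRU entry mentions ipz: $($_.Value)" }
    }

    # 7. hosts file: any non-comment line naming www.brenz.pl, as described in the post
    $hosts = Join-Path $sys32 'drivers\etc\hosts'
    if (Test-Path -LiteralPath $hosts) {
        Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue |
            Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'brenz\.pl' } |
            ForEach-Object { $findings += "hosts entry: $($_.Trim())" }
    }

    return $findings
}

$result = Test-IpzIndicators
if ($result.Count -eq 0) {
    Write-Output "No IPZ indicators found on $env:COMPUTERNAME"
} else {
    Write-Output "IPZ indicators found on $env:COMPUTERNAME:"
    $result | ForEach-Object { Write-Output " - $_" }
}
```

A clean host prints one "No IPZ indicators" line; anything else is a list of exactly which artefacts survived, which is what you want to see before and after the manual removal steps (and, if the service key is still present after a reboot, the ownership problem the post describes is the next thing to look at).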
IuliusAugustus wrote:

So far ~30 systems out of 1.5k have been detected with this virus (ipz is detected as Spybot, not as Virut).

All contain Radmin with weak passwords used for temporary remote access instead of RA/MSTSC.

The difference is that SEP RU6 MR3 contains and removes the virus; however, I don't seem to find any registry key