Wednesday, May 6, 2009

Virut-Vitro

About two or three weeks ago, I got hit by a nasty virus named Virut (later known as Vitro).

Basically, what this does is infect running processes and executable files without the knowledge or awareness of your antivirus software. (Of course, there's one that caught them.)

I do have my antivirus installed on my workstation. I never go a minute without making sure I have (at least so I thought) protection from malware (viruses, infections, et al.).

It all started by finding a crack for the recently released Red Alert game series. I had the privilege to copy the early version of the game with the complete crack with it. I had to find a trainer so I could just test the game without having to worry about the hardship of completing any of the missions. However, after a few missions, the game stopped -- nothing but my desktop was left, as before I opened the game -- it plainly just exited from my console.

Off I went to hunt for a solution from the many sorts of alternatives:
- download a trainer where I can skip missions and proceed to the next
- download a patch and try if the game still works with the currently installed crack
- download a new set of packages with the crack
- download a serial or set of cracks to enable a particular version which is newer than the currently installed one.

I visited an old hunting ground: http://astalavista.box.sk for some hunting. After some clicks from here and there, I got to a website where a prize might just be waiting. I downloaded an exe file -- no alarm from my top-brass, prolific, always-updated antivirus -- I had confidence it was safe.

I ran it. Nothing happened. I tried again, thinking I might not have actually run it the first time. Still, nothing happened. A second later, I felt my computer slowing down. I went ahead and closed some programs I was not using. As I still felt like my 2.4 GHz, 2 GB memory computer was crawling, I went ahead and restarted with a push of the button after failing to restart from the console.

It booted up fine, normally, as it had for the past months, except of course after installing some programs or hardware for my use.

After a few minutes of using it, it was really getting slower and slower, with just the browser on my screen. I am used to opening two or three instances of Mozilla Firefox with at least two tabs on one of them, an instance of Google Chrome with one or two tabs, Mozilla Thunderbird for my mail, Zend Studio, NotePad++ for my code, MySQLFront for my DB GUI, WAMPserver for my web and development work, YahooMessenger, and about half a dozen more programs running in the background. But most of them were not running at this point -- only a few background programs and Firefox.

I started to suspect I had gotten something that was eating up my processing and/or memory allocations. I opened my Task Manager and noticed strange processes running. I refreshed my browser and went to http://processlibrary.com, which gives some info about a particular process.

I got:
reader_s.exe
stopidkc.exe
BN4.tmp
... (and a few more)

I had Tune Up Utilities installed and opened its Process Manager to check what was running. At first, it detected the above as suspicious, so I stopped them from both windows. Some of them kept coming back after a few seconds. In Tune Up Utilities they never came back, but I still saw them in the Task Manager.

I tried to re-check that my antivirus had the latest updates, then proceeded with a full-system scan. It never finished; the computer hung midway through the process.

I needed another antivirus to check further; however, I was not able to browse their websites. I had to search for some mirror location of downloadable files to get one. I tried getting one from my network shares, but I was unable to browse any computer. To avoid further infections, I disabled my two network cards (one for LAN and one for WAN). I used my 40GB external drive to get the downloaded antivirus installer onto my system. That was the last time I used my external drive. I will have to send it for decontamination later.

I was successful at getting PrevX onto my system, but it needed the Internet to clean the system (my stupidity overcame me at that moment). I installed NOD32, but it never updated its definitions. I got AVAST, and it was not able to fetch any updates either. I proceeded to scan the whole system.

I have four 250GB drives, with one drive partitioned into two -- 100GB was set for my system drive and the rest for my work files, temporary files, among others. One of the drives is allocated for my projects, mail, documents, pictures, and others. One drive hosts my software repository -- drivers, software, games, installers, crackers, tools, utilities, and others. The other drive is a spare one for my downloads -- movies, mp3s, software -- that do not last too long. I use it for testing or as temporary storage when necessary.

I used AVAST's boot-up scanner on all my drives. With that much storage space to cover, I had to wait many minutes to an hour before the next alert message. It went smoothly for almost a day. My tasks were now starting to pile up as the days went by.

My computer would boot up fine, but traces of the virus -- in the Task Manager -- still remained. I tried every way to get rid of it. My knowledge of DOS was challenged in searching for and deleting the series of files that went along with the processes from the Task Manager that I had to stop forcefully. None of which proved to ease out the virus.

After some googling and reading about the symptoms, I was convinced it was a strain of Virut. Further reading told me that it's unlikely that it can be removed or repaired. Some say it can be removed or repaired, but the details of how to do it were proven ineffective by others.

I had to reformat my system. I cannot reformat everything. My new additions for the upcoming release of the system I am working on are in it, and it has been too long since I last committed, as they entail some major new changes even at the core level of the system, which I can only implement after a series of tests that I haven't done while finishing some details.

I have all the software I'll be able to use for my work, my career. My documents, pictures, old programs I have built from scratch that I'll not be able to work on again... And the list goes on for the reasons that I should not just reformat my drives.

I re-installed WinXP with a new set of partitions on my system drive. After another day of setting up my system, from which I should have been able to resume my work and the many things already piling up on me, the virus was still there. I had NOD32 installed and updated, but it never brought up a warning that I still had the virus.

I had read that this virus can propagate itself to exe, rar, zip, html, asp, php (oh, PHP -- that's what my projects drive has on it). I had to stop there and think about how these files could still be saved. I had to read more about it. From my readings, the virus injects some lines of code into the web pages so it can connect to a remote IRC server using an <iframe>. Since web pages are written in text format and I never had to use <iframe>, I have to find a way to get the AdvanceFileAndReplace software to locate and identify the files that might be contaminated and, by brute force, I'll have to edit each and every one of them.

I then devised a way to rename all files that have an extension as specified above. I used PHP's file and directory functions to identify and rename the files to a different extension in a recursive fashion on all data drives. I assumed that using aoc in lieu of php would work, aoz for zip, arr for rar, aoe for exe, aom for htm, and so on. I had to leave it running overnight, as I have tons of these file types stored on my machine.
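The renaming pass described above, as an added example written for this page and not the script from the post: it walks a drive with PHP's SPL directory iterators, parks each file under the alternate extension the post chose (php to aoc, zip to aoz, rar to arr, exe to aoe, htm to aom), restores the original extensions later, and lists the lines in web files that contain an <iframe> tag so the injected pages can be found before hand-editing them. The drive paths, the `--go` flag and the `scan` mode are assumptions for illustration.

```php
<?php
// Added example, not the post's own script. Parks files under the post's
// alternate extensions, restores them, and lists <iframe> lines in web files.
// Drive paths, the --go flag and the scan mode are assumptions.

const EXT_MAP = [
    'php' => 'aoc',
    'zip' => 'aoz',
    'rar' => 'arr',
    'exe' => 'aoe',
    'htm' => 'aom',
];

// Yield every regular file below $root, deepest entries first, so a rename
// never touches a directory the iterator is still working through.
function allFiles(string $root): Generator
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $info) {
        if ($info->isFile()) {
            yield $info;
        }
    }
}

// Rename every file whose extension is a key of $map to the mapped extension.
// Returns [old path => new path]; with $dryRun only the plan is returned.
function renameByExtension(string $root, array $map, bool $dryRun = true): array
{
    $done = [];
    foreach (allFiles($root) as $info) {
        $ext = strtolower($info->getExtension());
        if ($ext === '' || !isset($map[$ext])) {
            continue;
        }
        $old = $info->getPathname();
        $new = substr($old, 0, -strlen($ext)) . $map[$ext];
        if (file_exists($new)) {              // never clobber an existing file
            fwrite(STDERR, "skipped, target exists: $new\n");
            continue;
        }
        if (!$dryRun && !rename($old, $new)) {
            fwrite(STDERR, "rename failed: $old\n");
            continue;
        }
        $done[$old] = $new;
    }
    return $done;
}

// Report lines containing "<iframe" in files with the given extensions.
// Returns [path => [line numbers]]; nothing is modified.
function findIframeLines(string $root, array $exts): array
{
    $hits = [];
    foreach (allFiles($root) as $info) {
        if (!in_array(strtolower($info->getExtension()), $exts, true)) {
            continue;
        }
        $lines = @file($info->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;
        }
        foreach ($lines as $i => $line) {
            if (stripos($line, '<iframe') !== false) {
                $hits[$info->getPathname()][] = $i + 1;
            }
        }
    }
    return $hits;
}

// Usage (drive paths are assumptions):
//   php parkfiles.php park    D:\projects        (plan only; add --go to rename)
//   php parkfiles.php restore D:\projects --go
//   php parkfiles.php scan    D:\projects
$mode   = $argv[1] ?? 'scan';
$root   = $argv[2] ?? '.';
$dryRun = !in_array('--go', $argv, true);

if ($mode === 'park' || $mode === 'restore') {
    $map = $mode === 'park' ? EXT_MAP : array_flip(EXT_MAP);
    foreach (renameByExtension($root, $map, $dryRun) as $old => $new) {
        echo ($dryRun ? 'would rename ' : 'renamed ') . "$old -> $new\n";
    }
} else {
    // Check both the parked and the original extensions of the text formats.
    foreach (findIframeLines($root, ['aoc', 'aom', 'php', 'htm', 'html']) as $path => $nums) {
        echo "$path: line(s) " . implode(', ', $nums) . "\n";
    }
}
```

The script runs as a dry run unless `--go` is given, so the plan can be reviewed before anything on the drive is touched; the `scan` mode only reads files, which is the right default while the disk is still suspect. The depth-first walk matters because renaming a file while its parent directory is being enumerated can skip entries on some platforms.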

The next few days I spent assembling my new unit as an upgrade. I had to wait more days for the power supply to arrive from the supplier.

On the new machine, I plugged in my system drive and freshly repartitioned, reformatted and reinstalled Windows XP. As standard, I had to install the drivers and complete the upgrades.

I installed Malwarebytes' Anti-Malware and AVAST, which have been top-rated for detecting and blocking this virus.

I downloaded a new copy of PHP so I could rename the files back to their original extensions before proceeding to clean them up.

I ran MBAM's full-system scanner while having AVAST on real-time scan. As MBAM scanned the drives, AVAST detected traces of Win32.Vitro while MBAM was unaware of it. I am hoping it will work, as I have had to press Alt+D and Alt+E to delete each infected file. As I can no longer stay awake for the many more hours this may take (even while writing this post), I opted to schedule a boot-time full-system scan with AVAST, set to delete all traces of infection (even system files, if there are any).

I am leaving my workstation to do its decontamination, as I need to head home and get some sleep. I need to come in early to prepare the system integration of a much-needed module.