Virus.Win32.Virut.q (analysis and removal instructions)

Recently a user sent us a suspicious file that, according to him, was downloaded from a website claiming that a video codec was needed to play a Flash movie; the "codec" was hosted on the same website. The malicious executable is named video_plugin.exe and, when executed, it creates the following files:

C:\DOCUME~1\user\LOCALS~1\Temp\381562351.exe
C:\DOCUME~1\user\LOCALS~1\Temp\311188061.exe
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\7hjhffd.bat
C:\Documents and Settings\user\__rar_00.000
C:\Documents and Settings\user\__rar_00.100
C:\Documents and Settings\user\svchost.exe
C:\WINDOWS\system32\sfc_os.dll

Using the dropped DLL file sfc_os.dll, the malware disables Windows File Protection by changing the registry value SFCDisable to ffffff9d:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

With Windows File Protection disabled, the malware is free to delete or infect system files without alerting the user. The actions performed by the malware are:

[+] Renamed C:\WINDOWS\explorer.exe to C:\WINDOWS\explorer.exe_
[+] Created its own modified version of explorer.exe at C:\WINDOWS\explorer.exe
[+] Created its own modified version of explorer.exe at C:\WINDOWS\system32\dllcache\explorer.exe
[+] Deleted C:\WINDOWS\explorer.exe_ (the ORIGINAL version)
[+] Modified the code of C:\WINDOWS\system32\drivers\tcpip.sys

This is the virus scanner report for the modified (infected) file named explorer.exe:

Report Generated 25.2.2009 at 23.14.47 (GMT 1)
Filename: explorer_exe
File size: 1107 KB
MD5 Hash: B2BB9906D6F75AF45C987BA979D1BEAB
SHA1 Hash: DDBB4CB75E64BDCACB015E387523D40D1451AE62
CRC32: 1371467216
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 5 on 23 (21,73 %)

Antivirus Sig Version Result
a-squared 24/02/2009 Virus.Win32.Virut.q!IK
Avira AntiVir 7.1.2.71 –
Avast 090223-0 –
AVG 270.11.3/1970 Agent.AZTP
BitDefender 25/02/2009 –
ClamAV 24/02/2009 –
Comodo 986 –
Dr.Web 25/02/2009 –
Ewido 25/02/2009 –
F-PROT 6 20090225 –
IkarusT3 24/02/2009 Virus.Win32.Virut.q
Kaspersky 25/02/2009 –
McAfee 23/02/2009 –
MHR 25/02/2009 –
NOD32 v3 3889 Win32/Agent.NDP virus
Norman 2009/02/24 –
Panda 07/02/2009 –
QuickHeal 25 February, 2009 –
Solo Antivirus 25/02/2009 –
Sophos 25/02/2009 –
TrendMicro 863(586300) –
VBA32 25/02/2009 MalwareScope.Trojan-Spy.BZub.1
VirusBuster 10.101.23 –

Not only has the malware infected the system file explorer.exe and deleted the original to prevent its recovery, it has also infected other system files. We have also observed heavy spam activity generated by this malware, with messages promoting pharmaceutical products and other spam-related content:

Local Address     : 70.43.63.21
Local Port        : 25
 
220 mxfe07.atlngahp.sys.nuvox.net ESMTP Wed, 25 Feb 2009 16:43:42 -0500
 
Local Address     : 208.99.203.243
Local Port        : 25
 
220 mail.marrison.com ESMTP

How to remove this malware (Virus.Win32.Virut)?

The first thing you can do is scan your system with our free NoVirusThanks Malware Remover to check whether your system is also infected by rogue security software. To remove Virus.Win32.Virut, I suggest following these instructions:

1] Boot Windows in Safe Mode (press F8 during boot)

2] Delete the infected files listed above, except C:\WINDOWS\explorer.exe

3] Copy explorer.exe from your Windows OS CD-ROM to C:\WINDOWS\system32\dllcache\explorer.exe, overwriting the existing file. Then re-enable Windows File Protection, which the malware disabled, by setting the value SFCDisable to 0 in the following registry location:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

4] Copy explorer.exe from your OS CD-ROM to C:\WINDOWS\explorer.exe, overwriting the existing infected one.

5] Your explorer.exe should now be the original file. To be sure, scan these files with our Virus Scanner and make sure they are not detected by any AV:

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe

6] Now you can restart your computer and check whether the malware is gone.
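As an added example (not part of the original post), the following PowerShell script verifies the cleanup described in the steps above on the affected machine: it checks that SFCDisable is back to 0, compares the MD5 of both explorer.exe copies against the infected hash from the scanner report and against each other, and checks that the dropped files are gone. It assumes the post's paths, with $env:TEMP and $env:USERPROFILE standing in for the user-specific parts.

```powershell
# Added verification script (not from the original post); paths are the post's,
# with $env:TEMP and $env:USERPROFILE standing in for the user-specific parts.
$Paths = @{
    Explorer = 'C:\WINDOWS\explorer.exe'
    DllCache = 'C:\WINDOWS\system32\dllcache\explorer.exe'
}
# MD5 of the infected explorer.exe from the scanner report above.
$InfectedMd5 = 'B2BB9906D6F75AF45C987BA979D1BEAB'
# Dropped files listed in the analysis.
$Dropped = @(
    "$env:TEMP\381562351.exe", "$env:TEMP\311188061.exe",
    "$env:TEMP\csrssc.exe", "$env:TEMP\7hjhffd.bat",
    "$env:USERPROFILE\__rar_00.000", "$env:USERPROFILE\__rar_00.100",
    "$env:USERPROFILE\svchost.exe", "$env:SystemRoot\system32\sfc_os.dll"
)

function Get-Md5Hex([string]$Path) {
    # .NET MD5 rather than Get-FileHash, so it also runs on old PowerShell versions.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $stream.Close() }
}

$problems = @()
# 1. Windows File Protection must be on: SFCDisable should be 0 (the malware set ffffff9d).
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = (Get-ItemProperty -Path $key -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
if ($null -ne $sfc -and $sfc -ne 0) {
    $problems += ('SFCDisable is 0x{0:X8}, Windows File Protection is still disabled' -f $sfc)
}
# 2. Neither explorer.exe copy may carry the infected hash, and both copies must match.
$hashes = @{}
foreach ($name in $Paths.Keys) {
    if (Test-Path $Paths[$name]) { $hashes[$name] = Get-Md5Hex $Paths[$name] }
    else { $problems += "$($Paths[$name]) is missing" }
}
foreach ($name in $hashes.Keys) {
    if ($hashes[$name] -eq $InfectedMd5) { $problems += "$($Paths[$name]) still has the infected MD5" }
}
if ($hashes.Count -eq 2 -and $hashes['Explorer'] -ne $hashes['DllCache']) {
    $problems += 'C:\WINDOWS\explorer.exe and its dllcache copy differ'
}
# 3. Dropped files should be gone.
foreach ($f in $Dropped) { if (Test-Path $f) { $problems += "dropped file still present: $f" } }

if ($problems.Count -eq 0) { 'No Virut.q artifacts found' } else { $problems }
```

Run it from an elevated PowerShell prompt after step 5; any line it prints is something the cleanup has not yet fixed.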

Alternatively, you could boot a live Windows OS from a CD-ROM and repair the infected explorer.exe. If you have problems removing this malware, contact us and we will try to help you remove it.
