Win32/Virut.O Slipped Past Nod32

Discussion in 'NOD32 version 2 Forum' started by sticktron, Sep 17, 2007.

Thread Status:
Not open for further replies.
  1. sticktron

    sticktron Registered Member

    Joined:
    Sep 17, 2007
    Posts:
    3
    The Virut.O virus got past Nod32, infected it, thus disabling it, and was subsequently spread to many of the executables on my system. Has anyone else been hit with the virus, and found a way to clean it up, or is a re-install of Windows the only option?

    As a side note, in my 20+ years of experience with computers, this is the first virus I've encountered that has actually caused a serious problem. Up until the last year or so, I didn't even use AV software, and the only virus I've ever had in Windows was an email-spamming type, which is embarrassing, but harmless. I use Nod32 now because I have family that share my computer, and they aren't techies.

    There is so much hysteria about computer security these days, with people running a half-dozen security programs because they think a virus might steal their children and burn their house down, this goes to show that even with a top-of-the-line security product like Nod32, you can still catch the rare virus that ends up being quite harmful.

    It's like getting hit by lightning I guess--extremely rare, but it happens, and no amount of protection is going to stop it.
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
  3. sticktron

    sticktron Registered Member

    Joined:
    Sep 17, 2007
    Posts:
    3
    Thanks for the suggestion, but I tried that already, and it doesn't detect the Virut.O variant.

    Plus even if it could "remove" the code added to each .exe that is infected, how do I know that the files haven't been damaged? It looks like starting over fresh is the only way to recover from this infection.

    Given all the paranoia about virii these days, I would have thought a virus that's actually serious like this one would be making some news.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Last edited: Sep 17, 2007
  5. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    Sticktron, just out of curiosity, do you mind me asking, do you have any idea where/how you got this virus? Probably not the question you want asked right now, hope you don't mind me asking.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    There are some Virut variants that cannot be cleaned by any AV in principle and need to be replaced with a clean copy. I'd suggest that you send a sample of it to samples[at]eset.com with this thread's url in the subject.
     
  7. sticktron

    sticktron Registered Member

    Joined:
    Sep 17, 2007
    Posts:
    3
    I'm not sure where the virus came from, actually. I share this computer with my mother, and she was checking her emails and surfing for new wallpaper the other night. The next morning, she told me the computer was slow and she was getting popups while surfing. So I booted up the computer to check it out, and sure enough she was getting the WinAntiVirus2007 popups that appear to be warning you about security and suggesting you download their product.

    Obviously something had infiltrated the system, and I was surprised, so I ran Nod32, and sure enough it told me it had failed its CRC check and had probably been infected. Then Nod started warning me that file after file after file had been infected with Win32/Virut.O.

    Since any program I try to run on the computer now will be infected as well, it's a pretty dire situation. I could hook the drive up to another system and try to clean all the infected files, but so many system files and program files got infected, there is no way to know how many problems I would encounter in the future due to corruption. I would have to hand replace dozens of files, maybe hundreds, and that's not something I particularly want to do.

    Since the Virut virus appears to affect executables only, I will back up documents and pictures and emails, etc., and start again with a fresh install of XP. On the bright side, maybe my system will be a little more "peppy" after a clean install! It has been a while.
     
    Last edited: Sep 18, 2007
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please read my email above and send a sample of it in an archive protected with the password "infected" and this thread's url in the subject to samples[at]eset.com. If it's technically possible to clean the infected files, we'll do so.
     
  9. Solarus

    Solarus Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    1
    Wow, this virus really is a pain...

    I'd been having a few random virus and general problems for a while, so I decided to format my main partition and reinstall windows a few days ago.

    I moved into college yesterday, and they insisted that everyone install an antivirus they provided us with (just a corporate version of NAV). As soon as I installed it, it started popping up telling me I had "W32.Virut!Gen" in completely random files, ranging from drivers to Firefox. I ignored the alerts for a while, thinking it was an error or something minor, but eventually the random quarantining of every other exe file became too much, so I turned it off and restarted, intending to install a different AV program.

    And I then find that Windows doesn't load. I try ctrl-alt-del > Run -> explorer.exe -> "The file explorer.exe cannot be found". So now it appears that all the processes that were running have been infected, and consequently deleted/quarantined by my antivirus.

    Not with enough time to mess around trying to fix it all, I decide to just reformat and reinstall Windows again. I ran the antivirus on my D: partition first (which I didn't format before - it's mostly documents and music, and the remnants of a previous Windows installation which I can't delete) and pretty much every exe file on the partition was infected. In the end I cancelled it before it finished - assuming that some random infected exe files in the depths of some folders I'll never touch wouldn't cause a problem again.

    So I formatted C: again and reinstalled Windows (still leaving D: unformatted though) only to see the same problems come up again as soon as I restarted after installing some drivers and programs - problems starting Windows, exe files being deleted, programs not running (mostly due to missing exe files).

    So, I'm now running a virus scan on D: again and finding a few hundred more exe files - it doesn't appear to have spread to the newly installed programs on C:, although it has deleted a lot of random programs, but almost every exe file on D: is infected.

    I really hope there is some way to deal with this without formatting both partitions, as I've got a lot of documents and music on there which I really don't have the time to back up to CDs and such.

    So what I'm wondering is, where does this virus actually start? Obviously it spreads through any exe (and I think I saw some infected scr files too) that it can find, but how, and is there a root file of it that can be removed?

    Definitely one of the most dangerous viruses I've seen, and I've been infected with most of them at some point.
     
  10. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,220
    Hi there,

    It's been said many times that no AV will always protect you 100%. Nowadays there are too many nasties produced every hour, and therefore the new virus or variant is likely to go undetected.

    IMO there are 2 ways to avoid the so-called 0 day threat:
    Virtualization or Sandboxing (basically the same concept, you can search Wilders for threads relating to these applications, and do some reading).

    Backing up your entire drive to an external USB drive (or even internal if you have one), might take from half an hour to an hour depending on the size and software one uses.

    There is no 100%, but either solution will give you 99% protection.
     
    Last edited: Sep 23, 2007
  11. nodHead

    nodHead Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    85
    I don't get this.

    I did a search and found that Virut.O should be detected since signature level 2506.
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    One Off Topic post removed.

    This is the NOD32 Support Forum.

    Blackspear.
     
  13. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Another off topic post removed. Follow the advice of Eset as posted in this thread.

    Thread is now closed.
     