XP 32bit virut prevention possible?

Discussion in 'other anti-malware software' started by SourMilk, Jun 16, 2009.

Thread Status:
Not open for further replies.
  1. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    I guess no one could answer my Vista 64 question concerning virut prevention so now I'm asking about XP 32bit. DefenseWall or GesWall or Deep Freeze or something else might be able to prevent virut from damaging .exe's or do they fail as well? Certainly, there must be a way to keep that nasty away.
    Thanks for your patience with my ignorance,
    SourMilk out
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Of course it is possible, for Vista, for XP, even Win 98 :)
    Using programs like AV and HIPS and similar helps, but the main defence is you, the user.
     
  3. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    DefenseWall can protect you against Virut infection, as well as GW/LUA/SRP/HIPS/Shadow Defender.
    Also remember to keep your data on external (offline) disk, and do data backup and image backup regularly.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    There certainly is!

    Reports have identified the virut family using the two normal attack vectors,

    • Web-embedded exploits

    • Social engineering exploits

    The web exploits I've seen analyzed use unpatched vulnerabilities in older versions of Internet Explorer (meaning IE6).

    This is expected since no exploits in the wild target Opera or Firefox.

    A couple of instances were reported that PDF, Flash and Java Runtime were used. These are plugin vulnerabilities and would work in any browser, assuming the user had the particular version of the targeted plugin and unpatched.

    In all cases, the installation of the virut executable is prevented by any software using execution prevention/white listing protection, and perhaps by other means, depending on the product.

    The social engineering exploits have involved email, P2P, etc. This from one report:

    Also, from a CA Security advisory,

    Like some other current malware, such as Mebroot (MBR infector), virut is scary when you read what it does once installed. Yet virut is no different from any other virus as far as how it gets installed (attack vectors), it seems to me.

    If the virut virus should install, you ask about Deep Freeze: It would protect the frozen partition. But the file infector malware could also seek across other partitions, which, if not frozen, could be in big trouble.

    Be aware that virut infects other than .exe filetypes. Also from CA Security:

    And who knows what else it might infect later!

    But that is of no consequence if the executable cannot install in the first place.

    ----
    rich
     
  5. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    It looks like it's back to good ole XP 32 for me. :D The lack of effective security-ware for Vista 64 is pitiful. I'm glad XP sp3 is going to be supported to 2014 (at least that's what MS says today).

    Thanks again to you knowledgeable souls who try to keep us fumblers on the straight and narrow when it comes to computer safety.
    SourMilk out
     
  6. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    I have recently tested some programs with virut.n.
    Comodo, Online Armor, Outpost and ThreatFire stopped this one with out-of-the-box settings.

    At first this variant wants to inject a remote thread into the winlogon.exe and when you block this, it seems to be plain dead.
    So look out for winlogon popups. :ninja:

    If it is able to inject a remote thread into the winlogon.exe, then it uses this process to download other nasty stuff, but then it's too late anyway.

    But other variants may have different behavior.

    Cheers
     
  7. eXPerience

    eXPerience Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    98
    Hi,

    Comodo has a 64bit version of its Internet Security and will stop Virut before it can harm you.

    Best regards (and if you need any help configuring it you can always pm me)
    eXPerience
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Since you seem to have one of the variants to test with, have you ever tried the old cyberhawk v1113 with any of that sort of thing?

    Sul.
     
  9. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    I found this version of Cyberhawk with the assistance of SiteAdvisor. :shifty:

    Is this the valid installer MD5 of version 1.1.1.3?
    22F5A0836E3CC9BA2AA9C29D99F7DA28

    Cheers
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Indeed, and as well

    SHA1 hash
    1554089B2B64206C75C393116501C299B8499B3F

    CRC-32
    B155DD4F

    I use it from time to time because of its quiet nature. Most things I ever find to 'test' it with fail due to CH. Although I don't use it all the time, it is an occasional item I would use if I wanted to handle dll injection mostly. Interested to see how it would fare against a winlogon.exe exploit among other things.

    Sul.
     
  11. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    I found quite an interesting analysis of Virut. Here

    ^^ Would this prevent warnings about Winlogon.exe? For instance, my Firewall has Winlogon.exe listed as safe, and it has access to the internet without prompt, by default. So I would have no idea what is happening connection-wise. But would I have any idea Winlogon was executing abnormally via HIPS, in this scenario?

     
  12. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    This version of Cyberhawk failed after prompt and deny with Virut.n.

    Cyberhawk.png

    Looks like it could not prevent these ntdll.dll hooks.
    However, I have seen exactly the same with a previous TF version some months ago and recently the popup for this sample turned from yellow (ask) to red (auto-quarantine), so they have improved their detection a bit.

    The first OA prompt is something like "virut.n wants to change memory access protection of winlogon.exe".
    If you allow everything till a FW prompt may come up, you are owned anyway. :p

    Cheers
     
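An added example (not from any poster or from any of the products named) of the detection logic behind the prompts subset and Keyboard_Commando describe: it flags cross-process injection into winlogon.exe and escalates a later outbound connection from winlogon.exe, which a firewall that trusts winlogon by default would let through silently. The event line format, process names and addresses are constructed for this example.

```python
"""Flag the winlogon.exe abuse pattern from the thread over constructed
HIPS-style event lines (added example; the format is this example's own)."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts kind src dst")
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+src=(\S+)(?:\s+dst=(\S+))?$")
# Event kinds a behaviour blocker would report (names chosen for this example).
INJECT_KINDS = {"remote_thread", "mem_protect_change", "write_process_memory"}
TARGET = "winlogon.exe"

def proc_name(path):
    """Last path component, lower-cased; handles Windows paths on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_events(text):
    """Parse 'ts kind src=... [dst=...]' lines; skip blanks and # comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        ts, kind, src, dst = m.groups()
        events.append(Event(ts, kind, proc_name(src), proc_name(dst) if dst else None))
    return events

def find_alerts(events):
    """Return (ts, reason) pairs. Any injection into winlogon.exe is flagged;
    a later outbound connection by winlogon.exe is rated HIGH because the
    injected code is now running under a firewall-trusted process."""
    alerts, hijack_suspected = [], False
    for ev in events:
        if ev.kind in INJECT_KINDS and ev.dst == TARGET and ev.src != TARGET:
            alerts.append((ev.ts, f"{ev.src} {ev.kind} -> {TARGET}"))
            hijack_suspected = True
        elif ev.kind == "net_connect" and ev.src == TARGET:
            level = "HIGH: injected winlogon" if hijack_suspected else "review"
            alerts.append((ev.ts, f"{level}: {TARGET} outbound to {ev.dst}"))
    return alerts

# Constructed sample log modelled on the OA/ThreatFire prompts in the thread.
SAMPLE = r"""
10:00:01 net_connect src=C:\Progra~1\Firefox\firefox.exe dst=93.184.216.34:80
10:00:05 remote_thread src=C:\DOCUME~1\user\sample.exe dst=C:\WINDOWS\system32\winlogon.exe
10:00:05 mem_protect_change src=C:\DOCUME~1\user\sample.exe dst=C:\WINDOWS\system32\winlogon.exe
10:00:09 net_connect src=C:\WINDOWS\system32\winlogon.exe dst=192.0.2.10:80
"""

if __name__ == "__main__":
    for ts, reason in find_alerts(parse_events(SAMPLE)):
        print(ts, reason)
```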
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I must be tired... but WTH :D, do you know any other scanner doing better or something? :)
     
  14. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Scanner :doubt: you mean doing better than the Kaspersky AVP Tool o_O

    Cheers
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    See, I even said scanner. :D Nah, I meant just overall - a security app., a security app. doing better against Virut.
     
  16. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    Like I said in my first post in this thread, Comodo, Online Armor, Outpost and ThreatFire stopped this one (virut.n) with out-of-the-box settings.
    But I didn't test virut a-m & o-z so far. :D
    Therefore in general - I dunno.

    Cheers
     
  17. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Thanks, Subset. :)
     