A new virus....

As many of you regular MG visitors already know, I work on lots of REALLY messed up PCs. Because of this, I get to see new mutations of malware. Well, in the past few days, since maybe Thursday Feb 12 2009, a new variety of malware has surfaced... well... it's new to me. Avira AntiVir recognizes it as W32/Virut.Gen. It jumps into .exe files. It will jump into .exe files on a thumb drive. I think it lives in the Windows active memory and whatever .exe files you happen to run (even on a USB flash/thumb drive), it will merge into it. Apparently, I used my thumb drive on a PC with this new virus. I ran some general tools (portable CCleaner, ATF-Cleaner, RRT which is a tool for fixing folder problems and regedit problems, etc) and now they are all infected with the virus. It's sneaky. It doesn't appear to get recognized while it's active in the system memory and is only detected 'after the fact' and the .exe files are infected. It seems to only be .exe files, and it seems to just infected whateve is accessed while the virus is active in memory. Windows Data Execution Prevention will start popping up warnings when this nasty gets in to the userinit.exe file, and the winlogon.exe file. I also had it infect some drivers I had stored on my thumb drive; I installed these drivers on a customer's laptop, and now it looks like I will have to format the PC and reload Windows. Luckily (if you can call it luck) he brought it to me for virus removal anyway, but I don't think I should have made the situation worse. DOH!

I just thought everyone should be aware.... as I come across more info, I'll post it.

EDIT- I just did some quick research... I see that this isn't necessarily a "new" infection, but it's my first time dealing with it, and it's nasty. If anyone feels like adding to this with thoughts, opinions, links, etc, feel free.

 

Yea, look like it has been around for a while.

http://www.symantec.com/security_response/writeup.jsp?docid=2007-041117-2623-99&tabid=1

 

it is a new variation of a known virus, it was released around Feb. 1st. It actually crippled & shut down 475 computers in the city of Houston for an entire week. Most all major AV programs have updated their definitions to accomodate this

 

Hey dlb,

Did you happen to get a chance view a post I started?

http://forums.majorgeeks.com/showthread.php?t=182583

Thanks

 

OMG, this is what i've got.... and the reason exactly why i'm here today, If this is not the place to ask a question please let me know, I've ran AVG mulitple times including Safe Mode, all virus's appear to be clear and i'm still having the problem, do I need to restore files or is removing the virus with an appropriate cleaner good enough??

 

I ran an Avira scan was because it started running slow and I had a feeling the HD was doing things it shouldn't have been.......all I could do was shut it off by pressing on the power button (laptop). Then I restarted it and noticed a number of new 59 kb .exe files. I ran an Avira scan and I think it removed about 11,000 59 kb .exe files with text names about 8 or 9 text characters long, followed by .exe. They seemed to be in the most random folders, but widely distributed.

After the scan where it cleaned up all those files the computer then put me into a Log-on loop because it (Avira) apparantly had detected my userinit.exe as bad and removed it. I ended up creating a BartPE CD and used it to insert the userint.exe file. I've had no log-on problems since. And even seems to scan clean and run clean for the past week or so.

One of my AV scans indicated an infection of W32/Virut.AX so now I'm freaking out as everything I read about paints a sad future.

Is there a way to see if this is still on my computer, even though its seemingly acting fine?

ps I was just about ready to begin the recommended cleaning procedure here before I asked for help. Should I do anything different?

Thanks

 

Read and Run me First

b2009,
You should go here and follow the recommended cleaning procedure just to make sure you are clear of any virus and malware