LUDER.A virus - Mutating to Nuwar.gen - Anyone got info/Links?

Discussion in 'Malware Help (A Specialist Will Reply)' started by XweAponX, Nov 7, 2006.

  1. XweAponX

    XweAponX Private E-2

    Hi, I have just gotten acquainted with LUDER.A. This has got to be the nastiest worm I have ever seen.

    The only way I see to get rid of it is a complete WIPE/DELETE.

    I want to know if anyone else has run across this and what they are doing about it?

    This particular virus does not follow the rules that are posted about how to get rid of worms. No matter how many times you follow the procedure, this thing STAYS in the infected drive. It leaps from folder to folder infecting all the executable files on the drive. I do not even feel comfortable having the drive with the infection CONNECTED to my machine. The virus removal tools all say that they have found all of the virus bodies, but there are still thousands more new bodies the next time I scan.

    I'll go ahead and do the procedure again, but I just want to know if anyone else has come across this INSIDIOUS virus? And what they did to defeat it? Usually I am pretty good at kicking these things' asses, but this one is kicking MY ass.

    Thanx In Advance.

    Oh yah, I forgot: I think this thing is getting into the MASTER BOOT RECORD of the infected drives. Anyone know about that as well? When I run NOD32 it says it can't read certain boot sectors.
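The behaviour described above (cleaned executables turning up modified again on the next scan) is what a file infector looks like from the outside. The following is an added example, not code from this thread or from any of the tools it mentions, of the kind of integrity check a defender can run to tell whether executables on a drive are still being changed after cleaning: hash every executable under a directory tree, keep the result as a baseline, rescan later, and report what changed, appeared or vanished. The sample files, the `demo()` helper and the constructed modification in it are assumptions made for illustration; the file extensions in `EXEC_SUFFIXES` are an assumed list, not one from the page.

```python
"""Hash-baseline integrity check for executables (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed list of extensions to treat as executables.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable's path (relative to root, POSIX-style) to its hash."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXEC_SUFFIXES:
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report executables whose hash changed, new ones, and ones no longer present."""
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    new = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {"changed": changed, "new": new, "missing": missing}


def demo() -> dict:
    """Constructed scenario: a baseline, then a modified and a newly added executable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        # Constructed sample files; the bytes are placeholders, not real programs.
        (root / "app" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "app" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_text("not an executable, so it is ignored")
        before = build_baseline(root)

        # Constructed change: append bytes to one binary, mimicking a modified
        # executable, and drop a new file with an executable extension.
        with (root / "app" / "tool.exe").open("ab") as f:
            f.write(b"\xcc" * 16)
        (root / "app" / "dropped.scr").write_bytes(b"MZ" + b"\x02" * 32)

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline would be written to disk (or another machine) right after a clean scan, and the rescan would run from a boot medium rather than the suspect system, so that the comparison itself is not running on an infected host. A non-empty `changed` list after cleaning is the signal that something is still rewriting executables.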
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    In your next post, please make sure you attach the following logs and that you have run these scans in the following order:
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    NOTE: You can only attach 3 files in a single message, so it will require that you use two messages to attach all of these logs!
     
  3. XweAponX

    XweAponX Private E-2

    Thanx bjgarrick - Looks like the procedure was changed a little since the last time I did this, so I printed out the Run Me First page.

    I just have a question before I get started on this machine... I only have XP Service Pack 1 on this machine, and I do not feel forced to "update" to SP2 yet. So I can't run Windows Defender. I noticed that in the list of programs to download you include Spybot S&D - Is this a mandatory part of the scan? I can't use Ad Aware instead? It is just that I prefer not to use Spybot S&D, because it deletes system, and program files that are not malware. But the instructions mention fixing "Spybot's Ignore Products Bug" - Does that have to do with S&D deleting files you don't want it to delete? The last time I ever used S&D it deleted a DLL and a SYS file from a major program that I use. So from that point on I have not used S&D.

    So, is using S&D a mandatory part of this operation? I need to know, because if it is, I need to protect the files that I know it will delete. Or is there another comparable spyware remover that I can use? If it is a mandatory part of the operation, I'll download it and use it.

    While I am getting this set up, can you, or anyone else, tell me more about this LUDER.A virus? There is scant information about it on the net.

    On the system that got infected, I had installed ESET NOD32, and it was a clean machine. The guy must have shut off NOD32, but one of the first files that got infected was the executable for NOD32. I was surprised that this virus got through the protection that NOD32 sets up. But once it dealt with NOD32, it propagated like wildfire all over a 250 GB drive. So, that is why I came here to ask about it, and it looks like several other people have been smitten with this insidious thing. Maybe we can all pull together and talk about it? Is this thing bad enough to rate special attention (like SpyFalcon, etc.)?

    If anyone else has had encounters with this virus and defeated it: What was done (On top of doing the default Run Me First thing)?
     
  4. XweAponX

    XweAponX Private E-2

    Something of note for people with this particular virus: The Microsoft Malicious Software Removal Tool does not search for either LUDER.A or NUWAR.GEN. This might save someone else a bit of time. Maybe the next update of MSRT will deal with it.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's highly recommended you update to SP2 for security reasons and because SP1 is no longer supported, but that's up to you. Anyway, it says if you can't run Windows Defender, run CounterSpy instead.

    No, actually I do not recommend either, because IMO they are both useless against today's infections.

    I don't believe this; I have been using Spybot for years and never seen this. I don't use it anymore because, like I said, with today's infections it's useless, just like Ad-Aware.

    If you don't feel comfortable running Spybot, skip it and run CounterSpy instead.

    I'm somewhat new to this WORM but I understand it's spreading rapidly. You can see the site below for more information.

    http://vil.nai.com/vil/content/v_138841.htm
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This WORM is fairly new. The MS removal tool doesn't do much anyway, IMO, lol.
     
