Malware name: Trojan Virut
Newest version detection rate: 22/43
Detected by Malwarebytes: No
Difficulty of removal once installed: very high

Introduction:
This virus is the agent of a botnet and is extremely hard to remove, because it hides itself very well from anti-virus software using rootkit and polymorphism techniques.
It also infects every .exe and .scr file on the system, including the ones in the Windows, System32 and dllcache folders.
It hooks several functions in ntdll.dll, so control is transferred to the virus every time one of those functions is called.
The hooked functions include NtCreateFile, NtCreateProcess, NtCreateProcessEx, NtOpenFile and NtQueryInformationProcess. (Thanks to Avast for this information.)
Some variants can download other malware or spread to your USB devices by placing an autorun.inf and a hidden executable on them.
Some malfunctioning versions of this virus corrupt files while infecting them, which can leave your computer unable to boot. (You will need to reformat in this case.)

Symptoms:
Many programs give error code 0x00000005 when opened (during the first few minutes after the virus has executed).
Various other error codes appear when the virus first executes; these are caused by its buggy injection code.
BSOD when trying to start in safe mode, with stop code 0x0000007B (INACCESSIBLE_BOOT_DEVICE).
Unable to visit anti-virus sites and many other security sites.
Anti-virus and anti-malware programs not working properly.

Files created:
%temp%\"random".exe (deleted immediately after executing)
C:\windows\"random"\"random" (used to keep track of/delete the original executable; it does not create a folder, it simply creates the file in some existing folder under the Windows directory)
C:\windows\System32\drivers\"random".sys
Some variants also create:
USBdevice:\autorun.inf
USBdevice:\"computer name"\"computer name"\"computer name".exe
USBdevice:\"computer name"\"computer name"\desktop.ini (used to hide the folder and make it appear as the Recycle Bin; it redirects to the Recycle Bin if you try to enter the folder)
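
A quick way to check a USB key for this layout before plugging it into a clean computer, as an added example that is not part of the original post: it reads autorun.inf for whatever it would launch and looks for a folder whose desktop.ini makes Explorer show it as the Recycle Bin. The CLSID used for that is my assumption about how the folder is disguised (the post only says it appears as the Recycle Bin), and the sample drive contents are constructed in a temporary directory.

```python
"""Check a removable drive for the Virut USB-spreading layout described above:
an autorun.inf that launches an executable, and a folder whose desktop.ini
disguises it as the Recycle Bin.

Added example, not code from the original post. The sample drive is constructed
in a temp directory; the Recycle Bin CLSID in desktop.ini is the standard
Explorer trick and is an assumption, the post only says the folder looks like one.
"""
import configparser
import os
import stat
import tempfile

# Shell class ID that makes Explorer present a folder as the Recycle Bin (assumed mechanism)
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"


def autorun_targets(inf_path):
    """Return the programs an autorun.inf would launch: open=, shellexecute= and shell\\<verb>\\command=."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case so "shell\open\command" survives intact
    with open(inf_path, encoding="utf-8", errors="replace") as f:
        cp.read_file(f)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            k = key.lower()
            value = value.strip()
            if not value:
                continue
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                # keep only the program, dropping any command-line arguments
                prog = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
                targets.append(prog)
    return list(dict.fromkeys(targets))  # de-duplicate, keep order


def is_hidden(path):
    """Hidden attribute check; only meaningful on Windows, always False elsewhere."""
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_drive(root):
    """Return a list of (kind, path, detail) findings for a drive root."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        for target in autorun_targets(inf):
            full = os.path.normpath(os.path.join(root, target.replace("\\", os.sep)))
            if os.path.isfile(full):
                findings.append(("autorun target", full, "hidden" if is_hidden(full) else "present"))
            else:
                findings.append(("autorun target", full, "missing"))
    for dirpath, _dirs, files in os.walk(root):
        if "desktop.ini" in files:
            with open(os.path.join(dirpath, "desktop.ini"), encoding="utf-8", errors="replace") as f:
                if RECYCLE_BIN_CLSID.lower() in f.read().lower():
                    findings.append(("folder disguised as Recycle Bin", dirpath, "desktop.ini CLSID"))
    return findings


def build_sample_drive(computer_name="WORKSTATION"):
    """Constructed sample of the layout above; the .exe is a two-byte placeholder, not a real program."""
    root = tempfile.mkdtemp(prefix="usb_")
    folder = os.path.join(root, computer_name, computer_name)
    os.makedirs(folder)
    with open(os.path.join(folder, computer_name + ".exe"), "wb") as f:
        f.write(b"MZ")
    rel = "\\".join([computer_name, computer_name, computer_name + ".exe"])
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=%s\nshell\\open\\command=%s\n" % (rel, rel))
    with open(os.path.join(folder, "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\nCLSID=%s\n" % RECYCLE_BIN_CLSID)
    return root


if __name__ == "__main__":
    for kind, path, detail in scan_drive(build_sample_drive()):
        print("%-32s %s (%s)" % (kind, path, detail))
```

Run it against the root of the mounted key (scan_drive("E:\\") on Windows); a target reported as "hidden" next to a disguised folder named after your computer matches the variant described above.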

Registry keys created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\"random" (this key is deleted after the first reboot)
{%temp%\cetrdedva.exe}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\"random"
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\"random"

Services created:
"random" (runs "random".sys)
Mine was hsclvua (it ran jnoaate.sys in the C:\windows\System32\drivers folder).

Removal:
As said above, this virus is extremely hard to remove with normal anti-virus or anti-malware programs.
Because of faulty code, this virus often corrupts the .exe files it infects so that they cannot be cured, so even specialized removal tools cannot disinfect them.
Kaspersky created a removal tool for this virus called VirutKiller.
Download VirutKiller here:
http://support.kaspersky.com/viruses/solutions?qid=208280756
Note: this trojan blocks access to the Kaspersky website, so you will need to download the tool on another computer and use a USB key to transfer it to the infected computer. (Since some variants spread to USB devices, treat that key as infected afterwards and scan it before plugging it back into the clean computer.)
While it scans, do not open any programs; wait for it to finish, then restart your computer.
If it does not remove it, you may also try the following programs:
Dr.Web CureIt! can help remove this virus:
http://www.freedrweb.com/cureit/?lng=en
Open the program and run the scan.
It should tell you that XXXXX.exe is infected with Virut and ask you to cure it; click Yes to all.
Let the scan finish, then restart your computer.
If that doesn't detect anything, try the following programs:
AVG's Virut remover:
http://free.avg.com/ca-en/virus-removal
Once again, you might need to download it on another computer, put it on a USB key and transfer it to the infected computer.
It should be the first program on that page.
Run the scan and reboot your computer once it is finished.
Next, try Symantec's Virut removal tool here:
http://www.symantec.com/security_response/writeup.jsp?docid=2009-022016-4444-99
Click on "Download removal tool".
You will need to run this program in safe mode. To do this, restart your computer and press F8 before Windows starts to boot, then use the arrow keys to select Safe Mode.
Run the scan, let it finish, then restart your computer.
For me, none of the programs above removed it completely; Avast still detected all of my .exe files as infected but couldn't cure them.
If this is the case, it would probably be best to back up all of your files (excluding your executable .exe and .scr files) and do a complete reformat of your computer.

Tips:
To stop it from blocking some websites, you will need to delete the malicious service.
To do this, search the registry editor (Start, then cmd, then type regedit) for the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\"random"
It has the following values (ImagePath is a REG_EXPAND_SZ, shown here decoded rather than as the raw hex(2) bytes a .reg export contains):
"ImagePath"=hex(2):System32\drivers\"random".sys
"Start"=dword:00000000
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"jljjt"="\\??\\C:\\WINDOWS\\"random\\"random""
"hcbi"="C:\\WINDOWS"
"gawuvm"=dword:00006aca
"Group"="System Reserved"
Start=0 means the driver is loaded at boot and Type=1 makes it a kernel driver, which many legitimate drivers also are; what gives it away is the random service name and the three oddly named values (jljjt, hcbi, gawuvm). The jljjt value appears to point at the "random" file in the Windows folder listed under "Files created" above.
Another way of finding this service is to download TDSSKiller by Kaspersky (download it on another computer and transfer it to the infected computer).
Open the program, click on Change parameters, check all of the boxes, then click on Start scan.
It should detect one unsigned file; its name is the same as the key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\.
Once you find the key, it shows which driver it uses on the right-hand side; you can find the driver in C:\windows\system32\drivers.
Delete the driver, then delete the registry key by right-clicking it and clicking Delete.
Or you can click on Cure after the scan with TDSSKiller and restart your computer.
If you get a Blue Screen of Death every time you try to boot in safe mode, it is caused by a missing/deleted registry key (SafeBoot).
To fix this, do the following:
Download Sality_RegKeys.zip from this page (scroll down a bit):
http://support.kaspersky.com/faq/?qid=208279889
There should be 5 registry files (.reg); choose the one corresponding to your operating system, double-click it, then press OK on the warning message.
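
If you would rather not click through regedit on the infected machine, export HKLM\SYSTEM\CurrentControlSet there with reg export (it is large, but it contains both the Services keys and the SafeBoot keys) and analyze the .reg file on a clean computer. The script below is an added example, not part of the original post: it parses the export, flags boot-start kernel drivers (Start=0, Type=1) whose service key carries value names a normal driver does not have, like the jljjt/hcbi/gawuvm values above, and reports whether the SafeBoot keys behind the safe-mode blue screen are missing. The export text is constructed inside the script; hsclvua and jnoaate.sys come from the post, while the ExampleDisk service and the path stored in jljjt are hypothetical.

```python
"""Offline check of an exported registry hive for the service described in the
tips above (a boot-start kernel driver whose key carries oddly named values)
and for the SafeBoot keys whose absence causes the 0x7B blue screen in safe mode.

Added example, not code from the original post. The export text is constructed
below; the service name hsclvua and driver jnoaate.sys come from the post, the
"ExampleDisk" service and the path stored in the "jljjt" value are hypothetical.
"""
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
SAFEBOOT = [r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal",
            r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network"]
# Value names a driver service key normally carries; anything else deserves a look.
NORMAL_VALUES = {"(Default)", "ImagePath", "Start", "Type", "ErrorControl", "Group", "Tag",
                 "DisplayName", "Description", "DependOnService", "DependOnGroup", "ObjectName"}


def unescape(s):
    """Undo .reg string escaping: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_value(raw):
    """Turn the right-hand side of a .reg value line into (type, value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ, exported as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    return "UNKNOWN", raw


def parse_reg(text):
    """Parse reg.exe export text into {key path: {value name: (type, value)}}."""
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].endswith("\\"):  # hex data continues on the next line
            lines[-1] = lines[-1][:-1] + line.strip()
        else:
            lines.append(line.strip())
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = decode_value(raw.strip())
    return keys


def suspicious_drivers(keys):
    """Boot-start kernel drivers whose service key holds values a normal driver would not."""
    hits = []
    for path, values in keys.items():
        name = path[len(SERVICES):]
        if not path.upper().startswith(SERVICES.upper()) or "\\" in name:
            continue  # not a service key, or a Parameters/Enum subkey of one
        if values.get("Start", (None, None))[1] != 0 or values.get("Type", (None, None))[1] != 1:
            continue
        extra = sorted(v for v in values if v not in NORMAL_VALUES)
        if extra:
            hits.append({"service": name, "driver": values.get("ImagePath", ("", ""))[1],
                         "extra_values": extra})
    return hits


def missing_safeboot_keys(keys):
    """SafeBoot keys absent from the export; a missing one explains the 0x7B safe-mode BSOD."""
    present = {k.upper() for k in keys}
    return [k for k in SAFEBOOT if k.upper() not in present]


def reg_expand_sz(s):
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: hex(2), wrapped with trailing backslashes."""
    hexbytes = ["%02x" % b for b in (s + "\x00").encode("utf-16-le")]
    chunks = [hexbytes[i:i + 20] for i in range(0, len(hexbytes), 20)]
    return "hex(2):" + ",\\\n  ".join(",".join(c) for c in chunks)


# Constructed export: a benign boot-start driver next to the Virut service; SafeBoot\Minimal is absent.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDisk]",
    '"ImagePath"=' + reg_expand_sz(r"System32\DRIVERS\exampledisk.sys"),
    '"Start"=dword:00000000', '"Type"=dword:00000001', '"ErrorControl"=dword:00000001',
    '"Group"="SCSI miniport"', '"Tag"=dword:00000020', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hsclvua]",
    '"ImagePath"=' + reg_expand_sz(r"System32\drivers\jnoaate.sys"),
    '"Start"=dword:00000000', '"Type"=dword:00000001', '"ErrorControl"=dword:00000001',
    r'"jljjt"="\\??\\C:\\WINDOWS\\system\\hsclvua"',  # hypothetical path to the dropped file
    r'"hcbi"="C:\\WINDOWS"', '"gawuvm"=dword:00006aca', '"Group"="System Reserved"',
])

if __name__ == "__main__":
    hive = parse_reg(SAMPLE_EXPORT)
    for hit in suspicious_drivers(hive):
        print("suspicious service %(service)s -> %(driver)s, extra values %(extra_values)s" % hit)
    print("missing SafeBoot keys:", missing_safeboot_keys(hive))
```

Replace SAMPLE_EXPORT with the text of your own export (reg.exe writes it as UTF-16, so open it with encoding="utf-16"). The extra-value heuristic is only a pointer: confirm the hit by checking that the driver file it names is unsigned, as TDSSKiller does, before deleting anything.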
Since this is a botnet, it usually steals passwords and credit card information, so make sure to change them from a non-infected computer.
Also, if you successfully remove the virus, make sure to do a full scan with an anti-virus and an anti-malware program to make sure it didn't download anything else malicious.