Thursday, February 19, 2009

New Virus Warning W32.Vitro

I recently got a machine in the shop which failed to boot after what appeared to be a Microsoft Update. Apparently this was NOT a legit Windows Update icon, and when installed it infected all called exe files on reboot.

This virus is known as W32.Vitro. It is a polymorphic virus. Polymorphic viruses were first seen in 1990. A polymorphic virus is one that replicates itself every time a legitimate program on your computer is run. The file names on your computer will appear to be normal when in fact they are now part of the virus. Each and every program opened by Windows will become infected.

At this time Norton, McAfee, AVG and others do not detect it. Avast was able to detect it but became infected as well. At this writing there is no way to remove this virus successfully.
A format alone may not be enough. Deletion of the partition, recreation of the partition, a hard format, and complete Windows installation will be necessary.

Backing up files is NOT recommended. The virus infects any external media you may use: burning programs, CD-Rs, flash drives.

This new outbreak seems to have been discovered just this week. There is little information about its transmission as yet.

I will keep you posted as more information becomes available.

8 comments:

  1. I just got this virus. It wiped my drivers folder and my registry. I fixed it mostly by replacing the system32 folder with one from another computer but I'm probably still infected.

  2. Sounds like a real virus. Most infections are trojans, worms and spyware. Since the one you have or had is destructive, chances are replacing the system file wasn't enough.

    Start by downloading Malwarebytes Anti-Malware from http://www.malwarebytes.org
    Allow it to update after install and run a quick scan. Allow it to remove whatever it finds and reboot to finish the removal if directed to do so.

    Then download Avast Anti-virus from:
    http://www.avast.com
    After installation, select perform a boot time scan, then select restart later. Open Avast from the start menu and select settings, then updating. Update the VPS (virus signatures); once installed you will be directed to restart your computer. Do so.

    Avast will run prior to Windows starting. You will need to be present for the scan as it asks for user decision for each infection found.

    If system files are affected and have to be removed you may need to perform a system repair or in place re-installation of Windows.

    Hope this helps. We also have a user forum should you need additional help.
    http://www.forum.dcs-computer-services.net

    Good Luck

  3. I have the virus as well. I formatted three times and got it back because it also infected all my backup files. I found Dr.Web [www.Drweb.com] had the programs that will cure most of the infected programs and give you the option to delete the few it doesn't. Unless you get all the files cleaned, it will come back.

    So far it has been the best solution I've found.

  4. Thanks Pat

    I can always use tips & tricks from users that find other ways of combatting the mess internet users are subject to these days. Your information is greatly appreciated. If you're interested in posting your own articles here, just let us know.

  5. I just got screwed over by this bad boy. I ran the Malwarebytes and Avast scans, and after the Avast scan my PC will no longer log in: it gets to the login screen and then just logs out again. I'll have to take out the bloody HDD now and try to make a backup of the data and mail without infecting the other computer to which I am going to connect the HDD.

  6. Yep, I understand the issue. It's better if you don't back up any program. You can save things like images and MP3s, but any exe that has been called or opened will be infected.

    Wish I had a better fix for this one but so far format is it.

  7. We saw this same virus for the first time yesterday. Interesting running the boot scan of Avast: Avast.exe is infected, as is mbam.exe (Malwarebytes Anti-Malware). Practically every .exe on this system was infected in less than 5 minutes... Destroyed all executables from the client's recovered data from a Linux machine using F-Prot to detect, then removed infected files manually. Migrated back into the system after a clean install and a subsequent test of the data on a sandboxed machine.

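Comments 6 and 7 above both come down to keeping executables out of whatever gets restored. As an added example (not code from the post or its commenters), this sketch separates recovered files into Windows executable images and everything else by checking the MZ/PE headers rather than the file extension; it does not detect the virus itself, and the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import struct
import tempfile


def is_pe_image(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(64)
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew at offset 0x3C is the file offset of the PE signature.
            (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False  # unreadable files are not classified as PE


def triage(root):
    """Return (hold_back, restore_candidates) as sorted paths relative to root."""
    hold_back, candidates = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            (hold_back if is_pe_image(full) else candidates).append(rel)
    return sorted(hold_back), sorted(candidates)


def build_sample(root):
    """Write a constructed sample tree (inert stub bytes, not real programs)."""
    pe_stub = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00"
    samples = {
        "tools/setup.exe": pe_stub,
        "photos/holiday.jpg": pe_stub,  # executable content, data extension
        "music/track.mp3": b"ID3\x03" + b"\x00" * 80,
        "docs/notes.txt": b"MZ" + b" plain text" * 10,  # MZ but no PE header
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        held, ok = triage(tmp)
        print("hold back:", held)
        print("restore candidates:", ok)
```

Run from a clean machine against the mounted recovery data, the hold-back list covers .exe, .dll, .scr and renamed executables alike; the remaining files still need a scan before they are migrated back.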
  8. ...just doing the third boot scan using Avast... so difficult to get rid of. So far have used Avast, AVG, and Malwarebytes while in safe mode. This has found loads of exes and dlls infected, but though moved to chest/vault a re-scan by Avast always seems to show Win32.Vitro infected files in System32, which Malwarebytes doesn't detect :-(

    Re login issues, you may have to boot from your XP CD, hit R, login, find the I386 folder on the CD and "expand userinit.ex_ c:\windows\system32". Then go to your system32 folder and "copy userinit.exe wsaupdate.exe". DO NOT USE THE ONE FROM DLLCACHE as that's likely infected already. NB: this may give you access to your machine, but it won't have cured it. I've used it so I can get into Safe mode and run anti-malware progs: no luck yet but will keep you posted. Will try DrWeb, thanks for the tip!
