Endpoint Protection

ℬrίαη


  • 1.  Virut virus.

    Posted May 10, 2011 07:35 AM

    Hello guys.

    Something strange came up today. I had a mass infection by Virut.cf, a virus which has already been covered by Symantec antivirus pattern definitions since 2009. I'm able to fix it with FixVirut.com.

    My SEPM is updated to the latest MRU and has solved too many problems for me, but this situation is pretty much... weird.

    Does anyone have an idea why this might happen?

    Thank you!



  • 2.  RE: Virut virus.

    Trusted Advisor
    Posted May 10, 2011 08:07 AM

    Hello,

    W32.Virut.CF is a virus that infects .exe and .scr files on the compromised computer.

    W32.Virut.CF is one of the variants of W32.Virut.

    W32.Virut
    Discovered: April 11, 2007
    Updated: March 3, 2010 9:19:06 AM

    The variant W32.Virut.CF
    Discovered: February 4, 2009
    Updated: February 4, 2009 6:14:14 PM

    Other variants of W32.Virut are:

    Symantec has created the tool for W32.Virut.CF.

    I would recommend you apply the Application and Device Control policy meant for W32.Virut. This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another.

     



  • 3.  RE: Virut virus.

    Posted May 10, 2011 08:25 AM

    "I would recommend you apply the Application and Device Control policy meant for W32.Virut. This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another."

    Can you please post me an article on making this type of rule?



  • 4.  RE: Virut virus.

    Trusted Advisor
    Posted May 10, 2011 09:01 AM

    Hello,

    Specifically for Symantec Endpoint Protection – Application and Device Control meant for W32.Virut.CF:

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-020411-2802-99

    Here are a few such articles:

    How to use Application and Device Control to limit the spread of a threat
    How to create custom policies in SEPM to prevent a threat from spreading
    Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security
    Using Application and Device Control in Symantec Endpoint Protection (SEP) to block activity in common loading points for threats
    Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x
    How to create a rule that will block or log Browser Helper Objects in Symantec Endpoint Protection

    NOTE: For the ADC policy to work on all machines, you would require the Network Threat Protection and Application and Device Control features installed on all machines.


  • 5.  RE: Virut virus.

    Posted May 10, 2011 09:09 AM

    Perfect. I have replaced the Virut policy, pushed it all over the network and now I'm waiting... to see.



  • 6.  RE: Virut virus.

    Trusted Advisor
    Posted May 10, 2011 09:40 AM

    Hello,

    Excellent.

    NOTE: For the ADC policy to work on all machines, you would require the Network Threat Protection and Application and Device Control features installed on all machines.



  • 7.  RE: Virut virus.

    Posted May 10, 2011 10:08 AM

    Hi, the ADC policy will arrest further spread in your network.

    In case SEP or the FixVirut.com tool have difficulty removing this threat, you could also try the Microsoft® Windows® Malicious Software Removal Tool:

    http://go.microsoft.com/fwlink/?LinkId=40587

    The Microsoft® Windows® Malicious Software Removal Tool includes cleaning capabilities for Virut.



  • 8.  RE: Virut virus.

    Posted May 10, 2011 10:10 AM

    You can also read this article on how to deploy the Microsoft® Windows® Malicious Software Removal Tool in an enterprise environment:

    http://go.microsoft.com/fwlink/?LinkId=40586



  • 9.  RE: Virut virus.

    Posted May 10, 2011 11:26 AM

    First of all: thank you all for your quick responses!!!!

    I have used Symantec's NPE and AVG's rmvirut tool and I have managed to clean all the PCs' infections. Also the Virut policy for ADC in SEPM was critical to stop the spreading.

    I'm confused though about how the whole virus infection started. It's a virus discovered in 2006. All my PCs and laptops are up to date with the latest AV defs (730 w/r's). How the hell did it pass through?????

    It wasn't a new version of the virus. If it was, I believe more people would have reported it already....

    Is there a possibility that the virus pattern was considered old and inactive and was removed recently by Symantec?

    @Prahveer: Do you think I should push the specific KB through my WSUS to all of the network's workstations?

    This is too weird :(



  • 10.  RE: Virut virus.

    Posted May 10, 2011 01:21 PM

    It's a new variant



  • 11.  RE: Virut virus.

    Posted May 11, 2011 03:41 AM

    Hello guys. Despite the fact that yesterday seemed normal, today I have the same situation on the same PCs.

    It seems that the ADC policy is not stopping the spreading..... all PCs are up to date with the latest policy and updates.



  • 12.  RE: Virut virus.

    Broadcom Employee
    Posted May 11, 2011 03:47 AM

    Have you set it to terminate or block?

    Are there any log events from ADC?



  • 13.  RE: Virut virus.

    Posted May 11, 2011 04:09 AM

    It's on block, not terminate.

    I'm attaching the log.

    Attachment: ADC Block.xlsx (14 KB)


  • 14.  RE: Virut virus.

    Trusted Advisor
    Posted May 11, 2011 05:44 AM

    Hello,

    Could you upload:

    1) The Risk Logs from Symantec Endpoint Protection Manager and
    2) The Symantec Support Tool Logs from the infected machine?
    3) Enable the Risk Tracer feature on the SEPM.

    To export Risk Logs, follow the steps below:

    1. Open SEPM
    2. Click on Monitors
    3. Click on Logs
    4. Select Risk
    5. Click on the Advanced Settings option
    6. Put in the computer name or IP which is infected
    7. Create the log; you can export this log too by clicking the Export button.

    About the Symantec Endpoint Protection Support Tool

    What is Risk Tracer?
    http://www.symantec.com/docs/TECH102539

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    I would also recommend you create a case with Symantec Technical Support.

    QuickStart Guide - Create and Manage Support Cases in SymWISE
    http://www.symantec.com/docs/HOWTO31132

    How to update a support case and upload diagnostic files with MySupport
    http://www.symantec.com/docs/TECH71023



  • 15.  RE: Virut virus.

    Posted May 11, 2011 07:36 AM

    OK, I'm about to do as you advise. Before that I would like to add something.

    W32.Virut.CF seems to open the ports and ipz.exe passes through and does all the damage.

    Virut doesn't hit any new PCs. It goes and hits back the old infected/cleaned PCs and infects them again.

    I have found that Virut.CF forces a second winlogon.exe to run that contacts www.brenz.pl over a UDP port (oh my god!!!!!)

    I have banned the IP of this malware site and did the following troubleshooting:

    Searched for ipz.exe in system32 and found

    ipz.exe
    ipz.pf
    ipz-db.bin

    files which I deleted.

    In services I found

    Intelligent P2P Zombie service

    For XP machines:

    In the registry I found and deleted

    HKEY_CURRENT_USER\Software\Micorsoft\Search assisten\ACMru\5603
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPZ

    For Win7 and Vista machines

    I found only and deleted:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ

    And did a reboot.

    On one of my remote sites the problem seems to have stopped. I'm still not sure if it's going to be recreated.
    2 hours have passed and I'm still in a good state for that site.

    Now I'm about to start cleaning the 2nd site that has the problem, but this time I'm going to do it with Risk Tracer.

    If you have anything to advise on the procedure I followed, please don't hesitate to correct/advise me further!

    Thank you :)



  • 16.  RE: Virut virus.

    Trusted Advisor
    Posted May 11, 2011 09:13 AM

    Hello,

    You are doing well.

    Keep it up and keep us updated.



  • 17.  RE: Virut virus.
    Best Answer

    Posted May 14, 2011 04:09 PM

    Hello again guys.

    We have finally reached a solution.

    W32.Virut.CF seems to have a new form.

    Basically the whole infection thing has 2 phases.

    Phase 1 is W32.Virut.CF, and what comes after this is phase 2 with ipz.exe and the service it creates, the Intelligent P2P Zombie.

    Virut can be cleaned with the Symantec client or using any common malware removal tools.

    Things you need to know about the zombie:

    Intelligent P2P Zombie sends ICMP packets randomly to all the ports available. (But don't get stressed. The reason is coming up next.)

    If you are using the Radmin application, Intelligent P2P Zombie will start spreading ipz.exe and copy itself to every client that has an active Radmin service with the same Radmin user authentication.

    That means that it will use the Radmin default UDP port 4899 and TCP port 310 (change the default Radmin port and half the job is done).

    While you are in disinfection status never use a domain administrator account to elevate any applications.

    Disable all network shares and shut down System Restore.

    Be sure that all your workstations have a unique local admin password.

    Isolate the infected workstations from the network.

    The first workstations and servers that are going to be hit are the ones with the same Radmin authentication credentials or the same local admin, or both.

    ipz and Intelligent P2P Zombie clean-up is easy and straightforward:

    Kill the Ipz.exe process from Task Manager and, from msconfig, disable the Intelligent P2P Zombie service.

    Search Windows\system32 for ipz.exe and ipz-db.bin and delete them both.

    Delete all ipz*.pf files from Windows\Prefetch.

    Check in windows\system32\drivers\etc whether the hosts file, apart from the 127.0.0.1 record, has a www.brenz.pl record also. If it does, just delete the new record.

    Next step is:

    Go into regedit and delete

    For XP machines:

    HKEY_CURRENT_USER\Software\Micorsoft\Search assisten\ACMru\5603
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPZ
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPZ

    For Vista and Win7 machines:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IPZ

    Also, to be 100% sure, do a whole registry search for any ipz records!!

    Most of the time when you try to erase some of those keys you will get an access denied. The solution is easy. Right click --> Permissions --> Advanced --> Owner tab and replace the ownership with the local admin. After this give Full Control to EVERYONE and apply. Then just kill it.

    That's all.

    Thank you guys again for your help and I hope what we discovered will help others :)
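    The checks from the best-answer post above, gathered into one read-only PowerShell audit. This is an added example, not code from the thread, from Symantec or from Broadcom. It assumes the indicator names exactly as the post gives them (ipz.exe, ipz-db.bin, the IPZ service and its "Intelligent P2P Zombie" display name, the LEGACY_IPZ enum key, a www.brenz.pl line in the hosts file); the ACMru path is the post's with its spelling corrected, and the port 4899 check follows the post's Radmin advice. It only reports, so the removal steps in the post still have to be done after reviewing its output.

```powershell
# Added example (not from the thread): read-only audit for the IPZ / "Intelligent P2P Zombie"
# indicators listed in the best-answer post. Run in an elevated PowerShell session on a
# suspect host. Nothing is deleted or stopped; the output is a list of findings to act on.
$found = New-Object System.Collections.Generic.List[string]

# 1. Running process (the post kills Ipz.exe from Task Manager)
if (Get-Process -Name 'ipz' -ErrorAction SilentlyContinue) {
    $found.Add('Process ipz.exe is running')
}

# 2. Service: name IPZ, display name "Intelligent P2P Zombie" (names as given in the post)
Get-CimInstance -ClassName Win32_Service -Filter "Name='IPZ' OR DisplayName LIKE '%P2P Zombie%'" |
    ForEach-Object { $found.Add("Service $($_.Name) ('$($_.DisplayName)') state=$($_.State) path=$($_.PathName)") }

# 3. Dropped files in System32
$system32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'ipz.exe', 'ipz-db.bin') {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) { $found.Add("File present: $path") }
}

# 4. Prefetch entries (ipz*.pf), which record that the binary has executed
Get-ChildItem -Path (Join-Path $env:SystemRoot 'Prefetch') -Filter 'ipz*.pf' -ErrorAction SilentlyContinue |
    ForEach-Object { $found.Add("Prefetch entry: $($_.FullName)") }

# 5. hosts file record for www.brenz.pl (commented lines are ignored)
$hosts = Join-Path $system32 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    Select-String -LiteralPath $hosts -Pattern '^\s*[^#\s].*brenz\.pl' |
        ForEach-Object { $found.Add("hosts line $($_.LineNumber): $($_.Line.Trim())") }
}

# 6. Registry keys from the post, checked in every control set present (ControlSet00N and
#    CurrentControlSet), because which one is live differs from machine to machine
$controlSets = @('CurrentControlSet') + @(Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'ControlSet0*' } | ForEach-Object { $_.PSChildName })
foreach ($cs in $controlSets) {
    foreach ($sub in 'Services\IPZ', 'Enum\Root\LEGACY_IPZ') {
        $key = "HKLM:\SYSTEM\$cs\$sub"
        if (Test-Path -LiteralPath $key) { $found.Add("Registry key present: $key") }
    }
}
# XP Search Assistant history key from the post (spelling corrected here). It stores what the
# user searched for, so its presence alone is not an infection marker; review its values.
$acmru = 'HKCU:\Software\Microsoft\Search Assistant\ACMru\5603'
if (Test-Path -LiteralPath $acmru) { $found.Add("Registry key present: $acmru (search history, review values)") }

# 7. Anything bound to port 4899, the Radmin default the post says the spreader relies on
$tcp4899 = Get-NetTCPConnection -LocalPort 4899 -State Listen -ErrorAction SilentlyContinue
$udp4899 = Get-NetUDPEndpoint -LocalPort 4899 -ErrorAction SilentlyContinue
if ($tcp4899 -or $udp4899) {
    $found.Add('A listener is bound to port 4899 (Radmin default); change the port and the shared credentials')
}

if ($found.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no IPZ indicators found"
} else {
    Write-Output "$env:COMPUTERNAME: $($found.Count) indicator(s)"
    $found | ForEach-Object { Write-Output "  - $_" }
}
```

    Run it on each site's machines before and after the manual clean-up; a host that reports clean and then shows the service or the LEGACY_IPZ key again is being reinfected over Radmin, which is the post's reason for insisting on unique local admin passwords and a non-default Radmin port.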



  • 18.  RE: Virut virus.

    Posted Jun 07, 2011 08:53 AM

    So far ~30 systems out of 1.5k have been detected with this virus (ipz is detected as Spybot, not as Virut).

    All contain Radmin with weak passwords used for temporary remote access instead of RA/MSTSC.

    The difference is that SEP RU6 MR3 contains and removes the virus; however, I don't seem to find any registry key