How can I confirm and remove Win32.Virut.A ?


Hi Folks,

I downloaded the FREE version of PCTools AV and did a scan on several
large internal and external hard drives. It found (and quarantined)
over 1,300 EXE files, saying that they were infected with
"Win32.Virut.A".

Is there a way for me to manually verify that this infection exists?
Also, is there a tool to "disinfect" these files instead of simply
deleting them?

Thank you for helping,

Don

Re: How can I confirm and remove Win32.Virut.A ?

Infected@diseased.net after much thought, came up with this jewel in

Submit the files in question to www.virustotal.com. You could also use
David Lipman's AV tool to scan each file (it includes 4 different
scanners). BitDefender has an on-demand scanner that you can install
also.
Many files cannot be disinfected because they are not valid Windows
files.
max
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply by email.

Re: How can I confirm and remove Win32.Virut.A ?


"over 1,300 EXE files"?  Hope he's got a lot of time on his hands, lol
:)


-jen



Re: How can I confirm and remove Win32.Virut.A ?



Perhaps he is on an extended leave of absence......
--
Virus Removal http://max.shplink.com/removal.html
Keep Clean http://max.shplink.com/keepingclean.html
Tools http://max.shplink.com/tools.html
Change nomail.afraid.org to gmail.com to reply by email.

Re: How can I confirm and remove Win32.Virut.A ?


If he's not now, I'm sure he will be after this :))))

-jen



Re: How can I confirm and remove Win32.Virut.A ?


Win32.Virut.A is an appending virus.  This file infector infects .exe
and .scr files by attaching its encrypted code to the end of the file.

The encrypted code contains IRCBot functionality.

When Win32.Virut.A is executed it injects its code into all running
processes.

Win32.Virut.A opens up a backdoor at port 65520 on the compromised
machine.

This virus tries to connect to IRC servers located at:

* proxima.ircgalaxy.

Symptoms -

# Modified executable files (increase of 5,120 bytes of exe files)
# DNS queries to proxima.ircgalaxy.pl and IRC related network traffic

Method of Infection -

Win32.Virut.A is a file infecting virus. Infection starts with *manual
execution* of the binary. Executables in network shares may also get
infected if accessed by the compromised machine. This virus can also be
instructed to scan for vulnerable systems and infect them.

Good luck,

-jen
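
A triage sketch built on the three indicators listed in the post above (5,120-byte growth, a listener on port 65520, DNS queries for proxima.ircgalaxy.pl). This is an added example, not part of the original thread; the function names, the baseline of known-good file sizes, and the sample `netstat -ano` and DNS log lines are assumptions constructed for illustration.

```python
import re

# Indicators quoted in the post above; everything else here is constructed.
SIZE_DELTA = 5120              # bytes appended to infected .exe/.scr files
BACKDOOR_PORT = 65520
C2_DOMAIN = "proxima.ircgalaxy.pl"

def grown_files(baseline, current):
    """Paths whose size grew by exactly SIZE_DELTA compared with a known-good baseline."""
    return sorted(p for p, size in current.items()
                  if p in baseline and size - baseline[p] == SIZE_DELTA)

def backdoor_listeners(netstat_text):
    """(local address, PID) of TCP listeners on BACKDOOR_PORT in `netstat -ano` text."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 5 fields; UDP rows have no state column and are skipped.
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                hits.append((f[1], int(f[4])))
    return hits

def dns_hits(log_lines):
    """Log lines querying C2_DOMAIN; a trailing dot is allowed, look-alike suffixes are not."""
    pat = re.compile(r"(?<![\w-])" + re.escape(C2_DOMAIN) + r"\.?(?![\w.-])", re.I)
    return [line for line in log_lines if pat.search(line)]

# Constructed sample inputs (not from a real machine).
BASELINE = {r"C:\tools\a.exe": 40960, r"C:\tools\b.exe": 81920, r"C:\tools\c.scr": 20480}
CURRENT = {r"C:\tools\a.exe": 46080, r"C:\tools\b.exe": 81920, r"C:\tools\c.scr": 25600}
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:65520          0.0.0.0:0              LISTENING       1484
  TCP    192.168.1.20:49211     10.0.0.5:65520         ESTABLISHED     2020
  UDP    0.0.0.0:65520          *:*                                    1484
"""
DNS_LOG = [
    "12:00:01 query A www.example.com from 192.168.1.20",
    "12:00:07 query A Proxima.IRCGalaxy.pl. from 192.168.1.20",
    "12:00:09 query A proxima.ircgalaxy.pl.example.net from 192.168.1.21",
]

if __name__ == "__main__":
    print(grown_files(BASELINE, CURRENT))
    print(backdoor_listeners(NETSTAT))
    print(dns_hits(DNS_LOG))
```

A size match alone is only a lead: it needs a trustworthy baseline (a backup or install media), and any flagged file should still be checked with a scanner as suggested earlier in the thread.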



