So it seems that we have a couple of really nasty viruses (virii?) that came out in the last couple of weeks. The Virut.CE and Virux viruses are two of the worst viruses I’ve seen in a long time.
You see, I spent the better part of my evenings this past week trying to remove the Virut.CE one from a friend’s laptop. The issue is that, even if you clean it off completely, you will still need to do a repair install of Windows and reinstall every other program on the machine. Why, you ask?
1) It adds code into normal executables. I’m talking explorer.exe, svchost.exe, and any other .exe file it can find.
2) It destroys the Software hive of the registry. This alone means you would need to restore it from the repair directory. Unless you have a recent backup of the hive safely off the machine, you lose just about every registry key from the software on your machine and have to reinstall it all.
3) It keeps coming back. Every tool from Kaspersky to Malwarebytes winds up finding it, trying to remove it, and yet it still comes back.
4) Initially it prevents access to Task Manager and Explorer. This is partially because of the registry infestation.
5) It hits flash/external USB drives. If there are executables on your external or flash drives, you are screwed. Scan them, and if it’s on them, format them.
6) It will spread over your network! If a machine is infected with these monsters, unplug its network connection immediately. It will infect network shares and spread across your network.
It is a pain to wipe and reinstall systems, I know, but there are a few things you can do to make it a little bit easier.
1) Use a boot CD and a clean external drive. Booting off a Linux or Windows boot CD (BartPE, ERD Commander), you can at least transfer documents to an external drive. Booting off the CD also means you won’t be activating the virus, so you are safe plugging an external drive in.
2) Format the drive and delete the partitions using the boot CD. This helps ensure that you don’t have it sitting in memory, and that the drives are clean. I recommend formatting the drives first, then wiping the partitions, then going ahead with the reinstall.
3) Remove all power from the machine for 5 minutes before starting the reinstall. This makes sure your memory has been cleared out.
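As an added example (not from the original post), here is a small POSIX shell script for step 1, meant to be run from a Linux boot CD with the infected Windows disk and the clean external drive both mounted. It copies the user’s files across while skipping Windows executable types (the post says the virus patches .exe files, so those should not travel to the clean drive), writes a list of what was skipped, records a SHA-256 manifest so the copies can be verified later, and can count the executables present on a drive so you know what to scan. The mount paths and the extension list are assumptions; adjust them to your boot CD.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes a Linux boot CD with
# the infected disk mounted read-only and the clean external drive mounted
# read-write, e.g.:  copy_docs /mnt/windows/Users/alice /mnt/external/alice

# Windows executable/script extensions we refuse to carry over. The post
# names .exe; the rest of this list is an assumption, extend it as needed.
is_executable_type() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.exe|*.dll|*.scr|*.com|*.pif|*.bat|*.cmd|*.vbs|*.js|*.htm|*.html)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Hash a file with whatever SHA-256 tool the boot CD ships.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# copy_docs SRC DEST: copy every regular file under SRC into DEST, keeping
# the relative path, except files of an executable type. Skipped files are
# listed in DEST/skipped.txt; copied files are hashed into DEST/manifest.sha256.
copy_docs() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    : > "$dest/skipped.txt"
    : > "$dest/manifest.sha256"
    find "$src" -type f -print | while IFS= read -r f; do
        rel="${f#"$src"/}"
        if is_executable_type "$f"; then
            printf 'SKIP %s\n' "$rel" >> "$dest/skipped.txt"
        else
            mkdir -p "$dest/$(dirname "$rel")"
            cp "$f" "$dest/$rel"
            hash_file "$dest/$rel" >> "$dest/manifest.sha256"
        fi
    done
}

# count_executables DIR: print how many executable-type files sit under DIR.
# Useful on a flash drive before deciding whether to scan or just format it.
count_executables() {
    find "$1" -type f -print | while IFS= read -r f; do
        if is_executable_type "$f"; then
            printf '%s\n' "$f"
        fi
    done | wc -l | tr -d ' '
}

# Usage: script.sh SRC DEST  (does nothing when called without arguments)
if [ "$#" -eq 2 ]; then
    copy_docs "$1" "$2"
    printf 'skipped executables:\n'
    cat "$2/skipped.txt"
fi
```

Verify the copies later from a clean machine with `sha256sum -c manifest.sha256` inside the destination directory; anything that fails the check was changed after it was copied off.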
I don’t know what joy people get from writing such destructive things. I do know that while it’s not really cleanable, the latest virus definitions for your antivirus will stop it before it starts, which hopefully will help mitigate it. Also, it seems that it comes through HTML initially, which means any site could unknowingly be hosting it.
The virus itself opens a back door to an IRC network, where your machine will be loaded with all sorts of other nasties. And so you all know, my friend’s machine was initially taken down by this monster within 5 minutes of being infected. Yes, totally infected and downed inside of 5 minutes!
Hopefully you don’t have to deal with this for a friend, let alone a client network.