I just downloaded Google Pack with Norton, and the first scan caught my favourite SVN tool, TortoiseSVN, with W32.Virut.W.
Excerpt from Symantec
W32.Virut.A is a virus that infects executable files and opens a back door on TCP port 65520 by connecting to a predefined IRC server.
Netstat
netstat -aob > netstat.log
TCP USER:1028 78.109.19.140.in.hosting.ua:65520 ESTABLISHED 936 [winlogon.exe]
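Added here as a worked example (not from the post, Symantec or Norton): a small Python parser for `netstat -aob` output that flags the two things worth a second look in the listing above: any connection to TCP 65520, the port Symantec names for the Virut back door, and any ESTABLISHED connection owned by a core Windows process such as winlogon.exe, which has no business talking to a remote host. The sample rows are constructed except for the post's own winlogon.exe line, and the list of processes that should never hold a remote connection is my heuristic, not something the post states.

```python
import re
from collections import namedtuple

# From the Symantec excerpt above: Virut's back door talks to its IRC server on TCP 65520.
VIRUT_BACKDOOR_PORT = 65520
# Assumption (my heuristic, not from the post): core Windows processes such as
# winlogon.exe should never hold an ESTABLISHED connection to a remote host.
NO_REMOTE_EXPECTED = {"winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}

TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+\[([^\]]+)\])?\s*$")
OWNER_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")  # `-b` prints the image name on its own line
Conn = namedtuple("Conn", "local remote_host remote_port state pid owner")

def parse_netstat(text):
    """Parse TCP rows of `netstat -aob` (real two-line layout or the flattened form above)."""
    conns = []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            local, remote, state, pid, owner = m.groups()
            host, _, port = remote.rpartition(":")
            conns.append(Conn(local, host, int(port) if port.isdigit() else None,
                              state, int(pid), (owner or "").lower()))
            continue
        m = OWNER_RE.match(line)  # an owner line belongs to the row just parsed
        if m and conns and not conns[-1].owner:
            conns[-1] = conns[-1]._replace(owner=m.group(1).lower())
    return conns

def suspicious(conns):
    """Return (reason, conn) pairs a responder should look at first."""
    hits = []
    for c in conns:
        if c.remote_port == VIRUT_BACKDOOR_PORT:
            hits.append(("remote port 65520 matches the Virut back door", c))
        elif c.state == "ESTABLISHED" and c.owner in NO_REMOTE_EXPECTED:
            hits.append((f"{c.owner} (pid {c.pid}) holds a remote connection", c))
    return hits

# Constructed sample: the post's winlogon.exe row plus rows I made up (test-net IP).
SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  [svchost.exe]
  TCP    USER:1028              78.109.19.140.in.hosting.ua:65520  ESTABLISHED  936
  [winlogon.exe]
  TCP USER:1060 203.0.113.9:6667 ESTABLISHED 936 [winlogon.exe]
"""

for reason, c in suspicious(parse_netstat(SAMPLE)):
    print(f"{c.local} -> {c.remote_host}:{c.remote_port} [{c.owner}]: {reason}")
```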
The free version of Norton Internet Scan failed to fix the virus. :(
Norton Logs
Process:
c:\windows\system32\ctfmon.exe
c:\program files\tortoisesvn\bin\tsvncache.exe
Infection:
c:\windows\system32\ctfmon.exe
c:\program files\tortoisesvn\bin\tsvncache.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\locator.exe
c:\windows\system32\alg.exe
c:\windows\system32\sessmgr.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\rsvp.exe
c:\windows\system32\dmadmin.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\cisvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ups.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\netdde.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\mnmsrvc.exe
c:\windows\system32\mshta.exe
c:\windows\system32\userinit.exe
c:\windows\system32\ieudinit.exe
c:\windows\inf\unregmp2.exe
c:\windows\system32\ie4uinit.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntsd.exe
c:\program files\wakoopa\wakoopa.exe
c:\program files\7-zip\7zfm.exe
c:\program files\acd systems\acdsee\6.0\acdsee6.exe
c:\program files\adobe\adobe help center\ahc.exe
c:\program files\netmeeting\conf.exe
c:\program files\common files\acd systems\en\devdetect.exe
c:\program files\windows nt\dialer.exe
c:\program files\acd systems\fotocanvas\3.0\fotocanvas3.exe
c:\program files\acd systems\fotoslate\3.0\fotoslate3.exe
c:\windows\pchealth\helpctr\binaries\helpctr.exe
c:\program files\hp\digital imaging\unload\hpqapkil.exe
c:\program files\hp\digital imaging\unload\hpqdia.exe
c:\program files\hp\digital imaging\unload\hpqdias.exe
c:\program files\hp\digital imaging\unload\hpqphunl.exe
c:\program files\hp\digital imaging\unload\hpqpsmon.exe
c:\program files\hp\digital imaging\unload\hpqunset.exe
c:\program files\hp\digital imaging\bin\hpqvpswp.exe
c:\program files\windows nt\hypertrm.exe
c:\program files\internet explorer\connection wizard\icwconn1.exe
c:\program files\internet explorer\connection wizard\icwconn2.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\adobe\adobe photoshop cs2\imageready.exe
c:\program files\internet explorer\connection wizard\inetwiz.exe
c:\program files\internet explorer\connection wizard\isignup.exe
c:\program files\java\jre1.6.0_02\bin\javaws.exe
c:\windows\system32\usmt\migwiz.exe
c:\program files\movie maker\moviemk.exe
c:\program files\windows media player\mplayer2.exe
c:\program files\combined community codec pack\mpc\mplayerc.exe
c:\windows\pchealth\helpctr\binaries\msconfig.exe
c:\program files\outlook express\msimn.exe
c:\program files\common files\microsoft shared\msinfo\msinfo32.exe
c:\program files\messenger\msmsgs.exe
c:\program files\notepad++\notepad++.exe
c:\windows\system32\mspaint.exe
c:\program files\adobe\adobe photoshop cs2\photoshop.exe
c:\program files\quicktime\pictureviewer.exe
c:\python25\python.exe
c:\program files\real\realplayer\realplay.exe
c:\program files\common files\real\update_ob\rnxproc.exe
c:\windows\soundman.exe
c:\program files\tortoisesvn\bin\subwcrev.exe
c:\program files\outlook express\wab.exe
c:\program files\outlook express\wabmig.exe
c:\program files\winrar\winrar.exe
c:\program files\windows media player\wmplayer.exe
c:\program files\windows nt\accessories\wordpad.exe
c:\program files\combined community codec pack\zoom player\zplayer.exe
c:\windows\system32\logon.scr
Service:
RpcLocator ALG RDSessMgr COMSysApp RSVP dmadmin MSDTC CiSvc WmiApSrv UPS SwPrv MSIServer NetDDE VSS mnmsrvc Browser Cache
Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon->Userinit
I had to reinstall my Windows XP because there were so many hooks. I have sent a support email to hosting.ua but still got no reply from them. Need to reboot now.
Nov 17, 2007 Update
I got a reply back from hosting.ua support. Below is part of the email:
From: abuse@hosting.ua
To: nospam@gmail.com
Date: Nov 13, 2007 5:00 PM
Subject: Reply: trojan 78.109.19.140.in.hosting.ua #48879

======== CUT HERE =========
Your support request was answered:
Created: 11.11.2007 1:28:38
Last Mod: 12.11.2007 1:41:30
Assigned To: admin(Hosting.UA)

[11.11.2007 1:28:38] Q: Hi, this is for your attention. I got a trojan on my PC; it routed back to one of your hosts at *78.109.19.140.in.hosting.ua*. I hope you can do something about it. Thank you.
-------------------------------------------------------
[13.11.2007 11:00:08] A: Fixed! thx www.Hosting.UA
-------------------------------------------------------
Hosting.UA Administration
Well, there is no explanation of the issue from the support staff. I hope this site will be closed down for good. Google has already blocked it and places a warning when you search for the infected URI.
- November 11, 2007 at 11:44 am
- November 17, 2007 at 1:36 am
No Responses to “w32.virut.w, PE_VIRUT.A”