W32/Virut.AX

My friend asked me to look at his brother’s computer because he thinks it’s got a virus.

What I found was a computer infected with a very nasty executable-infecting virus. This virus copies itself into every executable (.exe) and .scr file on the computer that it possibly can. I found over a thousand infected files on this computer. I could not believe just how many.

Although everything I read about this virus says that it only infects .exe and .scr files, I was also finding loads of infected .jpg files in the temporary internet directory. So although it infects only executable files, it looks as if the computer was infected via a website’s picture files.

This was probably one of the worst infected computers I have come across in a long while.

I did a little digging into the details of this Virut.AX, and although it can be cleaned, most experts say that the only way to remove this virus is to perform a complete re-install.

Well, I got permission from the owner to re-install if needed. With that in mind, it didn’t matter if I tried to clean the computer first; after all, if attempting to clean all those executable files caused the computer to become unstable or unbootable, I could just format and re-install. So I decided to give it a go.

I cleaned/removed all the infected files using Avira and the tool below. But after rebooting I could not access any account on the computer; clicking on any name on the login page started to load Windows, then returned to the login page again.

So I guess in this case it was already beyond repair, and a clean format was the only option :(

The removal tool can be found at symantec.com (Norton) using the link below.

Research

“Virut is a very aggressive and very evasive computer virus designed to spread to computers on network shares. Once contracted, the virus copies itself into .exe files and .scr files by appending itself to the executable. This makes removal very difficult because the file itself is usually functional and necessary; simply deleting it will have recursive effects on the system. To protect itself further, Virut employs a polymorphic entry point obfuscator. This utility allows the virus to have randomized names so there is no way to simply list its commands. By employing these ever-changing file designations, it becomes difficult to trace the path of the virus and determine which computer on the network was infected first.

Once installed, Virut copies itself into the executable file of any running process. Any time a new application is launched, it copies itself there as well. It then seeks to enable a backdoor by opening TCP port 65529. Then it tries to connect to any IRC servers at bproxim.ircgalaxy.pl, from whence it will be given further instructions.”
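The two network indicators the quoted research gives (a backdoor listener on TCP 65529 and IRC traffic to bproxim.ircgalaxy.pl) are the easiest things to check for across other machines on the same network before re-imaging. The script below is an added example, not part of the original post or any vendor tool; it runs over constructed `netstat -ano`-style output and a hypothetical DNS resolver log format and flags both indicators.

```python
"""Flag the Virut.AX network indicators quoted above in netstat-style and DNS
log lines. Added example, not from the original post; sample lines are
constructed and the DNS log format is hypothetical."""
import re

BACKDOOR_PORT = 65529                 # backdoor port quoted in the post
C2_HOST = "bproxim.ircgalaxy.pl"      # IRC host quoted in the post

# Constructed sample in the layout of Windows `netstat -ano` output.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:65529          0.0.0.0:0              LISTENING       1740
  TCP    192.168.1.10:1045      203.0.113.7:6667       ESTABLISHED     1740
"""

# Constructed resolver log (hypothetical format: date time client query type name).
DNS_SAMPLE = """\
2009-03-01 10:22:01 192.168.1.10 query A www.example.com
2009-03-01 10:22:09 192.168.1.10 query A bproxim.ircgalaxy.pl
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def find_backdoor_listeners(netstat_text):
    """Return the PIDs of processes listening on the Virut backdoor port."""
    pids = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == BACKDOOR_PORT and m.group(5) == "LISTENING":
            pids.append(int(m.group(6)))
    return pids


def find_c2_lookups(dns_text):
    """Return (timestamp, client) pairs that resolved the quoted IRC C2 host."""
    hits = []
    for line in dns_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5].lower().rstrip(".") == C2_HOST:
            hits.append((f"{fields[0]} {fields[1]}", fields[2]))
    return hits


if __name__ == "__main__":
    print("backdoor listener PIDs:", find_backdoor_listeners(NETSTAT_SAMPLE))
    print("C2 lookups:", find_c2_lookups(DNS_SAMPLE))
```

A PID returned by the first function identifies the infected process to examine; a client returned by the second is a machine worth isolating even if its own files have not yet been scanned.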
