08-18-2009 04:51 AM - last edited on 08-18-2009 09:09 AM by Rexival_Feraer
Aliases: Virus.Win32.Virut.ce (Kaspersky), W32.Virut.CF (Symantec), W32/Virut.n.gen virus (McAfee)
Type of infiltration: Virus
Affected platforms: Microsoft Windows
Signature database version: 3832 (20090206)
Win32/Virut.NBM is a polymorphic file infector. The virus connects to the IRC network. It can be controlled remotely.
Executable files infection
The virus searches for executables with one of the following extensions:
Executables are infected by appending the code of the to the last section.
The host file is modified in a way that causes the virus to be executed prior to running the original code.
It avoids those with any of the following strings in their names:
It infects the following files:
The virus inserts an IFrame element with an URL link into the file.
The virus is sent data and commands from a remote computer or the Internet.
It communicates with the following servers using IRC protocol:
It can execute the following operations:
* download files from a remote computer and/or Internet
* run executable files
The following file is modified:
The virus writes the following entries to the file:
* 127.0.0.1 jL.chura.pl
The virus may set the following Registry entries:
"%filepath%" = "%filepath%:*:enabled:@shell32.dll,-1"
The performed data entry creates an exception in the Windows Firewall program.
08-18-2009 05:23 AM - edited 08-18-2009 05:26 AM
Hello. I suggest that you try the following malware troubleshooting steps. Scan your computer with Trend Micro System Cleaner and Trend Micro Rootkitbuster.
You may refer to the following link for details on how to use the Trend Micro System Cleaner:
For the RootkitBuster, try downloading it on the following link:
The tools should be able to detect and remove the virus from your computer. If the problem persists, I suggest that you generate the HijackThis Logs of your computer so that we can check for malicious registry entries and identify the location or directory of the virus. You may refer to the following link for details on how to generate the logs:
Kindly paste the generated log here. Thanks.
08-18-2009 05:37 AM
the trend micro system cleaner can detect and remove the virus but after you restart the computer. its back again
the rootkit buster wont run error says something like the integrity of the software has been compromised
Hijack this can detect the infected files.. ive tried this one and analized the files here http://hijackthis.de/.. but again after restarting the computer everything is back again..
cant seem to get rid of this host file entry 127.0.0.1 jL.chura.pl
08-18-2009 05:47 AM
I suggest that you paste the HijackThis Log here so that we can check the directory of the virus. Kindly provide also the directories of the detected files which are located on the Sysclean Log. So that we can analyze it.
08-18-2009 05:57 AM - edited 08-18-2009 06:00 AM
i have already formatted the pc and gave up on the virus..
infected files that were detected by Internet security pro, Hijack this, sysclean.
i will have the pc infected again just to collect the logs.
sysclean logs will only display those things listed above.
malware bytes log would give us more info
if you have a spare pc or if your confident enough that you'll be able to remove they virus
just download the virus from the link posted on the top of this page.
08-18-2009 06:01 AM
If you think that the files are malicious, you may use TwinFix to delete the viruses. Please refer to the following link for details on how to use TwinFix:
08-18-2009 06:23 AM - edited 08-18-2009 06:25 AM
i have also used the twin fix application i have downloaded that one from the support site..
but again i can only place there the 3 malicious files that internet security pro, hijack and sysclean detected
located in c:windows/system32
if we can have a brave soul who would be willing to have thier pc infected that would be great.
btw if you'll have the pc infected
you can nolonger do the following...
- boot in normal mode
- cant open rootkit buster
- cant open combofix
- cant run autoruns
but you can
- run system cleaner but cant get rid of the virus
- run hijack this but cant get rid of the virus
- run internet security pro in safemode and scan and it will be able to detect and lock but after a restart everything is back
- can run twinfix as may times as you want but will not be able to remove the virus
- can run malware bytes get the log and manually delete the files but again after a restart everything is back
for sure we can have someone from trend micro try this virus and generate the logs and find the solution.
i can get the logs but not now.. im not in front of that pc
08-18-2009 09:53 AM
Thank you for sharing your knowledge to help other users of the community - keep it up.
I have edited your post to remove the link on where others can get the samples. Because all of us are curious in nature, some users might click the link and get their machines infected. I know both of us doesn't want that to happen.
08-18-2009 10:05 AM - last edited on 09-11-2009 09:13 AM by JSMO
Thats ok with me if youre going to remove the link..
anyway if anybody would want to try thier luck on this virus just PM me.. and i'll give you the link
btw here is a link from another forum where we have discussed about the virus
[Mod Note: Removed link from post <broken link>]
09-11-2009 08:54 AM
I would like a link to this virus...I caught this (my own fault) and it was the nastiest I have ever seen...My only regret is that I did not save it so that I could toy with it on one of my offline systems...I couldn't find anything to defeat it, luckily I learned my lesson long ago and have everything backed up, but it still took my entire system down..Would love to mess around with this monster again....steer clear of this one