A frightening tale of computer infection and its consequences

It all started when I wanted to get more performance out of my video card. I downloaded the latest drivers, and they included this virus.

Yep, that one simple act turned into an infection nightmare lasting three weeks. I'm hoping Micky will work out exactly where he got the drivers from, and let us know (as well as warning whoever it is that is distributing the infected drivers).

The entire sorry tale is at www mickyj com / blog htm (link deliberately broken because I'm not sure that I want anybody going there yet).

To save you from the need to visit, I'll copy Micky's tale of woe verbatim.  Micky’s message to everybody is “Make sure to point out that no matter how cluey you are with IT (I have 20 years experience) these things are getting nasty.”

Reproduced with permission.

“Where have I been for almost 3 weeks? - 26 April 2009 - mickeyj.com

Virux/Virut
Keywords: PE_VIRUX.E-2, PE_VIRUX.C-2, Win32/Virut, Cryp_Virux, W32.Virut, PE_VIRUX.G-1, PE_VIRUX.F

... Offline. I am lucky enough to be one of the two people in Australia/New Zealand to have been infected with a rare strain of the Virux/Virut virus on my home PC. This is according to Trend Micro's Statistics. If you get this virus, be very afraid. It infected every EXE, SCR, DLL, HTM, HTML, ASPX file (And more). It copied itself to every USB device including my Camera flash cards and USB keys. It infected my Outlook email signatures (So I need to contact people I have emailed), Outlook stationery and more. I started seeing a pattern where infected executable files were about 20 kb larger than the originals and my internet would slow down (Due to incoming IRC connections). It was almost impossible to beat.

If I am like you, I have a whole heap of downloads on my PC that contain all my setup files. That included service packs, video drivers, scanner and printer drivers. All were infected. As I tried to reinstall my hardware I got reinfected. If I plugged in a memory card, I got reinfected. I even found the virus on my media centre and Xbox shared folders. It got everywhere. (Even played with my firmware on my router).

It all started when I wanted to get more performance out of my video card. I downloaded the latest drivers, and they included this virus.

I reinstalled Windows XP Pro and all my additions at least 20 times between 26/3/09 - 16/4/09 before I finally got online again. I know this as I can no longer activate my Microsoft software. I have exceeded the install number allowed for a retail version of the product.

I got to the point of throwing out USB keys and starting to install everything fresh, from fresh downloads. Finally, I have myself back up and running (Minus all my data). Both AVG and Trend Micro could not protect me from reinfection. The virus is encrypted. It hides in space within exe files and nothing can detect it due to the encryption. Trend Micro etc can only detect it once the "exe" has started modifying other files. It happens so fast and Trend Micro and others can't clean it. I think I had 50 infections per second once the virus broke free. The virus targets all files in C:\Windows and C:\Windows\System32 first so basically, Windows becomes one big virus. It becomes especially hard to handle when AVG and Trend Micro start quarantining the virus, removing essential Windows files out of your system so ... Your system can't reboot. I also had the virus in system restore so the OS was completely tainted.

I got to the point where as soon as Trend or AVG triggered, I pressed the workstation's reset button, shoved in my XP disk and started reformatting. I think my earlier mistake was trying to clean the virus. The more I tried, the more I got infected. I tried the Symantec removal tools and many others. They all did not deal with this particular strain of the virus.

If you see this virus, run away. Be very, very afraid. Format your PC. Get your files back from backups. Don't trust any files off your old system as the virus is encrypted and could be in any file. Certainly antivirus can detect this virus when it starts running, but by then, it is too late.

The virus detected was:
PE_VIRUX.E-2
PE_VIRUX.C-2
Win32/Virut
Cryp_Virux
W32.Virut
PE_VIRUX.G-1
PE_VIRUX.F

The virus downloaded and installed the following strains:
Virus.Virut.r
W32.Virut.CF
W32/Virut.n
PE_VIRUT.BO
TROJ_VIRUX.A

It also downloaded:
TROJ_AGENT.CHB
TROJ_MAILBOT.CN
TROJ_SMALL.NAX
TROJ_AGENT.ZNH

Google blocked my website
Keywords: Google, Website, Harm, iFrame

.. And rightly so. I have been hacked. It has been a shocking month for me thus far. My home PC covered in Viruses for the first half of the month, 1 week to breathe and then my website hacked in the second half of the month.

When you Google mickyj.com you get a result that lists "This site may harm your computer" under my website. When you click the link for my website, you get a google page warning viewers not to go to my website. Obviously I wanted to find out more so I downloaded the code for my website and found 4 iFrame infections had been injected into the code.

I contacted Google Support through their help system, after fixing my website. It took a little bit to explain to them what I found, how I had cleaned it all and how the infection had likely occurred, then they "verified" and "reviewed" my website and it is up again in all its glory. Thanks Google Guys. You were awesome. I was unable to request verification of my website through the web interface as my Domain name holder has some restrictions in place that I could not get around. The Google guys understood this and did an awesome job helping me through their help system. I can't stress enough how fantastic these guys were. Especially Johnathon at Google, you guys rock.

Website up and running, safe again on the 25th April.

New Wrinkle
Keywords: Twitter, Suspended

Twitter have blocked me for suspicious activity. 26th April Twitter suspended my account. What ?? I hope that this is related to the virus I had earlier and can be easily explained and then unblocked. This has not been a good month.

Maybe things will be better tomorrow as it is my Birthday !”

For what it's worth Micky, Happy Birthday!

And… change all your passwords!
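The iframe injection Micky found on mickyj.com is the most mechanical part of this story to check for. What follows is an added example, not code from Micky's site or from this post: a small Python scanner that walks a downloaded copy of a site and reports every iframe that is hidden, zero-sized or points at a host other than your own, which is how injected frames usually look. The two sample pages, the hostname bad.example and the three heuristics are constructed for the example, not taken from the infected site.

```python
"""Find iframes that look injected in a site export (added example)."""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Frame dimensions that make it invisible. Assumed heuristic for this example.
ZERO_SIZE = {"0", "1", "0px", "1px"}


class IframeFinder(HTMLParser):
    """Collects every <iframe> start tag with the reasons it looks injected."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.hits = []  # (line number, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if a.get("width", "").strip() in ZERO_SIZE or a.get("height", "").strip() in ZERO_SIZE:
            reasons.append("zero-size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host not in self.own_hosts:
            reasons.append("off-site:" + host)
        self.hits.append((self.getpos()[0], a.get("src", ""), reasons))


def scan_file(path, own_hosts):
    """Return only the frames in one file that tripped at least one heuristic."""
    finder = IframeFinder(own_hosts)
    with open(path, encoding="utf-8", errors="replace") as fh:
        finder.feed(fh.read())
    return [hit for hit in finder.hits if hit[2]]


def scan_tree(root, own_hosts, exts=(".htm", ".html", ".aspx")):
    """Walk a site export and map each file to its suspicious frames."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                hits = scan_file(path, own_hosts)
                if hits:
                    findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample site: a clean page with a legitimate same-site frame,
# and a page carrying an injected zero-size, hidden, off-site frame.
CLEAN = ("<html><body><h1>Blog</h1>"
         "<iframe src='/widgets/cal.htm' width='300' height='200'></iframe>"
         "</body></html>")
DIRTY = ("<html><body><p>Welcome</p>\n"
         "<iframe src='http://bad.example/in.php' width='0' height='0' "
         "style='display: none'></iframe>\n</body></html>")


def demo():
    """Write the two sample pages to a temporary site export and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        with open(os.path.join(root, "index.htm"), "w") as fh:
            fh.write(CLEAN)
        with open(os.path.join(root, "blog", "blog.htm"), "w") as fh:
            fh.write(DIRTY)
        return scan_tree(root, own_hosts={"mickyj.com"})


if __name__ == "__main__":
    for path, hits in demo().items():
        for line, src, reasons in hits:
            print(f"{path}:{line} {src} [{', '.join(reasons)}]")
```

Run it over the export before re-uploading the cleaned site, and again after, since the warning reflects whatever copy Google last fetched and a frame left in any served page (a template, a stationery file, a cached copy) keeps the site dirty. A normally sized frame pointing at your own host, like the calendar widget in the clean page, is not reported; everything else is worth a manual look.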

Comments

# re: A frightening tale of computer infection and its consequences

Thursday, April 30, 2009 10:09 PM by The Hubb

If someone with 20 years experience can't even keep themselves clean, how the heck is grandma supposed to keep her PC clean?

..Mac anyone?  

...i'm just sayin..

# re: A frightening tale of computer infection and its consequences

Friday, May 01, 2009 1:34 PM by jeno

Google cache of the site is still infected...

i.e.

# re: A frightening tale of computer infection and its consequences

Friday, May 01, 2009 8:19 PM by sandi

@The Hubb

A Mac won't protect grandma (or anybody else) from social engineering.

Trojans attacking the Mac:

www.google.com/search

# re: A frightening tale of computer infection and its consequences

Sunday, May 03, 2009 8:53 AM by Bull

Sounds like bull. Why would anyone reinstall windows 20 times? How would a fresh install become infected unless the infected files were rerun after the clean install? A lot of these claims don't make sense.

# re: A frightening tale of computer infection and its consequences

Sunday, May 03, 2009 8:00 PM by sandi

@Bull

You are mistaken and need to realise that the entire point of his post, and my repeating it here, is to warn about how hard it can be to recover from an infection if you try to save pre-existing data and downloads, and just how sophisticated these infections are becoming.   I corresponded with the gentleman in question, and I was involved in having Micky's web site isolated from viewing while it was cleaned up, and saw the malicious code on his web site with my own eyes.  

The mistake Micky made was using pre-downloaded software to rebuild his system, because the installers he was using were infected with the virus (and were not being detected as infected by his antivirus software).

He made another mistake in not asking for help, and trying to fix things on his own.

It is rare for somebody to lose *all* of their EXE, SCR, DLL, HTM, HTML, ASPX files (and more) to an infection on the local machine, as well as on all USB devices and even networked systems such as an XBOX and media systems. Stop and ponder the implications of that fact for a moment. How many of us, when faced with an infected computer, advise the victim that they will have to wipe not only the primary infected computer, but also all USB devices, and all networked devices AND that they must consider all pre-existing data and downloads as suspect? I can tell you now that far too many people, when "cleaning" infected computers, do not give any thought to external devices and shares.

Re your statement "How would a fresh install become infected unless the infected files were rerun after the clean install?", please read what Mickyj wrote, specifically the following section, which answers your question:

"If I am like you, I have a whole heap of downloads on my PC that contains all my setup files. That included service packs, video drivers, scanner and printer drivers. All were infected. As I tried to reinstall my hardware I got reinfected. If I plugged in a memory card, I got reinfected. I even found the virus on my media centre and Xbox shared folders. It got everywhere. (Even played with my firmware on my router)."
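The rebuild trap sandi describes above, installers that were already carrying the infector being used to rebuild the system, is exactly what a file-integrity baseline is for. This is an added example and not something from the post or the comments: a Python script that records the SHA-256, size and PE-ness of every file in a downloads folder while the files are known good, and later reports anything modified, missing or new before the folder is reused for a rebuild. The installer bytes (a bare MZ/PE header with filler), the appended 20 KB "infection" and the file names are constructed for the demonstration.

```python
"""Baseline a folder of downloaded installers and re-verify it later.
Added example for this post; the sample files below are constructed."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so a service pack need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_pe(path):
    """True if the file has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\x00\x00"


def build_manifest(root):
    """Map each file (relative to root) to its hash, size and whether it is a PE image."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = {
                "sha256": sha256_of(path),
                "size": os.path.getsize(path),
                "pe": is_pe(path),
            }
    return manifest


def verify(root, manifest):
    """Compare the folder with a previously stored manifest.

    'modified' carries the size delta, so an infector that appends itself to
    executables shows up as the same growth across many files."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "new": []}
    for rel, entry in manifest.items():
        now = current.get(rel)
        if now is None:
            report["missing"].append(rel)
        elif now["sha256"] != entry["sha256"]:
            report["modified"].append((rel, now["size"] - entry["size"]))
    report["new"] = sorted(rel for rel in current if rel not in manifest)
    return report


# Constructed stand-in for an installer: an MZ header whose e_lfanew (0x40)
# points at a PE signature, followed by filler. Not a real executable.
FAKE_INSTALLER = (b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little")
                  + b"PE\x00\x00" + b"\x00" * 1000)


def demo():
    """Baseline one installer, then simulate a file infector appending 20 KB to it."""
    with tempfile.TemporaryDirectory() as root:
        installer = os.path.join(root, "video_driver_setup.exe")
        with open(installer, "wb") as fh:
            fh.write(FAKE_INSTALLER)
        # Round-trip through JSON: this is what would be written to read-only media.
        manifest = json.loads(json.dumps(build_manifest(root)))
        with open(installer, "ab") as fh:  # the simulated infection: appended code
            fh.write(b"\xcc" * 20 * 1024)
        with open(os.path.join(root, "readme.txt"), "w") as fh:  # a dropped file
            fh.write("not in the baseline")
        return manifest, verify(root, manifest)


if __name__ == "__main__":
    baseline, report = demo()
    for rel, delta in report["modified"]:
        print(f"MODIFIED {rel} (+{delta} bytes, pe={baseline[rel]['pe']})")
    for rel in report["new"]:
        print(f"NEW      {rel}")
    for rel in report["missing"]:
        print(f"MISSING  {rel}")
```

A file infector that appends itself to an executable changes that file's hash regardless of what its encryption does to antivirus signatures, so this check does not depend on recognising the payload, only on having a trustworthy baseline. The manifest is worth exactly as much as where it is kept: write it to read-only media or, better, compare each installer against the hash the vendor publishes, rather than storing the baseline on the machine that may be infected. An installer that fails the comparison is not something to clean; it is something to download again from the vendor.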

# re: A frightening tale of computer infection and its consequences

Tuesday, June 16, 2009 10:43 PM by Mickyj

Yes, I am still here to relive the tale. A rebuild estimate of 20 times is not only accurate but very frustrating. As an interesting side note, I did neglect to mention I requested help from a few AV companies. All could not help due to the nature of the encrypted virus. My mistake, not starting fresh. I kept wanting my data back. I made my life difficult by trying to make it easier. In the end, I threw out all my saved files, configs and documents and started again. Life has been better ever since.