#1, 28th April 2009
MrTom (EnjoyCG staff, England)
*** serious virus warning ***

W32/Virut.Gen (and any variant of it)........

Core files found so far: reader_s.exe and ntos.exe

What it does: This extremely nasty worm attaches itself to various files on your system. Primary targets are .exe (the worst case), .sys, .dll, .htm, .html, .php, and .asp to name just a few. Those executables that run a CRC check before execution will detect a CRC error and refuse to run......you can imagine the problems this can cause.

Where it goes: EVERYWHERE! This mean mother doesn't care what .exe file it attaches itself to.....Primary locations are the SYSTEM32 folder in the root directory. USERINIT.exe seems to be the initial target as this prevents the user from logging onto the machine.....period.

How to cure: Ditch ALL your drives and start from scratch....and even then it's not guaranteed to be killed. Honestly guys, this bastard is one of the worst viruses to be spread around in a while. It's fairly new but variants of it have been around for a while....they could be re-triggered if left lying dormant on your system.

What else it does: Attaching ANY form of external drive to the machine will result in the virus being spread to it. This includes any device that appears as a drive on your system....even your mobile phone! Any pen drives, flash cards, mobile broadband devices, HDDs, basically ANYTHING that can be written to....with the only exception being discs that have to be 'burnt'.

Formatting a drive results in TWO files being written to it.....an AUTORUN.INF file (which has 'hidden' attributes) and an .exe file. The INF file points to the .exe file which (you've guessed it) is infected with the virus.....which is spread from an infected .exe when the file is executed.....which is what AUTORUN does.

The virus also, as well as many other things, removes the 'Folder Options' menu from the dropdown list in Windows Explorer to prevent you from showing 'hidden' files....so all bases pretty much covered I'm sorry to say.

Whilst I personally did not have any problem with random websites popping up, nor any logon problems....(only one account), these are things to look out for. The usual sluggish behaviour and apps not running is a good indication things are not as they should be.

Unfortunately I caught this little bastard, but not in time to stop it infecting over 1300 files on the drive.....making the whole system pretty useless. The only option (at this time) is to get a clean drive and start again. Even this is a pain in the arse as transferring any files you may have left on the old drive can only be done safely via CD/DVD/BR.....the only way to be sure of not spreading it again.

Anyway, this is a GENUINE HEADS UP WARNING for all you out there....I know how precious your renderings are and would hate anyone to lose them to a sneaky malicious fuck-wit who thinks viruses are a 'fun' thing to do in his spare time.

My only advice is to check out your systems, including any external drives you still have, or have had, attached to your system, and if you DO detect it then just STOP IMMEDIATELY....the more .exe files you run the more the virus spreads. Also check out any CDs/DVDs/BRs you may have burnt recently for hidden files.....and anything you may have formatted.

Also make sure that if you log on to Windows automatically or have just one account then KEEP it this way....adding any more accounts will invariably mean not being able to log on to any of them.......USERINIT.exe in the system32 folder is the one to watch......my original was around 26kb which instantly changed (right in front of my eyes) to around 45kb once infected.

There may be ways around this virus if caught very quickly.....as I said, over 1300 files were hit on my system in around 30 mins......this is SERIOUS SHIT!

Sorry to be the bearer of such bad news after being away for a while but you can now understand why.....hopefully you've never seen the effects of this virus, and if you check for it NOW hopefully you never will.

There is a growing list of hits on Google about this if you want to read more about it. I regularly turn to the Technibble.com forum for the latest news on what's going around....the guys on there are all in the PC repair circle and know their stuff, but even this has them scratching their heads...check them out for more info.

Good Luck.

Regards.


Last edited by MrTom; 28th April 2009 at 08:38 PM.
#2, 28th April 2009
section1 (Tutorial contributor, Australia)
How did you get it?
#3, 29th April 2009
MrTom (EnjoyCG staff, England)
Hello mate,

I don't know to be honest. It can be attached to almost anything as it doesn't actually change any files, just attaches itself to it. I've read it can be on the end of all the files I mentioned above, even web pages, so I've no idea where it came from.....to be honest I didn't really have the time to find out either.....1300 files in 30 mins....that's some going!

I have a feeling I got it just before leaving my old place, my lappy didn't appreciate moving house and the backlight went in the screen.....I started using my other PC and must have stirred up the virus by using something it had attached itself to.......as I only used to use this PC for Distributed rendering it didn't ever show itself....until now.

I'm now going through the slow process of deleting all the infected files....( .exe's included), and trying to salvage what's left. Hopefully most of my 'work' files, (.max, .jpg, .psd etc....), won't have been infected....just the program files, so with any luck I still have them on CD or whatever.......a bugger whichever way you look at it though.

All I can say is make sure your Anti-Virus is fully updated and will detect W32/Virut.??? infections. As there is no easy way to remove this without deleting all the infected program files it would be a good idea to either compress any important program files (.exe) that you don't have on CD/DVD etc into a .Zip or .Rar file, that or burn them to a disc. This seems to be the only way to protect .exe files.

Like I said, this is a particularly nasty virus, spreads incredibly quickly and attacks your anti-virus software from the word go. There is no known, (to date), way of removing the virus from infected files, so protect them however you can.

I sincerely hope no-one else gets it.......I wouldn't even wish this on the ex wife! lol.

Regards.
#4, 29th April 2009
geldslaw (EnjoyCG Staff, London)
Considering how much work I have to complete before going to China and needing my system at one of the most critical times in the year, this really does scare me and I think I know of people who have been infected by it. Thank goodness I do not share any files with anyone so I am pretty much safe at the moment. Let's hope those are not my famous last words.

Thanks for the heads up.
#5, 29th April 2009
MrTom (EnjoyCG staff, England)
No problem mate.......

If this was just 'another' annoying virus I wouldn't have mentioned it, but as this version is particularly nasty and can bring down your whole system in a matter of minutes I thought it needed to be brought to the attention of the masses.

As this thing can spread through e-mails too it's a wise idea to at least check for those two 'core' files if nothing else......a virus check on the system32 folder is also not a bad idea as this appears to be the primary target for infection. (Don't forget those hidden files!)

Unfortunately I'm still reading reports of even the best PC technicians just giving up and starting over......which is the position I'm in now, using a sacrificial PC to try and burn any remaining uninfected files to disc....it's a long process and I wouldn't wish it on anyone.....not even the wife who today filed for divorce...the bitch.

Good luck, and stay clean.

Regards.
#6, 30th April 2009
Junior Member (Australia)
Just a thought, with the autorun.inf file that points to an exe file when a drive is formatted. Would you be able to delete it if you always have the "hide protected OS files" tab unchecked and unchecking the "hide extensions for known file types" tab?
It's just a thought as I have my settings for those two tabs like that because that sujin virus has been popping up at my school and that's the way I detect it.
#7, 30th April 2009
MrTom (EnjoyCG staff, England)
Absolutely.

Deleting those two files is ok to make a 'clean' drive, but when I first found out I had this I didn't know that this was what was happening......hence it took me three attempts to install a temp OS without transferring the virus....I mean, when you format a drive you expect it to be clean right?

Just one of the sneaky ways this thing tries to spread itself, but deleting those two files does in fact remove the problem......if caught immediately after formatting and before the drive is removed from the infected machine.

I had also noticed that attaching a clean drive to an infected machine also transfers those two files, although I'm not sure as to when this happens, it may only happen once something else is written to the drive or simply when the drive is accessed.....I'm not sure on that one but something to look out for.

Regards.
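A defender's check for the autorun mechanism discussed in this thread (an added example, not code from the thread or its posters): it parses an autorun.inf the way Windows does, honouring only the launch keys in the [autorun] section regardless of case or junk lines, and reports what a drive root would execute and whether the inf file carries the hidden attribute. The sample directory, its AUTORUN.INF and the placeholder reader_s.exe are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Keys in [autorun] that launch a program; Windows matches them case-insensitively.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$", re.I)


def parse_autorun(text):
    """Return the distinct executables an autorun.inf would launch.

    Parsing is deliberately tolerant: malicious autorun files often carry
    junk lines and odd casing, so anything that is not a launch key is ignored.
    """
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        m = LAUNCH_KEY.match(line) if in_section else None
        if m:
            cmd = m.group(2).strip()
            # Keep only the program path, dropping any arguments (quoted or not).
            exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
            if exe not in targets:
                targets.append(exe)
    return targets


def check_drive_root(root):
    """Inspect a drive root: is there an autorun.inf, is it hidden, what does it launch?"""
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return {"autorun": False, "hidden": None, "targets": []}
    st = inf.stat()
    # FILE_ATTRIBUTE_HIDDEN is 0x2; st_file_attributes only exists on Windows, else None.
    hidden = bool(st.st_file_attributes & 0x2) if hasattr(st, "st_file_attributes") else None
    targets = [(t, (root / t).exists()) for t in parse_autorun(inf.read_text(errors="ignore"))]
    return {"autorun": True, "hidden": hidden, "targets": targets}


def demo():
    """Constructed sample: a freshly formatted drive carrying the two files the thread describes."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "AUTORUN.INF").write_text(
            "[AutoRun]\nopen=reader_s.exe\nshell\\open\\Command=reader_s.exe\nicon=x.ico\n")
        Path(d, "reader_s.exe").write_bytes(b"MZ constructed placeholder, not a real binary")
        return check_drive_root(d)
```

A drive root that reports an autorun.inf launching an executable present on the same drive is the pattern the posts describe; an empty target list with no autorun.inf is what a clean, freshly formatted drive should show.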
Copyright © 2006-2009, EnjoyCG