GMER http://www.gmer.net
      all your rootkits are belong to us

Virus / Rootkit VT100.EXE

  • hides its process and its executable file
  • injects its code into every newly created process
  • infects most executable files on ALL disks, enlarging each file by 5120 or 8192 bytes
  • if an executable file is not yet infected, it is modified when it is launched (*.EXE, *.SCR)
  • the infected file (process) connects to a remote host and tries to download the rootkit file VT100.EXE
  • once VT100.EXE has been downloaded, it starts a massive infection of *.EXE files
  • Kaspersky already has the cure for infected files!!!
    Virus.Multi.Virut.4960
    [ Virus Watch ]
    Malware detected 09.05.2006 20:38:34, update released 09.05.2006 22:13:12
  • Virus on the net: Kaspersky, BitDefender

    How to cure Windows of VT100?

  • Preparing a clean system (one of the following):
      • install a secondary Windows system (e.g. on another drive or partition), or
      • plug your disk into another computer that has a clean system, or
      • boot your PC from a bootable CD that carries a system (e.g. Bart XPE)

  • You need:
      • the Setup CD matching your Windows system (e.g. XP + SP1 or XP + SP2)
      • the wincmp.exe, expand.exe and cabarc.exe applications

  • Preparing the files
      • use wincmp.exe to unpack all *.EXE files from your Windows Setup CD:
        wincmp -x X:\i386 C:\XP *.EXE
        all *.EXE files will be copied to the C:\XP folder
      • also unpack all *.EXE files from any service pack installed on your system into the C:\XP folder

  • Checking the files
      • use wincmp.exe to check which files have been modified:
        wincmp -c C:\XP C:\WINDOWS
        wincmp -c C:\XP "C:\Program Files"
        1 C:\WINDOWS\system32\accwiz.exe 5.1.2600.0  99.99% +5120
        2 C:\WINDOWS\system32\dllcache\accwiz.exe 5.1.2600.0  99.99% +5120
        3 C:\WINDOWS\system32\actmovie.exe 6.04.2600.0  99.66% +5120
        4 C:\WINDOWS\system32\dllcache\actmovie.exe 6.04.2600.0  99.66% +5120
        5 C:\WINDOWS\msagent\agentsvr.exe 2.00.0.3422  99.99% +5120
        6 C:\WINDOWS\system32\dllcache\agentsvr.exe 2.00.0.3422  99.99% +5120
        7 C:\WINDOWS\system32\ahui.exe 5.1.2600.1106 != 5.1.2600.0 7.92% +11776
        8 C:\WINDOWS\system32\alg.exe 5.1.2600.1106 != 5.1.2600.0 13.76% +6144
        9 C:\WINDOWS\system32\append.exe OK
        10 C:\WINDOWS\system32\dllcache\append.exe OK
        ...
        185 C:\WINDOWS\hh.exe 5.2.3644.0 != 4.74.9273 6.06% +0
        186 C:\WINDOWS\system32\hostname.exe 5.1.2600.0  99.83% +5120
        187 C:\WINDOWS\system32\dllcache\hostname.exe 5.1.2600.0  99.83% +5120
        188 C:\WINDOWS\system32\dllcache\hrtzzm.exe 1.2.626.1  99.79% +5120
        189 C:\WINDOWS\system32\dllcache\icwconn2.exe 6.00.2600.0000  99.98% +8192
        190 C:\WINDOWS\system32\dllcache\icwrmind.exe 6.00.2600.0000  99.94% +8192
        191 C:\WINDOWS\system32\dllcache\icwtutor.exe 6.00.2600.0000  99.98% +8192
        ...
        593 C:\WINDOWS\system32\xcopy.exe 5.1.2600.0  99.95% +5120
        594 C:\WINDOWS\system32\dllcache\xcopy.exe 5.1.2600.0  99.95% +5120

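The wincmp -c listing is the triage input a responder works from, so it is worth being able to classify it mechanically. The following Python example is added here and is not part of the page or of GMER's tools; it parses lines in the format shown above and applies the page's own rule of thumb: an entry whose version equals the Setup CD copy but which grew by exactly 5120 or 8192 bytes while staying around 99% similar is consistent with this infector, whereas an entry with "!=" versions is a file that was replaced by a service pack or Windows Update and must be judged separately (the page's WARNING case). The column reading (index, path, installed version, optional "!=" plus CD version, similarity percentage, size delta), the assumption that the left-hand version is the installed file, and the verdict thresholds are my own interpretation of the listing, not documented wincmp semantics; the sample lines are constructed from the page's output.

```python
from dataclasses import dataclass
from typing import Optional

# Growth sizes the page attributes to the VT100/Virut infector.
VIRUT_GROWTH = {5120, 8192}

# Constructed sample in the "wincmp -c" output format shown on the page.
SAMPLE_OUTPUT = r"""
1 C:\WINDOWS\system32\accwiz.exe 5.1.2600.0  99.99% +5120
7 C:\WINDOWS\system32\ahui.exe 5.1.2600.1106 != 5.1.2600.0 7.92% +11776
9 C:\WINDOWS\system32\append.exe OK
185 C:\WINDOWS\hh.exe 5.2.3644.0 != 4.74.9273 6.06% +0
189 C:\WINDOWS\system32\dllcache\icwconn2.exe 6.00.2600.0000  99.98% +8192
"""


@dataclass
class Entry:
    index: int
    path: str
    file_version: Optional[str]       # version of the file found on disk
    reference_version: Optional[str]  # version of the copy unpacked from the Setup CD
    similarity: Optional[float]       # percent of bytes still matching the reference
    delta: Optional[int]              # size change in bytes relative to the reference
    verdict: str


def parse_line(line: str) -> Entry:
    # Split from the right, so paths containing spaces (e.g. under
    # "C:\Program Files") still parse correctly.
    parts = line.split()
    index = int(parts[0])
    if parts[-1] == "OK":
        return Entry(index, " ".join(parts[1:-1]), None, None, None, None, "clean")
    delta = int(parts[-1])                      # "+5120" -> 5120, "+0" -> 0
    similarity = float(parts[-2].rstrip("%"))   # "99.99%" -> 99.99
    if len(parts) > 4 and parts[-4] == "!=":
        # Assumption: the left-hand version is the installed file, the right-hand
        # one the CD copy, as in the page's alg.exe example (build 1106 vs build 0).
        file_ver, ref_ver = parts[-5], parts[-3]
        path = " ".join(parts[1:-5])
        verdict = "version differs"             # updated file; verify it separately
    else:
        file_ver = ref_ver = parts[-3]
        path = " ".join(parts[1:-3])
        # Same version but grown by exactly the infector's size, almost all bytes
        # unchanged: the appended-code pattern the page describes.
        if delta in VIRUT_GROWTH and similarity >= 99.0:
            verdict = "likely infected"
        else:
            verdict = "modified"
    return Entry(index, path, file_ver, ref_ver, similarity, delta, verdict)


def triage(output: str) -> dict:
    """Parse a whole wincmp report and count entries per verdict."""
    counts: dict = {}
    for raw in output.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        counts[entry.verdict] = counts.get(entry.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_OUTPUT.strip().splitlines():
        e = parse_line(raw)
        print(f"{e.verdict:16} {e.path}  delta={e.delta}")
    print(triage(SAMPLE_OUTPUT))
```

The "version differs" bucket is deliberately kept apart from "modified": those files are exactly the ones the WARNING at the end of the page is about, and blindly restoring them rolls back a legitimate update.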
  • Restoring original files
      • use wincmp.exe to copy the original files back to the Windows and Program Files folders:
        wincmp -r C:\XP C:\WINDOWS
        wincmp -r C:\XP "C:\Program Files"
      • scan your system with an antivirus (e.g. Kaspersky) to cure the remaining executable files.

  • WARNING
      • The remaining EXE files have to be deleted or reinstalled.
      • Problems might occur with system files that have been updated with the Microsoft online update tool, because some of the files on the Setup CD might be outdated, e.g.
        C:\WINDOWS\system32\alg.exe 5.1.2600.1106 != 5.1.2600.0 13.76% +6144
        You can overwrite the files regardless of version using the following option:
        wincmp -r C:\XP C:\WINDOWS -f
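To make the compare-and-restore steps above concrete without a real C:\XP and C:\WINDOWS, here is an added Python analogue (not code from the page or from GMER) run over a constructed pair of directories. The reference folder is flat, like C:\XP; the target tree is walked recursively and every file is matched to the reference copy by name, hashed, and reported as OK, as grown by exactly 5120 or 8192 bytes, or as otherwise modified. Restore copies the reference file over the grown ones only; a force flag, standing in for the -f option, also overwrites the otherwise-modified ones, which is what rolls back a legitimately updated file. Matching by name, the growth heuristic and the force semantics are assumptions of this example, not wincmp's documented behaviour, and the sample files are dummy byte strings, not Windows binaries.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Growth sizes the page attributes to the VT100/Virut infector.
VIRUT_GROWTH = {5120, 8192}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_reference(reference: Path) -> dict:
    # Map lowercased file name -> reference path; the reference folder is flat,
    # like the C:\XP folder the page unpacks the Setup CD into (assumption).
    return {p.name.lower(): p for p in reference.iterdir() if p.is_file()}


def compare_trees(reference: Path, target: Path) -> list:
    """Analogue of 'wincmp -c': walk the target tree and compare every file that
    has a same-named copy in the reference folder. Returns (relative path, status,
    size delta) tuples in path order."""
    ref = index_reference(reference)
    findings = []
    for path in sorted(target.rglob("*")):
        if not path.is_file():
            continue
        clean = ref.get(path.name.lower())
        if clean is None:
            continue  # no reference copy to compare against
        delta = path.stat().st_size - clean.stat().st_size
        if sha256_of(path) == sha256_of(clean):
            status = "OK"
        elif delta in VIRUT_GROWTH:
            status = "INFECTED?"  # grew by exactly the size the page reports
        else:
            status = "MODIFIED"   # e.g. a file replaced by a service pack
        findings.append((path.relative_to(target).as_posix(), status, delta))
    return findings


def restore(reference: Path, target: Path, findings: list, force: bool = False) -> list:
    """Analogue of 'wincmp -r' (and '-r ... -f' when force=True): copy the
    reference file over the modified one. Returns the relative paths restored."""
    ref = index_reference(reference)
    restored = []
    for rel, status, _delta in findings:
        if status == "INFECTED?" or (force and status == "MODIFIED"):
            dest = target / rel
            shutil.copy2(ref[dest.name.lower()], dest)
            restored.append(rel)
    return restored


def build_demo() -> tuple:
    """Constructed sample trees (dummy bytes, not real executables) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="vt100demo_"))
    reference, target = root / "XP", root / "WINDOWS"
    reference.mkdir()
    (target / "system32" / "dllcache").mkdir(parents=True)
    clean_a = b"MZ" + b"A" * 1000
    clean_b = b"MZ" + b"B" * 1000
    clean_c = b"MZ" + b"C" * 1000
    (reference / "accwiz.exe").write_bytes(clean_a)
    (reference / "append.exe").write_bytes(clean_b)
    (reference / "alg.exe").write_bytes(clean_c)
    # accwiz.exe: same content with 5120 zero bytes appended, mimicking the growth
    (target / "system32" / "accwiz.exe").write_bytes(clean_a + b"\x00" * 5120)
    # append.exe: untouched copy
    (target / "system32" / "dllcache" / "append.exe").write_bytes(clean_b)
    # alg.exe: different content, same size, standing in for an updated file
    (target / "system32" / "alg.exe").write_bytes(b"MZ" + b"X" * 1000)
    return reference, target


if __name__ == "__main__":
    ref, tgt = build_demo()
    for rel, status, delta in compare_trees(ref, tgt):
        print(f"{status:10} {rel}  {delta:+d}")
    print("restored:", restore(ref, tgt, compare_trees(ref, tgt)))
    print("forced:  ", restore(ref, tgt, compare_trees(ref, tgt), force=True))
```

Run it twice in your head: the first restore touches only the file that grew by 5120 bytes and leaves the same-size, different-content alg.exe alone, which is the safe default the page's WARNING argues for; only the forced pass overwrites that one too.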

Copyright (c) GMER 2004 - 2007