Removing and preventing PE_VIRUX infections using Worry-Free Business Security (WFBS)

    • Updated:
    • 15 Oct 2015
    • Product/Version:
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • Windows 2003 Enterprise Server
    • Windows 2003 Home Server
    • Windows 2003 Small Business Server
    • Windows 2003 Standard Server Edition
    • Windows 2008 Datacenter Server
    • Windows 2008 Enterprise Server
    • Windows 2008 Essential Business Server
    • Windows 2008 Small Business Server
    • Windows 2008 Standard Server Edition
    • Windows 7 32-bit
    • Windows Vista 32-bit
    • Windows XP Home
    • Windows XP Professional
Summary

Learn what PE_VIRUX is and how it can affect your systems. The article also explains how to prevent and remove this malware.

Details

PE_VIRUX is a fast-spreading file infector that:

  • Uses advanced techniques to terminate antivirus processes and disable security applications
  • Connects to a malicious IRC server or website to download additional malware
  • Exploits a Windows shortcut-handling flaw by dropping a *.LNK file that automatically executes its malware
  • Drops an AUTORUN.INF so that the malware file is executed when a USB drive or shared drive is accessed

PE_VIRUX evolves continuously, from early variants such as PE_VIRUX.M to SALITY.RL, adopting the latest threat techniques as it goes. Because of this changing landscape, relying on the file-system scanner alone may no longer be sufficient.

Recommendations to mitigate the malware

  • Operating System recommendations

  • Sysclean Tool recommendations

    • Download the Sysclean tool to address detection and cleanup issues, and make sure to run it with the latest scan pattern file.
    • Sysclean is most effective when run in Safe Mode, because Windows then loads only a minimal set of drivers and services and the malware's own startup entries are usually not running. Before rebooting, copy the Sysclean package to a clean USB disk, using one disk per workstation so that a disk infected on one machine is not carried to the next. USB disks are detected in Safe Mode and are assigned a drive letter higher than that of your physical drive. Then turn on the machine and press F8 during boot to open the Safe Mode menu.

      The article "A description of the Safe Mode Boot options in Windows XP" provides more details about the Safe Mode boot options for Windows XP. The same options apply to the other Windows versions covered by this article.

  • Product recommendations

    • Recommended scan action configurations by product (first action / second action):

      • SPNT, WFBS, CSM-SMB, OSCE 7.3: Clean / Pass (Bypass)
      • OSCE 8.0: Clean / Deny Access

      These settings clean the executables that can be cleaned but leave in place infected executables that cannot be cleaned yet, since those may be system files that quarantining or deleting would remove.

    • Enable scanning of network drives when the environment uses mapped shared drives or shared folders are used frequently.
    • For OfficeScan 8.0 and 10/10.5 users licensed for Web Threat Protection, enable Web Reputation to reduce the risk of the machine downloading further malware. PE_VIRUX can be commanded over IRC to download malware from a malicious URL.
    • Check whether the OfficeScan client itself has been infected. PE_VIRUX is a file infector, so the OfficeScan client's executables may be affected, especially if the network was already infected before the malware was detected.

      You can run the following command to repair a corrupted OfficeScan client installation:

      \\ip.address.of.osce-server\ofcscan\autopcc.exe -f

      For large-scale infections, deploy the command through Group Policy (GPO).

  • Network recommendations

    Reduce exposure on the network by routing web traffic through a scanning HTTP proxy. At the firewall, allow outbound HTTP (port 80) only from the proxy, so that workstations cannot reach the web directly, and block direct outbound connections to the IRC ports (6660 to 6669) that PE_VIRUX uses to reach its command server. The proxy then scans downloaded content, and the IRC block prevents the malware from receiving commands or download instructions. InterScan Web Security Suite can serve as the scanning proxy.
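As an added example (not part of the article and not a Trend Micro product's log format), the following Python script reviews firewall egress records for the two conditions the network recommendation above addresses: internal hosts connecting directly to the IRC ports 6660 to 6669, and HTTP (port 80) leaving the network from any address other than the scanning proxy. The key=value log format, the proxy address 10.0.0.2 and the sample log lines are constructed assumptions of this example; adapt parse_line to the real firewall's format.

```python
"""Review firewall egress records for direct IRC connections (6660-6669) and
HTTP that bypasses the scanning proxy. Added example with a constructed log
format; not Trend Micro code."""
import ipaddress
import re
from collections import defaultdict

IRC_PORTS = range(6660, 6670)            # 6660..6669 inclusive
HTTP_PORT = 80
PROXY_IP = ipaddress.ip_address("10.0.0.2")   # assumed scanning proxy address
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"(\w+)=(\S+)")   # key=value fields; an assumed format


def parse_line(line):
    """One egress record, or None if the line lacks the fields we need."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "proto": fields.get("proto", "tcp").lower(),
            "action": fields.get("action", "allow").lower(),
        }
    except (KeyError, ValueError):
        return None                      # malformed: skip rather than guess


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(rec):
    """Finding labels for one record. Only internal->external TCP matters;
    denied attempts count too, since a host that keeps trying IRC is infected
    whether or not the firewall let it through."""
    if (rec is None or rec["proto"] != "tcp"
            or not is_internal(rec["src"]) or is_internal(rec["dst"])):
        return []
    labels = []
    if rec["dport"] in IRC_PORTS:
        labels.append("irc-c2-attempt")
    if rec["dport"] == HTTP_PORT and rec["src"] != PROXY_IP:
        labels.append("http-bypasses-proxy")
    return labels


def review(lines):
    """Aggregate findings per source host: {host: {label: count}}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        for label in classify(rec):
            report[str(rec["src"])][label] += 1
    return {host: dict(counts) for host, counts in report.items()}


# Constructed sample log. 10.0.1.17 behaves like an infected workstation;
# 10.0.0.2 is the proxy; 10.0.1.23 only talks to the proxy and to DNS.
SAMPLE_LOG = """\
2015-10-14T09:12:01 fw1 src=10.0.1.17 dst=203.0.113.45 proto=tcp dport=6667 action=deny
2015-10-14T09:12:03 fw1 src=10.0.1.17 dst=203.0.113.45 proto=tcp dport=6669 action=deny
2015-10-14T09:12:10 fw1 src=10.0.1.17 dst=198.51.100.9 proto=tcp dport=80 action=allow
2015-10-14T09:12:11 fw1 src=10.0.0.2 dst=198.51.100.9 proto=tcp dport=80 action=allow
2015-10-14T09:12:15 fw1 src=10.0.1.23 dst=10.0.0.2 proto=tcp dport=8080 action=allow
2015-10-14T09:12:20 fw1 src=10.0.1.23 dst=198.51.100.30 proto=udp dport=53 action=allow
2015-10-14T09:12:25 fw1 link state change on eth1
"""

if __name__ == "__main__":
    for host, counts in sorted(review(SAMPLE_LOG.splitlines()).items()):
        print(host, counts)
```

A host that shows up under irc-c2-attempt is a candidate for the Sysclean procedure above; a host under http-bypasses-proxy indicates the firewall rule restricting port 80 to the proxy is not yet in place or has an exception that should be reviewed.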

Other recommendations to mitigate the malware

  • Contain the malware by following the Network recommendations. Review your firewall or proxy configuration to confirm that you can block the specific ports and scan downloaded content.
  • Ensure that your Trend Micro product is updated with the latest pattern file and the recommended scan engine. After downloading the scan engine, update the product through its ActiveUpdate source.
  • On the Trend Micro product console, set the recommended scan action so that system files and other important files are not quarantined. For OfficeScan, select the group of clients that were infected by this malware and apply the change to that group only.
  • For OfficeScan 8.0, enable Web Threat Protection if you have a license for the feature.
  • Perform a Manual Scan on the machines.
  • Check the virus logs. For machines heavily infected with this malware, use the Sysclean tool. Remove the SFC cache files and System Restore points, as they may already hold infected copies.
  • Restore the infected OfficeScan client to full functionality by running "\\ip.address.of.osce-server\ofcscan\autopcc.exe -f".
  • After scanning the machines with Sysclean and repairing possibly corrupted OfficeScan installations, run another manual scan.

    The recommended scan action keeps infected files that cannot yet be cleaned in place so that they can be cleaned once an updated pattern is available. Trend Micro actively works on this complex malware and updates the pattern files regularly.

The following features of current Trend Micro products are the most effective ways to prevent reinfection by PE_VIRUX:

  • Malware Behavior Blocking via Behavior Monitoring Settings

    This prevents the malware from terminating the Trend Micro product's processes and from infecting further files.

    • In OfficeScan, PE_VIRUX is prevented through Malware Behavior Blocking.
    • In the Worry-Free Business Security Client/Server Security Agent, PE_VIRUX is also prevented through Malware Behavior Blocking.

       

  • Block the AutoRun function in USB devices via Device Access Control

    This prevents USB drives from introducing infections brought by foreign networks in the environment.

  • Web Reputation

    This prevents the introduction of new malware from web sites hosting files associated with PE_VIRUX.

  • Scan Network Drive

    This prevents infections from propagating through shared drives and folders. The option cleans all detected malware files found in the shared drives and folders.

Category:
Remove a Malware / Virus
Solution Id:
1053036