Learn more about PE_VIRUX and how it can affect your systems. The article also details how to prevent and remove this malware.
PE_VIRUX is a fast spreading file infector that:
- Uses advanced techniques in terminating antivirus processes and disabling security applications
- Connects to a malicious IRC server or website to download more malware
- Exploits the Windows shortcut flaw by dropping a *.LNK file that automatically executes its malware
- Drops an AUTORUN.INF so that the malware file is executed when a USB or shared drive is accessed
PE_VIRUX continuously evolves, from one of its early variants, PE_VIRUX.M, to SALITY.RL, adopting the latest techniques seen in threats. Because of the changing malware landscape, relying on your file-system scanner alone may be insufficient at this time.
Recommendations to mitigate the malware
Operating System recommendations
- For MS Windows ME, XP, and Vista, turn off System Restore because the restore point/files may have been infected. You can re-enable System Restore after ensuring that your system is cleared. Below are Microsoft articles about System Restore:
- Clear the cache of the System File Checker (SFC) to clean out [%SystemRoot%\system32\dllcache]. Some installations may require access to Windows Installation source files. The following are resources about System File Checker:
Sysclean Tool recommendations
- Download the Sysclean tool to address clean up and detection issues. Make sure to use the latest scan pattern file.
- The capabilities of the Sysclean tool can be further maximized if you boot in Safe Mode. Before booting your machine, copy the Sysclean package to a clean USB disk. You can use one USB disk for each workstation. USB disks are detected in Safe Mode and are assigned a drive letter/drive name that is higher than the letter of your physical drive. Then, turn on your machine and press F8 upon boot up to open Safe Mode.
The article "A description of the Safe Mode Boot options in Windows XP" provides more details about Safe Mode boot options for Windows XP. The same options presented in the article apply to any Microsoft OS.
Recommended scan option configurations by product:
- SPNT, WFBS, CSM-SMB, OSCE 7.3: Clean / [Pass/Bypass]
- OSCE 8.0: Clean / Deny Access
These options clean executable files that can be cleaned, but leave infected executables that may be system files untouched rather than quarantining or deleting them.
- Enable scanning of network storage drives when the network environment is using shared mapped drives or frequently using shared folders.
- For OfficeScan 8.0 and 10/10.5 users who have a license for Web Threat Protection, enable Web Reputation to minimize the risk of the machine downloading malware such as PE_VIRUX.A. This malware can be commanded via IRC to download malware from a malicious URL.
- Check whether the OfficeScan Client has been infected. PE_VIRUX is a file infector, and the OfficeScan Client may be affected, especially if the network was infected before the malware was detected.
You can also run the following command to fix any OfficeScan client-side corruption:
For large-scale infections, implement the command via GPO.
Minimize risks on the network by using a scanning HTTP proxy server. At the firewall, restrict all HTTP (port 80) access so that it must go through the HTTP proxy. This lets the proxy scan content downloaded from the web and blocks direct connections to the IRC ports (port 6660 to 6669). You can also use InterScan Web Security Suite to minimize this risk.
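The following is an added example, not code from the article or from Trend Micro, of how a defender could triage firewall logs for the two conditions the recommendation above targets: hosts trying to reach the IRC port range 6660 to 6669, and hosts making port-80 connections that bypass the scanning proxy. The log format, the proxy address 10.0.0.5 and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article). Assumed field order:
# date time ACTION src dst proto dport. The scanning proxy is assumed to be 10.0.0.5:8080.
SAMPLE_LOG = """\
2010-08-02 09:14:01 ALLOW 10.0.1.15 192.0.2.44 TCP 6667
2010-08-02 09:14:03 ALLOW 10.0.1.15 10.0.0.5 TCP 8080
2010-08-02 09:14:07 ALLOW 10.0.1.22 198.51.100.9 TCP 80
2010-08-02 09:14:09 ALLOW 10.0.1.22 10.0.0.5 TCP 8080
2010-08-02 09:15:11 DENY 10.0.1.31 203.0.113.7 TCP 6660
2010-08-02 09:15:40 ALLOW 10.0.1.40 10.0.0.5 TCP 8080
"""
PROXY_ADDR = "10.0.0.5"                 # assumed address of the scanning HTTP proxy
IRC_PORTS = range(6660, 6670)           # 6660-6669, the IRC range the article names
LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, proto, dport = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "proto": proto, "dport": int(dport)}

def triage(log_text, proxy_addr=PROXY_ADDR):
    """Map each internal host to the reasons it was flagged.

    Flags any TCP attempt to an IRC port (allowed or denied: a denied attempt still
    means the host is trying to reach an IRC server) and any allowed port-80 connection
    that did not go through the proxy, which the firewall policy should not permit.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dport"] in IRC_PORTS:
            findings[rec["src"]].append(f"IRC port {rec['dport']} to {rec['dst']} ({rec['action']})")
        elif rec["dport"] == 80 and rec["dst"] != proxy_addr and rec["action"] == "ALLOW":
            findings[rec["src"]].append(f"direct HTTP to {rec['dst']} bypassing proxy")
    return dict(findings)
```

Hosts that only talk to the proxy on 8080 (10.0.1.40 in the sample) produce no findings; the flagged hosts are the ones to scan with Sysclean first.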
Other recommendations to mitigate the malware
- Contain the malware by following the Network recommendations. Review your firewall or proxy configuration to confirm that you can block specific ports and scan downloaded content.
- Ensure that your Trend Micro product is updated with the latest pattern file and recommended scan engine. After downloading the Scan Engine, you can update your product via the product's Active Update site.
- On your Trend Micro product console, set the correct scan action to prevent system files and other important files from being quarantined. For OfficeScan, select a specific group of clients who were infected by the said malware and implement changes for this group.
- For OfficeScan 8.0, enable Web Threat Protection if you have a license for the feature.
- Perform a Manual Scan on the machines.
- Check your virus logs. For machines that are heavily infected with this malware, use the Sysclean tool. Remove SFC cache files and System Restore points as they may have been infected already.
- Restore the infected OfficeScan client to full functionality by running the command "\\ip.address.of.osce-server\ofcscan\autopcc.exe -f".
- After scanning the machines with the Sysclean tool and restoring possibly corrupted OfficeScan installations, do another manual scan.
The recommended Trend Micro scan action is enabled to contain the malware so that it can be cleaned in the future. Trend Micro actively works on this complex malware and updates the pattern files regularly.
The following technologies implemented by the latest Trend Micro products are the most effective methods of preventing reinfection by PE_VIRUX:
Malware Behavior Blocking via Behavior Monitoring Settings
This prevents the processes of Trend Micro products from being terminated or infected by the malware.
In OfficeScan, PE_VIRUX is prevented through Malware Behavior Blocking.
In Worry-Free Security Client/Server Security Agent, PE_VIRUX is also prevented through Malware Behavior Blocking.
Block the AutoRun function in USB devices via Device Access Control
This prevents USB drives from introducing infections brought by foreign networks in the environment.
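As an added example (not code from the article or from Trend Micro), the script below inspects the root of a mounted removable drive for the two AutoRun artifacts the article describes: an AUTORUN.INF whose launch keys point at an executable, and root-level *.LNK files. The sample AUTORUN.INF content and the RECYCLER path are constructed; [autorun], open, shellexecute and shell\...\command are the standard AutoRun keys.

```python
import os
import tempfile

# Constructed sample AUTORUN.INF (not from the article); the launch path is made up.
SAMPLE_AUTORUN = """\
[autorun]
open=RECYCLER\\S-1-5-21\\update.exe /s
shellexecute=RECYCLER\\S-1-5-21\\update.exe
shell\\Open\\command=RECYCLER\\S-1-5-21\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")

def parse_autorun(text):
    """Return {key: value} of the [autorun] section (keys lower-cased); ';' lines are comments."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Programs AutoRun would start: open, shellexecute and any shell\\...\\command key."""
    return [v for k, v in entries.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]

def is_suspicious(entries):
    """True when a launch target names an executable (trailing arguments are ignored)."""
    return any(t.split()[0].lower().endswith(EXEC_EXT) for t in launch_targets(entries) if t.split())

def inspect_drive_root(root):
    """Report AutoRun launch targets, whether they look executable, and root-level *.LNK files."""
    names = {n.lower(): n for n in os.listdir(root)}
    entries = {}
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), errors="replace") as f:
            entries = parse_autorun(f.read())
    return {"autorun_targets": launch_targets(entries), "suspicious": is_suspicious(entries),
            "lnk_files": sorted(n for n in names.values() if n.lower().endswith(".lnk"))}

def demo():
    # Build a throwaway "drive root" holding the sample files and inspect it.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "AUTORUN.INF"), "w") as f:
            f.write(SAMPLE_AUTORUN)
        open(os.path.join(root, "Documents.lnk"), "wb").close()
        return inspect_drive_root(root)
```

On a real drive, pass its root (for example a drive letter) to inspect_drive_root instead of the temporary directory demo builds.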
Web Reputation via Web Threat Protection
This prevents the introduction of new malware from web sites hosting files associated with PE_VIRUX.
Scan Network Drive
This prevents the propagation of infections from shared drives and folders. This option cleans all detected malware-infected files found in shared drives and folders.