Posted 31 July 2008 - 08:58 AM
I am a technician for a nationwide, onsite system support & repair company and encountered this yesterday at a customer site. Following is a copy of what I already advised the other Techs, Kaspersky Labs, & Avert.
I'm advising everyone that today I encountered a new, in-the-wild virus that is incredibly destructive. It is known to get past Symantec & Norton AV products. I'm unsure how others may fare against it, as we'll never know who gets it and who doesn't unless they have another PC available to them.
This what the client described to me:
"There was a window that popped up stating I was infected with lots of bad viruses. It wasn't from my Symantec Antivirus, it was different. Before I could close the window or click on the buttons, I started getting all kinds of popups from Internet Explorer, which I never had a problem with before. As I tried to close the popup windows, and the one telling me I was infected, the computer rebooted and came up with this blue screen."
What I found:
The blue screen was reporting "UNMOUNTABLE_BOOT_FILESYSTEM". I tried every disk & tool in my arsenal, and anything that was Windows XP based did not even see the hardware disk anymore. A Vista based recovery disk did see the hardware, and it did show a partition; however, it threw quite a few read errors when trying to read the files on the partition. openSUSE 11.0 also saw the hardware and the partition. When I tried to mount it via the partition manager, it reported that the volume was damaged and refused to mount it. I forced a mount with an NTFS file system and I was able to see the folders & files on the volume. Due to the damage to the file system, I was unable to even try to find what, if any, files had been added recently, so I was unable to get a sample of it to send to Kaspersky or Avert.
I booted the system recovery disk, thinking to do a re-format & re-install, and it did not see the disk, stating there was no hard disk to install onto. IOW, the disk was hosed beyond repair (unless you wanted it reformatted for use by Linux).
I have reported it to Kaspersky Labs and they are actively researching it. It's real, it's out there, and it's horrendously nasty & destructive.
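The step the poster could not complete, locating recently added files on the damaged volume so a sample can go to the AV vendor before the disk is wiped, is what the following added example does. It is not from the original post: it assumes a Linux live environment with ntfs-3g, a hypothetical device name /dev/sdb1 and mount point /mnt/evidence, and it treats the mounted volume as a plain directory tree.

```shell
#!/bin/sh
# Added example, not part of the original post. Triage a damaged NTFS volume
# from a Linux live disk before it is reformatted.
#
# Mount read-only so nothing on the suspect volume is changed; ntfs-3g will
# often attach a volume that a GUI partition manager refuses to mount.
# (/dev/sdb1 and /mnt/evidence are assumed names; substitute the real ones.)
#
#   mkdir -p /mnt/evidence
#   mount -t ntfs-3g -o ro,noexec,nodev,nosuid /dev/sdb1 /mnt/evidence
#   list_recent_files /mnt/evidence 3 > /tmp/recent-files.tsv

# hash_file FILE
#   SHA-256 of one file, using whichever tool the live disk provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# list_recent_files DIR [DAYS]
#   Prints "sha256<TAB>path" for every regular file under DIR modified within
#   the last DAYS days (default 3). Read errors on a damaged volume are
#   tolerated: the file is still listed, with an empty hash, so the path is
#   not lost. The hashes are what the vendor needs to match a sample.
list_recent_files() {
    dir=$1
    days=${2:-3}
    find "$dir" -type f -mtime "-$days" -print 2>/dev/null |
    while IFS= read -r f; do
        sum=$(hash_file "$f" 2>/dev/null || true)
        printf '%s\t%s\n' "$sum" "$f"
    done
}

# count_recent_files DIR [DAYS]
#   Number of files list_recent_files would report; useful as a quick gauge
#   of how much was dropped on the system around the time of the incident.
count_recent_files() {
    list_recent_files "$1" "${2:-3}" | wc -l | tr -d ' '
}
```

Keep the mount read-only for the whole session; if the filesystem is too damaged for ntfs-3g as well, image the raw device first and run the same listing against a loop-mounted copy of the image.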