
Recycler w32/pedalac.A et al - a 12 step plan


5 replies to this topic

#1 Barrowford Bluesman


  • Members
  • 2 posts

Posted 24 September 2010 - 06:52 AM

I am not a techy person, but this is what happened to me and how I cured the infection.

My computer recently suffered from this. My methodology was to download something new to a stick. Scan it. Make sure I was happy. Put the file/program on my PC. On 26th August I did this and entered computer hell for just under 3 weeks.

My PC is homebuilt. C = op system; D (physical drive); E (partition) small for tests and downloads; F partition for programmes. There are pluses and minuses to this. I edited the Windows registry to make my default installation F, and changed the path to MyDocuments. Windows XP. Avira was my choice of AV product at the time.

There are many descriptions of this Worm and its derivatives, but if you are finding this without having read them, this is as brief as I can make it. When you attach a USB drive to your computer (on a Mac it does something similar), it makes an "invisible" folder on the drive RECYCLE; it is this aspect that it exploits i.e. you can't see what's going on.

How do you get caught? You will download an infected file; in my case I think it was a clone of an "official" looking site - so wherever you go check that the address looks right. If not, be suspicious. I can't quite understand why scanning the file doesn't trigger the AV, but when you try and open the download it will probably fail. At this point the damage is done. Off goes Wormy to the RECYCLE folder and replicates itself. At this point I still knew nothing was amiss. I got an "autorun.ini" block (the default in Avira) and, as it wasn't unusual and I wasn't worried, I overrode it. At this point I was done for. Shortly afterwards I got an "Autorun.ini" alarm several times in succession - which I allowed Avira to block. I still didn't realise what was going on. My USB stick had an LED in it and at some point I noticed it was flashing all the time. Something was amiss. I went into Folder options and set it so that I could see hidden files. I opened the RECYCLE folder and there it is. Replicating faster than bacteria. You can just watch this thing grow - beautiful and elegant. Naturally I removed the stick without any further ado. As I'd overridden Avira, I realised I had infected my machine, and the next thing was to remove the Network cable. YOU MUST DO THIS. Wormy talks to a load of his friends on the Net, and the longer you are connected the more infections you will get.

PANIC set in. Like a lot of us, I back up, but I had no discipline about it. And by now Wormy was on my USB drives i.e. my back up.

NEXT I burned a load of my most important files to a DVD. Avira was fighting back, bleeping like crazy, but I got enough off to preserve the bulk of my work. Worried about scanning files later.

Wormy targets anything that will connect to the Net and seems to target anything with HTML as the extension. JPEGs seem to be OK. I rapidly got off my photographs etc.

Eventually, Avira collapsed under pressure. Windows eventually ceases to be able to run or function and ultimately will not boot. At this point despair set in and I thought that the computer was destroyed, my back-ups compromised, family photos lost...

HOPE comes along in the form of Linux. At least I think that's how it works. So by now you are bored and I will give you the way out as quickly as possible. Ideally you need a secondary computer to be able to download a few files. You also need your original discs or restore discs.

1. Disconnect all USB drives/remove cards etc. etc.
2. Disconnect from the Internet
3. If you have been disciplined and backed up prior to the infection, shut down Windows immediately.
4. If you have not been disciplined and have the ability to burn a DVD, burn as quickly and efficiently as you can your absolute most important files; you are about to burn, what would you save - think of it like that. Women and children first, then your guitars... or maybe vice versa...
5. Use another machine to download AVG's rescue kit. Burn an image to disc.
6. Switch on your PC, intercept it early, and go to your setup and instruct the machine to boot from CD. DO NOT LET IT BOOT WINDOWS. If you miss it and it starts then hit reset - you are in a hole anyway so you can't make matters much worse.
7. Boot from AVG's rescue disc (from here on ARK, AvgRescueKit). You can select a version where you can choose a resolution, or let it try and work itself out. For me it didn't always work.
8. ARK will look for an internet connection. At this point don't let it have one.
9. It takes a bit of figuring out, but if you are trying this you have some idea of what you are doing, so let it scan your system. You get a file manager too which enables you to move stuff around, look at it, delete it etc. These are your first steps on the road to purity.
9a. It will find and deal with a load of infections. I took no chances. I deleted anything it found. Masses of files. Someone that knows more than me may say do something different. But I wanted to kill this thing. You can see what you are doing, so if there's something you maybe want to quarantine I think you can do that.
9b. If a program was compromised, I deleted the directory too. Wormy is now on the defensive. The empire is striking back.

Depending on your system, this scan may take many hours. Go to bed. Go do something else. Once it is running you don't need to meddle with it till morning i.e. there's no real user input at this point.

You will have to make some of your own decisions based on your own system, and what ARK finds. But basically I deleted everything it found. If I could save 60% of what I had, I decided it was better to have 60% clean than have one little derivative of Wormy sitting there ready to wreak havoc.

10. Shut down. Plug in your network cable/turn on your network hub and make sure that it is ticking away nicely. Reboot from the disc. This time ARK will find the Internet connection and update itself. SCAN AGAIN.

11. Take your chosen course of action.

12. Go back to 10 i.e. shut down. Reboot. Re-update ARK. Rescan. Action. Repeat.

You must keep doing this until you have no infections. I started out with 21000+ and after two weeks of repeated scanning I was down to nil. BUT I still had the infected drives.

13. Attach an infected USB drive. Go back to 10. Scan the USB drive. Repeat until clean. Remove the drive. Add the next drive. Repeat (also worked for a 16Gb stick I had which had some current work on it).

At this point, when you are as confident as you can be that the drives are clean, find a friend with a Mac. Get him/her to scan the drive too. Having been through the process, what I can say is that ARK definitely works.

14. See if Windows will boot. If it does boot, you are lucky. Chances are that it won't. This is where you need a recovery disc or the original disc. Boot from the disc. REPAIR. Do not attempt to run from the recovery console it offers you - you can find enough out about Windows Repair elsewhere.

At this point a lot will depend on how you structured your machine in terms of the op sys, programs and documents. As all my drives logical or not were set up as above, I chose to clean install Windows XP. Some programs were compromised, others weren't. As in most cases I do have the original discs I could run the repair function e.g. Microsoft Office.

As of September 22nd I had a fully working, restored machine. I lost a year's worth of e-mail but I kept all my bank stuff, accounts, daily grind stuff etc.

I hope this helps someone.

Ian
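The post above describes the worm hiding its copies in an "invisible" RECYCLE folder on the stick and tripping Avira's autorun block. The following is an added triage script, not from the original post or from AVG, that a defender can run against a mounted removable drive from a clean machine: it lists the executables an autorun.inf would launch and any executables sitting inside a recycler-style folder. The folder-name list and the sample drive it builds are constructed for this example; it keys on folder names rather than the hidden attribute, so it works on any OS.

```python
import os
import re
import tempfile
from pathlib import Path

# Folder names under which the worm described above hides its copies on
# removable media (list constructed for this example).
SUSPECT_DIRS = {"recycler", "recycle", "recycled", "$recycle.bin"}
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".vbs"}
# Keys in autorun.inf that name something to launch.
AUTORUN_KEY = re.compile(r"\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)", re.I)

def parse_autorun(text):
    """Return the launch targets from an autorun.inf body (open=, shellexecute=, shell\\verb\\command=)."""
    targets = []
    for line in text.splitlines():
        m = AUTORUN_KEY.match(line)
        if m:
            targets.append(m.group(2).strip().strip('"'))
    return targets

def audit_drive(root):
    """Walk a mounted drive; return (kind, path) tuples for autorun launch
    targets and for executables found under a recycler-style folder."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for target in parse_autorun(autorun.read_text(errors="replace")):
            findings.append(("autorun_target", target))
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if any(part.lower() in SUSPECT_DIRS for part in rel.parts):
            for name in files:
                if Path(name).suffix.lower() in EXEC_EXT:
                    findings.append(("exec_in_recycler", (rel / name).as_posix()))
    return findings

def build_sample_drive():
    """Constructed stand-in for an infected stick: a RECYCLER tree holding
    an executable, an autorun.inf pointing at it, and one harmless photo."""
    d = Path(tempfile.mkdtemp())
    sub = d / "RECYCLER" / "S-1-5-21-0000"
    sub.mkdir(parents=True)
    (sub / "dropper_sample.exe").write_bytes(b"MZ-constructed-sample")
    (d / "autorun.inf").write_text(
        "[autorun]\nopen=RECYCLER\\S-1-5-21-0000\\dropper_sample.exe\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    (d / "photo.jpg").write_bytes(b"JFIF-constructed")
    return d

if __name__ == "__main__":
    for kind, path in audit_drive(build_sample_drive()):
        print(kind, path)
```

Point `audit_drive()` at the mount point of a stick to review it; anything it reports is a candidate for inspection before the drive is trusted again.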


#2 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania

Posted 24 September 2010 - 11:34 AM

Hello, thank you for sharing your solution. I will move this topic to a more appropriate forum.

A general note on file infectors: a file infector is a virus that injects code in legit files. Not all antivirus applications will leave the files alone if they cannot disinfect them, which can lead to system instability.

Depending on the amount of time you are willing to spend on cleaning; a reformat/reinstall is usually the safest and fastest solution. One single infected file can reinfect everything in a matter of hours. The same goes for an infected flash drive or external HD.

While a rescue disk can be a great solution, you also have to be aware of its limitations; a rescue disk is only able to scan the filesystem, not the registry. Due to this, it can delete files that are called upon on Windows startup and thus cause boot problems. As a general guideline; only delete something if you know what you are doing!

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#3 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,609 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 24 September 2010 - 11:04 PM

Pedalac.A is the name used by Avira for a variant of Win32/Ramnit.A, a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? As elise025 explained, malware injects code in legitimate files similar to the Virut virus and in many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 Barrowford Bluesman

  • Topic Starter

  • Members
  • 2 posts

Posted 25 September 2010 - 04:49 AM

Thanks for your input.

All I can say is, it worked for me - but it was such a nasty thing I thought I'd share what I did i.e. it infected my back-up drive too. As I work for myself, it would have been a big loss to lose everything.

The way my computer is set up, it enabled me to treat each drive independently. A reformat for a lot of people is likely to mean that they lose everything.

In the end I've come out of it clean. I lost about 12 months of e-mail, but of course anything important was saved/backed up anyway - that's not to say I've not deleted something that might have been useful.

The way AVG Rescue Kit works is particularly useful. You can keep updating/running it without having to boot Windows.

All my software is legit. So in the end sure, I had to repair Windows and rebuild the program links, but I preserved 80%+ of my work. That was worth it to me. Of course, not everyone will have access to a second machine, or an old machine that can be sacrificed if necessary.

I think the key is patience.

Ian

#5 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,609 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 September 2010 - 07:28 AM

Although you're satisfied the infected files have been repaired, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change all passwords from a clean computer, not the one which was infected. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

#6 chromebuster


  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 27 September 2010 - 10:47 PM

Nice job there, dude! It's never happened to me, and I hope it never does, but that was good! It was better than I could have done.

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge
