Posted 24 September 2010 - 06:52 AM
I am not a techy person, but this is what happened to me and how I cured the infection.
My computer recently suffered from this. My methodology was to download something new to a stick. Scan it. Make sure I was happy. Put the file/program on my PC. On 26th August I did this and entered computer hell for just under 3 weeks.
My PC is homebuilt. C = op system; D (physical drive); E (partition) small for tests and downloads; F partition for programmes. There are pluses and minuses to this. I edited the Windows registry to make my default installation F, and changed the path to My Documents. Windows XP. Avira was my choice of AV product at the time.
There are many descriptions of this worm and its derivatives, but if you are finding this without having read them, this is as brief as I can make it. When you attach a USB drive to your computer (on a Mac it does something similar), it makes an "invisible" folder on the drive, RECYCLE; it is this aspect that it exploits, i.e. you can't see what's going on.
How do you get caught? You will download an infected file; in my case I think it was a clone of an "official"-looking site, so wherever you go, check that the address looks right. If not, be suspicious. I can't quite understand why scanning the file doesn't trigger the AV, but when you try and open the download it will probably fail. At this point the damage is done. Off goes Wormy to the RECYCLE folder and replicates itself. At this point I still knew nothing was amiss. I got an "autorun.ini" block (the default in Avira) and, as it wasn't unusual and I wasn't worried, I overrode it. At this point I was done for. Shortly afterwards I got an "Autorun.ini" alarm several times in succession, which I allowed Avira to block. I still didn't realise what was going on.

My USB stick had an LED in it and at some point I noticed it was flashing all the time. Something was amiss. I went into Folder Options and set it so that I could see hidden files. I opened the RECYCLE folder and there it is, replicating faster than bacteria. You can just watch this thing grow: beautiful and elegant. Naturally I removed the stick without any further ado. As I'd overridden Avira, I realised I had infected my machine, and the next thing was to remove the network cable. YOU MUST DO THIS. Wormy talks to a load of his friends on the Net, and the longer you are connected the more infections you will get.
PANIC set in. Like a lot of us, I back up, but I had no discipline about it. And by now Wormy was on my USB drives, i.e. my backup.
NEXT I burned a load of my most important files to a DVD. Avira was fighting back, bleeping like crazy, but I got enough off to preserve the bulk of my work. I was worried about scanning those files later.
Wormy targets anything that will connect to the Net and seems to target anything with HTML as the extension. JPEGs seem to be OK. I rapidly got off my photographs etc.
Eventually, Avira collapsed under pressure. Windows eventually ceases to be able to run or function and ultimately will not boot. At this point despair set in and I thought that the computer was destroyed, my back-ups compromised, family photos lost...
HOPE comes along in the form of Linux. At least I think that's how it works. So by now you are bored and I will give you the way out as quickly as possible. Ideally you need a secondary computer to be able to download a few files. You also need your original discs or restore discs.
1. Disconnect all USB drives/remove cards etc. etc.
2. Disconnect from the Internet
3. If you have been disciplined and backed up prior to the infection, shut down Windows immediately.
4. If you have not been disciplined and have the ability to burn a DVD, burn as quickly and efficiently as you can your absolute most important files; you are about to burn, what would you save? Think of it like that. Women and children first, then your guitars... or maybe vice versa...
5. Use another machine to download AVG's rescue kit. Burn an image to disc.
6. Switch on your PC, intercept it early, and go to your setup and instruct the machine to boot from CD. DO NOT LET IT BOOT WINDOWS. If you miss it and it starts, then hit reset; you are in a hole anyway so you can't make matters much worse.
7. Boot from AVG's rescue disc (from here on ARK, AVG Rescue Kit). You can select a version where you can choose a resolution, or let it try and work itself out. For me it didn't always work.
8. ARK will look for an internet connection. At this point don't let it have one.
9. It takes a bit of figuring out, but if you are trying this you have some idea of what you are doing, so let it scan your system. You get a file manager too, which enables you to move stuff around, look at it, delete it etc. These are your first steps on the road to purity.
9a. It will find and deal with a load of infections. I took no chances. I deleted anything it found. Masses of files. Someone that knows more than me may say do something different. But I wanted to kill this thing. You can see what you are doing, so if there's something you maybe want to quarantine I think you can do that.
9b. If a program was compromised, I deleted the directory too. Wormy is now on the defensive. The empire is striking back.
Depending on your system, this scan may take many hours. Go to bed. Go do something else. Once it is running you don't need to meddle with it till morning, i.e. there's no real user input at this point.
You will have to make some of your own decisions based on your own system, and what ARK finds. But basically I deleted everything it found. If I could save 60% of what I had, I decided it was better to have 60% clean than have one little derivative of Wormy sitting there ready to wreak havoc.
10. Shut down. Plug in your network cable/turn on your network hub and make sure that it is ticking away nicely. Reboot from the disc. This time ARK will find the Internet connection and update itself. SCAN AGAIN.
11. Take your chosen course of action.
12. Go back to 10, i.e. shut down, reboot, re-update ARK, rescan, act. Repeat.
You must keep doing this until you have no infections. I started out with 21,000+ and after two weeks of repeated scanning I was down to nil. BUT I still had the infected drives.
13. Attach an infected USB drive. Go back to 10. Scan the USB drive. Repeat until clean. Remove the drive. Add the next drive. Repeat (this also worked for a 16 GB stick I had which had some current work on it).
At this point, when you are as confident as you can be that the drives are clean, find a friend with a Mac. Get him/her to scan the drive too. Having been through the process, what I can say is that ARK definitely works.
14. See if Windows will boot. If it does boot, you are lucky. Chances are that it won't. This is where you need a recovery disc or the original disc. Boot from the disc. REPAIR. Do not attempt to run from the recovery console it offers you; you can find enough out about Windows Repair elsewhere.
At this point a lot will depend on how you structured your machine in terms of the op sys, programs and documents. As all my drives, logical or not, were set up as above, I chose to clean install Windows XP. Some programs were compromised, others weren't. As in most cases I do have the original discs, I could run the repair function, e.g. for Microsoft Office.
As of September 22nd I had a fully working, restored machine. I lost a year's worth of e-mail, but I kept all my bank stuff, accounts, daily grind stuff etc.
I hope this helps someone.
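As an added example (not part of the original post, and not AVG's or ARK's own tooling): a POSIX shell check that can be run from a Linux rescue environment such as ARK once the stick is mounted, looking for the two indicators the post describes, an autorun.inf at the root of the drive and a hidden RECYCLE/RECYCLER folder holding executables. The mount path and the constructed sample drive layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Inspect a mounted removable drive
# for the two indicators the post describes. Nothing is modified or executed;
# the script only reports. Exit status: 0 = nothing found, 1 = suspicious.
check_usb_drive() {
    mount_point="$1"   # e.g. /mnt/usb in a rescue environment (assumed path)
    suspicious=0

    # Indicator 1: autorun.inf at the drive root (what Avira flagged as "autorun.ini").
    autorun=$(find "$mount_point" -maxdepth 1 -type f -iname 'autorun.inf' 2>/dev/null)
    if [ -n "$autorun" ]; then
        echo "autorun file found: $autorun"
        # Show only the lines that name what Windows would launch on insertion.
        grep -i -E '^(open|shellexecute)=' "$autorun" 2>/dev/null || true
        suspicious=1
    fi

    # Indicator 2: executables sitting inside a RECYCLE / RECYCLER folder.
    exes=$(find "$mount_point" -maxdepth 4 -type f -ipath '*/recycle*/*' \
        \( -iname '*.exe' -o -iname '*.scr' -o -iname '*.com' -o -iname '*.vbs' \) 2>/dev/null)
    if [ -n "$exes" ]; then
        echo "executables inside a recycle folder on $mount_point:"
        echo "$exes"
        suspicious=1
    fi

    return $suspicious
}

# Constructed sample drive layout so the check can be tried offline; the
# "executable" is a plain text placeholder, not a real binary.
make_sample_drive() {
    root=$(mktemp -d)
    mkdir -p "$root/RECYCLER/S-1-5-21-0000"
    printf 'placeholder, not a program\n' > "$root/RECYCLER/S-1-5-21-0000/placeholder.exe"
    printf '[autorun]\r\nopen=RECYCLER\\S-1-5-21-0000\\placeholder.exe\r\n' > "$root/autorun.inf"
    printf 'holiday snap\n' > "$root/photo.jpg"   # ordinary data file, ignored by the check
    echo "$root"
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    check_usb_drive "$(make_sample_drive)" || echo "drive looks suspicious"
fi
```

Run it as `sh check_usb.sh --demo` for the constructed sample, or call `check_usb_drive /mnt/usb` against a real mount; on a FAT stick mounted read-only the check cannot alter the drive.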