x.exe - How does it do it?

4 replies to this topic

#1 Artemio

Artemio

  • Members
  • 5 posts

Posted 09 March 2011 - 11:28 PM

Hi y'all :thumbup2:

(I picked the accent up last year in an exchange program in Columbia, S.C. Boy, is that place green!! Loved it!)

Anyhow... to the topic at hand:

How does the e.exe virus do it?

It transforms the "Documents and Settings" by changing its attributes to hidden, and then the same for the c:\Documents and Settings\[User account name] and many of its subdirectories.

It also makes the hidden attribute unchangeable, meaning that I cannot re-assign the attribute of those directories.

It masks the directories (My documents, My music, etc.) as shortcuts and makes the real folders hidden and only found by typing the full path.

When I took an infected USB to disinfect, the antivirus and the malware detectors found things to clean, but did not return the capability to regain control on the attribution of the directories.

How does the virus do that?

Is it in the Group policy editor? Is it in the Registry? Is it a combination of both?

Am I barking up the wrong tree :wacko: ?

I am currently working on two computers that are infected with the x.exe virus, and due to very urgent operational time restraints, I have evaluated that the most practical thing to do at the moment is just to re-format and re-install. (I know... a very cowardly solution... HEY!! I heard that :angry: !)

Is there a better solution?

I have come across logs from ComboFix and malware detectors, which makes me think that this trojan/backdoor worm needs to be worked upon on a case-by-case basis. Am I right in assuming this?

Should I follow the instructions posted at http://www.bleepingcomputer.com/forums/topic376374.html so I can get a head start?

So...


Thanks for reading this and I hope there are suggestions to prevent further or future infections.
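Added example, not code posted by anyone in this thread: a PowerShell script a responder can run from a clean machine with the suspect USB drive attached. It looks for the two things the first post describes, folders carrying the Hidden and System attributes together (that pair is what greys out the "Hidden" checkbox in Explorer's Properties dialog, so the attribute looks "unchangeable" from the GUI even though it is an ordinary attribute) and a `.lnk` file sitting beside each such folder with the same name (the decoy shortcut that stands in for the real folder). By default it only reports; with `-Restore` it clears the two attributes and moves the decoy shortcuts into a quarantine folder with a `.txt` suffix so they cannot be launched by accident. The drive letter, the quarantine folder name and the `-Restore` switch are assumptions of this example.

```powershell
<#
  Added example (not from this thread). Run from a clean machine against the
  attached USB drive, e.g.:  .\Find-DecoyShortcuts.ps1 -Root E:\
  Add -Restore to clear the attributes and quarantine the decoy .lnk files.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Root,        # assumed: the drive letter of the USB stick, e.g. E:\
    [switch]$Restore      # without this switch the script only reports
)

# Hidden + System set together is the combination that makes Explorer grey out
# the "Hidden" checkbox; clearing both restores normal control over the folder.
$hiddenSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# COM object used only to read where each .lnk points, for the analyst's report.
$shell = New-Object -ComObject WScript.Shell

$dirs = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and (($_.Attributes -band $hiddenSystem) -eq $hiddenSystem) }

foreach ($d in $dirs) {
    Write-Host ("Hidden+System folder: {0}" -f $d.FullName)

    # Decoy pattern from the post: "<folder name>.lnk" next to the now-hidden folder.
    $decoy = Join-Path $d.Parent.FullName ($d.Name + ".lnk")
    if (Test-Path -LiteralPath $decoy) {
        $lnk = $shell.CreateShortcut($decoy)
        Write-Host ("  decoy shortcut : {0}" -f $decoy)
        Write-Host ("    target       : {0}" -f $lnk.TargetPath)
        Write-Host ("    arguments    : {0}" -f $lnk.Arguments)
        if ($Restore) {
            # Assumed quarantine location; renamed to .txt so a double-click cannot run it.
            $quarantine = Join-Path $Root "_quarantined_lnk"
            New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
            Move-Item -LiteralPath $decoy -Destination (Join-Path $quarantine ($d.Name + ".lnk.txt")) -Force
        }
    }

    if ($Restore) {
        # Clear only Hidden and System; leave ReadOnly, Archive and the rest untouched.
        $d.Attributes = $d.Attributes -band (-bnot $hiddenSystem)
        Write-Host ("  attributes now : {0}" -f $d.Attributes)
    }
}
```

On a box without PowerShell (such as the XP SP2 machines mentioned), the attribute half of this is the classic `attrib -s -h <folder> /s /d` from a command prompt, which clears the same two attributes recursively for files and, with `/d`, the directories themselves. Reading the shortcut targets before deleting anything is worth the extra step: the target and arguments are what tell you which executable the decoy would have launched, and that file is what a removal log needs to name.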


#2 Artemio

Artemio
  • Topic Starter

  • Members
  • 5 posts

Posted 09 March 2011 - 11:33 PM

Oh yea... Sorry...

Both computers are running Windows XP SP2 in Spanish, but I'm sure the language is not an issue here.

Yup... Those comps do need their SP3 ASAHP

#3 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 10 March 2011 - 12:20 AM

It is always best to open up a new topic, as each infection could be different, so with that said, please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

#4 Artemio

Artemio
  • Topic Starter

  • Members
  • 5 posts

Posted 11 March 2011 - 01:58 AM

Thank you Madman.

Will do that ASAI can get working on those computers and I will let you know.

Question...

Would it have the same "effect" (in general terms) if I follow the instructions on a set of files that I backed up to a USB drive?

I'm assuming the answer is "no" because it works with a functioning system, i.e. within WinXP, right?

#5 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 11 March 2011 - 02:55 PM

That is something you will have to ask a malware removal team member.