Posted 25 July 2011 - 05:41 PM
I've been in the IT business since 1994. I started building computers in the late 1990's and until July 3rd, 2011, never had to deal with a single virus. I moved to a new apartment on July 1st, and as I had to wait until July 15th to get my new ISP to grant me access to their network, I had to bring my WD Passport USB drive to an Internet Café here in Montreal. My trip there was supposed to be a quick 10-minute stop to download a specific driver from Panasonic's web site (voice editing v1.1 drivers for Vista).
Just downloading the driver was a pain, as I noticed after plugging in the drive that I couldn't access any of the folders. I managed to save the said drivers from Panasonic and went back home. The week got hectic, so I postponed installing that said driver until the following Saturday. I almost got a HEART ATTACK, especially when browsing the content of my WD USB drive: each folder was showing a total of 3kb, which got me worried on the spot as each folder should have shown an average of 7 to 10gb! I ended up on Google and found the best answers on Bleeping Computers (I'm thankful to have found you!!!).
I found out the darn virus (which is an autorun), but all my desktop computer drives are in NTFS (2 of them being e-SATA out of 5 disks), so when I plugged in the WD Passport, the virus spread itself on the spot without my knowledge... I called up the Internet Café, as I had NEVER NEVER NEVER plugged this WD USB flash drive anywhere else until that said July 3rd, 2011. When I called, I asked to speak to the owner, but although this Internet Café is open 24 hours/7 days a week, no one could or would be willing to provide the owner's name (he cannot be reached AT ALL). I am known to be a go-getter with zero tolerance towards morons, so I told them that they had 2 choices: either help me in removing the trojan virus they'd infected me with, or I'd call the CyberCrime Police to shut down their premises for knowingly infecting customers with bad intentions...
They asked me to calm down; they said they knew about a certain virus that had spread around within THEIR network and told me to come over, as they had a FIX. Wow, I was impressed, so I drove there on July 10th @ 11:05pm. The clerk (or cashier) said THEY were expecting me and asked me for the "troublesome Flash Drive". The clerk already had an MS-DOS utility on his desktop, so he copied and pasted it onto my USB drive. I noticed that what appeared in the DOS window was all in CHINESE letters (and I only speak French and English). I am known to play the "dumb blonde" during my investigative day-to-day work, so I acted as if I didn't know anything and asked the clerk how to use this utility (which is called CURE). I noticed, though, that when he plugged in my flash drive he had no warnings (and the drive had the Recycler virus on it!) and didn't seem to be running any type of anti-virus on the main computer. Their CURE utility only unlocks the infected folders, so you'd be tempted to say: how nice of them... yeah, this CURE utility contains a command line that spreads the virus more efficiently within each unlocked file/folder that you think might be safe to copy onto your own computer.
I called the city police but ended up bouncing here and there and being told that unless I could prove I had been a victim of cybercrime, nothing could be done. Hell, my computer, a USB flash drive, and a 16gb Micro SD had been infected and all were out of order, NOT wanting to get on the internet AT ALL.
So I called the Royal Canadian Mounted Police (RCMP), and they've been the most helpful as I pushed my research further. I have a friend who was able to virtually run this strain of Autorun/Recycler virus, and the command lines of the MS-DOS virus had keyloggers programmed to send all logs to up to 10 IP addresses in China!!! We then ran the CURE virus (which was provided by the Internet Café; the utility was created in 2008 but must have been modified for their own needs/greed), and it contained another autorun exe to send logs to up to 5 IP addresses within the Montreal area. I've uncovered the scam, and to my disappointment, unless the CyberCrime is a Financial or Sexual Offence, not much can be done for now, until several victims report the same... crime.
What would you have done if it happened to YOU?
Thanks to all for comments and inputs.
(P.S.: I've FDISK'd the whole disk which was only for MS Vista 64 OS and bought a new Windows 7, while being at it!)