Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected NAS

  • Please log in to reply
No replies to this topic

#1 Curtiscool


  • Members
  • 1 posts
  • Local time:12:44 AM

Posted 15 July 2012 - 10:43 AM

My Equipment:

- Mine: Asus laptop with Windows 7 Home Premium. Free Comodo Internet Security (firewall and anti-virus), MS Security Essentials.

- Girl's: HP laptop with Windows 7 Home Premium. Free Comodo Internet Security, MS Security Essentials.

- Friend's: Gateway laptop with Windows 7 Home Premium. Windows Firewall and no anti-virus.

- Router: Linksys WRT54G running DD-WRT.

- NAS: 160 GB Western Digital Netcenter. This houses our music collection.

- Media Device: Western Digital HDTV Live Hub, 1 TB. Video file storage.

- Network Printer: Dell wireless network printer.

All devices connect to home network wire-lessly except for the NAS which connects to the router by ethernet.

My friend, from another country, had lent his Gateway to a friend of his before coming to the US. When he got to the US, he could connect to the network where he was staying but could not access the internet. Over the phone, I tried to trouble-shoot the problem. When I had him open a command prompt, his computer re-booted. After a few iterations of this I had him deliver his computer to me.

I stupidly connected his Gateway to my network without removing the other devices from it. I found his Gateway had the Brontok Worm/Virus and MS Security Essentials cleaned it up pretty easily. In addition to MSSE, I installed Comodo Anti-virus on it and returned his computer to him.

About two weeks later, I ripped some new CDs and transferred the MP3 files to the NAS. As they transferred, my Comodo anti-virus program began giving me alerts. A new window popped up about every 3-5 seconds. I chose to ignore Comodo's Geek Buddy option and chose the option of cleaning the problem myself. The instances were identified as being on the NAS drive and identified as the Brontok Virus. I attempted to have the Comodo program clean it. Each time it did, I was prompted to re-boot. Note that while this was happening, new Comodo windows were popping up with similar issues. After a few re-boots, I knew I was in trouble.

During this activity, I had noticed, maybe four times, that MS Security Essentials would slide a little window out from the taskbar, informing me that a problem had been taken care of but no action was required on my part.

I opened Windows Explorer and explored the NAS which appeared both as a Network device and a mapped drive. On its Share folder were two files that should not be there, "User Data.exe" and "Shared.exe". I recognized this behavior from the infected Gateway. I tried to delete the files but I could not. I wrote a vbs script to delete the files but it would not work. I ran a search on the NAS for all *.exe, which there should have been none, and there were thousands. Each mp3 file had a corresponding .exe file. I turned off the NAS, unplugged it and removed the ethernet cable.

While I was attempting these manual deletions, I continued to get the notices from Comodo and MSSE but I ignored them.

With the NAS disconnected I ran scans on my ASUS with both Comodo and MSSE and the ASUS was clean. I had The Girl do the same on HP and it was clean. I have searched the media center unit for "*.exe" and found none.

I have tried to research ways to clean an infected NAS and come up empty. I have researched the WD NetCenter and found that it runs a linux operating system and a ReiserFS file system. I am surprised the Brontok could have attached itself to it but it clearly did. I have posted for help at Western Digital's forum and Comodo's forum and come up empty.

I hope to be able to clean the NAS, salvage the data (I backed up a few months ago so I will lose only what we have added since then), and keep using the drive. I will settle for anything I can get short of that.

I am also now concerned, though I have no evidence of a problem, about my router, media device and printer. Could these have been infected?

Any advice will be warmly received.

BC AdBot (Login to Remove)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users