Office doc replacment oddity

Howdy all

First time poster, long time reader - hope you're all well?

I have a strange problem which has been driving me slowly nuts over the last 24 hours. We have a couple of network shares that seemed to be behaving strangely. Examining the shares revealed three new files in the root of the share:-

desktope.ini
desktopw.ini
thumbs.db2

All three were marked as read only, system, hidden files. Then throughout the drive; all Excel and Word files were being hidden and replaced with a shortcut (a .lnk file using the same name as the now-hidden file).

The .lnk file would load CMD.exe; start the thumbs.db2 file; then run the relevant correct program (word or Excel) and the file - a typical shortcut would look like this:-
C:\WINDOWS\system32\cmd.exe /C start \thumbs.db2 && start winword.exe "~$J claim form detail.doc"

I've scanned all three files above using virustotal.com and they come back clean - thankfully at the end of the report, it provides a guess on what it thinks the files are; so it turns out the .ini files are actually Excel and Word icon files (used to mask the shortcut with the correct Office logo) and the thumbs.db2 file is an executable.

I've tried decompiling the thumbs.db2 file using IDA Pro Free V5, but I'm by no means a coder; so can't see what else this file may be doing.

the only form of proagation we can therefore see is when someone tries to run a spreadsheet or document; they are kicking off the process to scan all Excel and Word files.

AFAIK this process doesn't seem to affect local documents, only on network shares.

I've not attached any files; but the report for the thumbs.db2 file from Virustotal.can be found here:

Link to virustotal.com scan report for thumbs.db2


Needless to say, I've tried a *lot* of Googling to get to the bottom of this, but can't find anything beyond the usual "If a piece of malware hides all your files run attrib... to reset"

So, do I have anything to worry about; or should I just keep squashing this process until it stops (it does seem to be slowing down today)

Your thoughts, further queries and pearls of wisdoms will be greatly received!

Thanks in advance

Mat Moore

Hi there,

I'm a unix administrator and we are also experiencing this infection on a lot of our shared drives for the last day or so. We are still unsure of how the virus infects a users personal machine or propagates, I can see that once an infected user tries to open a word or excel doc on a shared drive it creates the three files mentioned in that particular directory and then scans the shared drive hidding all word/excel docs and creating .lnk files as already explained.

Symantec is now able to detect the thumb.db2 file as a trojan virus but we have found 4 different sized versions of this file and are having them all checked out.

Currently we are writing scripts to unhide the original word/excel files and remove the shortcut links. We can tell by the owner of 'thumbs.db2' which members of staff have caused the infection of the shared drive but we are unaware where the virus is located on the infected Pc and how it gets there.

I agree with Mat that at the moment there is very little on the net to go on at the moment.

Thanks jazzclubber

Agree with all you say there.

Yeah, four A/V firms are now picking it up:-

Virustotal.com again

But when they use a name of "Trojan Generic" it doesn't fill me with confidence they know what to do with it!

I'll keep plodding along correcting the shortcuts and report back if we find anything.

hope it gets sorted soon for you jazzclubber and if anyone else has had this or any thoughts to a fix I think we'd both really appreciate it!

Thanks all

Mat

We too have seen this at work.

Manifested it's self 2 weeks ago and after removing over 20,000 'fake' shortcuts and deleting 4 versions of Thumb.db2 that I found floating about in user shares, we seem to be rid.

Then today, out of no-where it's decided to pop back up.

I've managed to again remove all the 'fake' shortcuts and found 2 Thumb.db2 files which I've now removed. The user creation details on the shortcuts give me a slight pointer to who's machine had this process running on it. I've disconnected them from the network and started full scan's (SEP) with latest defs to see if anything can be removed.

We're still at a loss as to what was the cause or source of the infection. Which is more concerning that the issues it creates.

I have also noticed that a lot of user oid's have been removed from permissions so I've had to start creating all the permissions again.

As a precaution, we have blocked (by GPO) the command prompt so even if a user does hit a fake link, it wont spread. We've also added a policy to SEPM to log, remove and alerts us to any new attempts to run the thumbs.db2 file.

If anyone has got any more information regarding this issue please post here so we can all try to keep on top on it.

I did read somewhere that it's spreading through MSN, but that's just speculation at this point.

Thanks all,

Tris

more info to be found here;

http://forums.overclockers.co.uk/showthread.php?p=22576457#post22576457

&

https://community.mcafee.com/thread/47666?start=30&tstart=0