
Help identify virus: makes programs from folder names. more



#1 joemer


Posted 05 October 2016 - 08:42 AM

Hi,

 

My network got infected with a worm virus that creates programs with folder names in that folder. It will crawl shares.

Most of the infection is in the shares and local user folders.

The root of the share will have 3 bat files, actually programs with random name, and autorun.pif that contains adding these bat programs to Shell, Open, and Exe commands. Here is part of the autorun:

 

=========================================

;qjznayjuwnjpypgzpdqozkmdzfofwpftgepactpvevmfvjwufqsjflulcvlzmkvgizvbkbslbpcalwyplraribrfsqbmofbhqhyrhvigrcevrxgxohxly
[AutoRun]
;pgzpdqozkmdzfofwpftgepactpvevmfvjwufqsjflulcvlzmkvgizvbkbslbpcalwyplraribrfsqbmofbhqhyrhvigrcevrxgxohxly
open=zcnylvdkch.bat
;dqozkmdzfofwpftgepactpvevmfvjwufqsjflulcvlzmkvgizvbkbslbpcalwyplraribrfsqbmofbhqhyrhvigrcevrxgxohxly
shell\\open\\Command=rwjwlxhqkryw.bat _

=============================================

 

The virus is protected by an active system process.

Norton claims this is less than 5 days, but the virus ID relates to infections from year 2007.

 

The files created have different extensions: *.exe, *.bat, *.pif, *.scr. The file sizes in bytes: 491520, 667648, 651264, 1036288.

Few files will have System or read-only attributes.

When active, the virus will spread to USB drive in the same way.

 

The virus will not let JRT or Malwarebytes run.

Luckily Rkill will kill 3 processes that hold the active virus; sometimes I ran Rkill a second time. After that Malwarebytes and JRT can run.

 

I manually deleted all the files involved and the system "seems" clean. But I have to clean 20 more PCs and wish to find a cleaner.

Please let me know.

 

Joe.
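A read-only triage scan for the indicators described in this post, as an added example that is not part of the original post or any vendor tool: it flags programs named after their parent folder and autorun files that launch a script or executable. The function names, the `autorun.inf` file name and the 64 KB read limit are assumptions; the extensions and file sizes are the ones reported above.

```python
import os
import re

# Extensions and sizes are the values reported in the post; the rest is assumed.
SUSPECT_EXTS = {".exe", ".bat", ".pif", ".scr"}
REPORTED_SIZES = {491520, 667648, 651264, 1036288}
# Matches "open=" and "shell\open\Command=" keys (single or doubled backslashes).
LAUNCH_KEY = re.compile(r"^\s*(open|shell\\+open\\+command)\s*=\s*(\S+)", re.I)


def autorun_targets(text):
    """Return launch targets from autorun text, skipping ';' comment lines."""
    targets = []
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # the posted sample pads the file with random comments
        m = LAUNCH_KEY.match(line)
        if m and os.path.splitext(m.group(2))[1].lower() in SUSPECT_EXTS:
            targets.append(m.group(2))
    return targets


def scan_tree(root):
    """Walk root and report (kind, path, detail) tuples; nothing is deleted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(os.path.normpath(dirpath)).lower()
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if stem.lower() == "autorun" and ext in {".inf", ".pif"}:
                try:
                    with open(path, "r", errors="replace") as fh:
                        text = fh.read(65536)
                except OSError:
                    continue  # locked or unreadable; skip rather than abort
                for target in autorun_targets(text):
                    findings.append(("autorun-launch", path, target))
            elif ext in SUSPECT_EXTS and stem.lower() == folder:
                try:
                    size = os.path.getsize(path)
                except OSError:
                    size = -1
                tag = "size-match" if size in REPORTED_SIZES else "name-only"
                findings.append(("folder-named-program", path, tag))
    return findings
```

Call `scan_tree(r"\\server\share")` once per share or user profile and review the findings before removing anything. A `name-only` hit can be a legitimate program that happens to share its folder's name.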

 




 


#2 joemer


Posted 06 October 2016 - 10:26 AM

Hi All,

 

Is this the proper forum to ask such a question? Should I ask on a different site?

 

 





