Virus Warning


  • 2 months later...

That malware trojan that was mentioned in the first post of the thread.

I currently have had similar in the internet cafe I work at. Picked it up from a backpacker's mem card.

It generates a .exe of a directory in the directory with the icon for a folder (if you have file extensions set to hidden then a user will more than likely click on it thinking it's a directory). e.g.: C:\Temp\Temp.exe = 45KB

It then proceeds to do this for just about every directory it can find on any writeable drive; full read/write network shares are not out of the question either.

(Seen many of these type of .exe type worms, but this one seems to be a bit smarter than the average.)

Avast doesn't pick it up as a prob, nor does Nortons AV, nor does MS Malicious Removal Tool.

So any PC that gets infected while in a full admin account seems to be screwed. I don't mean the built-in administrator passworded account either, I'm referring to a created passworded administrator account.

Makes no diff, try and access Hijack This, Windows Regedit, AutoRuns or just about any util = reboot. Your Folder Options are removed from Explorer. Trying from safe mode gives the same result, as it's loading as a system file. (S'pose that's another good reason not to disable SFC.)

Adds to HKLM run Brons-Spizaetus C:\Windows\ShellNew\sempalong.exe

Adds to HKLM run C:\Documents and Settings\AccountName\Local Settings\App Data\smss.exe

If you try to access the directories where it's residing then it reboots your PC.

Log into another account and it copies itself to the new user account in Documents and Settings.

I was able to find its run entries by using Spybot Search and Destroy. (Didn't reboot.)

Tried pulling the run keys from the reg using Spybot but it replaces them just as quick.

Loads as inetinfo.exe in Task Manager and drops in and out as it pleases; there's also another process that does the same, but it happens so quick it's hard to see what it is. Try to terminate it when it appears and, you guessed it, Windows reboots. Try running a cmd window and it reboots your PC.

Some variants of it add an empty .pif to global startup.

When infected from a limited user account you can recover quite easily, as it doesn't seem to be able to replace system files and hijack the path, and you're able to stop it quite quickly. The symptom when infected in a limited user account is that on reboot you get a winlogon error before the desktop loads.

From a Google search it shows as a variant of some sort of W32 emailing worm trojan. Funny, as it shows the risk of getting it is low... Geez, the internet cafe I work in has been hit by this blighter umpteen times...lol

So much for current day virus scanners and MS Malicious Removal Tool.

Going to take it home and test a few different virus scanners on an old rat PC I have. Wonder which virus scanner detects it correctly first.

Cheers

Edited by smashly
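
A triage sketch for the pattern described in the post above (an executable named after the folder it sits in, copied into many folders), added here as an example and not part of the original post. The function names and the `min_copies` threshold are assumptions, and it is meant to be run from a clean machine against a removable drive or mounted image, not on the affected system.

```python
import hashlib
import os
from collections import defaultdict

def find_folder_named_exes(root):
    """Yield files of the form <dir>/<dir>.exe (case-insensitive) under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = os.path.basename(os.path.normpath(dirpath)).lower()
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and stem.lower() == folder:
                yield os.path.join(dirpath, name)

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def cluster_suspects(root, min_copies=2):
    """Group folder-named executables by content hash.

    A single <dir>/<dir>.exe can be legitimate; the same bytes repeated
    under different folder names is the pattern worth a closer look.
    min_copies is an assumed threshold, not a value from the post.
    """
    clusters = defaultdict(list)
    for path in find_folder_named_exes(root):
        try:
            clusters[sha256_of(path)].append(path)
        except OSError:
            continue  # unreadable or locked file: skip, keep scanning
    return {d: sorted(p) for d, p in clusters.items() if len(p) >= min_copies}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for digest, paths in cluster_suspects(target).items():
        print(f"{len(paths)} identical copies, sha256={digest}")
        for p in paths:
            print("   ", p)
```
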

  • 4 weeks later...

I got infected by that MSN virus. Luckily I was using my less important old computer. Saved it to desktop, right-clicked it and scanned for viruses, yet Norton didn't detect it. I ran the app (I knew it was a virus but decided to see what it would do) and Norton strangely uninstalled itself and Microsoft antispy crashed. I think it used a programme to execute itself. You wouldn't believe how many of my contacts got infected...

Got rid of it but the computer wouldn't work right so reinstalled Windows. The same person (knowingly) sent me the virus again, saved it to my desktop and put it on a floppy disk. Scanned again with Norton and still didn't detect it (virus definitions up to date) yet tried it with Free AVG and it found it.

First virus I've ever had where I couldn't repair my system. Nasty piece of work that.
