RE: newfolder.exe containment procedure



This is great information you have here, sir.
Please visit this website:

http://www.microsoft.com/security/portal/default.aspx

mpcfb@xxxxxxxxxxxxx

Thanks,
--
Milo
MSPSS


"Mark" wrote:

Greetings all, this is what I have used to contain this bug, so far so good,
but what is it up to in the background? We have CA AV and have submitted a
sample to them; the defs will be out in a few hours. Here is my fix:

Virus info

How to identify:
File size equals 208 KB, uses a folder icon and the same name as the parent
folder, but is an executable.
NB: Turn on viewing of system files and hidden files, and also show file
extension types.
Removal instructions (some of the info below was from the AGV forum)
Description of what it does:
If you enter a directory it creates an exe of that directory, e.g.
enter the directory c:\Program Files\ and it will create Program Files.exe

Properties of Program Files.exe:
Version:
Comments - Butterfly.
File version - 1.00
Internal name - My Things
Language - English(United states)
Legal Trademarks - 2007
Original file name - My Things.exe
Product Name - butterfly

Ensure you set the PC to show hidden and system files and file extensions.
Where it is located:
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
That is the entry that starts the bug.

Physical location if windows XP:
c:\WINDOWS\Help\sched.exe or schedl.exe

If Windows 2000: C:\WINNT\Help\sched.exe or schedl.exe

How to stop it:
0) Turn off System Restore
1) Open Task Manager, go to Processes, sort by Image Name. Find the sched.exe
and kill it.
2) Delete the entry from the registry
3) Delete the sched.exe file
4) Need to find all the infected *.exe and delete them. If you run them, it
will reinstall itself.
5) Search for *.exe from 01 May 2007 to present, look for hidden files with
a maximum size of 209 KB and make a detailed list of them.
6) Check the properties. If they match, delete them! Empty the Recycle Bin
(safety net in case any valid files are deleted).
7) Restart the machine and check 1) to 3).
8) If the user is using Offline Files and Folders and has no reason to be
using them, clear the offline folder cache by using Shift + left Ctrl +
Delete, then disable Offline Files and Folders.
9) Reboot and re-check 1, 2 and 3
10) The user may have browsed to network shares and used a memory stick, MP3
player or cellphone to view or store data. Run from step 5 to search for and
delete the dormant virus files.

You can add the following basic script to the beginning (must be at the
beginning) of a logon batch file to kill the virus on an XP workstation. (It
can also be added as a startup script via a GPO.)

rem ****************************************************
rem Butterfly virus containment 06-06-07 mtd (thanks uct for the basics!)
rem ****************************************************
echo This batch will kill the schedl.exe
echo process and remove it from startup
echo ---------------------------------------
rem ---------------------------------------
rem Kill the running dropper (and its child processes) so the file is no longer locked
taskkill /F /IM schedl.exe /T
rem Remove the Run value that relaunches it at logon (must be one line)
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v schedl /f

rem Delete the dropper; /ah is needed because del skips hidden files by default
del /ah c:\WINDOWS\Help\schedl.exe
cls
echo Completed "schedl.exe" removal

Explorer stays very slow after the reboot!

This is a temporary fix until the AV vendors recognise this as a virus and
provide a fix with a system clean. We are unsure as to what else this bug
gets up to. It is possible that your antispam box will be hammered with
x@xxxxxxxxxxxx!
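An added example, not code from Mark's post or from any AV vendor: a PowerShell script that automates steps 1-3, 5, 6 and 10 of the procedure above using only the indicators listed in the post (up to 209 KB, modified since 01 May 2007, named after its parent folder, and the version-resource strings Butterfly / butterfly / My Things / My Things.exe). The search roots, the -Remove switch, the "at least two version strings" threshold and the \Help\sched pattern used to spot the Run value are my assumptions; by default it only lists what it finds and deletes nothing.

```powershell
# Added example (not from the original post). Lists Butterfly indicators by
# default; -Remove actually kills/deletes. Roots, thresholds and the Run-value
# pattern are assumptions, not facts established in the thread.
param(
    [string[]]$Roots = @('C:\'),   # add removable media, e.g. 'E:\', per step 10
    [switch]$Remove
)

$SinceDate  = Get-Date '2007-05-01'   # step 5: files modified from 01 May 2007
$MaxBytes   = 209KB                   # step 5: maximum size 209 KB
$Indicators = @{                      # version properties quoted in the post
    Comments         = 'Butterfly'
    ProductName      = 'butterfly'
    InternalName     = 'My Things'
    OriginalFilename = 'My Things.exe'
}

function Test-ButterflyVersionInfo {
    param([System.IO.FileInfo]$File)
    try   { $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($File.FullName) }
    catch { return $false }
    $hits = 0
    foreach ($k in $Indicators.Keys) {
        $v = $vi.$k
        if ($v -and $v.Trim().TrimEnd('.') -ieq $Indicators[$k]) { $hits++ }
    }
    # Assumed threshold: two of the four strings, so one coincidence is not a match
    return ($hits -ge 2)
}

function Find-ButterflyFiles {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        # -Force includes hidden/system files, which the post says these are
        Get-ChildItem -Path $root -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.Length -le $MaxBytes -and
                $_.LastWriteTime -ge $SinceDate
            } |
            ForEach-Object {
                # Indicator 1: "Program Files.exe" sitting inside "Program Files"
                $mimicsFolder = ($_.BaseName -eq $_.Directory.Name)
                # Indicator 2: the version-resource strings from the post
                $versionMatch = Test-ButterflyVersionInfo -File $_
                if ($mimicsFolder -or $versionMatch) {
                    [pscustomobject]@{
                        Path         = $_.FullName
                        SizeKB       = [math]::Round($_.Length / 1KB, 1)
                        Hidden       = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                        MimicsFolder = $mimicsFolder
                        VersionMatch = $versionMatch
                    }
                }
            }
    }
}

# Steps 1-3: running process, dropper under %windir%\Help, Run value
foreach ($name in 'sched', 'schedl') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Running: $($_.Path) (PID $($_.Id))"
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }
    $dropper = Join-Path $env:windir "Help\$name.exe"
    if (Test-Path $dropper) {
        Write-Host "Dropper present: $dropper"
        if ($Remove) { Remove-Item $dropper -Force }
    }
}
# The post does not give the Run value's name, so match on its data instead:
# any value launching something from \Help\sched* is treated as the bug (assumption)
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match '\\Help\\sched') {
            Write-Host "Run value '$($p.Name)' = $($p.Value)"
            if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $p.Name }
        }
    }
}

# Steps 5, 6 and 10: sweep the given roots for dormant copies and list them
$found = @(Find-ButterflyFiles -Paths $Roots)
$found | Format-Table -AutoSize
if ($Remove) {
    # Delete only files whose version strings matched; a folder-name mimic alone
    # could be a legitimate installer, so those stay listed for manual review (step 6)
    $found | Where-Object { $_.VersionMatch } | ForEach-Object { Remove-Item $_.Path -Force }
}
```

Run it once without -Remove to get the "detailed list" step 5 asks for, review the MimicsFolder-only rows by hand, then run with -Remove. Rerun after the reboot in step 7 and again with the removable drive letters in -Roots for step 10.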
