Re: Blue Star in my folders...
- From: B <B@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 30 Dec 2007 17:49:00 -0800
All,
Due to my "unique" situation I am unable to elaborate any more than I can in
the following lines.
FYI, I tried to first update virus definitions and clean the systems with no
success.
I have run into this virus as well and here is what I have found so far.
Entry Method:
The entry method of this virus is by way of the autorun feature. It was
introduced to multiple systems by way of a thumb drive, then by removable
hard drives, then by external hard drives and finally by burned CDs from an
infected system. The virus used autorun.inf and ran a "system file" named
"New.exe" to begin the compromise.
Residency on the host:
Once the code was introduced to the host it hid as a "system file" in the
root directory of the OS partition as "New.exe". Every 20 to 30 seconds the
software would check to see if you could see "system files" and deactivate
that option so that it could hide itself. Any new removable media that was
plugged into the infected hosts would receive this virus. The only two
things I haven't figured out yet are:
1: How did the virus get onto the secondary partition on only 2 of the 6
infected systems? The secondary partition on the primary drive had an
autorun.inf file and the virus. That was a little strange considering that
on 2 other computers that had been infected at roughly the same time there
was no installation of the virus on the secondary partition.
2: How did the virus add itself to a burned CD-ROM? Is it smart enough to
become so much a part of the OS that it adds itself to a CD-recording software
executable, or does it do it some other way that I can't even get my head
around?
Whatever the answers to these questions, you can bet that computer #5 was
infected by inserting the newly created CD burned on an infected system.
Operating with the virus:
So now that the software is running on systems and I cannot remove it, we
decided to try and see what was going on. The "New.exe" process is running
in the task manager as a "Not Responding" process. You can kill it if you
try but obviously it will be back on next reboot. Additionally, there is
another process running now under the "Processes" Tab as scvhost.exe, not to
be confused with svchost.exe. "scvhost.exe" is registered as a W32/Agobot-S
virus through www.ProcessLibrary.com. The problem is that the process is
supposed to live in "C:\Windows\Tasks". I tried to find this file using a
cmd window with the "/a" option on the directory listing and it is not
showing up. Is it just a fake indicator in the Processes tab? Hummmm....?
Given the current situation and the risk associated with a process that is
registered as a back door for remote exploitation I decided this could not be
chanced.
Corrective action:
Using a base system with Windows XP Pro and McAfee Virus scan 11.2 with
current definitions:
I attached the infected drive to my base system with autorun disabled. The
virus was found in both "New.exe" and in the "System Volume Information"
directory. I will get what the viruses were in a future posting (I forgot
the paper I wrote them down on). They were all deleted. After scanning and
subsequent deletion of the virus (or worm or trojan horse or whatever other
name we choose to give the malicious code), I found that I could no longer
double click on the drive and see its contents in Windows Explorer.
Supposedly you have to remove the "autorun.inf" file and you should be able
to double click to access the drive. I couldn't make it work. Either way, I
saved all needed information to a local disk. I then formatted and prepared
the drive for a new operating system. With the beauty of having a drive
cloner on hand (just coincidence) I was able to have 5 systems up and
running by 5:30 the next morning (started approximately 8:30 at night).
Current:
I'm currently using the last computer (source of the virus) on a closed
network with my Fedora Core box monitoring all network traffic to see if it
is trying to comm with anything. This seems unlikely by what I have read so
far but I would love to know what anyone else thinks.
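The autorun.inf vector described in this post, as an added defender-side check that is not part of the original thread: it parses an autorun.inf the way a triage script would, lists which programs the file would launch, and reports whether each one sits on the drive root. The sample autorun.inf and the empty New.exe stand-in are constructed for illustration; the HIDDEN_OR_SYSTEM bit mask and the st_file_attributes lookup are assumptions about the Windows file attribute flags, not something the post states.

```python
import configparser
import shlex
import tempfile
from pathlib import Path

# Constructed autorun.inf content modelled on the vector the post describes.
SAMPLE_AUTORUN = """[autorun]
open=New.exe
shell\\open\\command=New.exe
icon=New.exe
"""
HIDDEN_OR_SYSTEM = 0x2 | 0x4  # assumed FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM bits

def parse_autorun_targets(text):
    """Distinct programs an autorun.inf would launch, in file order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)  # configparser lower-cases option names; section names stay as-is
    targets = []
    for section in (s for s in cp.sections() if s.lower() == "autorun"):
        for key, value in cp.items(section):
            # open=, shellexecute= and shell\<verb>\command= all name a program to run
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches and value.strip():
                # keep the executable path (quoted or not), drop any arguments
                prog = shlex.split(value, posix=False)[0].strip('"')
                if prog not in targets:
                    targets.append(prog)
    return targets

def check_autorun(root):
    """Report each launch target named by root/autorun.inf and whether it is on disk."""
    inf = Path(root, "autorun.inf")
    if not inf.is_file():
        return []
    report = []
    for t in parse_autorun_targets(inf.read_text(encoding="utf-8", errors="replace")):
        path = Path(root, t.lstrip("\\/"))
        exists = path.is_file()
        # st_file_attributes only exists on Windows; elsewhere the bits read as 0
        attrs = getattr(path.stat(), "st_file_attributes", 0) if exists else 0
        report.append({"target": t, "exists": exists, "hidden_or_system": bool(attrs & HIDDEN_OR_SYSTEM)})
    return report

def build_sample_drive():
    """Throwaway directory laid out like the infected drive root; New.exe is an empty stand-in."""
    root = tempfile.mkdtemp(prefix="autorun-demo-")
    Path(root, "autorun.inf").write_text(SAMPLE_AUTORUN)
    Path(root, "New.exe").touch()  # empty placeholder, not malware
    return root
```

Run `check_autorun(build_sample_drive())` to see the report; pointed at a real removable drive root (with autorun disabled, as the post does) it lists what would have run on double-click.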