Mystery virus in Malawi

  • 17-12-2011 1:25am
    #1
    Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭


    We have recently lost a few workstations to a nasty worm. It's picked up by our AV, but not completely removed, and is becoming a bit of a problem.

    We've tried a good few things, but the problem persists, and below is what my colleague in Malawi reports. All suggestions are welcome.

    Our main problem has been that even when we re-ghost machines and update the AV (FEP2010), as soon as we connect the external drives to put that data back on, the machines are re-infected. Something we'll try next is to delete the autorun.inf file and see if that stops the re-infection; then we can mount and scan the drives.

    Does anyone know of a *nix Live CD that will carry out an up-to-date virus scan of attached storage? I'm concerned that this is a new worm in the wild, since our updated Microsoft AV can't kill it properly. As I said, this is happening in Malawi, where local tech know-how is rare and expensive, but there is still good broadband and plenty of opportunity for malware writers to get a foothold or a botnet.

    (the report from Malawi)

    1. All machines are infected with Worm:Win32/Autorun!inf in XXXXXXX office, YYYYY district.
    2. FEC and FEP2010 (Microsoft AV products) aren't being quite helpful in getting rid of this virus permanently.
    3. Both AVs identify the worm and clean it, but are unable to remove it from the machine permanently.
    4. The external devices have been cleaned of this worm by using the tool 'Virus Shortcut Remover'. This tool also restored the folders which had been hidden on the USB drive and deleted the subfolder 'Newfolder'.
    (FEP and FEC do not remove the worm completely from the external USB devices.)
    WARNING: DON'T ATTEMPT TO OPEN THE SUBFOLDER 'NEWFOLDER' FROM THE USB DEVICE. THIS ACTION WOULD TRANSFER THE WORM AND THE MACHINE WOULD BE INFECTED TOO.
    5. One machine (laptop) which was going black/blank after reboot has been restored by using 'System Recovery Option'. But it required a lot of work to update this machine with the latest Windows and MS security patches. It also removed the user's logon profile, but the good thing is that it didn't remove the files and folders. So the user's data is saved.
    6. However, the other laptop with the same behaviour couldn't be restored to the previous Restore Point using the same method. This worm keeps coming back on this machine.
    7. This worm runs and hides behind an essential, generic MS OS process named SVCHOST.exe. The actual name of the process for this particular worm is identified as SSVICHOSST.exe. This process is triggered through an Autorun.ini file stored inside C:\Windows\System32. Usually this is a hidden file and can be made visible and deleted by changing the attributes of this file.
    8. It also creates a subfolder 'SSVICHOSST' inside the directory C:\Windows\.
    9. Both the file Autorun.ini and the subfolder SSVICHOSST were deleted manually. But it didn't solve the problem. Upon reboot, the problem reappears: the worm recreates the file Autorun.ini and the subfolder SSVICHOST, and the screen of the machine gets dark upon reboot/logon.
    10. I also installed the graphics driver by rebooting the machine in Safe Mode (command prompt), without any success. The display of the machine goes black after reboot/logon.
    11. Using an IDE/SATA to USB converter, I scanned this disk drive on another machine, without any success. As stated above, FEP identifies the worm and cleans it but doesn't remove it permanently. It is quite stubborn, perhaps stored inside the registry, and gets triggered every time the system reboots.
    12. I also RDP'd to the infected machine but got the same result: a blank screen. In short, the screen goes blank whether you log on to the machine in Normal mode, Safe mode and/or through RDP.

    Besides the two AVs, I also used various tools such as Malwarebytes, RogueKiller, Stinger and Virus Shortcut Remover [we are not sure of the provenance of this last tool, other than that it appeared to fix a different malware in Zambia recently] to remove this worm.

    We need to find out how the registry settings can be changed by connecting the HDD of the infected machine via an IDE/SATA to USB converter cable to another machine.

    I’ve surfed the Net but couldn’t find the answer. Perhaps we may find the answer to this by posting the query to communities on the Net.


    Would anyone be able to suggest some things we could try? Thanks

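The offline check the post asks about, as an added example that is not code from the thread or from any of the tools it names: with the suspect disk attached to a clean technician machine over the SATA/IDE-to-USB adapter, it loads the disk's SOFTWARE and per-profile NTUSER.DAT hives under temporary names, lists the Run/RunOnce/Winlogon autostart values, flags any that reference SSVICHOSST or a svchost lookalike outside System32, and then shows what the backup drive's autorun.inf would launch together with the hidden entries and .lnk shortcuts at its root. The drive letters E: (suspect system volume) and F: (backup drive) are assumptions; it only reports and deletes nothing, and it needs PowerShell 3 or later run elevated.

```powershell
<#
  Added example (not from the thread or the tools it names).
  Assumptions: suspect system volume mounted as E:\, backup USB drive as F:\,
  elevated PowerShell 3+ on a clean technician machine.
#>
param(
    [string]$SuspectSystemDrive = 'E:\',
    [string]$RemovableDrive     = 'F:\'
)
$ErrorActionPreference = 'Stop'

# 0. Never let the clean machine auto-run anything from the attached drives
#    (0xFF disables AutoRun for every drive type).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# Autostart locations an autorun worm typically uses to survive a reboot.
$runKeys = @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Get-SuspectAutostarts {
    param([string]$HivePath, [string]$MountName, [string]$Prefix)
    # Load the offline hive under a temporary name so the technician
    # machine's own registry is never modified.
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    try {
        foreach ($sub in $runKeys) {
            $key = "HKLM:\$MountName\$Prefix$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
                $value = [string]$p.Value
                # The report names SSVICHOSST.exe; also flag anything that
                # imitates svchost but does not live in System32.
                $suspect = ($value -match 'ssvichosst') -or
                           ($value -match 'svchost' -and $value -notmatch '\\System32\\svchost\.exe')
                [pscustomobject]@{ Hive = $HivePath; Key = $sub; Name = $p.Name; Value = $value; Suspect = $suspect }
            }
        }
    }
    finally {
        [GC]::Collect()   # release provider handles so the hive can be unloaded
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# 1. Machine-wide autostarts from the offline SOFTWARE hive (keys sit at its root).
$software = Join-Path $SuspectSystemDrive 'Windows\System32\config\SOFTWARE'
$findings = @(Get-SuspectAutostarts -HivePath $software -MountName 'OfflineSOFTWARE' -Prefix '')

# 2. Per-user autostarts from each profile's NTUSER.DAT (keys sit under Software\).
foreach ($root in @('Users', 'Documents and Settings')) {
    $profileRoot = Join-Path $SuspectSystemDrive $root
    if (-not (Test-Path $profileRoot)) { continue }
    foreach ($dir in (Get-ChildItem -Path $profileRoot -Force | Where-Object { $_.PSIsContainer })) {
        $ntuser = Join-Path $dir.FullName 'NTUSER.DAT'
        if (-not (Test-Path $ntuser)) { continue }
        $mount = 'Offline_' + ($dir.Name -replace '[^A-Za-z0-9]', '_')
        $findings += Get-SuspectAutostarts -HivePath $ntuser -MountName $mount -Prefix 'Software\'
    }
}
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize

# 3. The backup drive: what autorun.inf would launch, plus hidden entries and
#    shortcuts at the root (the "shortcut" pattern the report describes).
#    Nothing here is opened or executed.
$inf = Join-Path $RemovableDrive 'autorun.inf'
if (Test-Path $inf) {
    Write-Host "autorun.inf on $RemovableDrive would launch:"
    Get-Content -Path $inf -Force |
        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command|icon)\s*=' }
}
Get-ChildItem -Path $RemovableDrive -Force | Where-Object {
    (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or ($_.Extension -ieq '.lnk')
} | Select-Object Name, Attributes | Format-Table -AutoSize
```

Once the output names the value and the file it points to, remove that Run/RunOnce value with Remove-ItemProperty while the hive is still loaded, then delete the referenced executable and folder on E:\ and the autorun.inf plus any .lnk files on F:\ before restoring the data folders with `attrib -s -h`. Winlogon's Shell and Userinit values should be set back to their defaults (explorer.exe and C:\Windows\system32\userinit.exe,) rather than deleted, since an empty or wrong value there produces exactly the blank screen at logon that the report describes.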

Comments

  • Closed Accounts Posts: 211 ✭✭White Wolf Airsoft


    Download Gmer and Malware bytes and run scans with them :)


  • Registered Users, Registered Users 2 Posts: 3,410 ✭✭✭old_aussie


    Why would you risk stuffing another PC by connecting an infected HDD to it?

    How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)

    Follow the link below to remove your rootkit

    http://support.kaspersky.com/faq/?qid=208280684

    PS Microsoft couldn't get rid of dust let alone a virus.


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    White Wolf Airsoft wrote: »
    Download Gmer and Malware bytes and run scans with them :)

    Have tried mwb already both on the infected machines and on the external drives and no joy. Will try Gmer.


  • Registered Users, Registered Users 2 Posts: 2,809 ✭✭✭edanto


    old_aussie wrote: »
    Why would you risk stuffing another PC by connecting an infected HDD to it?

    Granted, it sounds a little stupid without the explanation. All the backed up data is on the external drives, and we have tried to scan the drives to no avail.

    Will try your suggestion thanks.


  • Registered Users, Registered Users 2 Posts: 7,020 ✭✭✭uch


    Download Spybot search and Destroy, update, scan.



