So I ran into a nasty virus today...anyone ever encounter it?

  • 19-04-2005 7:59pm
    #1
    Closed Accounts Posts: 4,763 ✭✭✭


    I'd post this on the Security board, but I'd probably wind up banned or something. Anyhow.

    Part of what I do is filter customers' machines before we send them on for full repair. If it's a case of bad settings or a virus, I just sweep it or fix settings as needed and give it back. It saves them money and time, I get to while away an hour or two and we all go away happy.

    Anyways, the machine came in yesterday with a note saying it was slow on the internet, as well as problems loading CD-ROMs, so when I had a chance, I fired it up in safe mode (you'd be amazed how many people are paranoid over their profiles, but never set an admin password...) and plugged in my Shuffle, as I carry a hell of a lot of utilities on it. I run HijackThis, but suddenly, it closes and is deleted from my pendrive. I open up the task manager, it closes and I can't open it again. Same for msconfig.

    The virus deletes any program that might affect its operation. It deletes taskmgr.exe, msconfig.exe, regedit.exe and several utilities on my pen drive. Additionally, it removed all of the AV software (Norton IS 2004) that had been installed.

    I then go and copy the utilities back onto my drive from another machine and then burn them to a CD, along with msconfig.exe, regedit.exe and taskmgr.exe.

    The machine is XP, SP1, incidentally. The browser used was IE and there was no firewall, so there was little protection on it.

    Loading taskmgr.exe, even with the virus closing it and trying to delete it every few seconds, I killed the main process: ACCWEIK386.bat, located in ~/windows/system32. It loads two other processes, with different alphanumeric names each time, although both their names end with .EX_.

    With the main process killed, I did a deep scan with clamav (the machine wasn't that stable or fast and I didn't want to go through installing AVG and patching it over dialup, when I had the latest clamav definitions on my pendrive).

    It flagged ACCWEIK386.bat as a virus and so I removed it.

    However, once it's removed, the machine is unable to run .exe files (it says it can't find the .exe) and as far as I can tell, there are still further components on the machine, as there is a message on startup saying it cannot find ACCWEIK.bat, even after I disabled it specifically.

    An extensive search of Google, Microsoft, Symantec and Security Focus websites didn't return anything at all on this, which is odd. More out of curiosity than anything else, I'm wondering if anyone has run into this virus and has a way of removing it. The machine in question will probably just be reimaged in the end, but if I see something once, I'm going to see it again.

    I had the impression, lastly, that it was some sort of zombie mailer program.


Comments

  • Registered Users, Registered Users 2 Posts: 2,265 ✭✭✭aidan_dunne


    I don't know if it's the same virus or not, but I came across something similar a couple of months ago. Right little bastard it was too. The infected machine was running Win XP SP1 with all the latest updates installed, plus had AVG, ZoneAlarm, Spybot and Adaware installed, all updated too. Now, I was told by the owner that they had received a file through MSN Messenger from someone and, when they opened it, nothing happened. File didn't open. Asked them what the file was supposed to be and they said a picture but, when they opened it, it didn't open. Nothing seemed to happen, in fact. Nothing opened, no error messages, nothing flashed on screen, nothing. Or, rather, they double-clicked on the picture to open it and nothing "seemed" to happen but obviously it launched something in the machine and then hid itself. They just deleted the picture then but whatever the picture was it was really a cover for some sort of virus or trojan or something and had already run itself and was now residing on the hard drive somewhere.

    Anyway, they shut down the machine and, when they turned it on next time (following day), AVG and ZoneAlarm didn't automatically load on startup. When they tried to launch both programs manually, something wouldn't let them, therefore, they couldn't scan the system for a virus as AVG wouldn't load. They tried running a check for spyware and, guess what, neither Spybot nor Adaware would open either.

    When I got the machine, I checked for myself to see if all this was true and it was. Checked to see what was running in the background and there wasn't anything suspicious. However, when I went to do some manual checking of files, I went into Windows/System32 and as soon as I opened the folder, the whole computer locked up! Seems the virus/trojan/whatever the hell it was was hiding in the System32 folder. Rebooted the machine, then started getting a whole bunch of error messages. In the wind up, I just backed up all the data on the hard drive, wiped it (low level formatted it, just to be safe as well) and reinstalled Windows.

    Having read your post, Fenster, it sounds as if you may have had the same virus on that machine you were working on as the one I had, or something very similar, because of the way it went to lengths to "protect" itself from being discovered, so to speak, i.e. shutting down AVG, ZoneAlarm, Spybot and Adaware and then not letting them be started, either, and then causing the machine to lock up when you tried to access the folder it may have been hiding in.

    Whatever it was, it was a sneaky little bastard. Seems viruses are starting to become more and more sophisticated to prevent them being discovered and wiped from machines.

    Unfortunately, Fenster, I can't help you out with ways of removal, other than backing up/ghosting data and reinstalling Windows, but this definitely is a little bastard of a thing so, if you do come up with any solutions, please let me know as, like you, I wouldn't be surprised if I come across this thing again somewhere.


  • Registered Users, Registered Users 2 Posts: 372 ✭✭cerbeus


    Fenster,

    Don't know if this is feasible but would the owner consider letting Symantec have a look/ghost image of the computer to study?

    If it is a new virus/worm it would be good to have a cure developed.


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    cerbeus wrote:
    Fenster,

    Don't know if this is feasible but would the owner consider letting Symantec have a look/ghost image of the computer to study?

    If it is a new virus/worm it would be good to have a cure developed.

    It isn't, unfortunately.


  • Closed Accounts Posts: 178 ✭✭MrShadow


    Problem with viruses like that is they can make a balls of the registry.
    Used to be a case where it was possible to take the hard drive out of one machine and put it into another uninfected one to run the scan. But that doesn't fix all the registry entries that can mess up Windows.


  • Registered Users, Registered Users 2 Posts: 1,560 ✭✭✭Boro


    I was fixing a machine for a client about 2 weeks ago and it had a very similar virus. The filenames were different but the general behaviour was similar. It used to close the task manager, Spybot, Norton etc. and either delete them or stop them running. I tracked it down to the virus w32.Serflog.A

    Symantec had a removal tool that I was able to use and it worked. I think I also did some manual removing of files but I struggle to remember breakfast so two weeks ago is decidedly blurry :)

    http://securityresponse.symantec.com/avcenter/venc/data/w32.serflog.a.removal.tool.html


  • Registered Users, Registered Users 2 Posts: 950 ✭✭✭jessy


    You could try to find a live version of Linux (Knoppix or SuSE), and do an online scan from Panda or BitDefender (both have good heuristic searches).


  • Closed Accounts Posts: 2,239 ✭✭✭Gilgamesh


    tbh, I think the least tiring way to solve this matter would be to boot up into Knoppix, back up the customer's data onto a pendrive, and reinstall the machine, then run a virus check on the contents of the pendrive and if clean, put it back on the fresh system.


  • Closed Accounts Posts: 3,733 ✭✭✭Blub2k4


    Try McAfee's Stinger, it is a tool which is downloadable and can remove most known viruses.


  • Registered Users, Registered Users 2 Posts: 950 ✭✭✭jessy


    Blub2k4 wrote:
    can remove most known viruses.

    No it can’t!

    Even if it could he said he can’t run .exe files so no chance of running stinger.


  • Closed Accounts Posts: 190 ✭✭snakeater


    Yeah I had that virus on my desktop, it removed files belonging to Norton AntiVirus and firewall. Also when I was chatting to a friend on MSN it tried to install on her PC.


  • Registered Users, Registered Users 2 Posts: 1,393 ✭✭✭Inspector Gadget


    Fenster:

    I haven't read the post in detail yet, but you need to *seriously* entertain the notion of buying a pendrive with a physical write-protect switch on it - I shudder to think what kind of cross-contamination you're leaving yourself open to by using the same write-enabled drive in machines where you *know* some have viruses running loose...

    (I have a PNY Attache which does just this - it's brilliant)

    [edit]
    Okay, I've read the post now. In reference to Stinger, its specific role is to kill viruses that go out of their way to kill anti-virus programs (such as, umm, let's see, McAfee's offerings :p). When it comes to opening the file, how are you doing it? From Explorer, from a command line? If it's from an Explorer window, it's possible that the "open" key on the EXE file type's been messed with, but you might have more luck from a DOS Prompt/Command (assuming you can start one).

    Also, it's useful to remember that .SCR and .PIF are also "executable" by Windows (or at least they were, don't know about XP SP2), so as well as renaming programs you don't want this virus to kill (such as taskmgr.exe) to something else, maybe changing its extension might help too?

    In case it helps...
    [/edit]

    Gadget
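Gadget's point about the "open" key on the EXE file type is something you can verify from a registry export rather than by guessing. What follows is an added example, not code from anyone in this thread: a Python script that parses the relevant keys out of a .reg export, compares them against the stock values, and generates a .reg file that puts the defaults back. It assumes the Windows XP defaults (`HKEY_CLASSES_ROOT\.exe` pointing at `exefile`, and `exefile\shell\open\command` being `"%1" %*`); the two .reg samples are constructed (plain text, not the UTF-16 that regedit actually exports) and `PLACEHOLDER.exe` is a made-up path standing in for whatever a hijack would insert.

```python
"""Check an exported Windows registry (.reg) file for a hijacked .exe file
association, and emit a .reg file that restores the default.

Added example for this thread, not code posted by anyone in it. Assumes the
Windows XP defaults: the HKEY_CLASSES_ROOT\\.exe key's default value is
"exefile", and HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command's default value
is "%1" %*. The .reg text below is constructed sample data (plain text, not
the UTF-16 regedit actually exports) and the hijack path is a placeholder.
"""
import re

# Known-good defaults (assumption: stock Windows XP values)
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample: a clean export
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample: the open command has been redirected through a
# placeholder file, so every .exe launch goes via that file first and
# breaks entirely once the file is deleted ("can't find the .exe")
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\PLACEHOLDER.exe\" \"%1\" %*"
'''


def parse_reg(text):
    """Parse the subset of the .reg format needed here: [key] headers and
    @="..." default values. Returns {key: default value or None}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, None)
        elif current is not None and line.startswith("@="):
            m = re.match(r'@="((?:\\.|[^"\\])*)"', line)
            if m:
                # .reg escapes backslash and double quote with a backslash
                keys[current] = re.sub(r"\\(.)", r"\1", m.group(1))
    return keys


def check_exe_association(reg_text):
    """Return a list of (key, found, expected) for every key whose default
    value differs from the known-good one; an empty list means clean."""
    found = parse_reg(reg_text)
    return [(key, found.get(key), expected)
            for key, expected in EXPECTED.items()
            if found.get(key) != expected]


def repair_reg():
    """Build .reg text that restores the defaults; merging it with regedit
    (or importing it with reg.exe) puts the association back."""
    def esc(value):
        return value.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, value in EXPECTED.items():
        lines += [f"[{key}]", f'@="{esc(value)}"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        problems = check_exe_association(sample)
        print(f"{name}: {'OK' if not problems else 'TAMPERED'}")
        for key, found, expected in problems:
            print(f"  {key}\n    found:    {found!r}\n    expected: {expected!r}")
    print(repair_reg())
```

Run it as is to see the clean sample pass and the hijacked one flagged; to use it on a real machine, export the two keys from regedit (or a renamed copy of it, per Gadget's extension trick) and feed that text to `check_exe_association`. The repair file only restores the association; it does nothing about whatever planted the hijack, which is why the thread's advice to back up and reinstall still stands.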


  • Closed Accounts Posts: 4,763 ✭✭✭Fenster


    Inspector Gadget wrote:
    Fenster:

    I haven't read the post in detail yet, but you need to *seriously* entertain the notion of buying a pendrive with a physical write-protect switch on it - I shudder to think what kind of cross-contamination you're leaving yourself open to by using the same write-enabled drive in machines where you *know* some have viruses running loose...

    (I have a PNY Attache which does just this - it's brilliant)
    Gadget

    I run Linux at home and did an fdisk on my pendrive to be safe.


  • Registered Users, Registered Users 2 Posts: 5,558 ✭✭✭CyberGhost


    Wow, that sounds like an interesting virus.

