Guys, good day to everyone.
I am trying to solve a computer problem (which I think is a very interesting case of a computer nasty) on my sister's and her friends' computers. I also want to share my discoveries, everything I have found, and some queries.
Here's the scenario:
One day, my sister approached me to ask if I can fix an "unknown virus" which affected their computers.
I tried to figure it out, checked their computers, and found some interesting things:
In every directory I explore (their "D:\Documents" folder, for example), I tried to see if any hidden files are present (random-named files that are characteristic of a virus infection). But the folder options keep reverting to the Windows default selected options (Don't show hidden files, Hide protected system files, Hide extensions on common file names; those circles are selected). I checked their flash drives (at my computer) and discovered that no "autorun.inf" is present. But these are the things I am investigating:

- A shortcut link to their flash drive. I investigated this thing, and it showed up as a gussied-up Windows Explorer icon, like this:
  Location: rundll32 (C:\Windows\System32)
  And I viewed the file properties. Here's the target:
  C:\Windows\System32\rundll32.exe ~$WBEHAX.NFC,crys xfnveaiqzhpygoxfn ygoxfnveaiqt
  I think there's something nasty here. Looks like a shortcut vulnerability. As shown in the shortcut target above, there's the 3KB-sized file "~$WBEHAX.NFC" that I found on the flash drive. (Different case on their friends' flash drives: "~$WHMCAT.FAT", and other files identical to those files.)
- On some friends' flash drives, a random-named ".dll" file was found.
- Not only that, in each of the folders there is an ".exe" file named the same as the directory it is placed in. For example, in the "{Flash Drive}:\documents" (F:\Documents) folder, there is a "documents.exe" file. Same for the other directories on their flash drives. Avira flagged those applications as a trojan (TR/Generic).
- Two legal-looking Windows files: "Thumbs.db" and "Desktop.ini".
  I inspected the "thumbs.db" file; it contained random characters. Looks legal.
  But the "Desktop.ini" also contained random characters. I began to doubt, because I know that is not the correct format of a "desktop.ini" file. The file size is also large for a legal "desktop.ini". I can't remember exactly, but the size is in three digits, in KB.
I opened the suspicious shortcut link on my computer. Some slightly suspicious things happened.
First, I checked my Task Manager and saw a legal-named application "TrustedInstaller.exe", but located at "C:\temp", not in the typical System32 folder.
Second, I saw some run32dll.exe instances related to the link above.
Third, it opened up browser windows (three windows), directing to some suspicious-looking web links.
Finally, it created some shortcuts in some of my folders on "C:\", the same ones redirecting to run32dll.exe.
Luckily, the computer I was testing this on is locked with a special drive-locking application that refreshes the whole computer at each restart. I became a little bit panicked and restarted my PC.
Anyway, their PCs use Windows XP SP3. And I doubt their PCs are patched correctly. Antivirus outdated.
Guys, share with me what the solutions can be here to identify what kind of computer nasty inflicted their PCs, and the steps to remove it. It would be a great help to me and my friends' computers if we can all figure out together what's going on there. Thank you, guys.
Current status: still figuring it out. I have seen some clues: W32/Conficker, W32/Sality, Windows Shell vulnerabilities.
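One way to check a flash drive for the indicators listed in the post (an .exe named after its own folder, a shortcut whose target runs rundll32 on a ~$-prefixed file, an oversized or non-text desktop.ini, and a ~$ file that is not an Office lock file). This is an added example, not code from anyone in the thread; the sample tree it builds is constructed, and the size threshold, the Office extension list and the rundll32 pattern are my assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

RUNDLL_RE = re.compile(rb"rundll32(?:\.exe)?\s+~\$", re.IGNORECASE)  # rundll32.exe ~$XXXX,...
OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")      # real ~$ lock files keep these
DESKTOP_INI_MAX = 4 * 1024                                            # assumed: a genuine one is tiny

def lnk_runs_rundll32_on_tmp_file(path):
    """True if the shortcut's embedded command line invokes rundll32 on a ~$-prefixed file.
    .lnk strings may be ASCII or UTF-16LE, so both views of the bytes are searched."""
    data = path.read_bytes()
    utf16_view = data.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")
    return bool(RUNDLL_RE.search(data) or RUNDLL_RE.search(utf16_view))

def desktop_ini_is_suspicious(path):
    """A real desktop.ini is small ASCII text that starts with a [section] header."""
    head = path.read_bytes()[:64]
    return path.stat().st_size > DESKTOP_INI_MAX or not (head.isascii() and head.lstrip().startswith(b"["))

def scan_drive(root):
    """Walk a removable drive and return (finding, path) pairs for the indicators above."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        for f in filenames:
            p, low = d / f, f.lower()
            if low == d.name.lower() + ".exe":                 # F:\Documents\documents.exe
                findings.append(("exe named after its folder", str(p)))
            elif low.endswith(".lnk") and lnk_runs_rundll32_on_tmp_file(p):
                findings.append(("shortcut runs rundll32 on ~$ file", str(p)))
            elif low == "desktop.ini" and desktop_ini_is_suspicious(p):
                findings.append(("oversized/non-INI desktop.ini", str(p)))
            elif low.startswith("~$") and not low.endswith(OFFICE_EXT):
                findings.append(("~$ file that is not an Office lock file", str(p)))
    return findings

def build_sample_drive():
    """Constructed stand-in for the infected flash drive (names echo the post; contents are fake)."""
    root = Path(tempfile.mkdtemp(prefix="fakeusb_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "documents.exe").write_bytes(b"MZ" + b"\0" * 64)
    target = "C:\\Windows\\System32\\rundll32.exe ~$WBEHAX.NFC,crys"
    (root / "Documents.lnk").write_bytes(b"L\0\0\0" + target.encode("utf-16-le"))
    (root / "~$WBEHAX.NFC").write_bytes(os.urandom(3 * 1024))
    (root / "desktop.ini").write_bytes(os.urandom(300 * 1024))            # hundreds of KB of junk
    (docs / "desktop.ini").write_text("[.ShellClassInfo]\r\nIconIndex=0\r\n")  # legitimate, not flagged
    (docs / "~$report.docx").write_bytes(b"\0" * 162)                     # Office lock file, not flagged
    return root
```

Running scan_drive(build_sample_drive()) reports exactly the four planted indicators and leaves the legitimate desktop.ini and Office lock file alone.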