Untangling the mystery
http://www.meetsinglepeople.org/ (don’t go there!)
Portions Copyright (c) 1999,2003 Avenger by NhT
sysusb\usbdur.exe
(Sorry for writing the post in English)
It’s been a hard morning.
Yesterday I was at Concibe giving a small workshop about IP telephony and XML web applications for WML-enabled phones; it was a nice experience. However, because I was the one with the presentation on the laptop, plus a couple of files we needed to distribute, my computer had some unprotected SEx (Software Exchange). Coming from a university network where you can find almost any imaginable virus, something was bound to bypass the antivirus and infect my machine, and it took an almost 4-hour scan for the antivirus (AVG) to claim that my laptop was virus free.
However, my machine kept popping up the site http://www.meetsinglepeople.org/ at random intervals. Using my digital camera (which pretty much works like a USB drive), I noticed that a locked autorun.inf (which I couldn't delete or open) was being written every time I connected the camera (I formatted the memory every time I unplugged it), along with a hidden folder named sysusb disguised as a Recycle Bin. Inside that folder were 2 files: a desktop.ini, which tells Windows that the sysusb folder is a Recycle Bin, and a usbdur.exe, which I presume is the virus.
However, usbdur.exe seems to use a trick in order to get executed: it relies on the user clicking the "Open folder to view files using Windows Explorer" option in the AutoPlay menu. Once it is on the system, it copies itself to any removable media and network drives, creating the autorun.inf and desktop.ini files.
Using my trusty hex editor, I managed to find the string "Portions Copyright (c) 1999,2003 Avenger by NhT"; a quick Google search revealed some additional information: it seems to come from a Delphi unit and also seems to be included in some Russian backdoor malware. Sadly, I can't read machine code.
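As an added example that is not part of the original post: a small Python triage script that checks a mounted volume for the pattern described above, i.e. an autorun.inf whose commands point into a folder that a desktop.ini disguises as the Recycle Bin, and whose target binary carries the "Avenger by NhT" string. The sample autorun.inf, desktop.ini and stub usbdur.exe it writes into a temp directory are constructed for the demo; the post does not show the real autorun.inf, and the action= lure line is an assumption of how the "Open folder to view files" trick is commonly done. The Recycle Bin CLSID is the real shell-folder CLSID, and the marker string is the one the post found.

```python
"""Triage a volume for the autorun.inf + fake-Recycle-Bin dropper pattern."""
import os
import tempfile

# CLSID of the Recycle Bin shell folder: a desktop.ini carrying it makes
# Explorer draw the folder as a Recycle Bin (how sysusb was disguised).
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# Marker string the post found with a hex editor.
MARKER = b"Portions Copyright (c) 1999,2003 Avenger by NhT"

# Constructed sample files (assumption: the post does not show the real ones).
SAMPLE_AUTORUN = r"""[autorun]
open=sysusb\usbdur.exe
shell\open\command=sysusb\usbdur.exe
shell\explore\command=sysusb\usbdur.exe
action=Open folder to view files using Windows Explorer
icon=%SystemRoot%\system32\SHELL32.dll,4
"""
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n"

def parse_ini(text):
    """Minimal case-insensitive INI parser: {section: [(key, value), ...]}.
    Keeps duplicate keys, which configparser would reject or merge."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def autorun_commands(text):
    """Values in [autorun] that AutoPlay/Explorer may execute: open=,
    shellexecute=, and any shell\\<verb>\\command= (Open, Explore, ...)."""
    cmds = []
    for key, value in parse_ini(text).get("autorun", []):
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            cmds.append(value)
    return cmds

def autorun_lure(text):
    """The action= text, shown as the label of the AutoPlay entry (the lure)."""
    for key, value in parse_ini(text).get("autorun", []):
        if key == "action":
            return value
    return None

def is_recycle_bin_disguise(desktop_ini_text):
    sect = parse_ini(desktop_ini_text).get(".shellclassinfo", [])
    return any(k == "clsid" and v.upper() == RECYCLE_BIN_CLSID for k, v in sect)

def executable_from_command(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""

def triage_volume(root):
    """Return human-readable findings for a volume root (E:\\ or /media/usb)."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if not os.path.isfile(autorun):
        return findings
    with open(autorun, encoding="latin-1") as f:
        text = f.read()
    lure = autorun_lure(text)
    if lure:
        findings.append(f"autorun.inf labels its AutoPlay entry {lure!r}")
    for exe in dict.fromkeys(map(executable_from_command, autorun_commands(text))):
        if not exe:
            continue
        findings.append(f"autorun.inf would run {exe}")
        target = os.path.join(root, *exe.replace("\\", "/").split("/"))
        folder = os.path.dirname(target)
        dini = os.path.join(folder, "desktop.ini")
        if os.path.isfile(dini):
            with open(dini, encoding="latin-1") as f:
                if is_recycle_bin_disguise(f.read()):
                    rel = os.path.relpath(folder, root)
                    findings.append(f"folder {rel} is disguised as the Recycle Bin")
        if os.path.isfile(target):
            with open(target, "rb") as f:
                if MARKER in f.read():
                    findings.append(f"{exe} contains the 'Avenger by NhT' marker")
    return findings

def build_demo_volume():
    """Write the constructed samples into a temp dir standing in for a USB stick.
    usbdur.exe here is a stub (MZ header plus the marker), not the real binary."""
    root = tempfile.mkdtemp(prefix="usbvol_")
    os.mkdir(os.path.join(root, "sysusb"))
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "sysusb", "desktop.ini"), "w") as f:
        f.write(SAMPLE_DESKTOP_INI)
    with open(os.path.join(root, "sysusb", "usbdur.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + MARKER)
    return root

if __name__ == "__main__":
    for line in triage_volume(build_demo_volume()):
        print("-", line)
```

Point triage_volume at a real volume root (the camera or USB stick mounted read-only from a Linux box is the safest place to run it) and it reports the lure label, the executables autorun.inf would launch, any Recycle Bin disguise on their folders, and whether the binary carries the marker; the hidden/system attributes of the real sysusb folder are not reproduced in the temp-dir demo.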
AVG currently (as of October 28, 2009) does not recognize the file as a virus, and Jotti's Malware Scan reveals that most antivirus products don't recognize it either. I already mailed the file to the AVG team and decided to write this in order to present a bit more information than what I found originally (most results are questions on public forums, where people only suggest installing and running antivirus/antimalware, yet nobody has claimed that it worked, and somebody already said that formatting the machine three times didn't work at all).
I'll try to keep working on this. It may be just annoying to have a site popping up, but I'm paranoid enough to think that there may be something else, like a keylogger or a trojan.
Moose out
Tags: Malware, meetsinglepeople, NhT, sysusb, usbdur, Virus



8 Comments:
Please do post in English.
By Anonymous, at 2:08 AM
Thanks a lot for the info! The same thing happened to me, the singles site thing, but now (after I formatted and reinstalled the antivirus) the antivirus recognized usbdur.exe as a threat.
I'm using "spyware terminator", I downloaded it from softonic.com, in case it's useful to you.
Regards!
By Pame, at 3:25 PM
Hi friend, I think I had the same problem. I just found an autorun.inf file on my freshly disinfected USB stick, and when I opened it I saw that it called a file named usbdur.exe, which no longer exists, nor does the folder it was in, because it was destroyed. I use ESET Smart Security 4, so I imagine that is what destroyed it, or maybe it was me, because I regularly clean my USB sticks from Ubuntu. It's interesting to discover that it was a relatively rare virus.
By Manuel de la Fuente, at 8:51 AM
zzz...
I got the same file from my college on a USB pen drive...
As I use Fedora (a Linux distro) too, I rebooted my computer into Fedora and manually deleted the files. But it seems to have affected my Windows files, as it reappears every time I connect it to Windows (once formatted in Linux, it's completely gone, so I can connect it to any computer without harm). AVG 9 still has no clue about it...
This sucks...
Maybe I should stick to Linux.
Btw, if you find a way to get it out of the system, please post it on your site (and hopefully mail me too).
By fasterthanlight, at 9:00 AM
Believe it or not, I successfully made the virus stop writing to the USB disk, and I think I have already cleared the virus, which was located at C:\recycler\S-1-5-21-5862474……
Whatever, just delete the files in C:\recycler; the one you can't delete is the virus.
Use Filemon or Process Monitor to see the file being created, and using WinRAR to delete and view files is much easier.
By 无聊的斋, at 8:47 PM
I can also confirm that I think I cleaned the virus by deleting the files in C:\Recycler.
I booted in "Safe mode with command prompt" and ran "RMDIR /S C:\Recycler".
At least when I log in, Internet Explorer doesn't pop up automatically pointing to the meet local people website.
By Anonymous, at 2:20 AM
I found an apparent solution. I installed Advanced System Protector (the personal/free version) and ran a scan. It found several pieces of malware and removed them; I complemented the protection with Autorun Eater, and rebooted.
I connected a USB stick and it wasn't contaminated; it looks like the result was successful.
By Man in Flames, at 1:06 PM
Hi... try this thread http://www.forospyware.com/t285304.html#post1245108... with Malwarebytes it's gone in no time!
By Anonymous, at 10:10 PM