PE.EXE watch for this one


7 replies to this topic

#1 MH81 ONLINE  

MH81

    Proud to be Deplorable

  • Staff Admin
  • Staff
  • -GTt Supporter-
  • Contributor
  • Member No: 802
  • 27,334 Thanks
  • 28,642 posts
  • Location: N. W. PA

Posted May 18, 2011 - 11:33 AM

We got this one at work thru a USB flash drive. Now it's spreading thru EXE files via shared docs. Doing best to quarantine, trying to kill it. It's self-replicating, automatically changing its name, and attaching to EXE files to try to override and access email and other programs.

Keep your virus stuff up to date and I'll let you know if we get it, what programs and etc were able to do the job.

#2 wvbuzzmaster OFFLINE  

wvbuzzmaster

    Squeaky Wheel

  • Senior Member
  • -GTt Supporter-
  • Contributor
  • Member No: 1792
  • 4,493 Thanks
  • 7,341 posts
  • Location: West Virginia

Posted May 18, 2011 - 12:54 PM

Sounds like a pita, hope you get it killed.

#3 tractorgarden ONLINE  

tractorgarden

    Junk Whisperer

  • Senior Member
  • -GTt Supporter-
  • Member No: 2291
  • 1,277 Thanks
  • 1,432 posts
  • Location: northwest pa

Posted May 18, 2011 - 01:10 PM

Thanks keep us posted

#4 MH81 ONLINE  

MH81

    Proud to be Deplorable

  • Staff Admin
  • Staff
  • -GTt Supporter-
  • Contributor
  • Member No: 802
  • 27,334 Thanks
  • 28,642 posts
  • Location: N. W. PA

Posted May 18, 2011 - 05:19 PM

What I know so far... It's polymorphic (changes its name, size, location and even its code), it can save itself into BIOS, and the harder you fight to get it out, the more it moves around. It's a Trojan that tries to steal info. Email, keystrokes, et al. Seems to be getting around via email or filesharing of exe files, but on the computer that seems to have it, it's a .dll. So far, we think it's only infected the units that have used a particular USB in the last 2 weeks. The best way to tell if you have it is if you can't tell if you have it. Real B!

One file that my coworker figured out could be it was a dll that we opened as text and found a name, Belcarra Technologies. I think it started as a legit file that has been changed.

Linux is looking better every minute.

#5 wvbuzzmaster OFFLINE  

wvbuzzmaster

    Squeaky Wheel

  • Senior Member
  • -GTt Supporter-
  • Contributor
  • Member No: 1792
  • 4,493 Thanks
  • 7,341 posts
  • Location: West Virginia

Posted May 18, 2011 - 07:52 PM

Solution to fixing infected computer: :spamani:

#6 NUTNDUN OFFLINE  

NUTNDUN

    Lost in Cyber Space

  • Admin
  • Staff
  • -GTt Supporter-
  • Contributor
  • Member No: 3
  • 10,266 Thanks
  • 15,618 posts
  • Location: Pennsylvania

Posted May 18, 2011 - 08:04 PM

Linux is the better option, especially with how far it has come with gui interfaces :D

Hope you are able to fix the virus.

#7 MH81 ONLINE  

MH81

    Proud to be Deplorable

  • Staff Admin
  • Staff
  • -GTt Supporter-
  • Contributor
  • Member No: 802
  • 27,334 Thanks
  • 28,642 posts
  • Location: N. W. PA

Posted May 19, 2011 - 03:32 PM

OK, Update: We had AVG on both machines that got infected. So Far, So Good on all the rest, they were running AntiVir.

The AVG has been running oddly thru this whole process, showing duplicates in task manager, not responding normally... even to hovering over the "shrink" box in the header... weird. After renaming that recurring dll file and installing ThreatFire, Antivir was able to see the problem and try to kill it; however, AVG (even after we had shut down AVG) popped up with virus warnings that AntiVir was infected and must be removed. Ignored these warnings and allowed Antivir to do its thing.

Short version long, AVG was infected. There was a pseudo program running and it was all tied to the virus known by Antivir as TR/crypt.zpack.Gen2

This was a bunch of messing around. 2 days on 2 computers, lost man hours, and etc. We are also destroying all removable media that has been on that machine in the last 2 months. Excessive, sure, but preventative.

If it wasn't for the keen eye of my fellow employee seeing odd stuff moving, and duplicate processes in taskmanager, we'd have never known and probably had it in the server. That is a problem we think we managed to avoid.

#8 mjodrey OFFLINE  

mjodrey

    Accumulator

  • Senior Member
  • Contributor
  • Member No: 92
  • 2,343 Thanks
  • 13,481 posts
  • Location: Upper Granville, Nova Scotia, Canada

Posted May 19, 2011 - 03:55 PM

Linux is the better option, especially with how far it has come with gui interfaces :D

Hope you are able to fix the virus.


Well, hopefully I'm good to go then, seeing as I have Linux.