Guys, good day to everyone.

I am trying to solve a computer problem (which I think is very interesting case of a computer nasty) from my sister's and her friends' computer. And also I want to share my discoveries and everything what I have found, and some queries.

Here's the scenario:

One day, my sister apporached me if i can fix an "unknown virus" which affected their computers.
I tried to figure it out, checked their computers, and found interesting things:

  1. In every directory I explore (Their "D:\Documents" folder, for example), I tried to see if any hidden files are present (random-named files that is characteristic of a virus infection). But the folder options keeps on reverting to Windows-default selected options. (Don't show hidden files, Hide protected system files, Hide extensions on common file names. Those circles are selected.)

  2. I checked their Flash Drives (At my computer) and discovered that no autorun.inf is present. But these things I am investigating:

    1. A Shortcut link to their flash drive.
      I investigated these thing, and showed as a gussied-up Windows Explorer Icon, like these:
      Location: rundll32 (C:\Windows\System32)
      And I viewed the file properties. Here's the target:
      C:\Windows\System32\rundll32.exe ~$WBEHAX.NFC,crys xfnveaiqzhpygoxfn ygoxfnveaiqt
      I think there's something nasty here. Looks like a shorcut vulnerability.

    2. As shown on the Shortcut target above, there's the 3KB-sized file ~$WBEHAX.NFC file i found on the flash drive. (Different case on their friends' flash drives: "~$WHMCAT.FAT", and other files identical to that files.)

    3. At some friends' flash drives, A random-named .dll file was found.
      Not only that, in each of the folders, there is an .exe file named as the same as to where directory they are placed. For example, in "{Flash Drive}:\documents" (F:\Documents) folder, there is a "documents.exe" file. Same as to other directories in their flash drives. Avira flagged those applications as a trojan. (TR/Generic)

    4. Two legal-looking Windows files: Thumbs.db and Desktop.ini.
      I inspected the "thumbs.db" file, contained random characters. Looks legal.
      But the "Desktop.ini" also contained random characters. I began to doubt, because I know that is not the correct format of a "desktop.ini" file. The file size is also large for a legal "desktop.ini". I can't remember exactly, but the size is in three digits, in KB.

  3. I opened the suspicious shortcut link, on my computer. Some little bit suspicious things happened.
    First, I checked my Task manager, and have seen some legal-named applicaton "TrustedInstaller.exe", but is located at "C:\temp", not on the typical System32 folder.
    Second, I have seen some run32dll.exe instances, related to the link above.
    Third, it opens up browser windows (three windows), directing to some suspicious-looking Web links.
    Finally, it created some shortcuts on some of my folders on C:\, the same as redirecting to run32dll.exe.

Luckily, my computer which i was testing this, is locked with a special drive-locking application that refreshes the whole computer at each restart. I become a little-bit, panicked. Restarted my PC.

Anyways, their PCs use Windows XP SP3. And I doubt, their PC's are not patched correctly. Antivirus outdated.

Guys share to me what can be the solutions here to identify what kind of computer nasty inflicted their PCs, and steps to remove it. It would be a great help to me and my friends' computer if we all together can figure out what's going on there. Thank you guys.

Current status: Still figuring it out. I had seen some clues: W32/Conficker, W32/Sality, Windows Shell Vulnerabilities.

Recommended Answers

All 4 Replies

Because you're having fun playing with it, I'll keep it simple:
You should search $WEBHAX.NFC,crys - possibly a phone hack. Note spelling.
http://news.softpedia.com/news/Microsoft-Experts-Details-Clever-Propagation-Mechanism-of-Gamarue-Malware-333499.shtml
http://blogs.technet.com/b/mmpc/archive/2013/02/27/the-strange-case-of-gamarue-propagation.aspx
Just delete the files and reg entries, there are no protections. The second link gives you clues as to how.
TrustedInstaller.exe is used by the Windows Module Installer service in W7, for Windows Update and Automatic Updates. It resides in Windows\Servicing, not in a temp folder. But you can see that from the second link.

I have now read it, same scenario.
Ah, i have tested it today. That's so extremely complex, it evades all normal security measures.
(most of my antiviruses cannot detect it.)

And everytime I plugged a flash drive, here's what happens. I'll post some images related to that one.

Thanks for the links, mate. I now understand.

Had not heard back, so I thought I would drop this in. Should take care of the problem for you.
If you are using XP, then make this registry change on the computer {clean or infected one} that you will use to clean the thumb drives [UFDs]; just paste it into a cmd window:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t reg_dword /d 0xDF /f
[this changes value from default 0x91]; this will disable Autorun.inf activation for all but CD drives. The worm cannot then self-activate from the inserted UFD.
If you are using W7, then cancel any Autoplay window that pops. Autorun.inf files are ignored by default for drives other than CD type.
Finally, insert and delete unusual files from your UFDs.
Next, for XP or W7 on the infected computers, make this batch file: copy the following lines into a notepad; save as MyBatch.bat, all files, to your desktop:

@echo off
 cd "%homepath%\desktop"
 reg query HKCU\SOFTWARE > rq.txt
 reg query HKLM\SOFTWARE\Microsoft >> rq.txt
 reg query HKCU\SOFTWARE /v e_magic >> rq.txt
 if not errorlevel 1 reg delete HKCU\SOFTWARE /v e_magic /f
 reg query HKLM\SOFTWARE\Microsoft /v 0022ff03 >> rq.txt
 if not errorlevel 1 reg delete HKLM\SOFTWARE\Microsoft /v 0022ff03 /f
 rq.txt
 exit

...cos I'd like to see those entries. And that should stop it in its tracks.

The soluation is that you tell this problem to your " Antivirus Service " team.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.