A brand new USB drive was used to copy a file folder from computer A to computer B, both running Windows XP Home. When the USB drive was inserted, B was connected to the Internet (and, unfortunately, in a profile with administrative rights). Before B could begin copying the intended file folder, its firewall started to alert about multiple Win32 Trojans attempting Internet access. To avoid further damage, B was disconnected from the network, but was allowed to run for a few minutes while the firewall identified requests from various Win32 agents: [vwwixjz.exe]*, Paladin antivirus, Virus.Win32.Gpcode.ak, Net-Worm.Win32.Mytob.t, [Zhj.exe]*, Virus.Win32.Hala.a, Trojan-Downloader.JS.Multi.ca, Trojan.Win.Agent.dcc, Trojan.Win32.Agent.dcc, Rootkit.Win32.Agent.pp, [zhl.exe]*, msa.exe.
*[The significance of filenames enclosed in brackets is that they are simply different, randomly-generated, filenames for the same Trojan, and thus you can't search for info by those names.]
Safe-mode exploration of computer B found the TDSS rootkit (iexplore.exe), which was removed with the Kaspersky tool TDSSKiller.exe.
For investigation and treatment, I took the USB drive to machine C, running Win XP Pro SP3, with Autorun disabled. A manual SAV scan [SAV 9.0.1.1000 with latest updates] identified the culprit as W32.Changeup!gen, and quarantined the files, which were named heozo.exe and heozo.scr - but again, those filenames are not significant: Every time the virus sees a new storage path, it replicates itself with a different filename, randomly generated, so there really is no significance to the filenames.
The second part of its replication script creates a set of false "folders" - which are really aliases/shortcuts to the new script - named Documents[ ], Music[ ], New Folder[ ], Passwords[ ], Pictures[ ], Video[ ]. [The space in brackets following each of those folder names represents spaces following the folder name - taking advantage of the Windows LFN (long filename) whitespace properties: Each space has LFN significance, but trailing spaces (though significant) are not shown in Windows Explorer. This allows the virus to set up multiple sets of these false folders in any directory, just by appending different numbers of spaces to the names.] Clicking on any of those false folders executes the script to load the rootkit. The other file elements of this package were a batch file generated by the script (a.bat) and an autorun script (autorun.inf).
That analysis came from investigating the USB drive while the offending files were quarantined. Then I wanted to zip up the whole set of files (*.exe, *.scr, a.bat, autorun.inf and the sets of pseudo-folders) for later analysis. To that end, I tried to Restore the files from Quarantine, and apparently succeeded - in that the files disappeared from Quarantine - but they did not then show up in their original location! It looks like the files were released from Quarantine and immediately deleted! Could that be right? A subsequent scan showed no evidence of the virus, and file searches showed no sign of the files. What could have happened to them?
By the way, copies of those files are still in SAV's Backup, and might be restored from there, but I don't want to take a chance of losing them by trying to restore them from Backup - and then having the same disappearing act. Any idea how to recover those files?
John