A real Virus warning - not messing about...

Associate | Joined 8 Mar 2007 | Posts 2,176 | Location: between here and there
Hey guys,

If you're anything like me, you'll tend to ignore the rubbish FB and Twitter warnings about specific threats; however, today I have a real one for you.

See this thread for the details:

http://www.bleepingcomputer.com/forums/topic464206.html/page__gopid__2804850#entry2804850

The end result is a process that hides all your Word and Excel files, creates a shortcut in the same location, but changes the target link to open the command prompt and run a file called 'Thumbs.db2'.

So far today I've removed over 20,000 shortcuts for only 2 Thumbs.db2 files.

Needless to say, that is a real threat that so far this month has wasted over 20 hours of my life.

Thought I'd give a heads up, so to speak.
 
Soldato | Joined 17 Jan 2007 | Posts 8,944 | Location: Manchester
Strange. At first glance it looks like it's more of an annoyance, but maybe the end goal is to catch a domain admin napping by linking all the files in the share to whatever this executable is and then when they go to investigate user complaints by opening one of the "documents"... bang.
 
Associate (OP) | Joined 8 Mar 2007 | Posts 2,176 | Location: between here and there
Yep, been a real nightmare.

Only noticed it when Nagios started reporting slow network speeds. Then I got a call from a user saying all his documents had gone and he was only left with shortcuts. By the time I'd realised what was going on it had been 10 minutes since the first shortcut creation, and so boom! 20,000 links later....

Also, it seems to have messed up my ACLs as well. Now I've got to rebuild from scratch.

The most annoying thing is that it's new so there is NO documentation on it apart from what I already know.
 
Soldato | Joined 17 Jan 2007 | Posts 8,944 | Location: Manchester
Hopefully the definitions will be rolling out soon so others don't suffer the same fate. Sounds like you're taking one for the team here bud. :p

Joking aside, I feel for you; it sounds like a right grind. Since you're on it anyway, it would be cool if you updated this thread with anything you learn, especially if you find the method of infection.
 
Soldato | Joined 15 Jun 2005 | Posts 2,751 | Location: Edinburgh
Had a relatively contained breakout of this today. I'm not sure how it got in or managed to propagate, as our AV does detect and block both the thumbs.db2 and the malicious shortcuts.

I have taken the extra measure of blocking the execution of thumbs.db2 through a software restriction policy.
 
Associate (OP) | Joined 8 Mar 2007 | Posts 2,176 | Location: between here and there
Well, she's reared her ugly head once more...

Yesterday I removed 97,000 links :(

I've had to create an AV policy to block all read, creation, modify and write requests to the file 'thumbs.db2'.

Created a GPO to block cmd.exe so it can't be run.

Have noticed that the file thumbs.db2 has changed in size since last week. (So this must be a newer, slightly different version.)

Have submitted all files to antivirustotal.com.

Getting bored of this one now!

:(
 
Associate (OP) | Joined 8 Mar 2007 | Posts 2,176 | Location: between here and there
OK, so a little bit more info for you:

The files associated with this virus have now increased (according to other users on another forum).

Files to watch out for are:

desItop.ini
desktops.ini
desktope.ini
desktopw.ini
desktop.iqi
reYdme.txt
thumbs.db2
thumbs.dbh
thumbs.du
thumbs.Fb


I suggest adding a policy to your AV server blocking all read, write, modify and execute requests to the above files.

If you can, block cmd usage as well. (Not possible in all environments, as most 2003 domains will be using login scripts.)

You'll then be covered should you get hit.
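As an added example (not code from the thread or from any AV vendor), here is a Python script that hunts for the two things the posts above describe: files whose names match the indicator list, and .lnk shortcuts whose target is cmd.exe with Thumbs.db2 on the command line (the "shortcut opens the command prompt and runs Thumbs.db2" trick from the first post). The .lnk layout follows the public MS-SHLLINK specification; the sample shortcut built at the bottom is constructed for the example and is not captured from a real infection. The cmd.exe and Thumbs.db2 locations in that sample are assumptions.

```python
"""Hunt for the indicator files and the cmd.exe -> Thumbs.db2 shortcuts.

Added example; not the thread's or any vendor's code. Layout of .lnk files
follows the public MS-SHLLINK specification. The sample shortcut is constructed.
"""
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-...-46
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80

# Indicator file names quoted in the thread (matched case-insensitively).
IOC_NAMES = {n.lower() for n in (
    "desItop.ini", "desktops.ini", "desktope.ini", "desktopw.ini", "desktop.iqi",
    "reYdme.txt", "thumbs.db2", "thumbs.dbh", "thumbs.du", "thumbs.Fb")}


def _read_string(buf, off, unicode):
    """StringData item: 2-byte char count, then chars (UTF-16LE if IsUnicode)."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(buf):
    """Return LocalBasePath (from LinkInfo) and the StringData fields of a .lnk."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    off = 0x4C                                    # end of ShellLinkHeader
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    local_path = ""
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags = struct.unpack_from("<III", buf, off)
        if info_flags & 1:                        # VolumeIDAndLocalBasePath
            lbp_off = struct.unpack_from("<I", buf, off + 16)[0]
            end = buf.index(b"\0", off + lbp_off)
            local_path = buf[off + lbp_off:end].decode("cp1252", errors="replace")
        off += info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {"local_path": local_path}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon")):
        if flags & bit:
            fields[key], off = _read_string(buf, off, unicode)
    return fields


def is_suspicious_lnk(fields):
    """cmd.exe as the target plus an indicator name on the command line."""
    target = (fields.get("local_path") or fields.get("relative_path") or "").lower()
    args = fields.get("arguments", "").lower()
    return target.endswith("cmd.exe") and any(n in args for n in IOC_NAMES)


def scan_tree(root):
    """Walk a share and return (ioc_files, bad_shortcuts, unreadable_lnks)."""
    ioc_files, bad_lnks, errors = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in IOC_NAMES:
                ioc_files.append(path)
            elif name.lower().endswith(".lnk"):
                try:
                    with open(path, "rb") as fh:
                        if is_suspicious_lnk(parse_lnk(fh.read())):
                            bad_lnks.append(path)
                except (OSError, ValueError, struct.error):
                    errors.append(path)
    return ioc_files, bad_lnks, errors


def _sd(s):
    """Encode one StringData item as UTF-16LE with its character count."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk(target=r"C:\Windows\System32\cmd.exe", args="/c Thumbs.db2"):
    """Constructed minimal shortcut: header + LinkInfo(LocalBasePath) + StringData."""
    flags = HAS_LINK_INFO | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"   # DRIVE_FIXED, no label
    lbp = target.encode("cp1252") + b"\0"
    info_size = 28 + len(volume_id) + len(lbp) + 1
    link_info = struct.pack("<IIIIIII", info_size, 28, 1, 28, 28 + len(volume_id),
                            0, 28 + len(volume_id) + len(lbp)) + volume_id + lbp + b"\0"
    rel = "..\\..\\" + target.rsplit("\\", 1)[-1]
    return header + link_info + _sd(rel) + _sd(args)


if __name__ == "__main__":
    sample = parse_lnk(build_sample_lnk())
    print(sample, is_suspicious_lnk(sample))
```

Run `scan_tree(r"\\server\share")` from a machine with read access to the share; the three lists it returns give you the indicator files to quarantine, the shortcuts to delete, and any .lnk files the parser could not read (worth a manual look). The shortcut check keys on the target plus the command line rather than on the .lnk file name, so it still fires when the shortcut has been renamed to match a hidden document.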
 
Associate | Joined 16 Aug 2012 | Posts 18
Malwarebytes doesn't even find it.

I have been on the phone to Symantec, as our enterprise installation of Endpoint Protection couldn't even find it.

A rapid release has been created for anyone using a Symantec product. Contact support and they will FTP you to a location where you can either distribute it using SEPM or update the definitions locally and run SEPC for a full scan.

It picks up thumbs.db2. The other files such as thumbs.dbh/.fb etc. aren't infected.

It's a nasty little bugger!
 
Associate | Joined 16 Aug 2012 | Posts 18
> OK, so a little bit more info for you:
>
> The files associated with this virus have now increased (according to other users on another forum).
>
> Files to watch out for are:
>
> desItop.ini
> desktops.ini
> desktope.ini
> desktopw.ini
> desktop.iqi
> reYdme.txt
> thumbs.db2
> thumbs.dbh
> thumbs.du
> thumbs.Fb
>
> I suggest adding a policy to your AV server blocking all read, write, modify and execute requests to the above files.
>
> If you can, block cmd usage as well. (Not possible in all environments, as most 2003 domains will be using login scripts.)
>
> You'll then be covered should you get hit.

Great advice.
 