A real Virus warning - not messing about...

Associate
Joined
8 Mar 2007
Posts
2,176
Location
between here and there
hey guys,

If you're anything like me you'll tend to ignore the rubbish FB and Twitter warnings about specific threats; however, today I have a real one for you.

See this thread for the details;

http://www.bleepingcomputer.com/forums/topic464206.html/page__gopid__2804850#entry2804850

The end result is a process that hides all your word and excel files, creates a short cut in the same location but changes the target link to open the command prompt and run a file called 'Thumbs.db2'

So far today I've removed over 20,000 shortcuts for only 2 Thumbs.db2 files.

Needless to say, that is a real threat that so far this month has wasted over 20 hours of my life.

Thought I'd give a heads up, so to speak.
 
OP
Yep, been a real nightmare.

Only noticed it when Nagios started reporting slow network speeds. Then got a call from a user saying all his documents had gone and he was only left with shortcuts. By the time I'd realised what was going on it had been 10 minutes since the first shortcut creation and so boom! 20,000 links later....

Also, it seems to have messed up my ACLs as well. Now got to rebuild from scratch.

The most annoying thing is that it's new so there is NO documentation on it apart from what I already know.
 
OP
Well, she's reared her ugly head once more...

Yesterday I removed 97,000 links :(

I've had to create an AV policy to block all read, creation, modify and write requests to the file 'thumbs.db2'.

Created a GPO to block cmd.exe so it can't be run.

Have noticed that the file thumbs.db2 has changed in size since last week. (So this must be a newer slightly different version)

Have submitted all files to antivirustotal.com

Getting bored of this one now!

:(
 
OP
OK, so a little bit more info for you;

The files associated to this virus have now increased (according to other users on another forum).

Files to watch out for are;

desItop.ini
desktops.ini
desktope.ini
desktopw.ini
desktop.iqi
reYdme.txt
thumbs.db2
thumbs.dbh
thumbs.du
thumbs.Fb


I suggest adding a policy to your AV server blocking all read, write, modify and execute requests to the above files.

If you can, block cmd usage as well (not possible in all environments, as most 2003 domains will be using login scripts).

You'll then be covered should you get hit.
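The behaviour described in the first post (documents hidden, a .lnk dropped beside each one whose target is cmd.exe with arguments that run thumbs.db2) and the watch list of dropped file names above can both be checked for with a single sweep of a file share. The script below is an added example written for this thread, not something posted by the OP or taken from the linked BleepingComputer/McAfee threads. It assumes the shortcuts are named after the document they replace (either `report.docx.lnk` or `report.lnk`), that the affected documents are Word/Excel files, and that the share root you pass in is readable and writable by the account running it; the script name and the report path are made up.

```powershell
<#
  Hunt-ShortcutWorm.ps1  (hypothetical name, added example)
  Sweeps a share for:
    a) dropped files whose names appear on the thread's watch list, and
    b) .lnk files whose target is cmd.exe and whose arguments mention thumbs.db2.
  Without -Remediate it only reports. With -Remediate it deletes matching shortcuts
  and clears the Hidden attribute on the Word/Excel file of the same base name.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Root,                  # e.g. \\fileserver\users  (assumed path)
    [switch] $Remediate,
    [string] $ReportPath = '.\shortcut-worm-report.csv'     # assumed output location
)

# Names from the watch list in this thread (compared case-insensitively)
$watchList = @('desItop.ini','desktops.ini','desktope.ini','desktopw.ini','desktop.iqi',
               'reYdme.txt','thumbs.db2','thumbs.dbh','thumbs.du','thumbs.Fb')

# Document types the thread says were hidden and replaced (assumption: Word/Excel only)
$docExtensions = @('.doc','.docx','.xls','.xlsx')

$shell    = New-Object -ComObject WScript.Shell
$findings = New-Object System.Collections.Generic.List[object]

# -Force is required: both the dropped files and the hidden documents carry the Hidden attribute
Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
    $f = $_

    if ($watchList -contains $f.Name) {
        $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Path = $f.FullName
                                         Detail = "size=$($f.Length)"; Action = 'ReportedOnly' })
        return
    }

    if ($f.Extension -ieq '.lnk') {
        try { $lnk = $shell.CreateShortcut($f.FullName) } catch { return }
        $target    = [string]$lnk.TargetPath
        $arguments = [string]$lnk.Arguments          # not $args: that is an automatic variable

        if ($target -match 'cmd\.exe$' -and $arguments -match 'thumbs\.db2') {
            $action = 'ReportedOnly'
            if ($Remediate) {
                Remove-Item -LiteralPath $f.FullName -Force
                $action = 'ShortcutDeleted'

                # Candidate document paths: "<base>" (for report.docx.lnk) or "<base>.<ext>" (for report.lnk)
                $candidates = @(Join-Path $f.DirectoryName $f.BaseName)
                foreach ($ext in $docExtensions) { $candidates += Join-Path $f.DirectoryName ($f.BaseName + $ext) }

                foreach ($doc in $candidates) {
                    if (-not (Test-Path -LiteralPath $doc)) { continue }
                    $item = Get-Item -LiteralPath $doc -Force
                    if ($docExtensions -notcontains $item.Extension.ToLower()) { continue }
                    if ($item.Attributes -band [IO.FileAttributes]::Hidden) {
                        $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
                        $action += ';DocUnhidden'
                    }
                }
            }
            $findings.Add([pscustomobject]@{ Type = 'MaliciousShortcut'; Path = $f.FullName
                                             Detail = "target=$target args=$arguments"; Action = $action })
        }
    }
}

$findings | Export-Csv -NoTypeInformation -Path $ReportPath
Write-Host ("{0} finding(s) written to {1}" -f $findings.Count, $ReportPath)
```

Run it once without `-Remediate` and read the CSV first: the report tells you how far the worm got (which directories, how many shortcuts) before anything is deleted, and the `DroppedFile` rows give you the exact paths to hand to the AV team. The shortcut check deliberately requires both conditions (cmd.exe target and a thumbs.db2 argument) so that legitimate shortcuts to cmd.exe are left alone; widen the regex only if your own copies of the dropped file use one of the other names on the watch list.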
 
OP
This thread has much more detail;

https://community.mcafee.com/thread/47666?start=0&tstart=0

We appear to be over the worst. The AV blocking did the trick. We're currently updating all AV clients to the newer version, but still keeping a close eye on the AV reports and web access logs, just in case.

If anyone gets stuck with this, trust me an email and I'll offer some advice first hand.
 