I had to clean a bunch of flash drives for a project this morning and I noticed one folder was not being cleaned. It was called Pozuda and of course it had a desktop.ini inside there that made the folder look like the Recycle Bin. Therefore, when you click on it, the folder takes you to the Recycle Bin as well.
I scanned the folder on my laptop (MacBook, Windows 7) with Avast Home (4.8.1355, defs from today), and it didn’t find anything. I knew there was something in there, because it was 150 kb, which is too much for just a .ini file.
I scanned the same flash drive on another computer with up to date AVG 9.0 (just reformatted last night). Nothing.
I scanned the same flash drive on another computer with up to date Bit Defender Business Client (enterprise ed). Nothing.
So I rebooted into Mac, and of course, there inside the folder was a file called malena.exe. I’ve removed both the autorun.ini and the Pozuda folder and have them sitting here on my Mac.
Why the hell couldn’t these three (reputable) AVs detect it?
Edit: I’m seeing a lot of these things that Avast isn’t removing, so I’m semi-seriously thinking about just running Mac OS all the time on my laptop (and using VMs for my dev work). It’ll be hard, as I’ve been using Windows about 99% of the time now. And maybe Ubuntu for the desktop back at home. What a bugger. WTF Windows/AV vendors?
You could also check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings here, i.e. the URL in the address bar of the VT results page. You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.
The reason I suggest this is that Jotti uses the Linux versions of the AV engines, while VirusTotal uses the Windows versions, and there are 40/41 different scanners.
Send the sample to virus@avast.com, zipped and password protected with the password in the email body; a link to this topic might help, and put “undetected malware” in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
I couldn’t send the file to the chest because of the desktop.ini file (it completely blocked access to the real Pozuda folder; trying to open it always redirects to the Recycle Bin). So that’s why I had to reboot into Mac.
You might be able to double zip it, with the inner one password protected, or you could try using 7-Zip, which uses the .7z file type, which may get round the primitive/pathetic Gmail blocking of .zip files.
Since you were presumably able to access the file from the Mac, it should be possible to rename the desktop.ini file to desktopOLD.ini, and that may remove the protection of the Pozuda folder. Or make a copy of the file in a different location, which may allow the file to be sent to the chest.
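What follows is an added example, not code from the forum posts or from any of the vendors named in this thread. It is a small Python triage script that does, from a non-Windows host (the way the original poster got at the folder from the Mac), what the thread describes doing by hand: it reads autorun.inf for open/shellexecute/icon entries, reads every desktop.ini for a CLSID/CLSID2 line that turns the folder into a shell object (the Recycle Bin CLSID {645FF040-5081-101B-9F08-00AA002F954E} is the real one Explorer uses), flags folder names carrying a CLSID suffix, and hashes every executable so it can be looked up on VirusTotal without first getting the file out of a folder Explorer refuses to open. The folder and file names Pozuda and malena.exe come from the thread; the sample drive layout is constructed inline for the demo, the “executable” in it is inert bytes, and the function names and the list of extensions/keys it inspects are my own assumptions about what a triage should look at.

```python
"""Offline triage of a removable drive for the autorun / desktop.ini tricks
described in the thread.  Added example; assumes the drive is mounted
read-only on a non-Windows host (or with AutoRun disabled) and that no
folder on it has been opened in Explorer."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Real shell CLSID: a desktop.ini with CLSID=<this> or a folder named
# "Name.{<this>}" opens the Recycle Bin instead of the directory's contents.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
SHELL_CLSIDS = {RECYCLE_BIN_CLSID: "Recycle Bin"}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Assumed lists: extensions worth hashing and autorun.inf keys worth reporting.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}
AUTORUN_KEYS = {"open", "shellexecute", "shell\\open\\command", "icon"}


def parse_ini(text):
    """Lenient INI parser returning {(section, key): value} with lower-cased
    section and key.  Junk lines (malware pads .inf files with binary) are skipped
    rather than raising, which is why configparser is not used here."""
    entries, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, _, value = line.partition("=")
            entries[(section, key.strip().lower())] = value.strip().strip('"')
    return entries


def read_text(path):
    # latin-1 never fails to decode, so binary padding cannot abort the scan.
    return Path(path).read_bytes().decode("latin-1")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_drive(root):
    """Walk the drive and return a sorted list of (kind, relative path, detail)."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        for (section, key), value in parse_ini(read_text(autorun)).items():
            if section == "autorun" and key in AUTORUN_KEYS:
                findings.append(("autorun", "autorun.inf", f"{key}={value}"))
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel = str(d.relative_to(root))
        m = CLSID_RE.search(d.name)
        if m and d != root:
            label = SHELL_CLSIDS.get(m.group(0).upper(), m.group(0))
            findings.append(("clsid-folder-name", rel, label))
        for name in filenames:
            p = d / name
            if name.lower() == "desktop.ini":
                ini = parse_ini(read_text(p))
                for key in ("clsid", "clsid2"):
                    value = ini.get((".shellclassinfo", key))
                    if value:
                        label = SHELL_CLSIDS.get(value.upper(), "unknown shell object")
                        findings.append(("desktop.ini-redirect", rel, f"{key}={value} ({label})"))
            elif p.suffix.lower() in EXEC_EXT:
                # Hash only: the file never has to leave the folder to be looked up.
                findings.append(("executable", str(p.relative_to(root)), sha256_file(p)))
    return sorted(findings)


def build_sample_drive(base):
    """Constructed sample of the layout described in the thread.  The 'exe' is
    inert bytes, not a program; written as bytes so line endings stay CRLF."""
    base = Path(base)
    (base / "autorun.inf").write_bytes(
        b"[autorun]\r\nopen=Pozuda\\malena.exe\r\nshellexecute=Pozuda\\malena.exe\r\n"
        b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n\x00\x00garbage\r\n")
    hidden = base / "Pozuda"
    hidden.mkdir()
    (hidden / "desktop.ini").write_bytes(
        b"[.ShellClassInfo]\r\nCLSID=" + RECYCLE_BIN_CLSID.encode() + b"\r\n")
    (hidden / "malena.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"inert sample")
    (base / "Project Docs").mkdir()
    (base / "Project Docs" / "notes.txt").write_bytes(b"harmless\n")
    return base


def demo_findings():
    """Run the triage over the constructed sample drive and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    for kind, path, detail in demo_findings():
        print(f"{kind:22} {path:22} {detail}")
```

Run it against the mount point of the stick (for example `triage_drive("/Volumes/NO NAME")` on the Mac). Renaming or copying is then done with the normal shell tools rather than through Explorer, and the SHA-256 of malena.exe can be searched on VirusTotal before deciding whether the file itself needs to be submitted.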
When it comes to flash drives, you should consider using “speciality” programs like the free Flash Disinfector or a-squared’s HijackFree. If the flash drive is known to be “clean”, then consider using Panda USB Vaccine.
well… no
I’ve seen just this virus as well (malena.exe in the Pozuda folder). Avast in the newest version (091126-1.26.11) does NOT recognize it. I’ve pretty much tried everything: either it’s not found, or it can’t be properly cleaned. Spyware Doctor, which I bought(!), for example claims to find “Buzus”, removes it and… voilà, it’s there again.
It also phones home, e.g. it tries to contact other hosts for updates and a particular host of the organization “balkan hosting”, with a contact in Bosnia but hosted in Frankfurt. Crazy stuff.
Seriously? The only reason I said Avast detected it was because that’s what it now says on VirusTotal.
And with my original system, with BitDefender, they told me that BD will now detect it, but it doesn’t… And I think I also have the virus running on the system. I did a full system scan and it didn’t pick up anything. I’m having svchost.exe memory errors (on shut down) and nissan.exe application faults (what the hell is nissan.exe?).
System restore is turned off, so it shouldn’t be hiding in there…
Let me know if you get anything. Like I said, I’m semi-seriously thinking of just leaving Windows except for VMs. What a pain in the ass.
Also, do you happen to know of any flash drives on the market that have read-only switches? I used to have an old 64 MB Kingston that had the feature and it was great for using on infected computers.