[Resolved] New Malware:siodo.scr

Hi to everyone,
I used Avast for many years and never had any problem. Yesterday I had my first one. I noticed that all the folders in my external HDD appear as shortcuts. I checked whether the files had been erased, but the capacity of my HDD remained the same as before it had been infected by this malware. I wasn't allowed to open any folder, and the following message appeared:
“The siodo.scr element to which this shortcut has been changed or moved, so they do not work properly syntomefsi.thelete to delete this shortcut?”
I started running AVAST and it found this malware, but although I chose to delete it, it has more effective measures.
I suppose that the “autorun” of my HDD was affected by this.
Any ideas are welcome.
Thanks in advance,
The Newbie

After a quick search on “virustotal” it gave me the following:

Antivirus Version Last Update Result
AhnLab-V3 2010.07.31.00 2010.07.30 -
AntiVir 8.2.4.32 2010.07.30 TR/Dldr.VB.dxh
Antiy-AVL 2.0.3.7 2010.07.30 Worm/Win32.VBNA.gen
Authentium 5.2.0.5 2010.07.31 W32/VB.BA.gen!Eldorado
Avast 4.8.1351.0 2010.07.31 Win32:VB-PQX
Avast5 5.0.332.0 2010.07.31 Win32:VB-PQX
AVG 9.0.0.851 2010.07.31 SHeur3.AIMF
BitDefender 7.2 2010.07.31 Win32.Worm.Agent.QFS
CAT-QuickHeal 11.00 2010.07.31 Worm.VBNA.gen
ClamAV 0.96.0.3-git 2010.07.30 -
Comodo 5598 2010.07.31 -
DrWeb 5.0.2.03300 2010.07.30 Trojan.MulDrop1.39525
Emsisoft 5.0.0.34 2010.07.30 Worm.Win32.Vobfus!IK
eSafe 7.0.17.0 2010.07.29 -
eTrust-Vet 36.1.7753 2010.07.31 Win32/Vobfus!generic
F-Prot 4.6.1.107 2010.07.31 W32/VB.BA.gen!Eldorado
F-Secure 9.0.15370.0 2010.07.31 Worm:W32/Vobfus.BA
Fortinet 4.1.143.0 2010.07.31 -
GData 21 2010.07.31 Win32.Worm.Agent.QFS
Ikarus T3.1.1.84.0 2010.07.31 Worm.Win32.Vobfus
Jiangmin 13.0.900 2010.07.29 Worm/VBNA.vwo
Kaspersky 7.0.0.125 2010.07.31 Worm.Win32.VBNA.ajeu
McAfee 5.400.0.1158 2010.07.31 Downloader-CJX.gen.a
McAfee-GW-Edition 2010.1 2010.07.30 Heuristic.LooksLike.Win32.Suspicious.J
Microsoft 1.6004 2010.07.31 Worm:Win32/Vobfus.S
NOD32 5327 2010.07.30 Win32/AutoRun.VB.RD
Norman 6.05.11 2010.07.31 W32/Suspicious_Gen2.BOJHY
nProtect 2010-07-31.01 2010.07.31 Worm/W32.Agent.57344.BG
Panda 10.0.2.7 2010.07.31 W32/Vobfus.EQ
PCTools 7.0.3.5 2010.07.31 Malware.Changeup
Prevx 3.0 2010.07.31 High Risk Cloaked Malware
Rising 22.58.05.04 2010.07.31 -
Sophos 4.56.0 2010.07.31 W32/AutoRun-BFF
Sunbelt 6667 2010.07.31 Trojan.Win32.Vobfus.a (v)
SUPERAntiSpyware 4.40.0.1006 2010.07.31 Trojan.Agent/Gen-VB[Morsam]
Symantec 20101.1.1.7 2010.07.31 W32.Changeup
TheHacker 6.5.2.1.328 2010.07.30 W32/VBNA.ajeu
TrendMicro 9.120.0.1004 2010.07.31 WORM_VBNA.SMN
TrendMicro-HouseCall 9.120.0.1004 2010.07.31 WORM_VBNA.SMN
VBA32 3.12.12.7 2010.07.30 -
ViRobot 2010.7.31.3965 2010.07.31 Trojan.Win32.Generic.57344.D
VirusBuster 5.0.27.0 2010.07.30 Worm.VBNA.Gen.3
Additional information
File size: 57344 bytes
MD5…: e58d2e5c536d4e6536652f74ba8dbd36
SHA1…: 6de1e7a80741ada40f2fc4de103a511218928452
SHA256: dd54092a5897f650348da4c77e1aae2f6b02e474e001c3816e79f99257e3157e
ssdeep: 1536:N3fU+yfmV2D8HOXlXsX3XnkcUckD98kMEk7I:VfNyfk2yzkcUckD98kMEr

PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x11ac
timedatestamp…: 0x4c3c2722 (Tue Jul 13 08:43:14 2010)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd008 0xd200 5.35 f96dbaf41c19247f5852d561ca0a3205
.data 0xf000 0x1d14 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x11000 0x894 0xa00 2.71 a18bd28900dcd4feb84b4e7d854c0971

( 1 imports )

MSVBVM60.DLL: -, -, MethCallEngine, -, -, -, -, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, EVENT_SINK_Release, -, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, -, -, -, ProcCallEngine, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 0 exports )

RDS…: NSRL Reference Data Set

pdfid.: -
trid…: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher…: n/a
copyright…: n/a
product…: e
description…: n/a
original name: FSSLkWJE.exe
internal name: FSSLkWJE
file version.: 6.12
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned

http://info.prevx.com/aboutprogramtext.asp?PX5=9A2C0CF700208B2DE074009B5D0CC900096216C7

  1. Run a boot time scan with avast.
  2. Run free Mbam. http://www.malwarebytes.org/mbam.php
  3. Post your results.
asyn

Thanks a lot Asyn!!!
I will do it and I'll tell you tomorrow, because I am working today. Do you know if I will lose all my data and folders?
Thanks

Hi asyn
I did what you said. The results are here:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4379

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/02/2010 11:30:18 PM
mbam-log-2010-08-02 (11-30-18).txt

Scan type: Full Scan (G:\|)
Objects scanned: 213 620
Time elapsed: 37 minute (s), 40 second (s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Infected Registry Data Items: 1
Infected files: 0
Infected files: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Infected Registry Data Items:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) → Bad: (“regedit.exe” “%1”) Good: (regedit.exe “%1”) → No action taken.

Infected files:
(No malicious items detected)

Infected files:
G:\ROCK\Thin Lizzy\Thin.Lizzy - Dedication\P1-2.jpg (Extension.Mismatch) → No action taken.
G:\System Volume Information\_restore{70C64950-8CA4-4E7C-A44C-7855A4BC8A0D}\RP553\A0092037.exe (Trojan.Agent) → No action taken.
G:\System Volume Information\_restore{983F414C-4557-49EE-AD3B-C0C7BEE154FE}\RP37\A0007558.exe (Malware.Packer.Gen) → No action taken.
G:\System Volume Information\_restore{983F414C-4557-49EE-AD3B-C0C7BEE154FE}\RP37\A0007561.exe (RiskWare.Tool.CK) → No action taken.
G:\System Volume Information\_restore{983F414C-4557-49EE-AD3B-C0C7BEE154FE}\RP37\A0007562.exe (Malware.Packer.Gen) → No action taken.
G:\System Volume Information\_restore{983F414C-4557-49EE-AD3B-C0C7BEE154FE}\RP37\A0007563.exe (RiskWare.Agent.CK) → No action taken.
C:\WINDOWS\system32\EHyuMPWj.exe.a_a (Trojan.Agent) → No action taken.

Finally, although I deleted the infected files, the problem remains the same.
Any other suggestion?

Let Mbam remove what it found…!
Your log says ‘No action taken’.
asyn

Hi Asyn
Unfortunately I didn't notice when it came to my screen…
I've just performed a new boot scan again as you said, but this time it found nothing:
Database version: 4384

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/03/2010 1:22:35 PM
mbam-log-2010-08-03 (13-22-35).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 301 119
Time elapsed: 1 hour (s), 23 minute (s), 42 second (s)

Memory Processes Infected: 0
Infected memory: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Infected Registry Data Items: 0
Infected files: 0
Infected files: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Infected Registry Data Items:
(No malicious items detected)

Infected files:
(No malicious items detected)

Infected files:
(No malicious items detected)

The problem remains the same again… I'm disappointed.

Did you run a boot time scan with avast yet…?
asyn

Turn off System Restore, as the virus has spread through the restore points.

- XP http://support.microsoft.com/kb/310405

Then run avast boot-time scan

http://www.schmahl.net/avastbootscan.php

Microsoft identifies the virus
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Vobfus.V

threatexpert
http://www.threatexpert.com/report.aspx?md5=5d891c97612df2b84d2abcec9f5e2383

avast
14.7.2010 - 100714-0
BV:Agent-DT [Trj], BV:Agent-DU [Trj], BV:Agent-DV [Trj], BV:Agent-DW [Trj], BV:Agent-DX [Trj], BV:Agent-DY [Trj], BV:Agent-DZ [Trj], BV:Agent-EA [Trj], BV:Agent-EB [Trj], BV:Agent-EC [Trj], JS:Downloader-YS [Trj], JS:Pdfka-AKB [Expl], NSIS:Downloader-BQ [Trj], NSIS:Downloader-BR [Trj], Win32:Alman-T, Win32:Alureon-HA [Trj], Win32:Alureon-HB [Rtk], Win32:AutoRun-BLS [Wrm], Win32:Bubnix-E [Rtk], Win32:Bubnix-F [Rtk], Win32:Bubnix-G [Rtk], Win32:Crypt-GWH [Drp], Win32:FakeAV-AMJ [Trj], Win32:Koobface-AZ [Rtk], Win32:Neptunia-FP [PUP], Win32:Patched-QK [Trj], Win32:Small-NMS [Trj], Win32:Stabs-G [Drp], Win32:StartPage-930 [Trj], Win32:Tiny-AGH [Trj], Win32:VB-PQT [Trj], Win32:VB-PQU [Trj], Win32:VB-PQV [Drp], Win32:VB-PQW [Drp], Win32:VB-PQX [Wrm]

You need to ensure that you keep yr system fully up to date.
With yr system fully up to date, you should pick up this virus and remove it from both yr system and the external HDD.

how well did the bootscan go?

Thanks a lot, all of you!!! I appreciate your help a lot!!!
I've made the boot scan with Avast as ASYN said above, but it found nothing…
I will try the solution of the other guys tomorrow and I'll tell you.
Thanks a lot again

You’re welcome…!
Keep us updated…
asyn

Before running MBAM, you need to ALWAYS update it prior to running a scan.

I set my System Restore off and AVAST performed a boot scan again for discs C, D & F (external). It gave no viruses, and after that the updated MALWAREBYTES gave me nothing again:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4384

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/04/2010 1:03:53 PM
mbam-log-2010-08-04 (13-03-53).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 301 472
Time elapsed: 1 hour (s), 14 minute (s), 16 second (s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Infected Registry Data Items: 0
Infected files: 0
Infected files: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Infected Registry Data Items:
(No malicious items detected)

Infected files:
(No malicious items detected)

Infected files:
(No malicious items detected)

I didn't understand where the malware was! My external HD's folders still appeared as shortcuts…

Open the avast interface by clicking the orange ball ‘a’ icon and go down to Maintenance → Virus chest and have a look what is in there. The chest will inform you what and where virus were found.

If the external disk is still showing shortcuts instead of folder names, it is likely that the malware has tried to cover itself by replacing the ID of these folders with a false ID. This happens, although I haven't had the shortcut situation myself, so I cannot say for sure.

For starters you should check the integrity of the external disk -
I won't suggest the best utility to do this with, but leave it open to the forum members.

Basically you test the external disk with a CHKDSK utility

  • if it is NTFS format there should be no worries, the command should be chkdsk /f or chkdsk /f /r
  • FAT32 is not so straightforward (ages since I did this, though I do it on system drives to good effect all the time)
  • this is a good means of bringing yr disk drives back to good condition, especially after infections

If no replies I will look up a utility or method myself, but a little busy at the mo.
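The symptom in this thread (every folder on the external drive showing up as a shortcut, and the shortcut message naming siodo.scr) can be checked for directly rather than by scanning alone. The script below is an added example written for this thread; it is not code from avast, Malwarebytes or any poster here. It assumes the pattern this worm family is known for: the real folder is still on the disk but marked hidden+system, and a .lnk with the same name has been dropped beside it whose command line launches an executable. A .lnk that matches a hidden sibling folder and runs a .exe/.scr is reported as suspicious; with -Restore the .lnk is moved to a quarantine folder (kept for analysis rather than deleted) and the folder is unhidden. The script name, its parameters and the quarantine path are my own choices.

```powershell
<#
  Added example for this thread (not avast, Malwarebytes or forum-member code).
  Inventory a drive for the "every folder shows as a shortcut" pattern and, with
  -Restore, undo it. Assumption: the worm set the real folders hidden+system and
  dropped a .lnk with the same name next to each one; a .lnk whose base name matches
  a hidden sibling folder and whose command line launches an executable (siodo.scr in
  the thread) is treated as the indicator. Run from an elevated PowerShell prompt:
      .\Find-FolderShortcuts.ps1 -Drive 'G:\'
      .\Find-FolderShortcuts.ps1 -Drive 'G:\' -Restore -Quarantine 'C:\lnk-quarantine'
#>
param(
    [Parameter(Mandatory = $true)][string]$Drive,   # root to inspect, e.g. 'G:\'
    [switch]$Recurse,                               # also look inside subfolders
    [switch]$Restore,                               # quarantine bad .lnk files, unhide folders
    [string]$Quarantine = (Join-Path $env:TEMP 'lnk-quarantine')
)

$wsh      = New-Object -ComObject WScript.Shell
$hidden   = [IO.FileAttributes]::Hidden
$findings = @()

# -Force makes Get-ChildItem return hidden/system entries, which the real folders now are.
$links = Get-ChildItem -Path $Drive -Filter *.lnk -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }

foreach ($lnk in $links) {
    $baseName = [IO.Path]::GetFileNameWithoutExtension($lnk.Name)
    $folder   = Join-Path $lnk.DirectoryName $baseName
    # Only a .lnk that shadows a real folder of the same name is of interest.
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }

    # Resolve what the shortcut actually runs (target plus arguments).
    $sc       = $wsh.CreateShortcut($lnk.FullName)
    $cmdLine  = ('{0} {1}' -f $sc.TargetPath, $sc.Arguments).Trim()
    $attrs    = (Get-Item -LiteralPath $folder -Force).Attributes
    $isHidden = (($attrs -band $hidden) -eq $hidden)
    $runsExe  = $cmdLine -match '\.(exe|scr|com|bat|vbs)(\s|"|$)'

    $findings += New-Object PSObject -Property @{
        Shortcut    = $lnk.FullName
        Folder      = $folder
        Hidden      = $isHidden
        CommandLine = $cmdLine
        Suspicious  = ($isHidden -and $runsExe)
    }
}

if ($Restore) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $i = 0
    foreach ($f in ($findings | Where-Object { $_.Suspicious })) {
        # Keep the .lnk for later analysis instead of deleting it; number the copies so
        # same-named shortcuts from different folders do not overwrite each other.
        $i++
        $dest = Join-Path $Quarantine ('{0:D4}_{1}' -f $i, (Split-Path $f.Shortcut -Leaf))
        Move-Item -LiteralPath $f.Shortcut -Destination $dest -Force
        # Clear system, hidden and read-only so the folder shows up again in Explorer.
        & attrib.exe -s -h -r $f.Folder
    }
}

$findings | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Hidden, Folder, CommandLine -AutoSize
```

Run it without -Restore first and read the CommandLine column: the shortcut's target tells you which file to hand to the antivirus, and a shortcut that merely points at its own folder with no executable is reported but not flagged. Do the restore only after the boot-time scan and MBAM have actually removed the dropped file, otherwise opening the unhidden folders on a still-infected machine just recreates the shortcuts.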

MKIS, thanks a lot.
If the problem persists on my PC, maybe it is a good idea to reinstall Windows? I think that is the desperate solution, because the malware changed some registry entries.

Before you decide to reinstall…
You can also try it here: http://support.emsisoft.com/forum/6-malware-removal-help/
asyn

Oh sorry, it was MBAM that picked up that infection.
Some of the other instances were in yr System Restore, so that is why I recommended turning it off for the time being.

Because the shortcuts situation was there before that infection was quarantined and deleted, it does not necessarily mean you are still infected, but you can run chkdsk on the system drive using the Start → Run utility: just type chkdsk in the Run box, click OK and see how you go.

MKIS I’ve already done it:

The filesystem type is FAT32.
Check the Windows files and folders …
The Windows found errors on the drive, but will not correct
because controlling the drive was not the parameter F (correction).
The size of the record \Documents and Settings\JOHNNY\Local Settings\Temp\~DF3AF3.tmp is invalid.
The \WINDOWS\Prefetch\CHKDSK.EXE-0C6DCB55.pf first allocation unit is Installation of yri. The entry will be truncated.
Finished verifying files and folders.
Convert lost chains to files (Y / N);

Okay, I'm guessing you are talking about the system drive.
Next time try typing ‘chkdsk /f /r’ (without quotations) in the Run box and click OK.
It will probably tell you chkdsk will run on the next boot, so restart and see how you go with that.
The /f parameter, which was not used last time, is the Fix command and the /r is the Repair command, so that should help,
but the chkdsk scan may take a long time.

Check the screenshot below for a chkdsk scan that I ran on a 512mb external hard drive; it took ages, there were lots of movies on the drive.
For an external drive you will need to type ‘cmd’ into the Run box to bring up the command line, and at the prompt, when it comes up, you need to type in the drive letter of your external drive followed by a colon (see how my drive letter was G: I typed G: to bring the command line to what you see on the top line of the screenshot (G:>)).
Then type in chkdsk /f /r like I did and follow the scan through; be warned, the scan may run for a very long time.

So that gives you both the system drive and the external hard disk that you can test with chkdsk /f /r and see what happens

but firstly may help to clean yr system with ccleaner or TFC and perhaps defrag the system as well so that chkdsk scan can run a lot smoother.

TFC - http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
ccleaner - http://www.filehippo.com/download_ccleaner/

Okay, I have to run now, as I'm in the middle of a job.
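The two chkdsk posts above (the NTFS-versus-FAT32 bullets and the Run box / cmd procedure for the system drive and the external drive) both come down to knowing which volumes you have, what file system each uses and whether Windows has already flagged one as needing a check. The script below is an added example written for this thread, not a utility from any poster or vendor. It queries that information through WMI and prints the chkdsk command for each volume; the function name is my own and it assumes the Win32_LogicalDisk class exposes FileSystem and VolumeDirty on the machine it runs on. Two facts it relies on: chkdsk /r scans for bad sectors and implies /f, and the volume Windows is running from cannot be locked, so chkdsk offers to run at the next boot.

```powershell
<#
  Added example for this thread (not forum-member or vendor code). Lists every fixed
  or removable volume with its file system and dirty bit and prints the chkdsk command
  to run for it. Assumption: Win32_LogicalDisk reports FileSystem and VolumeDirty here.
  Run from an elevated PowerShell prompt; dot-source or paste it, then call Get-ChkdskPlan.
#>
function Get-ChkdskPlan {
    # DriveType 3 = local (fixed) disk, 2 = removable; CD-ROM (5) and network (4) are skipped.
    $volumes = Get-WmiObject -Class Win32_LogicalDisk |
               Where-Object { $_.DriveType -eq 3 -or $_.DriveType -eq 2 }

    foreach ($v in $volumes) {
        $isSystem = ($v.DeviceID -eq $env:SystemDrive)
        if ($isSystem) {
            # The running system volume cannot be locked; chkdsk asks to schedule it for the next boot.
            $note = 'in use: answer Y to schedule the check for the next boot, then restart'
        } elseif ($v.FileSystem -ne 'NTFS') {
            # On FAT volumes /f turns lost chains into FILEnnnn.CHK files in the root (the Y/N prompt in the thread).
            $note = 'FAT volume: /f converts lost chains to FILEnnnn.CHK files in the root'
        } else {
            $note = 'can be checked now; chkdsk asks to force a dismount if files are open'
        }
        New-Object PSObject -Property @{
            Drive      = $v.DeviceID
            FileSystem = $v.FileSystem
            Dirty      = $v.VolumeDirty          # True: Windows already flagged the volume for chkdsk
            Command    = ('chkdsk {0} /f /r' -f $v.DeviceID)   # /r implies /f and adds the bad-sector pass
            Note       = $note
        }
    }
}

Get-ChkdskPlan | Format-Table Drive, FileSystem, Dirty, Command, Note -AutoSize
```

Volumes with Dirty set to True are the ones to run first; the external drive's row gives the exact command to type at the cmd prompt MKIS describes, with the drive letter already filled in, so you do not have to change directory to the drive beforehand.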