Thumbcache_131.exe usb stick virus/trojan

Hi all-

Has anyone come across a USB stick trojan/virus which uses the following files?

usbdrive:/BOOTEX/Thumbcache_131.exe usbdrive:/autorun.inf

It is rampant at work so I really can’t use my mobile desktop suite… The XP boxes are all running a fully updated symantec ‘endpoint protection’ thingy which doesn’t seem to detect anything. Avast quite happily scans my infected USB stick and finds nothing…

There are references to the files elsewhere on the web but I can’t find a designation or a description of what it does. Simply deleting the /BOOTEX directory and the autorun seem to clean the stick but I can’t see exactly what else has been affected.

A boot-time scan (pre-FP problems) cleaned some things in my /system32 (new2.exe) but I can’t be sure that’s all that this potential virus does…

As far as I have seen it working, it creates the above files on every inserted USB stick in an infected machine. When these sticks are inserted into another machine (?infected or not?) the autorun settings insert an extra option at the top of the list in the ‘autoinsert options’ which looks similar to the windows explorer entry further down, but not the same. Beyond this, I haven’t seen any evidence of what else it does. I don’t remember if there’s a ‘new’ process running from the task manager list.

Initial scan with a couple of rootkit detectors turned up nothing.

Any ideas anyone? Thanks!

Hello Olster

you can upload Thumbcache_131.exe to virustotal.com and post the link to it here.

together with that,

If you have any suspicious files that are not detected by the latest version of our antivirus programs, you can send them to virus@avast.com. The ideal way to send such files is to compress them as a ZIP file with the password 'virus' (so that the attachment is not deleted by some other antivirus software on the way).

nmb

Thanks NMB-

Will upload as soon as I can remove the locks on it.
The sharing violation lock on the autorun.inf wasn’t too hard to break but having trouble with the BOOTEX directory. I’ll probably run it through R-Studio and ‘recover’ it as a lost file to bypass the [somehow] locked system and hidden status.

The command line ATTRIB find the files: (I have managed to rename the folder to ‘2’ but no more…)

F:\2>attrib A SH F:\2\Desktop.ini A SH F:\2\thumbcache_131.exe

Other than using a linux / mac box (which I don’t have) I’m not too sure that safe mode will support USB sticks… I’ll have more of a play tonight.

In the meantime, here’s the contents of the autorun.inf:

autorun] [autorun[ autorun[ [autorun :jmp8 open=BOOTEX\thumbcache_131.exe :jmp3 icon=%SystemDrive%\windowS\system32\SHELL32.dll,4 :jmp3 action=Open folder to view files using Windows Explorer :jmp0 shell\\\\open\command=.////BOOTEX/thumbcache_131.exe :jle7 shell\\\\\\\explore\command=BOOTEX/thumbcache_131.exe useautoplay=1 [AutoRun] :GOTO NULL

I’m not up on my autorun syntax so I’m not totally sure what this does other than [?]try to run thumbcache on insertion.

More later…

Thanks

Hi Olster,

Download Flash Disinfector from here: http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
and save on some non windows drive.
Double click on it and it will ask you to insert USB flash drive and click ok. Do so. (see attached picture)

Clicking on ok will make your desktop go blank, don’t worry, its normal.
It will fix the autorun.inf virus and you are done partially. Yes, its a partial solution, it will lock the autorun file and you will see some file created by flash disinfector. If you remove the file, the virus get re activated. May be some future update of our antivirus softwares will have complete fix for this,

so I advise you to install this USB av-software for a more enlasting protection:
To protect your computer from viruses, Trojan or malware a good antivirus solution for your USB devices is a necessary. Mx One is such a free antivirus designed to protect you external storage devices like USB stick or pen drives , iPod., mp3, mp4, M2, SD, microSD. Download: http://jayaprakashkv.blogspot.com/2008/07/download-free-usb-sticks-antivirus-mx.html home-site for this tool: http://mxone.net/en/

Features.

  • Protection against: Virus, Trojans, Worms, Spyware (Spyware), Hacking Tools (Hacktools), Software Risk (Riskware).
  • Compatible with any antivirus resident like for example: Nod32 ™., Kaspersky ™. BitDefender ™. AVG ™., Norton ™., Panda ™. AVG ™, ™ Avast, Avira Antivir ™, among others.
  • Protection in realtime with …
  • System “CHECK AND DESTROY” detects and removes all viruses that attempt to infect your device while connected to an infected PC, even unknown viruses.
  • System Protection “Guardian” protects your PC from viruses that come in infected and USB devices to connect to your computer infected no matter what if the device has Mx One Antivirus installed or not, also detects even unknown viruses.
  • Protection against unknown viruses and new variants with “Heuristic ONE” AND “GENERIC ONE”
  • You only need very small 1Mb of space available on either the PC or on removable media.
  • Completely free,

polonus

Thanks Polonus-
I think that’s the next thing to do. I do need the USB stick to be used in both. IT at work is pretty minimal so I doubt they’d sort anything out before the new year.

NMB-

Safe mode allowed me to access the files which were as I listed earlier. Avast does now pick them up, though when they were in the original directory it didn’t.

Here’s the virustotal link:
http://www.virustotal.com/analisis/cc0cffeaf4c8b346825ce4920040bc5157f471be9a11427f8e80ea42ee6497cf-1258992920

It seems to already be well known so definately a virus, maybe a different disguise.

Does anyone know what it actually does???

Thanks!

Olster,

when you upload the file, if VT shows that the file is already analysed, click scan again. lets see the latest results of this thing. the one which you have submitted is 23rd November one.

thanks
nmb

Hi Olster,

More info on this detection here:
http://www.pc1news.com/virus/alias-virtool-win32-delfinject-gen-j-17306.html

polonus

Thanks guys-

Here’s the new virustotal link:
http://www.virustotal.com/analisis/cc0cffeaf4c8b346825ce4920040bc5157f471be9a11427f8e80ea42ee6497cf-1260119695

Looking through my boot timne scan log, it copied itself to a root directory. C:_OTM
I still have no idea what this thing actually does though.

I now have Mx One running and protecting my USB sticks, though it doesn’t detect this virus…

Oli

Hi, I’m trying to find a solution to this virus too. It’s main reason is to spread to everything possible. HDD, USB, Network drives.

Our high school was infected with it at one computer, and it spread to every computer that was logged on to the network.

A friend of mine found the virus when he got home and for a couple of days thought not much about it.

But we soon found the virus was infecting the computers all around school and found the bootex folder and the autorun.inf (the file used to autorun the thumbcache_131.exe file in BOOTEX.

We tried many main stream antivirus programs and going through command prompt. But nothing worked.

We came across a solution AS OF TODAY of how to remove the virus off the computer (the Hard drive only).

It plants itself deep into the registry and in files. It will also restore itself if deleted. Same as the usb.

The only way to fix your USB devices is formatting in linux or deleting the BOOTEX folder + the autorun.inf file. When you delete those, delete the .TRASH*** folder that linux creates when files are deleted.

Don’t try to format you drive in a clean computer, and formatting a drive on an infected will reinfect the drive again.

http://www.virustotal.com/analisis/cc0cffeaf4c8b346825ce4920040bc5157f471be9a11427f8e80ea42ee6497cf-1260119695

http://www.threatexpert.com/report.aspx?md5=ad3acf9f761d4c650f95915a2308d8b6


Details from ThreatExpert

A network-aware worm that attempts to replicate across the existing network(s)

[file and pathname of the sample #1] 123,904 bytes

MD5: 0xAD3ACF9F761D4C650F95915A2308D8B6
SHA-1: 0xE7B3C83DE5C26CF8DF7419BABEC234A8ED32ED33

W32.SillyDC [Symantec]
P2P-Worm.Win32.Palevo.lhk [Kaspersky Lab]
BackDoor-EEF [McAfee]
Mal/EncPk-JU [Sophos]
VirTool:Win32/Injector.gen!AD [Microsoft]
Win-Trojan/Pher.103424 [AhnLab]

[b]

I wasn’t there when we found the tool to remove the files (requires safe mode + the .exe file)

We’re currently testing this method on a school infected computer, and if it succeeds, we’ll create a bat file to run in this way:[/b]

Restart (Confirm user shutdown in 60 seconds)
Computer reboots
Safe Mode is activated
Windows Loads in safe mode
bat file continues on with loading the cleaner file (.exe)
cleaner is paced through an automatic run from the bat file (any settings that ask for yes, no, ok, next, forward, etc) to run the program automatically.
Cleaner cleans house
Reboot into normal Windows


For USB’s only method that worked:

was a Linux OS opening the drive
Go to View > Show Hidden Files
Select the folder BOOTEX
Press delete
Select autorun.inf
Press delete
NOT THAT A NEW FOLDER WILL APPEAR, called .TRASH*** (*'s represent numbers)
That is the Linux backup recyle bin.
Select the folder, and delete it.

Your drive should be clean now, to make sure, you can scan with Prevx, Kaspersky, Avast. (IDK about AVG, I have no portable version to test).

A Linux Avast! is available for Ubuntu and other LINUX os: http://www.avast.com/eng/download-avast-for-linux-edition.html

download the .deb for Ubuntu and install
You need a register key from the website the program says for you to go to.
UPDATE IT, the virus is actually recent to the database, and the database is outdated anyways, but months.

Prevx is a great anti-malware program, and a free version is available.
This free version ONLY detects threats, it is VERY good at this job.

Prevx: http://prevx.com/

Install, it’ll do a learning scan.

Then if nothing comes up, go to my computer right click on the drive and click Scan with Prevx