virus: HTML/Ramnit!generic

Hi all,

This is my first post. I do have a virus to report. Not sure how to go about this. Will be sending the info to avast at their virus alert email address. But I want to make sure I’ve got all the info they need.

My virus scanner passed the (non-)enclosed files although all are infected. [password-protected zip file obviously not included with this post]

Occurred on a network. Infected only the USB drive. I don’t remember if I booted the computer with the USB attached.

Virus scanner: eTrust Antivirus, Version 8.1.637; vet.dat 36.1 7958 05/11/2010

Microsoft Internet Explorer
Browser Version 6.0
Operating System Microsoft Windows XP
User Agent String Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)

I do not know if the virus infected the USB boot sector. (How do I tell?)

The virus creates the following files and directories:

- creates autorun.inf in USB root directory with +shr attributes;
- creates “Copy of Shortcut to (1).lnk”, “Copy of Shortcut to (2).lnk”, “Copy of Shortcut to (3).lnk”, “Copy of Shortcut to (4).lnk” in USB root directory; “(4)” was only 887 bytes, I no longer have the file, the virus scanner deleted the detected infected files;
- creates USB hidden root directory named Recycler;
- creates subdirectory with what I assume is the registry user i.d. (i.e. S-5-1-xx-354xxx7583-7877xxx562-356306123-xxxx);
- creates cpl and exe files inside the subdirectory, different names with each infection, but always one “cpl” and one “exe” file:

first infection:
igtaiwpk.exe
xrjnjuci.cpl

second infection:
uvjedcmv.exe
ltjyyprh.cpl

Virus alters infected files’ date & time stamp to date & time of infection. Virus adds lengthy code to end of html files in root directory and in subdirectories, bloating them out of shape. Virus did not seem to infect the “mht” file located in a sub-directory.

Virus changed two USB root directory “exe” files slightly, also changing date & time stamp; but did not change sub-directory exe files.

“exe” changes:

Comparing files ZIP.INFECTED and ZIP.EXE
00000140: 44 00
00000141: E3 F0

Comparing files UNZIP.INFECTED and UNZIP.EXE
00000130: 84 00
00000131: B2 C0
00000138: DA 80
00000139: C0 89

I think I may have booted my home computer with infected USB drive attached. I’m running Windows NT 4.0; I use third party USB software which loads last after I log on. There seems to be no sign of infection on my home computer. Thankfully I never opened the infected html files. I have compared the registry to a backup copy from several months ago. No suspicious files on hard drive either. No internet on home computer.

Anything else I need to add?

Thanks in advance for your patience and help.
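As an added example (not code from the original post or from any of the replies), a small Python check that looks for the USB-drive artifacts the post above describes: autorun.inf in the root, the “Copy of Shortcut to (N).lnk” files, a RECYCLER subdirectory with a SID-style name holding one .exe and one .cpl, and HTML files with script appended after the closing </html> tag. The sample directory tree, the SID-style name and the file contents it builds are constructed stand-ins, not real infected files.

```python
import os
import re
import tempfile

LNK_RE = re.compile(r"^Copy of Shortcut to \(\d+\)\.lnk$", re.IGNORECASE)  # names from the post
SID_RE = re.compile(r"^S-\d+-\d+(?:-\d+)+$")  # RECYCLER\S-1-5-21-... style subdirectory

def html_has_trailing_script(path):
    # Appended code shows up as a <script> tag after the document's final </html>.
    _, sep, tail = open(path, "rb").read().lower().rpartition(b"</html>")
    return bool(sep) and b"<script" in tail

def scan_usb_root(root):
    """Return human-readable findings for the removable drive rooted at `root`."""
    findings = []
    entries = {n.lower(): n for n in os.listdir(root)}  # case-insensitive lookup
    if "autorun.inf" in entries:
        findings.append("autorun.inf present in drive root")
    lnks = [n for n in entries.values() if LNK_RE.match(n)]
    if lnks:
        findings.append("%d 'Copy of Shortcut to (N).lnk' files in root" % len(lnks))
    rec = os.path.join(root, entries.get("recycler", "recycler"))
    for sub in (os.listdir(rec) if os.path.isdir(rec) else []):
        subdir = os.path.join(rec, sub)
        if os.path.isdir(subdir) and SID_RE.match(sub):
            exts = {os.path.splitext(f)[1].lower() for f in os.listdir(subdir)}
            if {".exe", ".cpl"} <= exts:
                findings.append("RECYCLER\\%s holds an .exe and a .cpl" % sub)
    for p in (os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs):
        if p.lower().endswith((".htm", ".html")) and html_has_trailing_script(p):
            findings.append("script appended after </html>: " + os.path.relpath(p, root))
    return findings

SAMPLE = [  # constructed stand-ins mirroring the layout in the post; nothing here is malicious
    ("autorun.inf", b"[autorun]\r\n"),
    ("Copy of Shortcut to (1).lnk", b""), ("Copy of Shortcut to (2).lnk", b""),
    ("RECYCLER/S-1-5-21-1000-2000-3000-500/igtaiwpk.exe", b"MZ"),  # constructed SID name
    ("RECYCLER/S-1-5-21-1000-2000-3000-500/xrjnjuci.cpl", b"MZ"),
    ("docs/clean.htm", b"<html><body>ok</body></html>\r\n"),
    ("docs/TPStory.htm", b"<html><body>ok</body></html>\r\n<script>' placeholder</script>"),
]

def demo():
    # Write the constructed sample into a temporary directory, scan it and return the findings.
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE:
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "wb").write(data)
        return scan_usb_root(root)
```

Pointing `scan_usb_root` at a mounted drive letter or mount point reads file names and bytes only; it never executes anything on the drive.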

Welcome to the forum. If you know which file is infected, add it to the Avast Chest and send it from there.

A second tip is to run an antivirus scan with the Panda USB scanner and clean that USB, if you think you got hit from it.

http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

Good luck and let us know how it goes.

@ newbienew,

In addition to the good suggestions given by mikaelrask’s post, I would also do the following:

  1. Please let us know if Avast detected anything in your scans. If so, what is the name of the infection? A screen shot would be ideal; if not, please type the exact name of the infection. Hopefully you put it in the Virus Chest.

  2. Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
    - Download free http://www.malwarebytes.org/ (the blue button) for an on-demand scanner.
    - Double Click mbam-setup.exe to install the application.
    - After install, click update so you have latest database before scanning.
    - Under Settings:
      - General: Automatically Save File After Scan Completes is checked off
      - Scanner Settings: Check all boxes
      - Updater: Download and install update if available is checked off
    - Once the program has loaded, select “Perform FULL Scan”, then click Scan.
    - The scan may take some time to finish, so please be patient.
    - When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
    - Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
    - The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    - Copy & Paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts – Click OK to either and let MBAM proceed with the disinfection process; If asked to restart the computer, please do so immediately.

  3. Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining the OTL logs. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse; the logs will be on your desktop > Post). Please do not make any further changes to your machine after you have provided the logs.

After reviewing the logs, we will refer you to one of our malware experts, named Essexboy. Please let us know if you have any questions. Thank you.

+1 on that post there SafeSurf :smiley:

First off, thanks for all for your helpful posts. There’s so much to savour. I will respond to the other points and suggestions later. But for now…

Yes! But only 5 out of 7. I ran eTrust first and it deleted all but seven of the infected files. It found no trace of virus in those seven. I then ran Avast. AVAST identified the following virus in the seven remaining files:

Autorun.inf — INF:AutoRun-gen3
JSSERV.HTM — VBS:ExeDropper-gen
JSSERV1.HTM — VBS:ExeDropper-gen
TPComment.htm — VBS:ExeDropper-gen
TPStory.htm — VBS:ExeDropper-gen
Unzip.exe — no virus found
Zip.exe — no virus found

To save you the trouble of poring through my first post, I’ll re-post the relevant section:

The virus changed two USB root directory “exe” files slightly, also changing date & time stamp; but did not change sub-directory exe files. (These changes are not version differences; I downloaded both files and saved a backup copy to a write-protected diskette many months ago.)

“exe” changes:

Comparing files ZIP.EXE (INFECTED) and ZIP.EXE (NORMAL)
00000140: 44 00
00000141: E3 F0

Comparing files UNZIP.EXE (INFECTED) and UNZIP.EXE (NORMAL)
00000130: 84 00
00000131: B2 C0
00000138: DA 80
00000139: C0 89

I still have all seven files. I have zipped and password-encrypted them for sending to Avast.

I renamed the extensions.

Question: Do I limit the possibility of exe and zip files getting infected if I rename their extensions? In other words I rename backup.exe and archive.zip to backup.ex_ and archive.zi_. Can a virus still attack these files?

Once a file is in the Virus Chest (VC), it is safe there and cannot harm your machine. I would have preferred that you not rename anything because I am going to refer you to a Certified Malware Expert and this may make it more difficult for him, but do not make any changes to them now that you have done this.

Please try to post a screen shot of the items in your VC so that we can see the entire file. Thank you.

Because you ran eTrust first and it deleted all but seven of the infected files, there could still be hidden malware in your machine.

In addition, to collect information I need for the malware removal expert, I also need you to do the following (read the directions carefully and please do not add other items or scans in on your own):

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining an MBAM log… I still need it (make sure you update MBAM first) and the OTL logs. Post the MBAM log and the two (2) OTL logs as an attachment (Additional Options > Attach > Browse; the logs will be on your desktop > Post).

I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily. I will continue to provide assistance in the meantime, then remain in the background while he works with you.

Please do not make any further changes to your machine once you have provided the logs.

Let me know if you have any questions. Thank you.

Thank you for your helpful comments. I do not have a VC. As I explain in my first post, there are two computers: the network computer where the infection occurred, and my home computer where I discovered the USB infection. The network computer is not my responsibility. I have informed the IT department and they are aware of the problem; they have Deep Freeze and have ensured that their system is safe and virus-free; I have confirmed this myself. On this computer I ran an eTrust and AVAST virus check on my USB. eTrust passed seven infected files and AVAST passed the two exe files that I referred to in my previous post.

My own home computer and my USB drive are my primary concerns. I do not have internet on this computer. I can verify that my registry is safe; I have compared it to a year old text registry backup file. My hdd Master Boot Record is also safe; I also compared it to a several year old backup copy on a write-protected diskette. No mysterious new hidden files have appeared on my hard drive. No files have mysteriously changed date & time stamp or size. My USB drive boot sector is an unknown element since I have nothing to compare it to. However from what I’ve read on the internet this virus doesn’t seem to go there.

Unfortunately I cannot get mbam to work on my home computer. When I attempt to install mbam-setup-1.46.exe, I get the following error:

Runtime Error (at -1.0):
Cannot Import \is-QIUUC.tmp\mbam.dll

I cannot install setup_av_free.exe either. I get an error message telling me that the program is not a valid Windows NT application.

Sorry for any confusion. I’m new to all this.

Once again, many thanks for your advice and interest. :slight_smile:

I have contacted Essexboy for his opinion regarding your situation. He will respond to you in this thread. Since he is on UK time, he usually checks the forum late in the UK time zone. In the meantime, I will continue to provide you assistance. Thank you for your patience.

Could you copy this programme to your USB and then run it on your system. Use the same route to get the log back here.

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
  Reg - NetSvcs
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
  File - Purity Scan
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Unfortunately I get the following message when I attempt to unpack the program:

An application error has occurred and an application error log is being generated.

OTS.exe
Exception: (0xc0000025), Address: 0x77f892e5

I can however confirm that there are no abnormal error logs in my EventViewer. There are no new keys in my registry.

That is a generic memory error and has no specific meaning, but if you are happy your system is OK