URGENT!! beta-INSTALLER IS VIRUSED!
our systems are being cleaned by Stinger at the moment. Hopefully we will be back online in a bit ... sorry for the inconvenience ...
for those that have downloaded the file (should only be a couple of people because it was online for only 5 min or so) please do a full system scan with stinger: http://vil.nai.com/vil/stinger/
here is some more info about the virus ... it's pretty harmless thank god.
Virus Characteristics
This is an encrypted parasitic file-infecting virus and network aware worm. It appends PE EXE and SCR files in the Windows directory and subdirectories on the local system, as well as on any accessible network share. The virus creates an additional PE section with a random 3 letter section header followed by the character "â¢".
The virus creates the following Registry key:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
The virus does not store the original file size, and hence cleaning of this virus will not leave the original executables at their original size. In the majority of cases this will not cause an issue as the growth in file size is non-infectious "garbage" data at the end of the file. Certain applications which undertake a self-check will not run after cleaning and should be deleted and restored from backup.
Additionally the virus may mis-infect files with an incomplete virus body and leave the executable non-functioning. These damaged samples are detected as W32/Pate.b.dam, cannot be repaired, and should be deleted and restored from backup.
Indications of Infection
- Increase in file size by approximately 177Kb
- Presence of aforementioned registry key
Method of Infection
The virus drops a UPX packed executable in the user temporary directory and executes it.
This file is actually a DLL, 176,128 bytes in length, bearing a random filename with a .TMP extension (e.g. SQH9.TMP). The DLL is injected into the EXPLORER.EXE process, thus keeping the virus memory resident.
The virus enumerates all network shares and infects all PE .EXE and .SCR files that it has write access to.
Removal Instructions
Use specified engine and DAT files for detection and removal.
Infected systems should be removed from the network and repaired prior to placing them back on to the network. Failure to do so can result in further infections.
Note: The UPX-packed dropped DLL is injected into the EXPLORER.EXE process for the virus to remain memory resident. Cleaning involves the unloading of this DLL from EXPLORER, which requires the 4.2.60 engine (or greater). A reboot may be required after the .dll is removed from explorer.exe.
As this threat seeks open shares, turn off full share to your system. If you have to use shares, use password protection to avoid being a future target.
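A triage sketch for the file indicators quoted above, added here as an example and not part of the thread or the vendor description: it reads PE section names to flag an appended section named as described, and checks a temp file against the dropped DLL's quoted size. The function names are hypothetical, the fourth name character (garbled on this page) is assumed to be any single non-alphanumeric byte, UPX's default section names (UPX0/UPX1) are assumed, and the input images are constructed.

```python
import struct

DLL_SIZE = 176_128       # dropped DLL length quoted in the description
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag marking a DLL

def pe_sections(data):
    """Return (characteristics, [raw 8-byte section names]) or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, chars = struct.unpack_from("<HH", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    # Stop at the end of the data so truncated (damaged) files do not raise.
    count = max(0, min(nsec, (len(data) - table) // 40))
    return chars, [data[table + 40 * i:table + 40 * i + 8] for i in range(count)]

def suspicious_last_section(names):
    """Assumed pattern: last name is 3 ASCII letters + 1 non-alphanumeric byte."""
    name = names[-1].rstrip(b"\0") if names else b""
    return len(name) == 4 and name[:3].isalpha() and not name[3:].isalnum()

def dropped_dll_candidate(filename, data):
    """.TMP name, exact quoted size, DLL flag set, UPX default section names."""
    parsed = pe_sections(data)
    if parsed is None or not filename.upper().endswith(".TMP"):
        return False
    chars, names = parsed
    upx = any(n.startswith(b"UPX") for n in names)
    return len(data) == DLL_SIZE and bool(chars & IMAGE_FILE_DLL) and upx

def build_pe(names, chars=0x0102, total=0):
    """Constructed header-only PE image for the demo (not a real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, chars)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return (bytes(dos) + coff + table).ljust(total, b"\0")

if __name__ == "__main__":
    grown = build_pe([b".text", b".data", b"qzx\x95"])  # constructed names
    dll = build_pe([b"UPX0", b"UPX1"], chars=0x2102, total=DLL_SIZE)
    print(suspicious_last_section(pe_sections(grown)[1]))
    print(dropped_dll_candidate("SQH9.TMP", dll))
```

A match from either check is a reason to scan the file with a current engine and DAT set, not a verdict on its own.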
Thanks for the name.
Bart's advice is correct.
Here are more details if you've been infected or want to verify.
This virus is a file infector = it infects .exe files and .scr files.
PE exe file = program
UPX packed executable = install file, or autoextract zip file in exe format.
You need to verify that your anti-virus is scanning the PE and UPX files (this is not the case for old anti-virus software such as McAfee VirusScan 4.03, McAfee VirusScan 4.5, etc.)
You need to be sure that you have the latest:
- anti-virus software version
- virus definitions version
- scan engine version
This virus is a quick virus = it will infect all .exe files in a couple of minutes.
This virus will also spray on your network only if you do not use a password on your share folder.
Some applications may not run after infection, and
cleaning = you will need to restore the original exe file.