Captured virus on flash stick. How do I submit it without compromizing my network?

I've isolated a virus that goes straight through NAV2009 and NIS2009. I used Malwarebytes to get rid of it on the PC. I have an isolated PC with various AVs installed on different partitions/Win XPs. Malwarebytes IDs this as Trojan.Agent. Kaspersky IDs it as Worm.Win32.Agent.VL. Nod32 IDs it as Win32/Autorun.Agent.KC. Bitdefender IDs it as Trojan.Autorun.AAT and/or Trojan.Generic.1446476. All of them stopped the infection from entering the system, only NAV/NIS 2009 misses. Here's Malwarebytes' info on the infection.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-00we-aax5-77ef1d187562} :
C:\RESTORE\k-1-3542-4232123213-7676767-8888886 (Trojan.Agent)

c:\RESTORE\k-1-3542-4232123213-7676767-8888886\JUZZ.exe (Trojan.Agent)

c:\RESTORE\k-1-3542-4232123213-7676767-8888886\Desktop.ini (Trojan.Agent)

I still have the infected Flash.

Hi Pexley

Thanks for the response. I have 2 PCs. The 1st only has NAV2009 and now Malwarebytes. It is isolated, as in not connected to my network. I use this primarily to check customers' flash sticks before being used on our equipment. This is the PC that I've used to transfer the virus. I insert the infected flash, the PC is then infected. I then insert a 2nd flash to get it infected and then use the 2nd flash for testing on the 2nd PC.

The 2nd PC has 5 partitions with 5 WinXPs installed, each WinXP only has 1 flavour of AV installed, because I agree that 2 AVs on 1 PC causes problems. I am doing a sort of trial on the various AVs. I am not that familiar with Kaspersky (it's only the trial version) but I will have a look at the "open safely" option and see if I can submit it.

All of the WinXPs are on at least SP2 if not SP3. We retail NAV/NIS2009 and this is why I'd like to get this virus submitted else I'm gonna have egg on my face.

Raggety

I am assuming here that you don't mind reinfecting your NIS 2009 PC because it is isolated?

Anyway, assuming I'm right, do the following:

1) Download Zip Genius from www.download.com and put it on the not-yet-infected flash drive

2) Install on the isolated PC

3) Put the flash drive with the viruses on it into the isolated PC

4) Find the virus files and add them to archives (zip)

5) Put them on the flash drive

6) Put the flash drive in the non-isolated PC with a partition and AV that detects these viruses

7) Allow the auto-protect of the other AV to delete the active viruses on the flash drive

8) Upload the archives to the above link (previous post)

Matt

Hi Matt

You are correct. I don't mind infecting either of the boxes, that's my line of defense against viruses on flashes (which is probably the most common method of virus transfer in our neighbourhood). I have the following situation at the moment (following your concise steps). I cannot seem to do step 4, because I cannot see the virus file. My file options are set to view hidden and view system files. At the moment the 1st PC (as described above) has the virus infection on the HDD. The path for the virus file is : -

c:\RESTORE\k-1-3542-4232123213-7676767-8888886\JUZZ.exe

c:\RESTORE\k-1-3542-4232123213-7676767-8888886\Desktop.ini

This is according to Malwarebytes.

The method I've used to kill the thing off other PCs (had +/- 40 PCs infected) is to run Malwarebytes and let it remove the infected files. To remove the virus from the flash I run Malwarebytes with the stick in the PC and the stick needs to remain through the reboot of the PC. This is done by right-click on the stick in "My Computer" and "Scan with Malwarebytes".

Is a virus that is in a ZIP folder safe?

I just realised that I may be going about this the wrong way. As has been mentioned, "Turn Autorun OFF" and then I'll see if I can get the virus files zipped from the stick directly.

Thanks for the responses

Hi

Also there is http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/

If you zip infected files and password the zip folder then they are safe from accidental opening of the Malware and re-infection.

Quads

Thanks Quads, I'll get that now.

Just a note on disabling autorun in XP: I've used the reg file from this site http://antivirus.about.com/od/securitytips/ht/autorun.htm

If I've read it correctly this will disable autorun even if the security patch has not been loaded.

Hi Quads

When trying to download from http://www.precisesecurity.com/tools-resources/adware-tools/flash-disinfector/ NAV2009 blocks a trojan horse in file c:\...\temp internet files\content.ie5\pd1 ey98\flash_disinfector[1].exe so I'm assuming the thing is broken.

Rags

Norton does detect it as a Trojan, don't worry, just get Norton to exclude it then restore the file.

Quads

Hi Quads

I'm having difficulty locating the exclusion in Norton. I'm going to VERY temporarily switch off Auto-Protect and try and get it.

I have been able to get the files into a zip and have submitted it to Symantec. It's been a helluva thing trying to make sure that there is no active virus on the stick after inserting an infected one and then an uninfected one, but I think I've got it out safely (lol time will tell). I'll put a step-by-step together on the method I've used. I had to take a bit of a risk, but it wasn't so bad once I'd disabled the Autorun using the reg file method as I mentioned previously. I did this on both my isolated PC and the 1 I use connected to our network. This prevents the autorun.inf from doing its thing, even if you tell it to install (right-click on autorun.inf, Install). The infection JUZZ.EXE itself is not visible and it's not possible to launch it manually. The steps are as follows: -

Equipment used: -

1 x PC1 Isolated - XP Pro - SP3 - NAV2009 - Malwarebytes (to check if the virus has jumped and to clear it when necessary)

1 x PC2 connected to network and internet

3 x USB Flash Sticks called A, B and C

Flash A is the primary infected Flash and is never "cleaned". This is used to reinfect PC1 as many times as necessary.

Flash B is used to check that the virus can jump from PC1 to the flash. It's also used to make sure it can be killed before using B elsewhere.

Flash C is used for copying downloaded files from PC2 to PC1.

Method: -

1. DISABLE AUTORUN ON BOTH PCs. Until doing this I could not stop FlashA infecting PC1. I used the registry method as suggested from this website
http://antivirus.about.com/od/securitytips/ht/autorun.htm

NOTE: REBOOT after doing the registry change. (I missed that step and infected FlashB.)

2. Run Malwarebytes on PC1 to make sure there is no current infection.

3. Insert FlashA into PC1.

4. Open FlashA and archive both the autorun.inf and the Restore folder. This creates a file called restore.zip.

5. Remove FlashA and run Malwarebytes to make sure there is no infection on PC1. My assumption here is that disabling the Autorun made the virus action inert because there was no infection on PC1.

6. Insert FlashA into PC1 and FlashB into PC1. Copy the zip file from FlashA to FlashB. Remove both Flash disks.

7. Run Malwarebytes again on PC1. Just to make sure.

8. Insert FlashB into PC1. Check the contents to make sure that there is only the zip file onboard.

9. Insert FlashB into PC2 and submit to Symantec.

10. Run Malwarebytes on PC2. Just to make sure.

A bit long-winded but I couldn't think of a safer way to do this. I would like to thank all members of the community for the help. I hope that Symantec will be able to use the file I've submitted to give us more protection.

Kind regards
Rags
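The "disable autorun" step that the method above hinges on, written out as an added example; this is not the reg file from the thread or from the linked site, and the values are the commonly documented XP-era ones, so treat them as an assumption to check against your own environment. It disables AutoRun for all drive types, forces Windows to honour that setting on patched systems, and maps autorun.inf to a non-existent key so the file is never parsed even on an unpatched system. Reboot afterwards, as the post notes.

```reg
Windows Registry Editor Version 5.00

; Added example (not from the thread). Bit mask 0xFF = disable AutoRun on
; every drive type (removable, fixed, network, CD-ROM, RAM disk, unknown).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
; On systems with the AutoRun security update installed, this makes Windows
; actually honour NoDriveTypeAutoRun instead of caching the old behaviour.
"HonorAutoRunSetting"=dword:00000001

; Belt-and-braces for unpatched XP: redirect autorun.inf parsing to a
; registry key that does not exist, so no autorun.inf is ever acted on.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
```

Save as a .reg file, double-click it on each PC, then reboot before inserting any stick; you can confirm the values with regedit afterwards.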

 

Hi Raggety

Sorry that my initial instructions didn't work, I realised they might not while I was typing, and I was going to suggest safe mode... but then I couldn't remember if safe mode had USB support, and I couldn't find a program, or instructions, for zipping files in safe mode!!! **bleep**. Anyway, well done with what you did! I would hang on to one of the flash drives though...

May I ask, if your one PC is isolated from the network, is it from the internet as well? If so, how do you update your Norton? :) Through Intelligent Updater?

Either way, I would suggest scanning those viruses with Norton in a few days' time and see if the defs have been added... if not, please let us know and give us the Tracking Numbers so we can see if we can get the attention of one of the mods to have a look for you if at all possible :)

Regards

Matt

Hi Matt

Thank you very much for your step-by-step instruction. It helped to get ordered thinking. As I said, step 4 didn't work and I think there should maybe have been a step 4a, which would have been to kill the virus from the flash again, before step 5, which I would have modified to read "put the zip files on an uninfected flash". The point is you did help and I appreciate it.

I've kept the zipped virus on the isolated PC and it now seems inert (not active). I've tested restoring the zip onto a flash stick (and enabling autorun) and it works. This morning I went to a callout where they had exactly the same virus so I re-infected one of my sticks, so in a sense I still have the alpha on a flash again. Another thing happened which was slightly different, Norton was reporting (fairly regularly) that a Trojan Horse had been blocked. The path to the Trojan Horse is "C:\Documents and Settings\usrename\e9w7h1z7x3s2.exe". I'm positive this is part of the virus as a similar thing was happening with the NIS2009 PCs (where I initially found the infection) except that Norton wasn't alerting (may be a setting, I'm not there to check now) and the .exe's remained on disk but failed to launch and merely produced a number of DOS boxes. I didn't worry too much about the .exe's because they were failing. It was more important to kill the infection. The .exe filenames change with every failed launch so you end up with dozens of them. Once the infection is killed just delete the .exe's from all the profiles.

I've actually got 2 PCs isolated from the network. When starting something like this the PCs are normally reloaded from images and then Norton is loaded and updated while the PC is connected to the network. We also run a Linux Squid proxy (in transparent mode) so when the update gets to the 16.5 version we have to run a patch to get more updates (bit of a sore point with me coz there are so many reboots). I try to avoid using Intelligent Updater because previously it didn't contain program updates, I'm not sure if that's changed in the 2009 release. I will certainly update this thread when Norton catches the virus.

Incidentally, if anyone tries something similar PLEASE make sure you have the infected flashes stored very safely. Mine was accidentally borrowed while I was out, causing extra work.

Kind regards

Rags

I've just whitelisted SecurityResponse and got their automation e-mail. It says that it cannot find any malicious content in the files submitted. Do I have to do something more? Maybe I should submit those .exe's after all. I just feel that the .exe's are a symptom and not the cause.

Rags