Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Exe files changing to .USS 1
- Thread starter Hainley
- Start date
Scan all the network drives that could have possibly been accessed by the infected computer while it was infected. We started out with one infected computer, which then spread itself to a connected application server (infecting all executable files on the server). Then, all computers that accessed those applications became infected.
I installed the new definitions and scanned the application server as well as every computer on the network (via the clients on each computer). So far it's cleaned several dozen files on the app server, and hasn't found any on the clients yet (I restored from backup the apps that are used by the clients and reimaged the infected clients themselves, so this is good news). The app server is a java-based Snap server, so I seriously doubt it could catch the virus itself.
However, if your AV software isn't finding the infected EXE files, this approach may not do much good. You're probably best off taking the network server down and reformatting any infected computers again. Then you can either restore the server from a known clean backup or wait until usable AV defs come out and clean out the server that way.
I installed the new definitions and scanned the application server as well as every computer on the network (via the clients on each computer). So far it's cleaned several dozen files on the app server, and hasn't found any on the clients yet (I restored from backup the apps that are used by the clients and reimaged the infected clients themselves, so this is good news). The app server is a java-based Snap server, so I seriously doubt it could catch the virus itself.
However, if your AV software isn't finding the infected EXE files, this approach may not do much good. You're probably best off taking the network server down and reformatting any infected computers again. Then you can either restore the server from a known clean backup or wait until usable AV defs come out and clean out the server that way.
Hi, thanks!
I have scanned the file server... but since it's not yet detecting the virus, it's pointless. We are in a novell environment, so not hyper-concerned about the servers getting infected (more that the virus may reside out there for someone to find), so have removed rights from the public directory. Have run scans on other pc's randomly and none are infected. I have removed the infected pc from the network.
Just received another response back from CA, and they are currently working on another new signature update.
Thanks again!
I have scanned the file server... but since it's not yet detecting the virus, it's pointless. We are in a novell environment, so not hyper-concerned about the servers getting infected (more that the virus may reside out there for someone to find), so have removed rights from the public directory. Have run scans on other pc's randomly and none are infected. I have removed the infected pc from the network.
Just received another response back from CA, and they are currently working on another new signature update.
Thanks again!
Symantec just released a writeup on the Tunk Worm/Virus:
It's a one-two punch. The file "UssaShohhdi.vbs" is the Worm portion that is run by the virus after infection. The virus portion is nearly every .exe file on the local computer, after infection (though they fail to mention that it attacks network drives as well; it did on mine).
Their latest LiveUpdate definitions are supposed to add protection from this, so it looks like they've finally caught up with the game. CA doesn't have it listed yet, though; I found them very frustrating in this manner when I ran their software (several years ago).
It's a one-two punch. The file "UssaShohhdi.vbs" is the Worm portion that is run by the virus after infection. The virus portion is nearly every .exe file on the local computer, after infection (though they fail to mention that it attacks network drives as well; it did on mine).
Their latest LiveUpdate definitions are supposed to add protection from this, so it looks like they've finally caught up with the game. CA doesn't have it listed yet, though; I found them very frustrating in this manner when I ran their software (several years ago).
Computer Associates final diagnosis 4/8/2004:
Win32.Shodi.B
Aliases reported by other AV products are listed here:
(I-Worm.Shoder) (W32/Shoder.a@MM) (W32.Tunk.A)
Vet update 11.4.8266 will have the cure, and they are still working on this release.
InoculateIT update 23.64.63 cures the infected files.
Thanks
Win32.Shodi.B
Aliases reported by other AV products are listed here:
(I-Worm.Shoder) (W32/Shoder.a@MM) (W32.Tunk.A)
Vet update 11.4.8266 will have the cure, and they are still working on this release.
InoculateIT update 23.64.63 cures the infected files.
Thanks
Regarding Virus EXE file:
The virus seemed to either embedded itself into a valid exe file or it replaces a valid exe file. We discovered this when we rebuilt a workstation and went to reinstall the client software. When we ran the setup.exe for the client install that newly built workstation became infected. This setup.exe file is the one we sent to McAfee in which they did the ID against and generated the EXTRA.DAT file. I am not sure how McAfee makes their EXTRA.DAT's available to other customers. As of 4/7/04 new DAT release this virus has not been included yet.
Scanning for the Virus:
After McAfee provided us with the EXTRA.DAT file we scanned infected workstations. Example, we scanned a XP pro. workstation and McAfee found and cleaned 300 exe files which were located throughout the hard drive. Most exe files were names of valid Windows files; netlogon.exe, etc. as well as other well know exe files like winword.exe, etc. So when ever you ran one of these standard exe files you become re-infected. (Note; even though McAfee stated the files were clean, we still rebuilt all infected workstations).
Mass Mailer Piece: The VBS script
FYI the vbs file that is created is suppose to be a mass mailer; fortunately it does not appear to work.
Good luck.
The virus seemed to either embedded itself into a valid exe file or it replaces a valid exe file. We discovered this when we rebuilt a workstation and went to reinstall the client software. When we ran the setup.exe for the client install that newly built workstation became infected. This setup.exe file is the one we sent to McAfee in which they did the ID against and generated the EXTRA.DAT file. I am not sure how McAfee makes their EXTRA.DAT's available to other customers. As of 4/7/04 new DAT release this virus has not been included yet.
Scanning for the Virus:
After McAfee provided us with the EXTRA.DAT file we scanned infected workstations. Example, we scanned a XP pro. workstation and McAfee found and cleaned 300 exe files which were located throughout the hard drive. Most exe files were names of valid Windows files; netlogon.exe, etc. as well as other well know exe files like winword.exe, etc. So when ever you ran one of these standard exe files you become re-infected. (Note; even though McAfee stated the files were clean, we still rebuilt all infected workstations).
Mass Mailer Piece: The VBS script
FYI the vbs file that is created is suppose to be a mass mailer; fortunately it does not appear to work.
Good luck.
- Thread starter
- #26
Symantec calls the main portion W32.Tunk.A, and the secondary (mass-mailer) portion VBS.Tunk.A. The definitions they've released for the past few weeks all contain information for it. I was able to use it to completely clean my existing infected systems and files.
- Status
Similar threads
- Locked
- Question