On 12 Dec 2006 23:04:43 -0000 [EMAIL PROTECTED] wrote:
> VAR in Honolulu has a previously squeaky clean XP system now infected with
> something strange:
> Symptom list:
> 1) All desktop icons disappeared
> 2) When recreated by hand, some days later they all were rendered un-runnable
> because they had all been renamed with an additional .lnk suffix.
> 3) On every boot, after the XP splash screen, but before User Login (2
> profiles), there is a 4" x 5" screen with an Exit and an OK button. The
> screen shows a black background which overlays the XP blue login screen; it
> looks like a VB screen. The name in the top bar changes on every boot, such
> as c:\windows\system32\mup.sys, or i20mgr.sys, etc. This full file name is
> preceded by usually 8 small box characters. Inside the white body of the
> screen there are a few special characters: [\} and a character that looks
> like an inverse equal sign, standing vertically.
> 4) CTRL-ALT-DEL at this point shows you flashes of blue underneath
> 5) The Outlook .PST file is missing
> 6) My antivirus and all other SYSTRAY items are gone
> 7) IE6 or IE7 won't connect to home page, instead Internet Properties opens
> on the General Tab
> 8) Trend Micro PC-Cillin 2006 sees nothing, same with their Housecall and
> WinSIC, or SYSCLEAN utilities.
> 9) MS RootkitRevealer finds nothing.

I haven't seen anything like this, but that doesn't mean much :)

> Infection route: while it could have been web browsing, or email, I really
> think it came from an odd incident when a client came in with CAD files to
> print on a thumb drive. Trend says thumbdrives don't infect PCs, though I've
> looked at the U3.com software available for a SanDisk Cruzer (and several
> other makes) and it seems like there's a CPU in it, because you can scan a new
> PC for viruses using Avast from the thumb drive.

OK, I just dealt with this over the weekend. U3-compatible thumb drives
emulate a CD-ROM drive (possibly a CD-Writer according to some sources).
First, that CD image that is on the thumb drive is set to autorun. Second,
last time I checked (circa Windows 98), autorun.inf files were checked for
on any drive plugged into a Windows machine. I used to change the icons of
zip disks for the fun of it this way. So the conclusion is that it is
possible to automatically install software from a thumb drive... at least
one way, probably more.

There isn't a CPU on the thumb drive. U3-compatible software is allowed to
use any (I think) resources on the host system -- HD, memory, CPU, registry,
etc. -- but has to remove any traces of itself when you say you're ready to
eject the thumb drive.

Then there are programs that run fine without installation (TreeSize, for
instance), and those can be run from a thumb drive without a problem too.

> At one point they sent me a tool to fix the associations with applications,
> so that now Start Programs run most apps.
>
> However, I've lost my email. This case has been open at Trend for more than a
> month, and now they are telling me it is not a virus and don't worry.

Mmmm, it does sound suspicious, but if they haven't seen it, it is hard for
them to do something about it.

> Not only that, when I call Trend Tech support, they hang up on me repeatedly,
> or put my call back in the queue, or promise to work the next day with me,
> and then don't.
> They want me to go away, but I think this is a serious threat.
>
> CAN a thumbdrive infect a system?
> Has anyone seen anything like this, or know how to respond to it and recover
> my email (besides backup)?

Pretty much, I'd say if there is a rogue program doing things to your
system, your best bet is to reload and restore from backups. Sorry.

Oh, and disable AutoRun :)
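
Added example, not part of the original thread: a small audit helper that lists which commands an autorun.inf would launch and decodes a NoDriveTypeAutoRun policy value to show which drive types still have AutoRun enabled. The sample file, its file names and the 0x91 policy value are constructed for illustration; the function names are hypothetical.

```python
# Added example: constructed inputs, not taken from the thread.
# NoDriveTypeAutoRun flags per Microsoft's documentation; a set bit disables
# AutoRun for that drive type (0x01 and 0x80 cover "unknown" types).
DRIVE_TYPE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
                   0x20: "cdrom", 0x40: "ramdisk"}

# Constructed autorun.inf; file names are placeholders.
SAMPLE_INF = """\
[autorun]
; comment line
open=launcher.exe -a
icon=launcher.exe,0
shell\\scan\\command=tools\\scan.exe
"""

def autorun_commands(inf_text):
    """Return (key, command) pairs in [autorun] that start a program."""
    found, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # open= and shellexecute= run on insertion; shell\<verb>\command
            # adds a context-menu verb that runs when the user picks it.
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value))
    return found

def autorun_enabled_types(policy_value):
    """Drive types for which AutoRun is still allowed under this value."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items()
                  if not policy_value & bit)

if __name__ == "__main__":
    for key, cmd in autorun_commands(SAMPLE_INF):
        print(f"{key}: {cmd}")
    # Constructed policy value: only network and unknown types are blocked.
    print("AutoRun still enabled for:", autorun_enabled_types(0x91))
```

A value of 0xFF sets every flag, so the second function returns an empty list; a drive that presents itself as a CD-ROM falls under the "cdrom" bit, not "removable".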
