Author Topic: Malware: SLATKO\torta.exe  (Read 10727 times)

oleg1

  • Guest
Malware: SLATKO\torta.exe
« on: January 11, 2010, 03:29:43 PM »
Hello,

I am using Avast 4.8 Professional, and it does not detect malware on a USB flash disk.
The malware consists of an "autorun.inf" file with a reference to the "torta.exe" executable in the "\SLATKO" subdirectory.
In that subdirectory the file "desktop.ini" is also present, which contains a CLSID to display the content of the subdirectory as the Recycle Bin.
Kaspersky Antivirus detects the malware as "Trojan.Win32.AutoRun.sl", "HEUR:Trojan.Win32.Invader", and "HEUR:Worm.Win32.Generic".

My chief's computer is infected by this malware, and Avast 4.8 Demo, which we have installed on it, does not find the file with the malware that loads into computer memory and infects inserted flash disks. On my computer autorun from removable drives is turned off, so I inserted the infected flash disk, but Avast 4.8 Professional did not find any viruses on it.

I posted the malware files to virus@avast.com on 2009-12-30. Can I expect the malware to be included in the Avast virus database, so that I can find the infected file on my chief's computer, remove the malware, and prevent further malware propagation?

Oleg Volkov
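
A defender-side check for the drive layout described in the post above, added here as an example (it is not code from the thread or from any vendor named in it): it reads a drive root's autorun.inf for launch targets and flags a target folder whose desktop.ini carries the Recycle Bin CLSID. The CLSID constant is the well-known Windows value and is not quoted in the thread; `scan_drive`, `find_ci`, `launch_targets` and `build_sample` are hypothetical names, and the sample files are constructed with harmless placeholder bytes.

```python
import re
from pathlib import Path, PureWindowsPath

# Well-known Windows shell CLSID of the Recycle Bin (assumption: not quoted in the thread).
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# autorun.inf keys that name a program to run; junk lines around them are ignored.
LAUNCH_RE = re.compile(
    r"^[ \t]*(?:open|shellexecute|shell\\[^=\r\n]*\\command)[ \t]*=[ \t]*(\S.*?)[ \t\r]*$", re.I | re.M)

def read_text(path):
    raw = path.read_bytes()
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")  # BOM marks a UTF-16 .inf/.ini
    return raw.decode("utf-16" if utf16 else "latin-1", errors="replace")

def find_ci(base, win_path):
    """Resolve a Windows-style relative path under base, ignoring case."""
    p = PureWindowsPath(win_path)
    for part in (p.parts[1:] if p.anchor else p.parts):
        kids = base.iterdir() if base.is_dir() else ()
        base = next((c for c in kids if c.name.lower() == part.lower()), None)
        if base is None:
            return None
    return base

def launch_targets(inf_text):
    # The program is the quoted string if the value is quoted, else the first token.
    return [v.split('"')[1] if v.startswith('"') else v.split()[0]
            for v in LAUNCH_RE.findall(inf_text)]

def scan_drive(root):
    root, findings = Path(root), []
    inf = find_ci(root, "autorun.inf")
    if inf is None or inf.is_dir():  # a directory of that name cannot act as an autorun file
        return findings
    for target in launch_targets(read_text(inf)):
        exe = find_ci(root, target)
        ini = find_ci(exe.parent, "desktop.ini") if exe else None
        disguised = bool(ini and ini.is_file()
                         and RECYCLE_BIN_CLSID.lower() in read_text(ini).lower())
        findings.append({"target": target, "present": exe is not None, "recycle_bin_disguise": disguised})
    return findings

def build_sample(root):
    """Constructed sample mirroring the layout in the post; the .exe is placeholder bytes."""
    folder = Path(root) / "SLATKO"
    folder.mkdir()
    (folder / "torta.exe").write_bytes(b"placeholder, not a real executable")
    (folder / "desktop.ini").write_text("[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID + "\n")
    (Path(root) / "AUTORUN.INF").write_text("[autorun]\n;junk\nopen=SLATKO\\torta.exe\n")
```

Call `scan_drive` with the mount point or drive letter of the removable disk; a result with `recycle_bin_disguise` set is a reason to quarantine the folder and submit the target file as a sample.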

Lisandro

  • Avast team
Re: Malware: SLATKO\torta.exe
« Reply #1 on: January 11, 2010, 03:34:19 PM »
Thanks for posting.
Hope they increase detection soon.
The best things in life are free.

polonus

  • Avast Überevangelist
  • malware fighter
Re: Malware: SLATKO\torta.exe
« Reply #2 on: January 11, 2010, 04:30:32 PM »
Hi oleg1,

There is a free removal tool here: http://www.kaspersky.com/removaltools?vtopen=154293695#open

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

oleg1

  • Guest
Re: Malware: SLATKO\torta.exe
« Reply #3 on: January 11, 2010, 04:49:31 PM »
Thank you, polonus, but I cannot allow myself to try a removal tool without a description or license, and with an executable having a ".com" extension instead of ".exe", even when it comes from www.kaspersky.com.
Can you give me a link to a page with that removal tool description?

spg SCOTT

  • Guest
Re: Malware: SLATKO\torta.exe
« Reply #4 on: January 11, 2010, 04:54:57 PM »
I think it is here, I don't know anything about it though, that would be where Pol comes in ;)

http://support.kaspersky.com/viruses/solutions?qid=193238496


A .com file is similar to an .exe; they are both executables...
http://en.wikipedia.org/wiki/COM_file
« Last Edit: January 11, 2010, 04:59:19 PM by spg SCOTT »

oleg1

  • Guest
Re: Malware: SLATKO\torta.exe
« Reply #5 on: January 11, 2010, 05:21:47 PM »
Scott, thank you for the reply!
I launched the "klwk.com" program on the infected computer, but it did not find any viruses in computer memory
(the file "torta.exe" has appeared on the inserted flash disk, however).
This is not surprising, because the name of the malware, as Kaspersky Antivirus detects it, is absent from the list of viruses that the "klwk.com" program detects and cleans. That list of viruses is located at http://support.kaspersky.com/viruses/solutions?qid=193238496, which is the link from your reply.

polonus
Re: Malware: SLATKO\torta.exe
« Reply #6 on: January 11, 2010, 05:57:06 PM »
Hi oleg1.

Get it on the desktop: navilog.exe IL-MAFIOSO
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

= Installs
= Double-click navilog1 which is on the desktop
= Press a button until reaching the options
= Choose option 1 (= type 1)
Do not use the others without notice; there may be legitimate processes.

The report is in c:\fixnavi.txt

Post this report here as an attached txt file...

Well I have tested the Kaspersky tool site for you - it is clean...

I checked the download link here with DrWeb's online URL checker: Checking: http://support.kaspersky.com/viruses/solutions?qid=193238496
Engine version: 5.0.1.12222
Total virus-finding records: 929914
File size: 39.07 KB
File MD5: 586b773932d163c26d3af50c24222cea

http://support.kaspersky.com/viruses/solutions?qid=193238496 - archive HTML
>http://support.kaspersky.com/viruses/solutions?qid=193238496/Script.0 - Ok
>http://support.kaspersky.com/viruses/solutions?qid=193238496/Script.1 - Ok
>http://support.kaspersky.com/viruses/solutions?qid=193238496/JavaScript.2 - Ok
>http://support.kaspersky.com/viruses/solutions?qid=193238496/Script.3 - Ok
>http://support.kaspersky.com/viruses/solutions?qid=193238496/JavaScript.4 - Ok
>http://support.kaspersky.com/viruses/solutions?qid=193238496/JavaScript.5 - Ok
http://support.kaspersky.com/viruses/solutions?qid=193238496 - Ok

Kaspersky forum thread on this: http://forum.kaspersky.com/lofiversion/index.php/t96929.html

You have to temporarily disable System Restore to cleanse.
Also run MBAM and update to the latest version:
http://www.malwarebytes.org/mbam-download.php

polonus

oleg1

  • Guest
Re: Malware: SLATKO\torta.exe
« Reply #7 on: January 11, 2010, 06:34:12 PM »
polonus, thank you for the reply.
Again, you are not giving me a link with the description of the program you recommend that I try.
And I cannot try it because it comes from a web site I do not know and trust.
When I posted the message to this forum, I expected to obtain a reply from somebody on the Avast support team with a hint about the time span in which they add the malware to the Avast virus database, so I can get rid of the malware in the standard way.
This forum is the only place I can write to ask for the standard solution to the problem -- to include the malware description in the Avast virus database.
I am using the version of Avast antivirus I paid money for, so I considered I have the right to make a posting to this forum.

polonus
Re: Malware: SLATKO\torta.exe
« Reply #8 on: January 11, 2010, 06:43:52 PM »
Halio oleg1,

OK, I fully understand your point of view and hopefully the upload of the virus sample will lead to an av update for this malware asap.

As you say that this is on a USB flash disk, you could run this tool:

Flash Disinfector is a Flash Zip Drive, Pen Drive, Thumbdrive & Portable / Pocket Hard Disks Malware removing tool. It’s a neat and handy tool to handle all of the messes done by those pesky flash malwares.
Description and download link...
Flash Disinfector will target the following Flash malwares (in general):

W32/Perlovga (copy.exe | host.exe)
VBS_RESULOWS.A (Hacked by Godzilla, Hacked by Moozilla)
Bha.dll.vbs
w32automa worm (Autorun.vbs)
Trojan.Win32.VB.atg | Win32/Dzan | Worm_vb.bnr (tel.xls.exe | mmc.exe)
W32/RJump.worm (RavMonE)
Worm.Win32.Delf.bf | W32.Fujacks (spoclsv.exe)
W32.Fujacks.BH (Fucker.vbs)
WORM_AGENT.PGV (soundmix.exe)
W32/Hakaglan.worm (RVHost.exe)
Trojan.Win32.VB.ayo [AVP] (Macromedia_Setup.exe)
Trojan.VBS.DeltreeY.b#1 (Destrukto!!! | destrukto.vbs)

What will Flash Disinfector Do
- Clean up junks created by flash malwares
- Deletes autorun.inf from every root folder
- Fix back damages done to your system
- Creates an autorun.inf folder in the root of your system drives

How To Use The Tool

Important : Disable any Antivirus / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process.

Download Flash Disinfector from: http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
* bleepingcomputer is a trusted official Qualified Malware Eliminating Site

Removal Instructions :

Plug in all the USB drives to your PC.
Double-click Flash_Disinfector.exe to run it. Follow any prompts that may appear.
Your desktop will vanish for a while, and then reappear. This is normal.
Wait until the program has finished scanning, then please exit the program.
Restart your computer and see if the problem still persists.

Regards,

polonus