Topic: [Resolved] New Malware: siodo.scr


durion6

  • Guest
[Resolved] New Malware:siodo.scr
« on: July 31, 2010, 02:48:08 PM »
Hi to everyone
I used Avast for many years and never had any problem. Yesterday I had my first one. I noticed that all the folders on my external HDD appear as shortcuts. I checked whether the files had been erased, but the capacity of my HDD remained the same as before it was infected by this malware. I wasn't allowed to open any folder, and the following message appeared:
"The siodo.scr element to which this shortcut has been changed or moved, so they do not work properly syntomefsi.thelete to delete this shortcut?"
I started running AVAST and it found this malware, but although I chose to delete it, it has more effective measures.
I suppose that the "autorun" of my HDD was affected by this.
Any ideas are welcome
Thanks in advance
The Newbie
« Last Edit: August 07, 2010, 02:28:17 PM by durion6 »

durion6

  • Guest
Re: New Malware:siodo.scr (or something like that)
« Reply #1 on: July 31, 2010, 03:50:09 PM »
After a quick search on VirusTotal it gave me the following:

Antivirus Version Last Update Result
AhnLab-V3 2010.07.31.00 2010.07.30 -
AntiVir 8.2.4.32 2010.07.30 TR/Dldr.VB.dxh
Antiy-AVL 2.0.3.7 2010.07.30 Worm/Win32.VBNA.gen
Authentium 5.2.0.5 2010.07.31 W32/VB.BA.gen!Eldorado
Avast 4.8.1351.0 2010.07.31 Win32:VB-PQX
Avast5 5.0.332.0 2010.07.31 Win32:VB-PQX
AVG 9.0.0.851 2010.07.31 SHeur3.AIMF
BitDefender 7.2 2010.07.31 Win32.Worm.Agent.QFS
CAT-QuickHeal 11.00 2010.07.31 Worm.VBNA.gen
ClamAV 0.96.0.3-git 2010.07.30 -
Comodo 5598 2010.07.31 -
DrWeb 5.0.2.03300 2010.07.30 Trojan.MulDrop1.39525
Emsisoft 5.0.0.34 2010.07.30 Worm.Win32.Vobfus!IK
eSafe 7.0.17.0 2010.07.29 -
eTrust-Vet 36.1.7753 2010.07.31 Win32/Vobfus!generic
F-Prot 4.6.1.107 2010.07.31 W32/VB.BA.gen!Eldorado
F-Secure 9.0.15370.0 2010.07.31 Worm:W32/Vobfus.BA
Fortinet 4.1.143.0 2010.07.31 -
GData 21 2010.07.31 Win32.Worm.Agent.QFS
Ikarus T3.1.1.84.0 2010.07.31 Worm.Win32.Vobfus
Jiangmin 13.0.900 2010.07.29 Worm/VBNA.vwo
Kaspersky 7.0.0.125 2010.07.31 Worm.Win32.VBNA.ajeu
McAfee 5.400.0.1158 2010.07.31 Downloader-CJX.gen.a
McAfee-GW-Edition 2010.1 2010.07.30 Heuristic.LooksLike.Win32.Suspicious.J
Microsoft 1.6004 2010.07.31 Worm:Win32/Vobfus.S
NOD32 5327 2010.07.30 Win32/AutoRun.VB.RD
Norman 6.05.11 2010.07.31 W32/Suspicious_Gen2.BOJHY
nProtect 2010-07-31.01 2010.07.31 Worm/W32.Agent.57344.BG
Panda 10.0.2.7 2010.07.31 W32/Vobfus.EQ
PCTools 7.0.3.5 2010.07.31 Malware.Changeup
Prevx 3.0 2010.07.31 High Risk Cloaked Malware
Rising 22.58.05.04 2010.07.31 -
Sophos 4.56.0 2010.07.31 W32/AutoRun-BFF
Sunbelt 6667 2010.07.31 Trojan.Win32.Vobfus.a (v)
SUPERAntiSpyware 4.40.0.1006 2010.07.31 Trojan.Agent/Gen-VB[Morsam]
Symantec 20101.1.1.7 2010.07.31 W32.Changeup
TheHacker 6.5.2.1.328 2010.07.30 W32/VBNA.ajeu
TrendMicro 9.120.0.1004 2010.07.31 WORM_VBNA.SMN
TrendMicro-HouseCall 9.120.0.1004 2010.07.31 WORM_VBNA.SMN
VBA32 3.12.12.7 2010.07.30 -
ViRobot 2010.7.31.3965 2010.07.31 Trojan.Win32.Generic.57344.D
VirusBuster 5.0.27.0 2010.07.30 Worm.VBNA.Gen.3
Additional information
File size: 57344 bytes
MD5...: e58d2e5c536d4e6536652f74ba8dbd36
SHA1..: 6de1e7a80741ada40f2fc4de103a511218928452
SHA256: dd54092a5897f650348da4c77e1aae2f6b02e474e001c3816e79f99257e3157e
ssdeep: 1536:N3fU+yfmV2D8HOXlXsX3XnkcUckD98kMEk7I:VfNyfk2yzkcUckD98kMEr
 
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x11ac
timedatestamp.....: 0x4c3c2722 (Tue Jul 13 08:43:14 2010)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd008 0xd200 5.35 f96dbaf41c19247f5852d561ca0a3205
.data 0xf000 0x1d14 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x11000 0x894 0xa00 2.71 a18bd28900dcd4feb84b4e7d854c0971

( 1 imports )
> MSVBVM60.DLL: -, -, MethCallEngine, -, -, -, -, -, -, -, -, -, -, -, EVENT_SINK_AddRef, -, EVENT_SINK_Release, -, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, -, -, -, -, -, ProcCallEngine, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 0 exports )
 
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: e
description..: n/a
original name: FSSLkWJE.exe
internal name: FSSLkWJE
file version.: 6.12
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
 
http://info.prevx.com/aboutprogramtext.asp?PX5=9A2C0CF700208B2DE074009B5D0CC900096216C7

Asyn
Re: New Malware:siodo.scr (or something like that)
« Reply #2 on: July 31, 2010, 06:12:36 PM »
1. Run a boot time scan with avast.
2. Run free Mbam. http://www.malwarebytes.org/mbam.php
3. Post your results.
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast worth knowing (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

durion6

  • Guest
Re: New Malware:siodo.scr (or something like that)
« Reply #3 on: August 01, 2010, 02:44:01 PM »
Thanks a lot Asyn!!!!
I will do it and I'll tell you tomorrow, because I'm working today. Do you know if I will lose all my data and folders?
Thanks

durion6

  • Guest
Re: New Malware:siodo.scr (or something like that)
« Reply #4 on: August 02, 2010, 10:43:25 AM »
Hi asyn
I did what you said. The results are here:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4379

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/02/2010 11:30:18 PM
mbam-log-2010-08-02 (11-30-18). txt

Scan type: Full Scan (G: \ |)
Objects scanned: 213 620
Time elapsed: 37 minute (s), 40 second (s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Infected Registry Data Items: 1
Infected files: 0
Infected files: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Infected Registry Data Items:
HKEY_CLASSES_ROOT \ regfile \ shell \ open \ command \ (default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "% 1") Good: (regedit.exe "% 1") -> No action taken.

Infected files:
(No malicious items detected)

Infected files:
G:\ROCK\Thin Lizzy\Thin.Lizzy - Dedication\P1-2.jpg (Extension.Mismatch) -> No action taken.
G:\System Volume Information\_restore{70C64950-8CA4-4E7C-A44C-7855A4BC8A0D}\RP553\A0092037.exe (Trojan.Agent) -> No action taken.
G:\System Volume Information\_restore{983F414C-4557-49EE-AD3B-C0C7BEE154FE}\RP37\A0007558.exe (Malware.Packer.Gen) -> No action taken.
G:\System Volume Information\_restore{983F414C-4557-49EE-AD3B-C0C7BEE154FE}\RP37\A0007561.exe (RiskWare.Tool.CK) -> No action taken.
G:\System Volume Information\_restore{983F414C-4557-49EE-AD3B-C0C7BEE154FE}\RP37\A0007562.exe (Malware.Packer.Gen) -> No action taken.
G:\System Volume Information\_restore{983F414C-4557-49EE-AD3B-C0C7BEE154FE}\RP37\A0007563.exe (RiskWare.Agent.CK) -> No action taken.
C:\WINDOWS\system32\EHyuMPWj.exe.a_a (Trojan.Agent) -> No action taken.


Finally, although I deleted the infected files, the problem remains the same.
Any other suggestion?
« Last Edit: August 02, 2010, 10:57:15 AM by durion6 »

Asyn
Re: New Malware:siodo.scr (or something like that)
« Reply #5 on: August 02, 2010, 11:17:29 AM »
Let Mbam remove what it found..!
Your log says 'No action taken'.
asyn

durion6

  • Guest
Re: New Malware:siodo.scr (or something like that)
« Reply #6 on: August 03, 2010, 12:33:29 PM »
Hi Asyn
Unfortunately I didn't notice when it came to my screen....
I've just performed a new boot scan again as you said, but this time it found nothing:
Database version: 4384

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/03/2010 1:22:35 PM
mbam-log-2010-08-03 (13-22-35). txt

Scan type: Full Scan (C: \ | D: \ | G: \ |)
Objects scanned: 301 119
Time elapsed: 1 hour (s), 23 minute (s), 42 second (s)

Memory Processes Infected: 0
Infected memory: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Infected Registry Data Items: 0
Infected files: 0
Infected files: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Infected Registry Data Items:
(No malicious items detected)

Infected files:
(No malicious items detected)

Infected files:
(No malicious items detected)

The problem remains the same again... I'm disappointed.

Asyn
Re: New Malware:siodo.scr (or something like that)
« Reply #7 on: August 03, 2010, 12:53:50 PM »
Did you run a boot time scan with avast yet..?
asyn

mkis
Re: New Malware:siodo.scr (or something like that)
« Reply #8 on: August 03, 2010, 01:24:41 PM »
Turn off System Restore, as the virus has spread through the restore points.

- XP   http://support.microsoft.com/kb/310405

- Vista and Win7   http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/


Then run avast boot-time scan

http://www.schmahl.net/avastbootscan.php 
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

mkis
Re: New Malware:siodo.scr (or something like that)
« Reply #9 on: August 03, 2010, 01:41:06 PM »
Microsoft identifies the virus
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Vobfus.V

threatexpert
http://www.threatexpert.com/report.aspx?md5=5d891c97612df2b84d2abcec9f5e2383

avast
14.7.2010 - 100714-0
BV:Agent-DT [Trj], BV:Agent-DU [Trj], BV:Agent-DV [Trj], BV:Agent-DW [Trj], BV:Agent-DX [Trj], BV:Agent-DY [Trj], BV:Agent-DZ [Trj], BV:Agent-EA [Trj], BV:Agent-EB [Trj], BV:Agent-EC [Trj], JS:Downloader-YS [Trj], JS:Pdfka-AKB [Expl], NSIS:Downloader-BQ [Trj], NSIS:Downloader-BR [Trj], Win32:Alman-T, Win32:Alureon-HA [Trj], Win32:Alureon-HB [Rtk], Win32:AutoRun-BLS [Wrm], Win32:Bubnix-E [Rtk], Win32:Bubnix-F [Rtk], Win32:Bubnix-G [Rtk], Win32:Crypt-GWH [Drp], Win32:FakeAV-AMJ [Trj], Win32:Koobface-AZ [Rtk], Win32:Neptunia-FP [PUP], Win32:Patched-QK [Trj], Win32:Small-NMS [Trj], Win32:Stabs-G [Drp], Win32:StartPage-930 [Trj], Win32:Tiny-AGH [Trj], Win32:VB-PQT [Trj], Win32:VB-PQU [Trj], Win32:VB-PQV [Drp], Win32:VB-PQW [Drp], Win32:VB-PQX [Wrm]


You need to ensure that you keep your system fully up to date.
With your system fully up to date, you should pick up this virus and remove it from both your system and the external HDD.

How well did the boot scan go?

durion6

  • Guest
Re: New Malware:siodo.scr (or something like that)
« Reply #10 on: August 03, 2010, 10:28:02 PM »
Thanks a lot, all of you!!! I appreciate your help a lot!!!
I've done the boot scan with Avast as ASYN said above, but it found nothing...
I will try the other guys' solution tomorrow and I'll tell you.
Thanks a lot again

Asyn
Re: New Malware:siodo.scr (or something like that)
« Reply #11 on: August 04, 2010, 08:40:02 AM »
You're welcome..!
Keep us updated...
asyn

SafeSurf

  • Guest
Re: New Malware:siodo.scr (or something like that)
« Reply #12 on: August 04, 2010, 11:00:21 AM »
Before running MBAM, you need to ALWAYS update it prior to running a scan

durion6

  • Guest
Re: New Malware:siodo.scr (or something like that)
« Reply #13 on: August 04, 2010, 05:59:41 PM »
I set my System Restore off and AVAST performed a boot scan again for discs C, D & F (external). It found no viruses, and after that the updated MALWAREBYTES gave me nothing again:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4384

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/04/2010 1:03:53 PM
mbam-log-2010-08-04 (13-03-53). txt

Scan type: Full Scan (C: \ | D: \ | G: \ |)
Objects scanned: 301 472
Time elapsed: 1 hour (s), 14 minute (s), 16 second (s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Infected Registry Data Items: 0
Infected files: 0
Infected files: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Infected Registry Data Items:
(No malicious items detected)

Infected files:
(No malicious items detected)

Infected files:
(No malicious items detected)


I didn't understand where the malware was! My external HD's folders still appeared as shortcuts.....

mkis
Re: New Malware:siodo.scr (or something like that)
« Reply #14 on: August 05, 2010, 06:20:37 AM »
Open the avast interface by clicking the orange ball 'a' icon and go down to Maintenance -> Virus chest and have a look at what is in there. The chest will inform you what viruses were found and where.

If the external disk is still showing shortcuts instead of folder names, it is likely that the malware has tried to cover itself by replacing the ID of these folders with a false ID. This happens, although I haven't had the shortcut situation myself, so I cannot say for sure.

For starters you should check the integrity of the external disk -
I won't suggest the best utility to do this with, but leave it open to the forum members.

Basically you test the external disk with a CHKDSK utility:
- if it is NTFS format there should be no worries; the command should be chkdsk /f or chkdsk /f /r
- FAT32 is not so straightforward (ages since I did this, though I do it on system drives to good effect all the time)
- this is a good means of bringing your disk drives back to good condition, especially after infections

If no replies, I will look up a utility or method myself, but I'm a little busy at the mo.
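The symptom the thread turns on (every folder on the external disk shown as a shortcut that launches siodo.scr, plus a suspected autorun.inf) can be checked for offline, without executing anything. This added example is not from the thread or from any of the tools named in it; it assumes, as is typical for this kind of worm, that the original folders still exist beside the shortcuts, and it builds a constructed sample disk layout in a temporary directory rather than touching a real drive.

```python
"""Defender-side check for the symptom in this thread: folders on the external
disk replaced by .lnk files that launch a .scr in the drive root."""
import configparser
import os
import re
import tempfile

EXE_RE = re.compile(r"[\w.-]+\.(?:scr|exe|com|pif)\b", re.IGNORECASE)

def lnk_referenced_executables(path):
    """Executable names found inside a .lnk; LNK stores its strings as UTF-16LE
    (older ones as ANSI), so both decodings are searched."""
    data = open(path, "rb").read()
    return {m.group(0).lower() for text in (data.decode("utf-16-le", "ignore"),
            data.decode("latin-1")) for m in EXE_RE.finditer(text)}

def autorun_targets(root):
    """Executables named by autorun.inf's [autorun] open= / shellexecute= keys."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return set()
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(inf, encoding="latin-1")
    return {cp.get("autorun", k).split()[0].lower()
            for k in ("open", "shellexecute") if cp.has_option("autorun", k)}

def find_hijacked_folders(root):
    """{shortcut: (folder, executables)} for each .lnk that sits beside a folder
    of the same name and references an executable. The folder is assumed to be
    the hidden original; matching on the name pair instead of the hidden
    attribute lets the scan run from a non-Windows rescue system too."""
    hits = {}
    for name in os.listdir(root):
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk" and os.path.isdir(os.path.join(root, stem)):
            refs = lnk_referenced_executables(os.path.join(root, name))
            if refs:
                hits[name] = (stem, sorted(refs))
    return hits

def build_sample_drive():
    """Constructed sample, not a real infected disk: two shadowed folders, one
    untouched folder, shortcuts that launch siodo.scr, and an autorun.inf."""
    root = tempfile.mkdtemp()
    for folder in ("ROCK", "Photos"):
        os.mkdir(os.path.join(root, folder))
        cmd = f'/c start siodo.scr & start explorer "{folder}"'
        with open(os.path.join(root, folder + ".lnk"), "wb") as f:
            f.write(b"L\x00\x00\x00" + cmd.encode("utf-16-le"))  # 0x4C header
    os.mkdir(os.path.join(root, "Clean"))
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=siodo.scr\nshellexecute=siodo.scr\n")
    return root
```

Run `find_hijacked_folders` and `autorun_targets` against the root of the suspect drive (mounted read-only from a clean system) to list which shortcuts shadow which folders and which file the autorun entry points at, before deciding what to quarantine and which folders to unhide.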