[RESOLVE]Winece.exe New found Virus in Philippines..

[creamzero]

marks all .doc and docx files hidden and system file...

replaces the doc with the same name but with the extension .exe..

infection in my documents and all removable disk (flash drives, external drives etc.)

size of worm, 14.7 MB!  

changes the wallpaper and registers winece.exe as startup with label microsoft office tools..

It is still not confirmed if the worm can spread in the network since I disabled all modification of shared folders...

Once it spread the system, the windows will be corrupted but can still be fixed in the windows recovery console...

Avast can't seem to detect it...

C:\WINDOWS\winece.exe

[Yanto.Chiang]

Hi Creamzero,

It was looked like that your machine infected some kind like virut families as reference link information :

http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

If you do have the source file for winece.exe, you may try to submit to virustotal.com and see what is the result displayed?

And then please submit your infected source file and compress with name virus.zip and given password "virus" to : virus@avast.com

cheers,

[scythe944]

Might want to watch what you download with that uTorrent client there cream.

Not saying that's where it came from, but there's a good chance.

[creamzero]

@Yanto Chiang :

thanks for the info, i tried submitting it, it has no match..
hope it'll be included in the avast virus database in the next update..

@scythe944 :

thanks, but im not downloading anything, it spreads if mistakenly double-clicked... still cant find the source in the internet.. i have a feeling it was only developed here in my country...

[Coolmario88]

i don't know if this will help or not but super anti spyware or something may dectect it

[creamzero]

@Coolmario88cp :

Haha.. is avast not yet considered super anti spyware?

[13thSlayer]

@Coolmario88cp :

Haha.. is avast not yet considered super anti spyware?

Nah... SAS is some other product.

[scythe944]

Or try MBAM (Malwarebytes' Anti-Malware).  http://www.malwarebytes.org

[creamzero]

13thSlayer : Oh I see.. Sorry My bad.. I'll try.. I'll have too many application since I also have Malwarebytes..

scythe944 : I have one.. same result.. no infections detected...

[oxygenate]

Thanks for your post, creamzero!

My PC got infected in the very same way after someone plugged in a flash drive. I've been 4 days without any solution.

But because of information from your post, I was finally able to confirm identity of the pest (yes, it's the winece.exe worm). I have just located and deleted it, deactivated it at startup, and ended its process thru Task Manager.

My desktop background has been restored, and Word files I place in the folder affected no longer hide and change into .exe files. To make sure, I deleted all the changed Word files, which I had transferred to a new "safety" folder when I first noticed the problem. I can do without these files anyway.

Thanks again, creamzero!

[creamzero]

 

This thread is closed! Hahahaha

THANK YOU SO MUCH AVAST FOR THE EARLY UPDATE!!!

This post should have been done last week, sorry been busy managing business... $_$

@oxygenate : walang anuman brad.. hahahaha badtrip yang virus na yan... panira ng ng server... If you have a new virus just send it to virus@avast.com

@Yanto.Chiang! : thank you man!

[SafeSurf]

creamzero,

This thread is closed!
THANK YOU SO MUCH AVAST FOR THE EARLY UPDATE!!!

Now that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed. 

Feel free to come back any time you need help, to learn something new, or just to ask questions.  We are here 24/7 for your convenience.  Thank you.

[creamzero]

yez sir! :]

[irex]

san mu nalocate ung winece.exe? tsaka panu burahin?
patulong naman po. :'(

[creamzero]

@Irex : pare/mare, wag ka na umiyak dyan.. naka avast ka ba? magupdate ka na po... nilagay ko na sa una kong post kung san nakalocate, pero para sayo sge uulitin ko..

c:\windows\winece.exe

para makita mo sya,

folder options,show hidden files, tapos uncheck mo ung do not show file extensions for known files tska hide protected vied para makita mo yung virus...

ang attribute kasi ng virus read only, hidden tska system file.. ok?

kung tumatakbo sya sa process, kill mo na.. para mabura mo.. hindi mo kasi sya mabubura kung tumatakbo sya sa process.. kung hindi mo alam, task manager, ctrl + alt + del or ctrl +shift + esc.. punta ka sa tab na process, tapos hanapin mo n sya.. kung wala, punta ka na sa windows folder.. wokie?