March 13, 2008

Generic4.HUH

Yesterday I spent about 3 hours fighting a virus called Trojan Backdoor Generic4.HUH. Apart from the small snicker I got thanks to the whole "Trojan" and "Backdoor" thing in the same sentence, it was a very annoying troubleshooting session.

This trojan basically infects a computer and then infects any flash drives plugged into the machine. On the flash drive, it hides in a folder like d:\recycler\recycler and is named autorun.exe. It is 24kb. The folder has the hidden and system attributes set, so you have to go into Folder Options and uncheck "Hide protected operating system files" just to see it. Once you do that, go to the Processes tab of Task Manager, find a task called "KOfcpfwSvcs.exe" and kill it. Then you can delete the autorun.exe that lives in d:\recycler\recycler, and the folder too if you want. If you don't kill the process first, the recycler folder will just come back.

DO NOT DELETE the Recycler folder on a hard drive. That's part of Windows. You can safely delete the folder called Recycler that's inside the normal Recycler folder, but you still have to kill the process first.

I also found this file on the hard drive in c:\windows\system32\KOfcpfwSvcs.exe. I deleted that the same way.

As of now, McAfee VirusScan doesn't detect this, but AVG does. I've captured a sample of it and am sending it in to McAfee for addition to their next DAT.

Don't forget to recheck the box for "Hide protected operating system files." We don't want users dinking around with those kinds of files and folders.

Also take into account that the file may not always be named "KOfcpfwSvcs.exe" on the hard drive. I would expect it always to be named "autorun.exe" on a flash drive, because that's what propagates the infection back to a PC from the flash drive.
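An added PowerShell example (not code from the original post) that automates the check described above: it looks for recycler\recycler\autorun.exe on every removable drive and for KOfcpfwSvcs.exe in system32, reports what it finds, and with -Remove kills the process before deleting the files, in the order the post gives. The -Remove switch and the function names are this example's own assumptions.

```powershell
param([switch]$Remove)   # without -Remove the script only reports; example code, not from the post

$ProcName   = 'KOfcpfwSvcs'                     # process name from the post
$DropperRel = 'recycler\recycler\autorun.exe'   # path on an infected flash drive (post)
$ExpectedKB = 24                                # size given in the post, used only as a hint

function Get-SuspectFiles {
    $paths = @()
    # DriveType 2 = removable; these are the flash drives the trojan copies itself to
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $paths += Join-Path $_.DeviceID $DropperRel
    }
    $paths += Join-Path $env:windir "system32\$ProcName.exe"
    # -Force returns hidden and system items, so no Folder Options change is needed here
    foreach ($p in $paths) {
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($f) { $f }
    }
}

function Stop-SuspectProcess {
    # The post notes the name may differ on the hard drive, so also match by full path
    $files = @(Get-SuspectFiles | ForEach-Object { $_.FullName.ToLower() })
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.ProcessName -ieq $ProcName -or ($_.Path -and $files -contains $_.Path.ToLower())
    } | ForEach-Object {
        Write-Host "Stopping $($_.ProcessName) (PID $($_.Id))"
        Stop-Process -Id $_.Id -Force
    }
}

$found = @(Get-SuspectFiles)
if (-not $found) { Write-Host 'No Generic4.HUH indicators found.'; return }
foreach ($f in $found) {
    $kb = [math]::Round($f.Length / 1KB)
    $note = if ($kb -ne $ExpectedKB) { " (size $kb KB, post says $ExpectedKB KB)" } else { '' }
    Write-Host "Found $($f.FullName)$note"
}
if ($Remove) {
    Stop-SuspectProcess        # kill first, or the recycler folder just comes back
    Start-Sleep -Seconds 2
    foreach ($f in $found) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "Deleted $($f.FullName)"
    }
}
```

Run it from an elevated prompt, since stopping the process and deleting a file in system32 need administrator rights; the inner recycler\recycler folder on the flash drive is left for you to remove by hand, as the post describes.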

Here's one link I found.
