Virus infection spread by portable devices, infects the recycler and autorun.inf

[Guest]

[dunerunner68]

On some of the computers that I use with Comodo, I am having an issue with a virus that infects the recycler.  When USB drives are inserted into a computer that has this \recycler\*\xop32.exe in the recycler, the USB devices recycler is infected and an autorun.inf file is written to the USB device or if an autorun.inf already exists, it gets over written and hidden.  The autorun batch points to this virus in the recycler so that it can infect other machines it is connected to even if the autorun is disabled; when you open a file on the USB drive, it infects the computer. 

This link will take you to a threatexpert page showing the recycler infections and other information similar to what I am experiencing with this virus.  It does list the virus as being Trojan.Agent.AZV but I have only seen the files it creates and some of the things it does.
http://www.threatexpert.com/report.aspx?md5=4603b4b43503b09c4dbc3227520974ec

My concern is that even though scheduled and manual scans pick this virus up the real-time scanner is not, even with the settings set higher than default.  Between scheduled scans an infection can re-occur. This was confirmed by doing a controlled test with a sample of this virus on a clean machine.  My current security settings being what they are, just simply inserting the infected USB drive does not infect but when a file on the USB drive is opened the computers recycler is infected, undetected by the real-time scanner.  The virus needs to be removed; quarantining the virus does not get rid of it only removing does.  I deploy Comodo as scheduled AV and real-time scanner and ClamAV for windows as a backup scheduled AV scanner.  I have seen another real-time scanner I have on one machine pick this virus up but with a slight delay (seconds), but it did detect the virus.  (Not making a pitch for another's software so I am leaving its name out unless asked)

With budgets getting tighter with the down economy Comodo has been a cost effective option for multiple computers, but if this keeps happing I might have to think about switching to another software (do not want to, I would like to continue to use Comodo).  Can someone tell me if Comodo is working on this or even aware of what this virus can do, I know someone at Comodo is aware of this virus to some degree because Comodo detects it on manual and scheduled scans?

[d194700]

I think you should try to use flash disinfector in order to overcome this. You can find out how to remove virus recycler here. Also, I have heard kaspersky also is good for this if you can have.

Try autorun eater too if you are not satisfactory with these solutions.

[Ringman]

And you need to remove a path "Recycle?" in scanner excluding in comodo too.

[Philee]

A friend of mine had once exactly the same virus.
I booted into Ubuntu & deleted the infected files and no more problems.

[dunerunner68]

Petit:
We had already removed "Recycler" from the exclusion path, weeks before posting, but thanks for replying.
Philee:
We can remove the infections, it is re-infection that is the issue, and Comodo's real-time scanning is not catching the infection.  Eraser an open source program deletes the infections even if the programs are locked in the recycler; it does a good job at deletion.
d194700:
The link you gave, once I went there and clicked on the USB flash disinfector, the site drove my popup blocker crazy and locked my computer up, so I will not be going back there.  Kaspersky is a resource hog and I will never use it again, Eset is better than Kaspersky and uses less resources but is expensive.

 Main problem is these computers are used by many individuals for various purposes (mainly studies) thereby flash drives are inserted all day long from different environments, which makes it hard to control, and flash drive use cannot be avoided.  Eset's IS suite catches this virus with its real-time scanner but is very expensive.  Comodo's real-time scanner is not catching it, but Comodo's scheduled and manual scanner is catching it, as stated in the original post above, in between scheduled scans a machine can pick up the virus again from an infected USB drive and infect other USB drives that are inserted.  This is done even if autorun is disabled, by opening files on the flash drive.  We have done several-controlled test with samples of this virus, we find that this virus is resourceful but inconsistent in its behavior.  The only solid temporary solution (and we cannot use shareware solutions only licensed or open source programs) is to make an autorun.inf file on your USB drives root path and make it read only and hidden.  This prevents any infections from passing the executable parts, although, the recycler still gets xop32.exe installed it is harmless without the viruses modified executable and batch files and can be easily deleted.  The problem is we cannot force people to do this, we are also trying a scheduled task that deletes recycler contents every 30mins until someone at Comodo figures out how to catch this infection with the real-time scanner or our budgets get approved to upgrade to a commercial AV or IS (not likely though). 

Maybe I'm posting this in the wrong section, if so can someone please tell me where I should post this problem, again main problem is the real-time scanner is not able to pick this virus up but other IS's and/or AV's real-time scanners can, and I do not want to have to switch from using Comodo.

[Creasy]

Petit:
We had already removed "Recycler" from the exclusion path, weeks before posting, but thanks for replying.
Philee:
We can remove the infections, it is re-infection that is the issue, and Comodo's real-time scanning is not catching the infection.  Eraser an open source program deletes the infections even if the programs are locked in the recycler; it does a good job at deletion.
d194700:
The link you gave, once I went there and clicked on the USB flash disinfector, the site drove my popup blocker crazy and locked my computer up, so I will not be going back there.  Kaspersky is a resource hog and I will never use it again, Eset is better than Kaspersky and uses less resources but is expensive.

 Main problem is these computers are used by many individuals for various purposes (mainly studies) thereby flash drives are inserted all day long from different environments, which makes it hard to control, and flash drive use cannot be avoided.  Eset's IS suite catches this virus with its real-time scanner but is very expensive.  Comodo's real-time scanner is not catching it, but Comodo's scheduled and manual scanner is catching it, as stated in the original post above, in between scheduled scans a machine can pick up the virus again from an infected USB drive and infect other USB drives that are inserted.  This is done even if autorun is disabled, by opening files on the flash drive.  We have done several-controlled test with samples of this virus, we find that this virus is resourceful but inconsistent in its behavior.  The only solid temporary solution (and we cannot use shareware solutions only licensed or open source programs) is to make an autorun.inf file on your USB drives root path and make it read only and hidden.  This prevents any infections from passing the executable parts, although, the recycler still gets xop32.exe installed it is harmless without the viruses modified executable and batch files and can be easily deleted.  The problem is we cannot force people to do this, we are also trying a scheduled task that deletes recycler contents every 30mins until someone at Comodo figures out how to catch this infection with the real-time scanner or our budgets get approved to upgrade to a commercial AV or IS (not likely though). 

Maybe I'm posting this in the wrong section, if so can someone please tell me where I should post this problem, again main problem is the real-time scanner is not able to pick this virus up but other IS's and/or AV's real-time scanners can, and I do not want to have to switch from using Comodo.

The conficker you said, it was a big issue on Dec.2008~Jan.2009.

It is 100% same as that one.-Mutated Conficker.
Also there is another mutated Conficker.
It changes your PC time to year 2090.
In case of your Conficker(downadup), little bit different from MS08-067.

Fisrt, it's your company's fault.
Because they didn't update windows security patch.
Your Conficker is spreaded by both Network and USB device.
That's why we call it Conficker Worm.
It has been issued from last year.

To prevent it.
1.Update windows(up to date)
2.remove network sharing.
  Otherwise, make a password over 12 characters.
(mixed characters eg.numbers+symbols+alphabets(Lower+Upper)
3.Turn off Autorun function for your removable drive.
4. Use encryption tool for your USB memory and removable drive.-there are many free tools.
   (It prevents those infections 100%)

If your shared folders, USB memory, any removable drives are protected by password, the Conficker tries to break the password with Dictionary Attack.

That conficker uses following passwords list to break the password.(if more mutated + more passwords).




MS08-067 vulnerability.
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

Conficker(Downadup)

Follwing links provide you a tool which is only for downadup.

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe

http://ftp://ftp.antivirus.fi/anti-virus/tools/beta/f-downadup.zip

http://download.bitdefender.com/resources/files/Download/en/anti-downadup.zip

[Philee]

I don't think it's Conficker because in my case it was also a file xop32.exe and that was about one year ago.

As soon as my friend plugged his flash drive into my laptop Comodo D+ and Nod 32 constantly alerted me.
Thanks to Comodo and Nod32 my laptop didn't get infected

But we tried to clean my frind's laptop and flash drive.
It was very annoying and Nod32 couldn't get rid of this thread.
So we tried many things. I can't remember every steps we tried.
Comodo D+ quarantine, Nod32 virus removal, manualy deleting with Unlocker,...
In the end I think booting into Linux and deleting all the suspected files and the trash solved the problem.

Edit:
Here are two sites with instructions how to remove the infection:
http://inspiration.nyp.edu.sg/virus.html
http://www.oral8.cn/viruscom/viruscom_15478.html

[Creasy]

I don't think it's Conficker because in my case it was also a file xop32.exe and that was about one year ago.

As soon as my friend plugged his flash drive into my laptop Comodo D+ and Nod 32 constantly alerted me.
Thanks to Comodo and Nod32 my laptop didn't get infected

But we tried to clean my frind's laptop and flash drive.
It was very annoying and Nod32 couldn't get rid of this thread.
So we tried many things. I can't remember every steps we tried.
Comodo D+ quarantine, Nod32 virus removal, manualy deleting with Unlocker,...
In the end I think booting into Linux and deleting all the suspected files and the trash solved the problem.

Yes it's one of Confickers. It's mutated one.
That's why we say 'downadup worm'.

[Creasy]

I don't think it's Conficker because in my case it was also a file xop32.exe and that was about one year ago.

As soon as my friend plugged his flash drive into my laptop Comodo D+ and Nod 32 constantly alerted me.
Thanks to Comodo and Nod32 my laptop didn't get infected

But we tried to clean my frind's laptop and flash drive.
It was very annoying and Nod32 couldn't get rid of this thread.
So we tried many things. I can't remember every steps we tried.
Comodo D+ quarantine, Nod32 virus removal, manualy deleting with Unlocker,...
In the end I think booting into Linux and deleting all the suspected files and the trash solved the problem.

Edit:
Here are two sites with instructions how to remove the infection:
http://inspiration.nyp.edu.sg/virus.html
http://www.oral8.cn/viruscom/viruscom_15478.html

http://www.threatexpert.com/report.aspx?md5=8c459defece8731b4f73b20676a079fe

http://www.bleepingcomputer.com/startups/xop32.exe-23862.html

http://www.prevx.com/filenames/X655384257657942566-X1/XOP32.EXE.html

Also, I've an expierince to take care of it with PCTOOLS Spyware Doctor.
Exactly same one.

[Philee]

Yes it's one of Confickers. It's mutated one.
That's why we say 'downadup worm'.

I thought Conficker was quite new and my contact with xop32 was about one year ago.
Was Conficker already out then or does it use the same filename now?

[Creasy]

I thought Conficker was quite new and my contact with xop32 was about one year ago.

There are many Confickers Conficker.A, Conficker.B, Conficker.C, Conficker.D etc.
And mutated confickers.
It's has been mutated from a year ago.

Was Conficker already out then or does it use the same filename now?

It's using different file name. It depands on who mutate those Confickers based on Conficker code.
Conficker is still mutating by bad people.

That's why
http://www.microsoft.com/Presspass/press/2009/feb09/02-12ConfickerPR.mspx

[Philee]

Okay, thanks for your answer.

[dunerunner68]

Creasy:
Windows is up to date, no network sharing on the computers in question, autorun off(again it is still able to infect by opening files on an infected USB drive, we have tested and confirmed this and autorun is disabled and we are using highest XP security template) I have not read all the links you listed, but my research into this virus has not seen that it is a mutated conflicker, not saying you’re not right, but your links from 4/21 7:53:22pm post, do not list it as a conflicker but I have not checked your other links yet. The worst this virus does, other than infect and spread by USB devices, is change appearance settings on our computers; our security settings does not let it do anything else it has been claimed to do.  On the rare occasion that someone tried to manually execute the xop32.exe, it has inserted registry entries, that’s been confirmed from our own test as well; when that happens it has to be unlocked to delete from the recycler.  Again removing the virus has not been a problem, stopping it from infecting our computers from USB drives to prevent spreading is our problem.  I was hoping to get insight  to whether or not Comodo’s real-time scanner will be updated to prevent infections of this type, I know other real-time scanners can, my ESET IS suite at home catches this infection on real-time scanning. 

I’m out of time at the moment, I’ll have to add additional comments later but thanks to all that have replied to my posts. 

[webwizard2]

Has anyone found a solution to this    ?:\Recycle?\*   I read all the posts but don't see anything new.
Thanks
Dale

[Candle Moon]

Use Ninja Pendisk download from http://ninjapendisk.com/
This ninja awaits quietly in the system tray for the times whenever a USB pendisk is inserted on the computer which will be examined to uncover the commonly malicious or virulent files known as “autorun.inf” and “ctfmon.exe” amongst many others.

[Tags:]