ESET Smart Security can't protect me from .lnk malware

Status
Not open for further replies.

WinXPert

Level 25
Verified
Trusted
Malware Hunter
Jan 9, 2013
1,461
Right-click on a shortcut (*.lnk) and select Properties.

[screenshot: the shortcut's Properties dialog]

See what's on Target. In my example a .vbs is the source of the worm.
 

Khairul

Level 2
Verified
Feb 3, 2015
89
May need to format the USB drives. Also, installing Panda USB Vaccine may be beneficial, mainly to disable autorun. Also, repeated infection could mean you have a rootkit or a worm on your PC somewhere. Would recommend running MBAM and TDSSKiller. SuperAntiSpyware may be beneficial to check for adware. From the sounds of it, it's some sort of autorun worm. Very common tactic, and depending on other issues with the PC, could mean a Sality or Gamarue infection. Gamarue is quite common; so is Sality. Despite MSE's downfalls, Microsoft Safety Scanner in personal experience has detected Gamarue pretty consistently. So it's worth a shot.

Ah, about that, the vaccination never really worked; I have tried them before, and yes, this is a new virus. If you still find your PC infected with this shortcut, try a noob step like I always do: launch Task Manager, look for any weird apps launched or in the Startup section. It might be there, launching at startup along with other startup programs. Right-click, Open file location, and it should point you to where the malware is.

Simply isolate the malware folder and put it into an archive (RAR/ZIP). Don't know how to do this? Let me do it for you. I'm just simply crazy in love with malware and love to help.

Assuming that, according to all of the stories here, this is a new type of virus that is undetectable by AVs (based on 3 different AVs used here, and 4 different AV engines that were only able to remove the .lnk but not the source of infection).
 

Khairul

Level 2
Verified
Feb 3, 2015
89
Not leftover, it is a valid file from Microsoft.

It's a valid file, but I can assure you that it wasn't created there by the user themselves. That's why I called it "leftover", as it is being created by the virus.
 

Maxxx58

Level 13
Dec 20, 2014
619
Thank you all of you for supporting me! @WinXPert, @Huracan, @Khairul, @NatsuruHaveALife :D @Enju
But now, I think my computer isn't infected anymore (thanks to @jamescv7's guide above), because when I plug the USB in again, it doesn't show any USB shortcut in the drive. I just want to know how to protect my computer from USB infection (as mentioned above, ESET SS, Zemana and EEK can't protect me). Can someone guide me on how to do that, because I'm very scared of that type of malware (past till now)?
 

Enju

New Member
Jul 16, 2014
443
Assuming that, according to all of the stories here, this is a new type of virus that is undetectable by AVs (based on 3 different AVs used here, and 4 different AV engines that were only able to remove the .lnk but not the source of infection).
It's not undetectable, but it was 0-day when he got infected with it.
It's a valid file, but I can assure you that it wasn't created there by the user themselves. That's why I called it "leftover", as it is being created by the virus.
The file is a legitimate and needed Windows executable; it's included in every installation, and by removing it you get an unbootable system.
Thank you all of you for supporting me! @WinXPert, @Huracan, @Khairul, @NatsuruHaveALife :D @Enju
Can someone guide me on how to do that, because I'm very scared of that type of malware (past till now)?
Disable AutoPlay and don't open any unknown executable files contained on a USB stick, even if it's from a friend.
 

Khairul

Level 2
Verified
Feb 3, 2015
89
Thank you all of you for supporting me! @WinXPert, @Huracan, @Khairul, @NatsuruHaveALife :D @Enju
But now, I think my computer isn't infected anymore (thanks to @jamescv7's guide above), because when I plug the USB in again, it doesn't show any USB shortcut in the drive. I just want to know how to protect my computer from USB infection (as mentioned above, ESET SS, Zemana and EEK can't protect me). Can someone guide me on how to do that, because I'm very scared of that type of malware (past till now)?

I agree with @Enju: disable AutoPlay. It will stop it from automatically entering your PC. But still, there isn't any way that we could say it's guaranteed 100% safe. It's still up to you to carefully examine things on the thumb drive before clicking any. Have a nice day ;)
 

Maxxx58

Level 13
Dec 20, 2014
619
I agree with @Enju: disable AutoPlay. It will stop it from automatically entering your PC. But still, there isn't any way that we could say it's guaranteed 100% safe. It's still up to you to carefully examine things on the thumb drive before clicking any. Have a nice day ;)
Have a nice day, too!
Before, when I used Windows XP and 7, after installing Windows, I always disabled autorun. But when I used Windows 8.1, I missed it (because I think most AVs can detect and kill this old type of malware). Henceforth, I always disable autorun on my Windows.
 

Khairul

Level 2
Verified
Feb 3, 2015
89
Have a nice day, too!
Before, when I used Windows XP and 7, after installing Windows, I always disabled autorun. But when I used Windows 8.1, I missed it (because I think most AVs can detect and kill this old type of malware). Henceforth, I always disable autorun on my Windows.

Even though it looks old, there is always a new way hackers will make the current viruses undetected.
 

WinXPert

Level 25
Verified
Trusted
Malware Hunter
Jan 9, 2013
1,461
Thank you all of you for supporting me! @WinXPert, @Huracan, @Khairul, @NatsuruHaveALife :D @Enju
But now, I think my computer isn't infected anymore (thanks to @jamescv7's guide above), because when I plug the USB in again, it doesn't show any USB shortcut in the drive. I just want to know how to protect my computer from USB infection (as mentioned above, ESET SS, Zemana and EEK can't protect me). Can someone guide me on how to do that, because I'm very scared of that type of malware (past till now)?

360 TS (built-in)

[screenshot: 360 Total Security USB protection setting]

Autorun Protector

[screenshot: Autorun Protector]

http://www.usb-guardian.com/

[screenshot: USB Guardian]

Make sure this is configured to start with Windows.

The best AV will still be common sense.
 

Khairul

Level 2
Verified
Feb 3, 2015
89
This virus arrived at one of the cyber cafes that agreed to be under my watch, and we were able to identify the whole part of the virus.

It is mainly undetectable by most AVs except:

https://www.virustotal.com/en/file/...44d7b2d6cb9f48931fbb2847/analysis/1432341188/

It hides in 2 places, which are ProgramData and the Users folder, and stores part of its process in the "operating memory". Each time it is deleted manually, it will auto-replace itself again. Once the process in the "operating memory" is killed, it cannot reproduce.

Spreading via LNK trojan (shortcut), and each time the source of the malware on the thumb drive changes, e.g.: ~$jyckliqymkezoei.bak / ~$aazunsme.bak / ~$kalmfskemd.bak

The only way to stop this is to kill the shortcut, and the .bak won't have any function at all.

And the malware files are hell big, around 94 MB. As my internet is slow, I will share the sample with this community once it has been uploaded.
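WinXPert's tip earlier in the thread (look at what the shortcut's Target actually runs) and Khairul's observation that the lure .lnk files point at renamed ~$*.bak payloads can be automated when triaging a thumb drive. The script below is an added example, not code from this thread or from any product named in it: it parses the StringData fields of the Shell Link (.lnk) format and flags shortcuts whose target or arguments invoke a script host or a .vbs/.bak file. The two sample shortcuts are constructed in-script, and the wscript.exe command line is an assumption about how such a lure would look.

```python
import struct
# LinkFlags bits from the MS-SHLLINK specification (offset 20 of the 76-byte header)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]
# Indicators that a "document" shortcut really launches a script host or a disguised payload
SUSPECT = ("wscript", "cscript", "cmd.exe", "powershell", ".vbs", ".bak")
SHLINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # skip LinkInfo (u32 size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:               # StringData blocks appear in this fixed order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields

def is_suspicious(fields: dict) -> bool:
    """True when the target or arguments point at a script host or a .vbs/.bak payload."""
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return any(s in text for s in SUSPECT)

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk (no IDList, no LinkInfo) used only to exercise the parser."""
    header = struct.pack("<I16sI", 0x4C, SHLINK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (0x4C - len(header))    # zero the remaining header fields
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body

# Constructed samples: a lure like the one in the thread (assumed wscript command line) and a benign one
WORM_LNK = build_lnk("..\\..\\Windows\\System32\\wscript.exe", '/e:vbs "~$kalmfskemd.bak"')
BENIGN_LNK = build_lnk("..\\Photos\\holiday.jpg", "")
```

Real shortcuts usually carry an IDList and LinkInfo block as well; the parser skips both by their declared sizes, so it can be pointed at every *.lnk in the root of a removable drive to list which ones deserve a closer look.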
 