LinuxQuestions.org - Linux - Security - undead viruses (https://www.linuxquestions.org/questions/linux-security-4/undead-viruses-721085/)

Pedroski 04-23-2009 02:21 AM

undead viruses
 
I run my laptop on Ubuntu. Here in the college library, I use my pen drive to store things I download on their comp (Win XP). Must have picked up a virus.
jwgkvsq.vmx
I'm not very worried, as I presume it can't touch Linux.
The virus checker on this machine tells me every time I plug the pen drive in, that it has a virus. When I go home, I plug it into my computer and delete the whole directory recycled, put there by the virus checker.

But when I come back the library comp tells me I have it again on the pen drive.

I delete it as root, and presume it is gone. How does it survive? Can there be more copies of it on the pen drive, somehow unseen? I generally have show hidden files ticked, so I know what is on my comp.
The fact that I'm in China, and the anti virus is in Chinese is not very helpful---- I can't read what it says!

Any suggs?

hemantm 04-23-2009 02:32 AM

You can try taking a backup of the useful data from the pen drive, format the pen drive and restore the data from the backup, though running a good antivirus would have been a better option.

cloud9repo 04-23-2009 04:36 AM

Quote:

Originally Posted by Pedroski (Post 3518049)
I run my laptop on Ubuntu. Here in the college library, I use my pen drive to store things I download on their comp (Win XP). Must have picked up a virus.
jwgkvsq.vmx
I'm not very worried, as I presume it can't touch Linux.
The virus checker on this machine tells me every time I plug the pen drive in, that it has a virus. When I go home, I plug it into my computer and delete the whole directory recycled, put there by the virus checker.

But when I come back the library comp tells me I have it again on the pen drive.

I delete it as root, and presume it is gone. How does it survive? Can there be more copies of it on the pen drive, somehow unseen? I generally have show hidden files ticked, so I know what is on my comp.
The fact that I'm in China, and the anti virus is in Chinese is not very helpful---- I can't read what it says!

Any suggs?

Heuristic Piece Wise. It's infected with subsequent code other inert files. A triggering event re-assembles.

Pedroski 04-23-2009 04:54 AM

And to get rid of it?

Re-format?
Do you know this particular beast? What does it do apart from get on my nerves?

Crito 04-23-2009 05:53 AM

Pen drive uses FAT so the virus could have marked itself as a system file, in which case no (Windows-based) AV software will be able to remove it (as the OS will prevent the delete operation). Use the attrib command to remove any attributes, or just (re)format the thing if there's no data that needs to be salvaged.

Crito 04-23-2009 06:14 AM

Now that I think about it, you can boot off a pen drive too, so you should really repartition before reformatting, just in case the MBR has also been corrupted.

I once encountered a boot sector virus that encrypted the FAT table itself. Remove the virus and the whole disk became unreadable. Leave it there and your system ran really slowly but it ran, as did the botnet software, anywho...

Pedroski 04-23-2009 06:33 AM

Oh well, going down for a re-partition then. Little bastard thingy. Does it actually do anything then?

bitpicker 04-23-2009 06:58 AM

According to this page this file is probably connected to the Conficker (Kido, Downadup) worm. In essence, your stick may be able to infect Windows systems with that malware, which is currently the most successful and dangerous piece of malware extant. You should really delete all partitions on that stick and then rebuild it.

Robin

Hangdog42 04-23-2009 07:19 AM

You might also want to inform the library that their computers are infected. It probably is no surprise to them, but they really should do something about it. Like not run Windows, but they probably wouldn't like that suggestion.

H_TeXMeX_H 04-23-2009 07:32 AM

You should use dd to zero the drive then format it again.

Pedroski 04-23-2009 11:43 PM

10 million to one, it will be reinfected at the library. But if I format it ext3 or so, Win XP in the library won't read it!

Didn't get that bit about dd, can you elaborate?

jschiwal 04-24-2009 12:01 AM

According to McAfee, it is the Downadup (Conficker) worm.
http://threatinfo.trendmicro.com/vin...M_AUTORUN.CHN;

I don't like what you said about the Chinese language removal tool. Did you fall for scare-ware which may itself contain malware? Linux isn't immune from people who run trojan'ed download installers. Rely on your package manager and only use vetted code.

If you have an older pendrive, reformat it using a live distro, and insert it in the computer in the library. If it gets the malware on it, then it is the library computer that is the cause.

Pedroski 04-24-2009 03:44 AM

I do have chkrootkit.
I have set it in motion several times. It finds nothing.
What was that with dd? Do you know?

Live disk is good: I have Knoppix 6. Just it talks so much, and I'm not blind!

H_TeXMeX_H 04-24-2009 04:34 AM

Code:

# zero the drive
dd if=/dev/zero of=/dev/sd#

where 'of=' points to the USB drive. Be careful not to zero your HDD, it's very easy to put in sda instead of sdb and the like. This is a dangerous command, so be careful.

Then you can use fdisk or cfdisk to re-partition the USB drive. As for the library, I usually upload to gmail from the library, no need for the primitive USB stick method.

Pedroski 04-24-2009 05:02 AM

Thanks, I'll kill the beast now!

Pedroski 04-24-2009 05:50 AM

Did that, zeroed it, then formatted using gparted. Now it doesn't appear: fdisk -l shows only the hard drive, no sdb1. Oh dear!

H_TeXMeX_H 04-24-2009 06:21 AM

You probably didn't do it right, so here's what I do to clear the whole USB stick of anything:

Code:

bash-3.1# blkid
/dev/sda1: UUID="d43621ad-2877-4c1c-90bf-461c12067d8d" TYPE="jfs"
/dev/sda2: TYPE="swap" UUID="b5b58ff7-cb54-4a27-9b24-e01d50af61f9"
/dev/sdb: UUID="4870-A1C6" TYPE="vfat"
bash-3.1# dd if=/dev/zero of=/dev/sdb
dd: writing to `/dev/sdb': No space left on device
2080769+0 records in
2080768+0 records out
1065353216 bytes (1.1 GB) copied, 230.817 s, 4.6 MB/s
bash-3.1# mkdosfs -I -F 32 /dev/sdb
mkdosfs 2.11 (12 Mar 2005)

That's it, then I mount /dev/sdb as usual and it works fine.

Pedroski 04-25-2009 09:15 AM

Maybe a loose wire in the USB, or it is just a cheap stick. Wobble it a bit, and try it in different ports, and it works.

BUT: stuck it in the library comp today, and the anti virus promptly said: same virus. And it had written an auto forget what .bat or inf to the stick.

Is it so: I insert the stick, the virus copies itself onto the stick. The anti virus then tells me there is a virus? In that case, how come the anti virus doesn't see it on the library comp?

Anyway, I'll follow your advice to the letter, kill the bugger again. As I said: undead viruses! I have a Zombie!

PS: should the stick be free of everything after treatment, or does the partition table use space? Because after zeroing then formatting, there was about 50Kb used. Or was that my friend the virus?

Pedroski 04-25-2009 09:27 AM

dd won't talk to me!
Doesn't it have a -v option to make it output something? It is taking forever! Think it has gone wrong!

Pedroski 04-25-2009 09:31 AM

kill -s INFO $5321; wait $5321

This didn't make it output anything either.

H_TeXMeX_H 04-25-2009 09:51 AM

Quote:

Originally Posted by Pedroski (Post 3520493)
Is it so: I insert the stick, the virus copies itself onto the stick. The anti virus then tells me there is a virus? In that case, how come the anti virus doesn't see it on the library comp?

Anyway, I'll follow your advice to the letter, kill the bugger again. As I said: undead viruses! I have a Zombie!

PS: should the stick be free of everything after treatment, or does the partition table use space? Because after zeroing then formatting, there was about 50Kb used. Or was that my friend the virus?

It's possible for the virus to do that and the antivirus could only be able to detect it on the USB stick.

How big is the USB stick? It may take a while to zero the drive, you're basically writing zeroes to the whole drive. Technically you shouldn't do this too often as it will wear down the drive, but AFAIK there is nothing that can escape this zeroing. The virus would be wiped. If dd is slow, try using a different, often larger, 'bs=' option for dd. Like 'dd bs=1M if=whatever of=drive'.
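The two things that went wrong for the poster above (picking the wrong /dev/sdX, and dd giving no feedback) can both be guarded against before anything destructive runs. The script below is an added example for this thread, not code posted by anyone in it: it only prints the dd command once the target passes a few checks, and executes it solely when called with an explicit `--really` flag. It assumes a Linux sysfs tree (`/sys/block/<dev>/removable`, overridable via `SYSFS_ROOT`) and a mount table (`/proc/mounts`, overridable via `MOUNTS`) so the checks can be exercised on constructed input; `status=progress` is a GNU coreutils option (8.24 and later) that did not exist when the thread was written.

```shell
#!/bin/sh
# Added example: guard rails around the "dd if=/dev/zero of=/dev/sdX" wipe.
# SYSFS_ROOT and MOUNTS default to the live system but can be pointed at a
# constructed tree for testing (assumption: sysfs exposes block/<dev>/removable).
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# Return 0 only when the kernel flags the whole device as removable
# (a USB stick reports 1 here; an internal SATA disk reports 0).
is_removable() {
    dev="$1"
    [ "$(cat "$SYSFS_ROOT/block/$dev/removable" 2>/dev/null)" = "1" ]
}

# Return 0 when neither the device nor any of its partitions is mounted.
is_unmounted() {
    dev="$1"
    ! grep -Eq "^/dev/$dev[0-9]* " "$MOUNTS"
}

# Print the dd command that would wipe the device, or fail with a reason.
# Nothing is executed here; the caller decides whether to run it.
wipe_plan() {
    dev="$1"
    case "$dev" in
        sd[a-z]|sd[a-z][a-z]) ;;
        *) echo "refusing: '$dev' is not a whole sdX device" >&2; return 1 ;;
    esac
    is_removable "$dev" || { echo "refusing: $dev is not flagged removable" >&2; return 1; }
    is_unmounted "$dev" || { echo "refusing: $dev is still mounted" >&2; return 1; }
    # bs=4M avoids the 512-byte writes that make dd crawl on flash media;
    # status=progress gives the periodic output the thread was asking for.
    echo "dd if=/dev/zero of=/dev/$dev bs=4M status=progress"
}

# Execute the plan only when invoked as: ./wipe.sh sdb --really
if [ "$#" -eq 2 ] && [ "$2" = "--really" ]; then
    cmd="$(wipe_plan "$1")" || exit 1
    echo "running: $cmd"
    eval "$cmd"
fi
```

Without `--really` the script is a dry run: `wipe_plan sdb` prints the command for a removable, unmounted stick and refuses for anything else, so the check can be read and trusted before the real write happens. On older coreutils without `status=progress`, sending dd `SIGUSR1` (`kill -USR1 <pid>`) makes it print its byte count; `INFO` is the BSD signal name and is not recognised by the Linux kill.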

Pedroski 04-25-2009 11:43 PM

It's a 2GB stick, cheap one, Kingston.

Did what you said last night. Worked apart from dd won't talk to me, and was taking so long, I thought it had hung itself, so I killed the process. After this I reformatted as per your instructions. On remounting, there were 14Kb of the stick in use. Is that the partition table? Or leftover from dd being killed?

And: today, in the library, got it again. Must remember to use gmail!

bitpicker 04-27-2009 03:25 AM

You really should notify the library of the infection. The Conficker worm is a really bad thing, you only have to google a bit for the name to find a lot of info about it. And they are spreading it like Typhoid Mary. Normally the worm comes in through an unpatched security leak in Windows (unpatched by the administration, that is: MS issued a patch last October). It will keep Windows from patching, will keep the system from accessing antivirus vendors' sites and getting updates etc. It will also spread scareware. This worm already shut down the communication systems of the British Navy, the French Air Force, 3,000 computers in Austrian hospitals and lots more, cleaning up after it often took weeks.

Once it is on a system it infects removable media like your stick by writing auto-executing information on it, which will then go on to infect any Windows computers the stick gets connected to. This infects even systems which already have the MS patch.

Robin
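Because the stick picks the infection up again on every library visit, it helps to be able to check it on the Linux side after each trip, before anything on it gets opened. The script below is an added example for this thread, not code from any of the posters: it looks, read-only, for the markers the thread itself mentions (an autorun.inf at the root of the stick, the jwgkvsq.vmx file, and a RECYCLED/RECYCLER directory), and prints what an autorun.inf would launch. It assumes the stick is already mounted at the directory given as the first argument; the file contents used in the usage example are constructed.

```shell
#!/bin/sh
# Added example: read-only check of a mounted stick for the markers discussed
# in the thread. Assumption: $1 is the mount point of the (vfat) stick.
# Nothing here deletes anything.

# Print each suspicious path under the mount point, one per line.
# Exit status: 0 when clean, 1 when at least one marker is present,
# 2 when the mount point does not exist.
scan_stick() {
    mnt="$1"
    [ -d "$mnt" ] || { echo "no such directory: $mnt" >&2; return 2; }
    # vfat is case-insensitive, so match any capitalisation (-iname).
    # autorun.inf only matters at the root, which is where Windows reads it;
    # the dropped executable and the recycler directory are matched by name.
    hits=$( { find "$mnt" -maxdepth 1 -type f -iname 'autorun.inf'
              find "$mnt" -type f -iname 'jwgkvsq.vmx'
              find "$mnt" -maxdepth 1 -type d -iname 'recycle[dr]'; } | sort -u )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Print the open=/shellexecute= lines of an autorun.inf: these name the
# program a Windows host with autorun enabled would start on insertion.
# Carriage returns are stripped because the file is usually CRLF.
autorun_target() {
    tr -d '\r' < "$1" | grep -iE '^(open|shellexecute)='
}

# Usage: ./scan.sh /media/stick
if [ "$#" -eq 1 ]; then
    if scan_stick "$1"; then
        echo "no markers found under $1"
    else
        for f in "$1"/[Aa][Uu][Tt][Oo][Rr][Uu][Nn].[Ii][Nn][Ff]; do
            [ -f "$f" ] && { echo "$f would launch:"; autorun_target "$f"; }
        done
    fi
fi
```

A clean stick gives exit status 0 and no output; an infected one lists the offending paths and, for an autorun.inf, the `open=` line naming the executable it points at. A hit after a library visit confirms the poster's reading of the situation: the stick is clean when it leaves home and is re-infected by the library machine, which is the library's problem to fix, not the stick's.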


All times are GMT -5.