synthnassizer 0 Posted June 13, 2013 Share Posted June 13, 2013 Hello everyone, I am not sure if what I have is a virus, or malware, but ESET Antivirus business edition can not find it in deep scans. What is most unfortunate is that I can not find information on exactly relevant symptoms out on the net. The OS is Win7 64bit The problem that I face is that something is enabling the "hidden" attribute of the 1st level of folders (only) under a network share I have AND creates some .exe files (as many are there are folders) with the exact folder name. So basically the folders disappear from plane sight and some .exe files are put in place. There is a "recycleBin.dll" file also placed next to the .exe files. The average user does not understand the difference. Windows 7 pop up a windows about whether they want to run the executable and only if you press "yes" you are taken to the folder. but god knows what else has been run. manually I can easily delete these exe files and deselect the hidden attribute of the folder. Soon enough however, the problem will reappear. from other computers too. I run deep scans in all the pcs (OS and c:), as well as on the network shares. ESET doesn't see anything wrong. I actually let ESET scan explicitly these .exe files and it didn't understand what was wrong. Looking around on the net, I came across the porn.exe, sexy.exe etc etc file which seem to have a similar behaviour in some respect. But this is a 2008 virus and surely has been inserted in virus definition files already. Additionally, there is NOwhere any mention of the "recycleBin.dll" file. I tried running ERARemover_x64.exe and ESETConfickerCleaner.exe but had no luck. Do you know anything about this ? Thank you very much for your help Link to comment Share on other sites More sharing options...
ESET Moderators Aryeh Goretsky 378 Posted June 14, 2013 ESET Moderators Share Posted June 14, 2013 Hello, The filenames are used by a worm to spread itself have nothing to do with the age, or naming of the malware. I would be very surprised if any malware from 2008 was not detected by ESET, so I am assuming this is something new. Please submit copies of the files in a password-protected archive to ESET's virus lab for analysis by following the instructions in ESET Knowledgebase Article 141, "How do I submit a virus, website or potential false positive sample to ESET's lab?." If you could include an ESET SysInspector log from a machine you believe is infected in the archive, that would be helpful as well.Regards,Aryeh Goretsky Link to comment Share on other sites More sharing options...
ESET Insiders PodrskaNORT 17 Posted June 14, 2013 ESET Insiders Share Posted June 14, 2013 Maybe our experience could help you: We had (probably) identical case at one user, with behavior described at the begining of this topic. We manually found infected file, cleaned it from user's computers, tested sample in our testing environment and submitted it to samples@eset.com. Result - it was new variant of Win32/Caphaw.I malware. Interesting was that ESET Endpoint Antivirus 5.0.2126.3 did not recognized it, but ESET NOD32 Antivirus 6.0.316.5 recognized it (correctly) even before new Virus Database Library update was published. Also at the moment of sample submision, Virustotal showed detection rate of this sample 0/47 ... Link to comment Share on other sites More sharing options...
Recommended Posts