Thread: strange new virus

strange new virus
user name
2006-12-12 23:04:43
VAR in Honolulu has a previously squeaky clean XP system now
infected with something strange:
Symptom list:
1) All desktop icons disappeared
2) When recreated by hand, some days later they all were
rendered un-runnable because they had all been renamed with
an additional .lnk suffix.
3) On every boot, after the XP splash screen, but before
User Login (2 profiles), there is a 4" x 5" screen
with an Exit and an OK button. The screen shows a black
background which overlays the XP blue login screen; it looks
like a VB screen. The name in the top bar changes on every
boot, such as c:\windows\system32\mup.sys, or i20mgr.sys,
etc. This full file name is preceded by usually 8 small box
characters. Inside the white body of the screen there are a
few special characters: [} and a character that looks like
an inverse equal sign, standing vertically.
4) CTRL-ALT-DEL at this point shows you flashes of blue
underneath
5) The Outlook .PST file is missing
6) My antivirus and all other SYSTRAY items are gone
7) IE6 or IE7 won't connect to home page, instead Internet
Properties opens on the General Tab
8) Trend Micro PC-Cillin 2006 sees nothing, same with their
Housecall and WinSIC, or SYSCLEAN utilities.
9) MS RootkitRevealer finds nothing.

Infection route: while it could have been web browsing, or
email, I really think it came from an odd incident when a
client came in with CAD files to print on a thumb drive.
Trend says thumbdrives don't infect PCs, though I've looked
at the U3.com software available for a SanDisk Cruzer (and
several other makes) and it seems like there's a CPU in it,
because you can scan a new PC for viruses using Avast from
the thumb drive.

At one point they sent me a tool to fix the associations
with applications, so that now Start Programs run most apps.

However, I've lost my email. This case has been open at
Trend for more than a month, and now they are telling me it
is not a virus and don't worry.

Not only that, when I call Trend Tech support, they hang up
on me repeatedly, or put my call back in the queue, or
promise to work the next day with me, and then don't. They
want me to go away, but I think this is a serious threat.

CAN a thumbdrive infect a system?
Has anyone seen anything like this, or know how to respond
to it and recover my email (besides backup)?

Thanks for any leads.

That can't be correct, is it?

---------------------------------------------------------------------------

strange new virus
user name
2006-12-13 04:06:25
On 12 Dec 2006 23:04:43 -0000 novovida@hotmail.com wrote:

> VAR in Honolulu has a previously squeaky clean XP system now infected
> with something strange:
> Symptom list:
> 1) All desktop icons disappeared
> 2) When recreated by hand, some days later they all were rendered
> un-runnable because they had all been renamed with an additional .lnk
> suffix.
> 3) On every boot, after the XP splash screen, but before User Login
> (2 profiles), there is a 4" x 5" screen with an Exit and an OK button.
> The screen shows a black background which overlays the XP blue login
> screen; it looks like a VB screen. The name in the top bar changes on
> every boot, such as c:\windows\system32\mup.sys, or i20mgr.sys, etc.
> This full file name is preceded by usually 8 small box characters.
> Inside the white body of the screen there are a few special
> characters: [} and a character that looks like an inverse equal sign,
> standing vertically.
> 4) CTRL-ALT-DEL at this point shows you flashes of blue underneath
> 5) The Outlook .PST file is missing
> 6) My antivirus and all other SYSTRAY items are gone
> 7) IE6 or IE7 won't connect to home page, instead Internet Properties
> opens on the General Tab
> 8) Trend Micro PC-Cillin 2006 sees nothing, same with their Housecall
> and WinSIC, or SYSCLEAN utilities.
> 9) MS RootkitRevealer finds nothing.

I haven't seen anything like this, but that doesn't mean much.

> Infection route: while it could have been web browsing, or email, I
> really think it came from an odd incident when a client came in with
> CAD files to print on a thumb drive. Trend says thumbdrives don't
> infect PCs, though I've looked at the U3.com software available for a
> SanDisk Cruzer (and several other makes) and it seems like there's a
> CPU in it, because you can scan a new PC for viruses using Avast from
> the thumb drive.

OK, I just dealt with this over the weekend. U3-compatible thumb drives
emulate a CD-ROM drive (possibly a CD-Writer according to some sources).
First, that CD image that is on the thumb drive is set to autorun.
Second, last time I checked (circa Windows 98), autorun.inf files were
checked for on any drive plugged into a Windows machine. I used to
change the icons of zip disks for the fun of it this way. So the
conclusion is that it is possible to automatically install software
from a thumb drive... at least one way, probably more.

There isn't a CPU on the thumb drive. U3-compatible software is allowed
to use any (I think) resources on the host system -- HD, memory, CPU,
registry, etc. -- but has to remove any traces of itself when you say
you're ready to eject the thumb drive. Then there are programs that run
fine without installation (TreeSize, for instance), and those can be
run from a thumb drive without a problem too.

> At one point they sent me a tool to fix the associations with
> applications, so that now Start Programs run most apps.
>
> However, I've lost my email. This case has been open at Trend for more
> than a month, and now they are telling me it is not a virus and don't
> worry.

Mmmm, it does sound suspicious, but if they haven't seen it, it is hard
for them to do something about it.

> Not only that, when I call Trend Tech support, they hang up on me
> repeatedly, or put my call back in the queue, or promise to work the
> next day with me, and then don't. They want me to go away, but I think
> this is a serious threat.
>
> CAN a thumbdrive infect a system?
> Has anyone seen anything like this, or know how to respond to it and
> recover my email (besides backup)?

Pretty much, I'd say if there is a rogue program doing things to your
system, your best bet is to reload and restore from backups. Sorry. Oh,
and disable AutoRun.

---------------------------------------------------------------------------

strange new virus
user name
2006-12-13 04:53:20
It's very doubtful that a thumbdrive simply being plugged in can infect
a computer. In order to force a program on a thumbdrive to run one would
have to re-write the little ROM chip on them that tells the PC what it
is, what driver to use, its name etc, unless they are getting away from
ROMs and using a small portion of the memory that's "hidden" to normal
programs (this would explain why you can rename it and its name carries
from machine to machine). If someone wrote a little piece of arbitrary
code saying to "use this file to see this drive properly" or something
and point to a hidden .exe on the flash then it's possible simply
plugging it in can infect a PC. I haven't found an autorun for USB files
that's silent like you do for CDs that install rootkits when you pop
them in.

Another thing you may check is ask whoever plugged in the drive if a
window appeared asking to open the folder, play the audio, play the
video, you know the standard autoplay window that pops up; they could
have possibly clicked on something in that that triggered an infection.

There was a virus threat to Windows in that one could be hidden and run
from an image file using its macros, but CAD files weren't affected by
this; doubt this is the case.

Also judging by the description it didn't hit any system files; those
are all basic operations an admin can perform. What it looks like is a
custom script/VB app someone has made. You can write a program to start
pre-Windows logon; this will appear after you hit Ctrl+Alt+Del, or on an
XP box that doesn't log on that way, on the user "welcome" screen. It
sounds like a "cutesy" virus that plays with a system, being more of an
annoyance than a harm, although losing the PST file is a bad deal.

When Trend says it's not a virus, what they're really saying is that
it's something that hasn't spread enough to be on their radar; remember
that a virus is any program that replicates itself and spreads, you may
have a localized instance that doesn't go any further.

Some things to check.

In HKLM there is a key you might want to check; it's under
Software\Microsoft\Windows NT\current\WinLogon. The key is userinit;
make sure you don't have anything funky in there other than
C:\Windows\System32\Userinit.exe. In this key one can append programs
with the ","; this key runs every time someone logs in, it's not like
the startup menu where you can turn those off: put it there and it will
run. Make sure that it's an .exe; if it's a .bat, .cmd, .vbs,
.something, change it to .exe and nothing else is tagged on to the end
that doesn't look normal, i.e. haha.exe is probably not a good program
to have there.

Another thing, check the startup menu and msconfig; this virus looks
simple enough to concoct the writer may have not known about or used
the userinit.

With the AV and systray items gone it looks like they may have just
turned off the services/apps from starting in msconfig and
services.msc. For the AV being gone, if you mean uninstalled, then one
possibility, in this virus, is that it went through the registry and
looked at a few keys, specifically the uninstall under
Software\Microsoft\Windows\current\Uninstall\* (our list of add/remove
apps). Most generally commercial apps are installed with MSIs or Wise;
simply sending something like this to the command line (found in the
registry) will get rid of your AV: msiexec /uninstall trendmicroav.msi
/qn, and all of a sudden your AV disappears off the desktop and
systray.

Try re-installing your AV; if for some reason you can't even run the
install or after the install it doesn't work, that means your bug is
still running in the background; at that point check the processes
again.

That's about all I can help with without seeing the system. The biggest
problem you may have is that second user account; if it's a generic
account any number of people use, take it down to a user level and
nothing higher, and restrict that further with gpedit.msc. If you're
just printing CAD files, set it up to do just that.
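The registry checks recommended here (the Winlogon Userinit value) and in the previous reply (disable AutoRun) can be done from an export rather than by eye. The Python below is an added example, not something any poster supplied: it parses the text that reg export writes for the two keys and reports any Userinit entry other than userinit.exe itself, plus an AutoRun policy that still allows CD-ROM or removable drives. The export in SAMPLE_REG is constructed, with the hypothetical haha.exe from the reply above tacked onto Userinit and NoDriveTypeAutoRun at the XP default of 0x95; the key paths are the full Windows ones, which the reply abbreviates.

```python
"""Audit a Windows .reg export for the Winlogon Userinit value and the
AutoRun policy.

Added example, not from any poster. SAMPLE_REG is constructed: the Userinit
value carries the hypothetical haha.exe mentioned in the reply above, and
NoDriveTypeAutoRun holds the XP default 0x95.
"""
import re

# Constructed `reg export` output (real key paths; the values are made up).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\haha.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_POLICY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                   r"\Policies\Explorer")
# Adjust if the system root is not C:\WINDOWS; compared case-insensitively.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# NoDriveTypeAutoRun is a bitmask of drive types (bit = 1 << DRIVE_type).
REMOVABLE_BIT = 0x04   # DRIVE_REMOVABLE: an ordinary thumb drive
CDROM_BIT = 0x20       # DRIVE_CDROM: also what a U3 stick's CD partition is
ALL_DRIVE_TYPES = 0xFF

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from .reg export text.
    Handles quoted strings (undoing the doubled backslashes and escaped
    quotes that reg export writes) and dword:XXXXXXXX values."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                value = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            elif data.lower().startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data          # hex(...) blobs etc. left untouched
            result[current][name] = value
    return result


def audit_userinit(value):
    """Findings for a Userinit string: comma-separated programs run at every
    interactive logon, so only userinit.exe itself should be present."""
    findings = []
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    for entry in entries:
        if entry.lower() == EXPECTED_USERINIT:
            continue
        if not entry.lower().endswith(".exe"):
            findings.append(f"non-.exe entry in Userinit: {entry}")
        else:
            findings.append(f"unexpected program in Userinit: {entry}")
    if not any(e.lower() == EXPECTED_USERINIT for e in entries):
        findings.append("userinit.exe itself is missing from Userinit")
    return findings


def audit_autorun_policy(value):
    """Findings for NoDriveTypeAutoRun (None when the value is absent)."""
    if value is None:
        return ["NoDriveTypeAutoRun not set: AutoRun follows the default"]
    findings = []
    if not value & CDROM_BIT:
        findings.append(f"AutoRun still allowed on CD-ROM drives (0x{value:02X}); "
                        "a U3 stick presents itself as one")
    if not value & REMOVABLE_BIT:
        findings.append(f"AutoRun still allowed on removable drives (0x{value:02X})")
    if value != ALL_DRIVE_TYPES:
        findings.append("set NoDriveTypeAutoRun to 0xFF to cover every drive type")
    return findings


def audit_export(text):
    """Run both checks over a .reg export and return all findings."""
    reg = parse_reg_export(text)
    findings = []
    userinit = reg.get(WINLOGON, {}).get("Userinit")
    if userinit is None:
        findings.append("Userinit value not present in export")
    else:
        findings.extend(audit_userinit(userinit))
    policy = reg.get(EXPLORER_POLICY, {}).get("NoDriveTypeAutoRun")
    findings.extend(audit_autorun_policy(policy))
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_REG):
        print("-", finding)
```

To run it against a real machine, export the two keys with reg export and read the file with encoding="utf-16", since reg export writes Unicode; a clean box gives an empty list. The default 0x95 leaves the CD-ROM bit clear, which is why the emulated CD partition of a U3 stick is not covered by the policy until it is raised to 0xFF.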

---------------------------------------------------------------------------

strange new virus
user name
2006-12-13 10:22:27
Thumb drives usually cannot infect a computer just by inserting them (at
least I never heard of that), but they can contain infected files that
you can open and run.

I don't think Trend Micro can do anything to help you unless you provide
them some infected files.

Try to check if any unusual process is running in the background; check
in the registry, configuration files and the startup folder for every
executable file run at startup.

The small boxes and other odd characters may be a message in a language
your computer's Windows doesn't support (probably East Asian or
Cyrillic).

It may also be possible that you executed a program that completely
messed up your system, installed programs, libraries or drivers in a
foreign language and deleted some of your files, including itself.

Given the level of damage, if I were you, I would format the hard disk
and reinstall everything. It's the only way to be sure your computer is
clean. Of course, you may still have copies of the virus in thumb
drives, diskettes, memory cards, etc.

If you really want to find out about this you can contact an antivirus
company (doesn't need to be Trend Micro) and ship them your hard disk.


Regards,

Paolo.



---------------------------------------------------------------------------

strange new virus
user name
2006-12-13 23:37:15
Are they trying to say that you can't run an exe from a thumbdrive or
that you can't copy an infected file from a thumbdrive? Weird thing to
say. Or maybe they're saying that their software will stop that from
happening?

Not sure if the ability to scan from a thumbdrive means that the drive
has a CPU on it; you can boot an OS (e.g. Puppy Linux) from a thumbdrive
and load it to RAM and use the native CPU and do lots of things.

Have you got a list of running processes? Personally I'd think it was a
virus going by symptoms alone, but still you'd want to check so many
other things; a registry that is shot, for instance.
Can you do a system restore? Make sure you've isolated it from the
network first, of course.

Can you get into safe mode with command prompt? Then run netstat -a -o
to see what processes are running and trying to connect.

Lost email? Have you tried running searches etc? Use *.pst as a search
term. Or perhaps the extension got changed. If the pst has been deleted
and you've been using the machine all this time then you may find it
hard to recover the file; it would have been marked as empty space and
then any booting/saving of files etc will be writing to that empty
space and potentially over your lost pst file.

You could download some free undelete type software to see old files
that have simply had their headers removed and see if you can find the
file.

Take an image of the drive and then at least you have a copy of what it
looks like now. And make it a binary image so that you don't lose
space/slack that may be important; see the SecurityFocus basics list
for the thread about dd and Windows disks. (I learnt something
invaluable this week!) Helped me out immeasurably.

Also have you tried running Spybot and HijackThis in safe mode?



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of novovida@hotmail.com
Sent: Wednesday, December 13, 2006 9:05 AM
To: focus-ms@securityfocus.com
Subject: strange new virus

---------------------------------------------------------------------------

strange new virus
user name
2006-12-14 00:02:52
Just found this to do with U3 technology: I wonder if that could have
something to do with the problems?

http://www.sandisk.com/Retail/Default.aspx?CatID=1450#Q5




---------------------------------------------------------------------------

strange new virus
user name
2006-12-14 20:43:48
> Thumb drives can't infect a computer... ?

Make an autorun.inf file on the thumb drive and put the following lines
in it.

[autorun]
open=Killme.bat
ACTION = Autorun shouldn't be enabled for your own good

-Mike
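Matt's reply earlier in the thread explained that Windows looks for autorun.inf on any drive it mounts, and this post shows how little such a file needs to contain. The Python below is an added example, not code from Mike or anyone else on the list: a small parser that reads an autorun.inf and lists every directive that would make AutoRun launch a program, so a stick can be examined from a machine with AutoRun disabled before it is trusted. It covers more than the open= line shown here: shellexecute=, custom shell\verb\command= entries, and a shell= line that makes such a verb the default double-click action, all of which are standard autorun.inf directives. The three sample files are constructed; the first reproduces the file from this post.

```python
"""Inspect an autorun.inf for directives that would launch a program.

Added example; the sample files below are constructed (SAMPLE_FROM_POST
reproduces the file from Mike's post).
"""
import re

# Directive names (lowercased) that make AutoRun/AutoPlay execute something
# or redirect the default action of the drive.
LAUNCH_KEYS = {"open", "shellexecute", "shell"}
# shell\<verb>\command=program: a custom verb, run when chosen from the
# context menu or, with shell=<verb>, on double-click.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

SAMPLE_FROM_POST = """[autorun]
open=Killme.bat
ACTION = Autorun shouldn't be enabled for your own good
"""

# Constructed: label and icon only, nothing runs from this one.
SAMPLE_BENIGN = """[autorun]
label=CAD files
icon=drawing.ico
"""

# Constructed: launches through a custom verb made the default action.
SAMPLE_SHELL_VERB = r"""; constructed sample
[AutoRun]
shell\explore\command=update.exe
shell=explore
"""


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section and key names are lowercased because Windows matches them
    case-insensitively; lines starting with ';' are comments. Keys may
    contain backslashes (the shell verb form), so split on the first '='.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(text):
    """Return [(key, value)] for every directive in [autorun] that would
    run a program or change what double-clicking the drive does."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in autorun.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def is_suspicious(text):
    """A file that only sets label/icon is normal; anything that names a
    program to run deserves a look before the drive is trusted."""
    return bool(launch_directives(text))


if __name__ == "__main__":
    for name, sample in [("from post", SAMPLE_FROM_POST),
                         ("benign", SAMPLE_BENIGN),
                         ("shell verb", SAMPLE_SHELL_VERB)]:
        print(f"{name}: suspicious={is_suspicious(sample)} "
              f"launches={launch_directives(sample)}")
```

On a real stick, read autorun.inf from the drive root (and from the CD-ROM letter a U3 drive adds, since that is the partition set to autorun) and pass the text to launch_directives; the target it names is the file to hand to the AV vendor.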


---------------------------------------------------------------------------

strange new virus
user name
2006-12-14 18:12:50
I wouldn't be so sure about that. Check out:

http://www.schneier.com/blog/archives/2006/06/hacking_compute.html

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Paolo Scarabelli
Sent: Wednesday, December 13, 2006 4:22 AM
To: novovida@hotmail.com
Cc: focus-ms@securityfocus.com
Subject: Re: strange new virus


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thumb drives usually cannot infect a computer just by inserting them (at least I never heard of that), but they can contain infected files that you can open and run.

I don't think Trend Micro can do anything to help you unless you provide them some infected files.

Try to check if any unusual process is running in the background; check in the registry, configuration files and the startup folder for every executable file run at startup.

The small boxes and other odd characters may be a message in a language your computer's Windows doesn't support (probably East Asian or Cyrillic).

It may also be possible that you executed a program that completely messed up your system, installed programs, libraries or drivers in a foreign language and deleted some of your files, including itself.

Given the level of damage, if I were you, I would format the hard disk and reinstall everything. It's the only way to be sure your computer is clean. Of course, you may still have copies of the virus on thumb drives, diskettes, memory cards, etc.

If you really want to find out about this you can contact an antivirus company (it doesn't need to be Trend Micro) and ship them your hard disk.


Regards,


Paolo.


novovida@hotmail.com wrote:
> VAR in Honolulu has a previously squeaky clean XP system now infected with something strange:
> Symptom list:
> 1) All desktop icons disappeared
> 2) When recreated by hand, some days later they all were rendered un-runnable because they had all been renamed with an additional .lnk suffix.
> 3) On every boot, after the XP splash screen, but before User Login (2 profiles), there is a 4" x 5" screen with an Exit and an OK button. The screen shows a black background which overlays the XP blue login screen; it looks like a VB screen. The name in the top bar changes on every boot, such as c:\windows\system32\mup.sys, or i20mgr.sys, etc. This full file name is preceded by usually 8 small box characters. Inside the white body of the screen there are a few special characters: [} and a character that looks like an inverse equal sign, standing vertically.
> 4) CTRL-ALT-DEL at this point shows you flashes of blue underneath
> 5) The Outlook .PST file is missing
> 6) My antivirus and all other SYSTRAY items are gone
> 7) IE6 or IE7 won't connect to home page; instead Internet Properties opens on the General Tab
> 8) Trend Micro PC-Cillin 2006 sees nothing, same with their Housecall and WinSIC, or SYSCLEAN utilities.
> 9) MS RootkitRevealer finds nothing.
> 
> Infection route: while it could have been web browsing, or email, I really think it came from an odd incident when a client came in with CAD files to print on a thumb drive. Trend says thumb drives don't infect PCs, though I've looked at the U3.com software available for a SanDisk Cruzer (and several other makes) and it seems like there's a CPU in it, because you can scan a new PC for viruses using Avast from the thumb drive.
> 
> At one point they sent me a tool to fix the associations with applications, so that now Start Programs run most apps.
> 
> However, I've lost my email. This case has been open at Trend for more than a month, and now they are telling me it is not a virus and don't worry.
> 
> Not only that, when I call Trend Tech support, they hang up on me repeatedly, or put my call back in the queue, or promise to work the next day with me, and then don't. They want me to go away, but I think this is a serious threat.
> 
> CAN a thumb drive infect a system?
> Has anyone seen anything like this, or know how to respond to it and recover my email (besides backup)?
> 
> Thanks for any leads.
> 
> That can't be correct, is it?
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFf9RjqAaEpZvj+VMRApInAJ94rp8BCdLdTvQNVC5KS4Ro5P8BBgCgiTfZ
H+T47silMGuwdHy6zKjHTcM=
=A3Mv
-----END PGP SIGNATURE-----
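Paolo's advice above, to check the registry and the startup folder for every executable run at startup, done systematically. This is an added example, not code from the thread or from any of its participants. The `reg query` output and the XP environment table are constructed for the example (the value names, paths and the `mup.sys.exe` file name are hypothetical and only echo the names the original poster saw in the boot-time dialog); the parser and the triage heuristics are the example's own, and they produce flags to look at, not verdicts.

```python
import re
import ntpath

# Constructed environment of an XP box, used to expand REG_EXPAND_SZ values
# (not read from a real machine).
XP_ENV = {
    "SYSTEMROOT": r"C:\WINDOWS",
    "PROGRAMFILES": r"C:\Program Files",
    "USERPROFILE": r"C:\Documents and Settings\Admin",
    "APPDATA": r"C:\Documents and Settings\Admin\Application Data",
    "TEMP": r"C:\Documents and Settings\Admin\Local Settings\Temp",
}
SYSTEM32 = (XP_ENV["SYSTEMROOT"] + "\\system32\\").lower()

EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".hta"}
# Core Windows binary names that malware borrows; one of these outside
# system32 deserves a look.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "smss", "services", "explorer"}
# Path fragments that place a program where an ordinary user can write.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\", "\\local settings\\")

# Constructed sample of what `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# prints on XP; every entry here is hypothetical.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PcCillin    REG_SZ    "C:\Program Files\Trend Micro\PC-cillin\pccguide.exe"
    SoundMAX    REG_SZ    C:\WINDOWS\system32\smax4pnp.exe /autostart
    svchost     REG_SZ    C:\Documents and Settings\Admin\Local Settings\Temp\svchost.exe
    Updater     REG_EXPAND_SZ    %USERPROFILE%\mup.sys.exe
"""

_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Pick the (name, type, data) value lines out of `reg query` output."""
    return [m.groups() for m in map(_VALUE_LINE.match, text.splitlines()) if m]


def expand_env(value, env=XP_ENV):
    """Expand %VAR% references the way a REG_EXPAND_SZ value is expanded."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def extract_program(command):
    """Program path from a Run-key command line: the quoted form, or the
    unquoted form with spaces, grown token by token until the accumulated
    path ends in an executable extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    path = ""
    for tok in tokens:
        path = tok if not path else path + " " + tok
        if ntpath.splitext(path)[1].lower() in EXECUTABLE_EXTS:
            return path
    return tokens[0] if tokens else ""


def triage_entry(name, reg_type, data):
    """Apply a few cheap heuristics to one autostart value."""
    command = expand_env(data) if reg_type == "REG_EXPAND_SZ" else data
    program = extract_program(command)
    lower = program.lower()
    stem, ext = ntpath.splitext(ntpath.basename(lower))
    flags = []
    if any(marker in lower for marker in USER_WRITABLE):
        flags.append("runs from a user-writable location")
    if stem in SYSTEM_NAMES and not lower.startswith(SYSTEM32):
        flags.append("system binary name outside system32")
    if "." in stem:
        flags.append("double extension")  # e.g. something.sys.exe
    if ext not in EXECUTABLE_EXTS:
        flags.append("not a recognised executable type")
    return {"name": name, "program": program, "flags": flags}


def triage_run_key(text):
    """Triage every value in one Run key's `reg query` output."""
    return [triage_entry(*entry) for entry in parse_reg_query(text)]


if __name__ == "__main__":
    for row in triage_run_key(SAMPLE_REG_QUERY):
        print(row["name"], row["program"], row["flags"] or "ok")
```

The same heuristics apply to the other Run/RunOnce keys, to the Winlogon Shell and Userinit values and to the contents of the two Startup folders; a real run feeds `reg query` output for each of those into `triage_run_key` and then checks on disk that every flagged program is what it claims to be.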

---------------------------------------------------------------------------

strange new virus
user name
2006-12-15 02:31:09
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just tried with two different thumb drives on Win98 SE and a WinXP SP2 (both with autorun enabled); nothing happened.

Not even double-clicking on the thumb drive icon did anything but open the folder, and if I right-click it the menu doesn't show the run option.

It must be that your thumb drives are better than mine; do you mind sharing brand and model?

Regards,

Paolo.

Mike Peppard wrote:
> | Thumb drives can't infect a computer... ?
> 
> Make an autorun.inf file on the thumb drive and put the following lines in it.
> 
>     [autorun]
>     open=Killme.bat
>     ACTION = Autorun shouldn't be enabled for your own good
> 
> -Mike
> 
> Paolo Scarabelli wrote:
> Thumb drives usually cannot infect a computer just by inserting them (at least I never heard of that), but they can contain infected files that you can open and run.
> 
> I don't think Trend Micro can do anything to help you unless you provide them some infected files.
> 
> Try to check if any unusual process is running in the background; check in the registry, configuration files and the startup folder for every executable file run at startup.
> 
> The small boxes and other odd characters may be a message in a language your computer's Windows doesn't support (probably East Asian or Cyrillic).
> 
> It may also be possible that you executed a program that completely messed up your system, installed programs, libraries or drivers in a foreign language and deleted some of your files, including itself.
> 
> Given the level of damage, if I were you, I would format the hard disk and reinstall everything. It's the only way to be sure your computer is clean. Of course, you may still have copies of the virus on thumb drives, diskettes, memory cards, etc.
> 
> If you really want to find out about this you can contact an antivirus company (it doesn't need to be Trend Micro) and ship them your hard disk.
> 
> 
> Regards,
> 
> 
> Paolo.
> 
> 
> novovida@hotmail.com wrote:
>>>> VAR in Honolulu has a previously squeaky clean XP system now infected with something strange:
>>>> Symptom list:
>>>> 1) All desktop icons disappeared
>>>> 2) When recreated by hand, some days later they all were rendered un-runnable because they had all been renamed with an additional .lnk suffix.
>>>> 3) On every boot, after the XP splash screen, but before User Login (2 profiles), there is a 4" x 5" screen with an Exit and an OK button. The screen shows a black background which overlays the XP blue login screen; it looks like a VB screen. The name in the top bar changes on every boot, such as c:\windows\system32\mup.sys, or i20mgr.sys, etc. This full file name is preceded by usually 8 small box characters. Inside the white body of the screen there are a few special characters: [} and a character that looks like an inverse equal sign, standing vertically.
>>>> 4) CTRL-ALT-DEL at this point shows you flashes of blue underneath
>>>> 5) The Outlook .PST file is missing
>>>> 6) My antivirus and all other SYSTRAY items are gone
>>>> 7) IE6 or IE7 won't connect to home page; instead Internet Properties opens on the General Tab
>>>> 8) Trend Micro PC-Cillin 2006 sees nothing, same with their Housecall and WinSIC, or SYSCLEAN utilities.
>>>> 9) MS RootkitRevealer finds nothing.
>>>>
>>>> Infection route: while it could have been web browsing, or email, I really think it came from an odd incident when a client came in with CAD files to print on a thumb drive. Trend says thumb drives don't infect PCs, though I've looked at the U3.com software available for a SanDisk Cruzer (and several other makes) and it seems like there's a CPU in it, because you can scan a new PC for viruses using Avast from the thumb drive.
>>>>
>>>> At one point they sent me a tool to fix the associations with applications, so that now Start Programs run most apps.
>>>> However, I've lost my email. This case has been open at Trend for more than a month, and now they are telling me it is not a virus and don't worry.
>>>>
>>>> Not only that, when I call Trend Tech support, they hang up on me repeatedly, or put my call back in the queue, or promise to work the next day with me, and then don't. They want me to go away, but I think this is a serious threat.
>>>>
>>>> CAN a thumb drive infect a system?
>>>> Has anyone seen anything like this, or know how to respond to it and recover my email (besides backup)?
>>>>
>>>> Thanks for any leads.
>>>>
>>>> That can't be correct, is it?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFFggjsqAaEpZvj+VMRAsv9AKCUNNdQrqjZnuaxyu4efehSKKzO4wCfbPhC
QTjeKzgG4KHzPq6p7TCeFn0=
=gLky
-----END PGP SIGNATURE-----
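The exchange above turns on two things: what an autorun.inf like Mike's actually asks Windows to do, and which drive classes Windows honours it for. Below is an added example that is not code from the thread or from any participant: a tolerant autorun.inf parser that lists the directives that launch a program (`open=`, `shellexecute=`, and the `shell\<verb>\command=` form that hijacks Explorer's double-click or context-menu verbs), plus the bit test behind the `NoDriveTypeAutoRun` policy value that the advice "autorun shouldn't be enabled" refers to. The first sample is the three lines Mike posted; the second is a constructed hijack-shaped file whose file names are hypothetical. The value 0x91 is what I recall XP shipping with and is labelled as an assumption in the code; 0xFF disables AutoRun for every drive class. Note the drive-class point the thread is circling: on XP an autorun.inf on a removable drive is surfaced through AutoPlay (the `action=` line is what gets the `open=` command offered as the dialog's choice), whereas a CD-ROM-class device has its `open=` run on insertion, and a U3 drive presents part of its flash to Windows as exactly such a CD-ROM-class device, which is why a plain stick and a U3 stick behave differently.

```python
# Bits of HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun.
# A set bit disables AutoRun for the matching GetDriveType() class.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "no_root_dir": 0x02,
    "removable": 0x04,  # flash drives, floppies
    "fixed": 0x08,
    "remote": 0x10,
    "cdrom": 0x20,      # also the virtual CD partition a U3 drive presents
    "ramdisk": 0x40,
    "reserved": 0x80,
}
DISABLE_ALL = 0xFF
# Assumption: the value I believe XP ships with (unknown | remote | reserved).
XP_SHIPPED_MASK = 0x91

# Directives in [autorun] that name a program to run.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample 1: the lines Mike Peppard posted.
MIKE_AUTORUN_INF = """[autorun]
open=Killme.bat
ACTION = Autorun shouldn't be enabled for your own good
"""

# Constructed sample 2: the shape of a verb-hijacking autorun.inf (hypothetical names).
HIJACK_AUTORUN_INF = """[AutoRun]
icon=setup.exe,0
shell\\open\\Command=RECYCLER\\x.exe
shell\\explore\\command=RECYCLER\\x.exe
shell=open
"""


def parse_autorun_inf(text):
    """Tolerant INI parse: {section: {key: value}} with section and key names
    lower-cased, since Windows matches them case-insensitively."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(sections):
    """(key, command) pairs that would run something: open=, shellexecute=,
    and any shell\\<verb>\\command= entry."""
    autorun = sections.get("autorun", {})
    return [
        (key, value)
        for key, value in autorun.items()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def autorun_disabled(mask, drive_type):
    """True if the NoDriveTypeAutoRun mask suppresses AutoRun for drive_type."""
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


def audit(text, mask=XP_SHIPPED_MASK):
    """What the file asks for, and whether the policy mask still lets Windows
    honour it on a removable drive and on a CD-ROM-class device (the U3 case)."""
    directives = launch_directives(parse_autorun_inf(text))
    return {
        "launches": directives,
        "honoured_on_removable": bool(directives) and not autorun_disabled(mask, "removable"),
        "honoured_on_cdrom": bool(directives) and not autorun_disabled(mask, "cdrom"),
    }


if __name__ == "__main__":
    for name, inf in (("mike", MIKE_AUTORUN_INF), ("hijack", HIJACK_AUTORUN_INF)):
        print(name, audit(inf))
    print("hardened", audit(MIKE_AUTORUN_INF, mask=DISABLE_ALL))
```

Setting `NoDriveTypeAutoRun` to 0xFF under both HKLM and HKCU is the policy-side fix the thread's "for your own good" line points at; the parser is the detection-side check you would run over any autorun.inf found on a client's stick before opening the drive.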

---------------------------------------------------------------------------

strange new virus
user name
2006-12-15 16:31:24
Dear Paolo Scarabelli,

PS> It must be your thumb drives are better than mine, do you mind sharing brand and model?

Any U3 will do.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7


---------------------------------------------------------------------------