Sunday, August 2, 2009

aa8 - braviax figaro beep trojan virus

aa8 - braviax figaro.sys beep.sys trojan virus virantix.c sophos

Summary
=======
I have succumbed to the figaro.sys aka beep.sys aka braviax.exe trojan/virus.
How: surfing using internet explorer looking for an application to change ringtones.
Possible (speculative) source sites:

thepoon.rinnovate.com/cgi-bin/viewpost.cgi?p=20050916040436

www.esnips.com/doc/8167f6de-5b19-4b2d-990d-0331f31abe07/3GP_Converter031

Symptoms: All of a sudden, the computer beeps and shuts down. When restarted, there is a warning in the system tray about an infection. The DVD drive doesn't appear to be working: it recognizes a blank DVD, but it won't recognize a blank CD, an audio CD, or a DVD with stuff already burned on it. (Late entry:) On second thought, maybe my DVD drive is faulty. With the assistance of some more intelligent souls, we have discovered that the autorun feature settings for the DVD drive have been modified, but this shouldn't affect the DVD drive's ability to read.

Viral Files found:
figaro.sys
beep.sys (2 copies)
rkpg.exe (2 copies)
delself.bat
braviax.exe
34rdft.bat
ld12.exe
~TM6.tmp
1.tmp

Remedy: Discard the computer and buy a "Mac".


Some info about this virantix.c trojan:
www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2
other notes:
beep.sys is overwritten
browser used = internet explorer
dvd drive doesn't appear to be working.
it recognizes blank dvd.
it won't recognize blank cd.
it won't recognize dvd with stuff already burned on it.

virus-like file:
----------------

found:
C:\WINDOWS\system32\dllcache\figaro.sys ... Found the FakeAlert-C.dr trojan !!!
The file has been deleted. (this op done by antivirus software; manual removal not possible)
found:
C:\WINDOWS\system32\dllcache\beep.sys ... Found the FakeAlert-C.dr trojan !!!
The file has been deleted. (this op done by antivirus software; manual removal not possible)

found:
C:\WINDOWS\SYSTEM32\drivers\beep.sys ... Found the FakeAlert-C.dr trojan !!!
C:\WINDOWS\system32\drivers\beep.sys size approx 33 KB; original file created / file modified Thursday, March 19, 2009, approx 11:26 p.m.


action taken:
original archive copy of beep.sys size 4,224 bytes (modified Friday, August 17, 2001, 1:47:38 PM) extracted (from BEEP.SY_ modified Wednesday, August 04, 2004, 5:00:00 AM) and copied back to
C:\WINDOWS\system32\drivers --- note: I changed its properties to "Read Only".


found:
C:\ rkpg.exe size approx 125 kb file created Thursday, March 19, 2009, 7:47:11 PM
(** see also: myDoc_delself.bat.jpg and delself.bat below)


found:
\My Documents\ delself.bat size approx 176 bytes file created Thursday, March 19, 2009, 7:47:12 PM
(note: this file wants to delete itself and rkpg.exe ** see myDoc_delself.bat.jpg and rkpg.exe above)

found:
C:\WINDOWS\system32\ braviax.exe size approx 11 kb file created Thursday, March 19, 2009, 7:47:12 PM
notes: your registry is altered/re-programmed to run braviax.exe when your computer boots up:
example: registry category HKCU/Run: path C:\WINDOWS\system32\braviax.exe
example: registry category HKLM/Run: path C:\WINDOWS\system32\braviax.exe
braviax.exe is probably the program which appears as a "red x" in your tray, warning you that you have been infected by spyware and to click its message to have Windows download and install a remedy.
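As an added example (not part of the original post, and not a tool the post used), here is a small triage helper that applies the indicators recorded above to data you export yourself: a `reg export` of the two Run keys the post names, and a file listing with sizes. It flags Run-key entries whose command points at one of the dropped file names, and any beep.sys whose size differs from the 4,224-byte original the post extracted from BEEP.SY_. The registry text and the file sizes in the sample are constructed for the demonstration; the helper reads nothing from the live system.

```python
# Added example: offline triage of the indicators listed in the post.
# Works on exported text only (reg export output, dir-style listing), so it
# can be run from a clean machine against data copied off the infected one.
import re

# Known-good size of beep.sys as stated in the post (extracted from BEEP.SY_).
KNOWN_GOOD_BEEP_SYS_SIZE = 4224

# File names the post lists as dropped by the trojan.
SUSPECT_NAMES = {"figaro.sys", "braviax.exe", "rkpg.exe", "delself.bat",
                 "34rdft.bat", "ld12.exe"}

# Constructed sample of a `reg export` of the two Run keys named in the post.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"braviax"="C:\\WINDOWS\\system32\\braviax.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"="C:\\WINDOWS\\system32\\braviax.exe"
"""

# Constructed sample file listing: (path, size in bytes).  Sizes are made up
# to match the "approx 33 kb" / "approx 11 kb" figures in the post.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\drivers\beep.sys", 33792),
    (r"C:\WINDOWS\system32\dllcache\beep.sys", 4224),
    (r"C:\WINDOWS\system32\braviax.exe", 11264),
    (r"C:\WINDOWS\system32\ctfmon.exe", 15360),
]


def parse_reg_export(text):
    """Return a list of (key, value_name, data) from .reg-style text."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key:
            # .reg files double every backslash; collapse them back.
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def flag_run_entries(entries):
    """Return Run-key entries whose command names a file the post lists as dropped."""
    flagged = []
    for key, name, data in entries:
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        exe = data.strip('"').split("\\")[-1].lower()
        if exe in SUSPECT_NAMES:
            flagged.append((key, name, data))
    return flagged


def flag_files(files):
    """Flag dropped-file names and any beep.sys whose size differs from the known-good copy."""
    flagged = []
    for path, size in files:
        name = path.split("\\")[-1].lower()
        if name in SUSPECT_NAMES:
            flagged.append((path, "name listed as dropped by the trojan"))
        elif name == "beep.sys" and size != KNOWN_GOOD_BEEP_SYS_SIZE:
            flagged.append((path, f"size {size} != expected {KNOWN_GOOD_BEEP_SYS_SIZE}"))
    return flagged


if __name__ == "__main__":
    for item in flag_run_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("RUN KEY:", item)
    for item in flag_files(SAMPLE_FILES):
        print("FILE:", item)
```

On the sample data this reports the two braviax.exe Run entries and the oversized drivers\beep.sys, and leaves the 4,224-byte dllcache copy alone. A size check is only a coarse filter; on a real case compare a hash of the driver with the copy expanded from BEEP.SY_ on the install media rather than relying on size.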

found:
C:\WINDOWS\ 34rdft.bat size approx 208 bytes file created Thursday, March 19, 2009, 7:47:13 PM
notes: this batch file wants to delete itself & delete 1.tmp (* see also: 1.tmp below and Windows_34rdft.bat.jpg)

found:
C:\WINDOWS\ld12.exe size approx 26 kb file created Thursday, March 19, 2009, 7:47:12 PM

found:
C:\Documents and Settings\7777777\Local Settings\Temp\ ~TM6.tmp size approx 36 kb file modified Thursday, March 19, 2009, 7:47:?? PM

found:
C:\Documents and Settings\7777777\Local Settings\Temp\ rkpg.exe size approx 47 kb file modified Thursday, March 19, 2009, 7:47:?? PM

found:
C:\Documents and Settings\7777777\Local Settings\Temp\ 1.tmp size approx 27 kb file modified Thursday, March 19, 2009, 7:47:?? PM note: most likely the same/related file is ld12.exe (see above) (* see 34rdft.bat above and Windows_34rdft.bat.jpg)

1 comment:

shadupa youface said...

shad up already!