The next day I was less in a hurry and looked at this a bit closer. File Manager shows a new program in every directory of my iPod with the same name as the directory and about 45 (or 83)k in size. In Explorer, with known extensions hidden and the icon being the folder icon, you think it is a folder rather than an application. Of course it's actually a virus, and every time a user tries to open that 'folder' the virus starts another instance. In Task Manager there is nothing odd to see, all well-known process names here, but wait, why are there two services.exes and two lsass.exes? There should always be only a single one of those. Let's enable the username column and yes, these processes are running under the currently logged-on user account; they should always run as 'NT AUTHORITY\SYSTEM'. The tree view in Process Explorer makes the virus much easier to spot: they are not in the services.exe branch and their full file path isn't .../system32/. Very well hidden, these guys, I have to say; if you don't know a bit about the NT system processes, you won't spot them.
Let's kill these suckers. In Task Manager it doesn't work because it doesn't let you kill things like services.exe, since it thinks it's a system process (it just does a name comparison). After I killed the first virus process in Process Explorer the box shut down right away. I guess the other processes monitor each other. After the reboot they are all back, so let's use Autoruns.exe to remove these programs from the autostart places in the registry. Even though this worked for some time, newer versions of the virus know about autoruns.exe and msconfig.exe and reboot when you try to start them. They have a blacklist of programs they consider dangerous to them and reboot as soon as any of these are starting. The list includes cmd.exe, regedit.exe and taskkill.exe, which explains why my machine rebooted all the time when I first encountered this virus. Deleting the virus files doesn't work because they are in use. I wrote a small script to kill all viruses via WMI, but as soon as it starts using cscript.exe: reboot.
Using a third-party registry editor such as RegWorks may work, but I didn't have one at the time; it's also a painful process to manually find all the places in the registry that have to do with startup applications. Other software such as Word or IE works fine; after all they want to keep the PC running and do their thing, and only reboot when someone is after them.
One idea I had was to use pskill.exe remotely from another machine to kill the viruses. This failed in most cases because the admin user had no password and pskill doesn't support empty passwords; also, many machines had the SP2 firewall enabled and pskill or psexec don't work through it.
The solution that worked in the end is to write down the process IDs of all the viruses and create a batch file with multiple pskill entries:
pskill 308
pskill 1196
pskill 1720
pskill 3072
pskill 3728
pskill 4056
pskill 552
pskill 1692
pskill 2208
pskill 2288
pskill 2296
pskill 2320

This kills them so fast that they can't initiate a reboot. Sometimes notepad.exe was in their blacklist (but never taskmgr.exe, which you need to get the process IDs). In these cases I wrote the batch file on another machine and then executed it from my USB drive.
There is a tool called DtaskManager which allows you to select multiple processes and kill them together, but it didn't work very well for me. In any case you need to know which processes are actually viruses to get their process IDs.
Finally I wrote a command (single line) to kill all user processes except explorer:
for /F "usebackq tokens=2 delims= " %%i IN (`tasklist /FI ^"USERNAME eq %USERNAME%^" /FI ^"Imagename ne explorer.exe^" /FI ^"Imagename ne tasklist.exe^" /FO LIST ^| find ^"PID^"`) DO c:\bin\pskill.exe %%i

Make sure you have pskill.exe on the machine (the command expects it at c:\bin\pskill.exe) and copy the line into the Start-Run dialog; the doubled %%i is batch-file syntax, so when you type the line at an interactive cmd prompt instead, use %i. It first runs tasklist to get a list of all processes of the current user except explorer.exe and tasklist.exe, then pipes the list into find to get all the process IDs, and for each entry in that list it calls pskill.exe. After this you have killed all the viruses, and anything else for that matter, but you can now run autoruns.exe to clean the registry. You should also run a virus scan to remove all the virus files, or search for *.exe files with a size of 45 or 83k.
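The two observations above, duplicate services.exe/lsass.exe entries and system process names running under the logged-on user, can be turned into a targeted version of the kill approach: instead of killing every process of the current user, flag only the impostors and write the one-pskill-per-line batch file. The script below is an added example, not the author's own script or a SysInternals tool. It assumes the column layout that `tasklist /V /FO CSV` prints on Windows XP/2003, assumes pskill.exe lives at c:\bin\pskill.exe, and works on a constructed tasklist sample embedded in the file, so it runs offline; on a live machine you would feed it the real `tasklist /V /FO CSV` output instead.

```python
r"""Spot processes impersonating NT system processes in `tasklist /V /FO CSV`
output and emit the one-pskill-per-line batch file the post describes.

Added example, not the author's own script. It assumes the column layout that
`tasklist /V /FO CSV` prints on Windows XP/2003 and that pskill.exe lives at
c:\bin\pskill.exe (both assumptions); the tasklist output below is constructed."""
import csv
import io
from collections import Counter

# Core NT processes that normally exist exactly once and always run as SYSTEM.
# The impostors in the post reuse these names but run as the logged-on user.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Constructed sample of `tasklist /V /FO CSV`: the genuine system processes plus
# two same-named copies under the user account, as described in the post.
SAMPLE_TASKLIST = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","28 K","Running","NT AUTHORITY\SYSTEM","1:02:03","N/A"
"smss.exe","520","Console","0","388 K","Running","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"services.exe","680","Console","0","4,120 K","Running","NT AUTHORITY\SYSTEM","0:00:05","N/A"
"lsass.exe","692","Console","0","1,500 K","Running","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"explorer.exe","1508","Console","0","18,004 K","Running","PC1\user","0:00:09","N/A"
"services.exe","1720","Console","0","2,912 K","Running","PC1\user","0:00:44","N/A"
"lsass.exe","3072","Console","0","2,880 K","Running","PC1\user","0:00:41","N/A"
"notepad.exe","3728","Console","0","3,116 K","Running","PC1\user","0:00:00","Untitled - Notepad"
'''


def parse_tasklist_csv(text):
    """Turn tasklist CSV text into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def find_impostors(processes):
    """Return [(pid, image, user)] for rows that carry a SYSTEM_ONLY image name
    but run under some other account. These are the kill candidates; the real
    copies running as SYSTEM are deliberately left alone, because killing the
    genuine services.exe or lsass.exe shuts the box down."""
    hits = []
    for row in processes:
        image = row["Image Name"].lower()
        user = row["User Name"]
        if image in SYSTEM_ONLY and user.upper() != SYSTEM_ACCOUNT.upper():
            hits.append((int(row["PID"]), image, user))
    return hits


def duplicate_system_names(processes):
    """Map image name -> count for SYSTEM_ONLY names that occur more than once:
    the 'why are there two services.exes?' check from Task Manager."""
    counts = Counter(row["Image Name"].lower() for row in processes)
    return {name: n for name, n in counts.items() if name in SYSTEM_ONLY and n > 1}


def pskill_batch(pids, pskill=r"c:\bin\pskill.exe"):
    """Build the batch file: one pskill per PID, so the whole set dies before the
    survivors can notice and trigger a reboot. CRLF line endings for cmd.exe."""
    return "".join("%s %d\r\n" % (pskill, pid) for pid in pids)


if __name__ == "__main__":
    procs = parse_tasklist_csv(SAMPLE_TASKLIST)
    for name, n in sorted(duplicate_system_names(procs).items()):
        print("warning: %d copies of %s (expected 1)" % (n, name))
    impostors = find_impostors(procs)
    for pid, image, user in impostors:
        print("impostor: pid %d %s runs as %s" % (pid, image, user))
    # Redirect this output to kill.bat on the affected machine.
    print(pskill_batch([pid for pid, _, _ in impostors]), end="")
```

tasklist does not report the image path, so the Process Explorer check (is the file really under system32, is the parent services.exe?) is not reproduced here; the user-account check alone already separates the two impostors from the genuine processes in the sample, and the duplicate-name check is printed as a warning only, never as a kill entry.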
Some more points
- The command above doesn't work all the time (not sure why), but the manually created batch file always worked.
- Some antivirus software didn't detect this virus, and some was disabled. It seems the virus tries to disable any antivirus software.
- I never looked into what it actually does but sometimes the process used 100% CPU and pinged remote computers, other times it didn't do anything.
- I found this on at least a dozen machines in at least four different versions; some of them were SysInternals-aware, but you can just rename the executables pslist and pskill. If you don't use 4NT as your command line, you need to rename cmd.exe before you can use it.
- Another approach is to change the registry remotely from another machine; this should work because it never executes anything on the machine itself. I just never had a network where remote access worked.
- At the moment I can still manage to get rid of these processes, but I'm sure it will get even harder in the future.