Use caution in opening the attached folder --- the original infector is in there, named bank_statement.zip. This is a malformed self-executing zip file, don't click on it!
My customer clicked on the bank_statement.zip e-mail attachment which started circulating 9/30. It seems likely that it's dropped another Trojan or two as well. This is an exceptionally nasty, stealthed package --- GMER and other rootkit tools find lots of kernel hook activity, but HiJackThis looks pretty clean, all the major virus scanners find nothing with current updates. [Avast! did block my download attempt, so the scanners are starting to catch up...]
See http://www.virustotal.com/analisis/0...c1bc72bf0601a8, and http://www.threatexpert.com/report.a...6-6fae34194ede for scans of the original infector.
In normal mode on an XP SP2 system, double-clicking on _any_ application starts it running as a background process, with no open window. The cursor passes under the Start Menu button, so it can't be opened or right-clicked. Right-click Properties don't work on anything else, either. It also boots without prompting for a logon. Anything launched from the Run line doesn't open a window either, e.g. services.msc.
In Safe Mode, applications can run and open windows normally, logon prompt is normal, etc. HiJackThis and GMER found an obvious infected file: utm3mzgz.sys in Win\System32\drivers, which I renamed from a boot disk, and I've disabled System Restore from the Registry. Unfortunately, I can only run GMER, HiJackThis, ComboFix, AVZ, Avast! etc. from Safe Mode (I do _not_ want to connect this box to the network again for current updates, either!), and they don't seem to be finding much. The normal mode inability to open applications persists.
Ответить с цитированием
