Posted

Hello. Recently at my organization, a thumb drive virus has been circulating. It seems to infect the computer and then propagate to any thumb drives that come in contact with the computer. Thumb drives are a major part of how we operate, so getting rid of them is not really an option. This virus is an exe file called ksbdsh.exe. A quick Google search turns up nothing. AVG finds the file and labels it as generic.KLX. A search turns up nothing for this either. Along with the file comes an autorun, which seems to start the file. Has anyone heard of this, and are there any ways to stop it?

Thanks,

Brennan

Posted

Autorun is disabled by Group Policy so I don't really know how it is running. I suppose the first thing I would like to isolate is what the program actually does. What is the best way to find that out? It wouldn't let me open the autorun in Windows, but in Ubuntu, here is the text.

;RTRpeVQQbhgPnCCBznTYMgB
[AutoRun]
;UxsdldeCrVyYr
open=ksbdsh.exe
;JjHUEAbbYCyYJbRtEQfGyjCEYZpRBcaDyeSijoXEqMNWhxBDBPzb
shell\open\Command=ksbdsh.exe
;hDfVzVYXWGgZ
shell\open\Default=1
;54647C36FDF8E7B46BCD143933C4D35ED48ACBAF2236E20D467A3098
;TuXNvexSDFITJrAOBbMoYrlFkFKCMZHjEyUnNeQniarDPYlOFFaNKzTjJEESEQYjeDsaVRczE
shell\explore\Command=ksbdsh.exe
;EUYBAdcfvJTwmkbmiauJqbkVzYHpILCJilcFlMlyAsqrPhFsXnlRoiQUkXHllOGSnHcJpABQKWw

From what I can tell, that is just telling the file to run, correct? Is there a way that in a VM I could run the file, and monitor somehow what actually happens? Is there a program that will help me to do that?

Brennan
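A defender-side check for a file like the one quoted above, added here as an example and not part of the original thread: it parses an autorun.inf, skips the ';' comment padding, and reports which program the open / shellexecute / shell\...\Command keys would launch. The sample text is constructed from the quoted file; the function names are my own.

```python
import re

# Constructed sample, copied from the autorun.inf quoted in the post above.
SAMPLE_AUTORUN = r"""
;RTRpeVQQbhgPnCCBznTYMgB
[AutoRun]
;UxsdldeCrVyYr
open=ksbdsh.exe
shell\open\Command=ksbdsh.exe
shell\open\Default=1
;54647C36FDF8E7B46BCD143933C4D35ED48ACBAF2236E20D467A3098
shell\explore\Command=ksbdsh.exe
"""

# Keys whose value names a program Windows would start: on insertion (open,
# shellexecute) or from the drive's context menu (shell\<verb>\command).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def parse_autorun(text):
    """Return key=value pairs from the [AutoRun] section with keys lowercased.
    ';' comment lines (here random padding) and blank lines are skipped."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries

def launched_files(entries):
    """Programs that any launch-capable key points at, in order, deduplicated."""
    found = []
    for key, value in entries.items():
        if LAUNCH_KEY.match(key):
            exe = value.split()[0].strip('"')  # drop arguments and quotes
            if exe.lower() not in (f.lower() for f in found):
                found.append(exe)
    return found

if __name__ == "__main__":
    print(launched_files(parse_autorun(SAMPLE_AUTORUN)))  # ['ksbdsh.exe']
```

A benign autorun.inf that only sets icon= or label= yields an empty list; anything in the list is a program that a drive insertion or a double-click on the drive would start.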

Posted

If you test it on a Windows box, use Process Monitor or something similar.

Personally I would fire up a spare windows machine and disconnect it from the network, turn off AV and infect the bugger to see what it does.

I am surprised I couldn't find very many hits on the exe.

Posted

There are variations on the term 'auto run disabled' in Windows. Disabling autorun used to apply to the CD drive only unless otherwise specified; you probably want to check and see what the domain policies are actually doing rather than trusting what they say.

Posted

If it's the same one as this, it looks to be an old one: http://vgrep.viruspool.net/virus.cms?id=3876345

From 2008. Sounds more like a worm. If it's infecting them when they plug them in, chances are it's propagating from your domain controller, which would be even worse.

Upload it to VirusTotal, and get a better description of the virus/malware name from other vendors, then do some research on what exactly it is. While you are at it, check your domain controllers for infection; it may be spreading through your network and attaching to thumb drives after the fact to further propagate itself. Conficker does something similar.

http://www.scmagazineuk.com/greater-manche...article/162904/
