Brennan U. Posted February 2, 2010

Hello. Recently at my organization, a thumb drive virus has been circulating. It seems to infect the computer and then propagate to any thumb drives that come in contact with the computer. Thumb drives are a major part of how we operate, so getting rid of them is not really an option. This virus is an exe file called ksbdsh.exe. A quick Google search turns up nothing. AVG finds the file and labels it as generic.KLX. A search turns up nothing for this either. Along with the file comes an autorun, which seems to start the file. Has anyone heard of this, and are there any ways to stop it?

Thanks,
Brennan
Sparda Posted February 2, 2010

"are there any ways to stop it?"

Disable autorun on all computers.
Brennan U. Posted February 2, 2010

Autorun is disabled by Group Policy so I don't really know how it is running. I suppose the first thing I would like to isolate is what the program actually does. What is the best way to find that out? It wouldn't let me open the autorun in Windows, but in Ubuntu, here is the text.

    ;RTRpeVQQbhgPnCCBznTYMgB
    [AutoRun]
    ;UxsdldeCrVyYr
    open=ksbdsh.exe
    ;JjHUEAbbYCyYJbRtEQfGyjCEYZpRBcaDyeSijoXEqMNWhxBDBPzb
    shell\open\Command=ksbdsh.exe
    ;hDfVzVYXWGgZ
    shell\open\Default=1
    ;54647C36FDF8E7B46BCD143933C4D35ED48ACBAF2236E20D467A3098
    ;TuXNvexSDFITJrAOBbMoYrlFkFKCMZHjEyUnNeQniarDPYlOFFaNKzTjJEESEQYjeDsaVRczE
    shell\explore\Command=ksbdsh.exe
    ;EUYBAdcfvJTwmkbmiauJqbkVzYHpILCJilcFlMlyAsqrPhFsXnlRoiQUkXHllOGSnHcJpABQKWw

From what I can tell, that is just telling the file to run, correct? Is there a way that in a VM I could run the file, and monitor somehow what actually happens? Is there a program that will help me to do that?

Brennan
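As an added example (not from the thread or any of its posters), here is a small triage script that reads an autorun.inf like the one pasted above and reports which directives Windows would act on: `open` and `shellexecute` fire on insertion when autorun is honored, and `shell\open\Command` / `shell\explore\Command` replace what double-clicking or right-clicking the drive in Explorer does, so they still launch the file even where insert-time autorun is disabled. The sample input is the posted file, condensed; the lines starting with `;` are comments, and padding a file with random comment lines like these is typical of worm-dropped autorun.inf files.

```python
# Added example, not from the original thread: parse an autorun.inf the way a
# defender triaging an infected thumb drive would, and list what it would launch.
import re

# Directives that cause Windows to run something from the drive. Keys are
# compared lower-cased because the INF parser is case-insensitive.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command", r"shell\explore\command")

# Constructed sample, condensed from the autorun.inf posted in the thread.
SAMPLE = r""";RTRpeVQQbhgPnCCBznTYMgB
[AutoRun]
;UxsdldeCrVyYr
open=ksbdsh.exe
;JjHUEAbbYCyYJbRtEQfGyjCEYZpRBcaDyeSijoXEqMNWhxBDBPzb
shell\open\Command=ksbdsh.exe
shell\open\Default=1
shell\explore\Command=ksbdsh.exe
"""


def parse_autorun(text):
    """Return {section: {key: value}}; ';' lines are comments, names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section or a line with no '='
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """(directive, command) pairs an autorun.inf would execute from the drive root."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(k, autorun[k]) for k in LAUNCH_KEYS if k in autorun]


def comment_ratio(text):
    """Share of non-blank lines that are ';' comments; heavy padding is a red flag."""
    lines = [l for l in text.splitlines() if l.strip()]
    return sum(l.strip().startswith(";") for l in lines) / len(lines)


if __name__ == "__main__":
    for directive, command in launch_targets(SAMPLE):
        print(f"{directive:24s} -> {command}")
    print(f"comment padding: {comment_ratio(SAMPLE):.0%}")
```

Run it against the autorun.inf copied off a suspect drive (on a Linux box, as the poster did) to see every executable it names before deciding what to look for in Process Monitor.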
Charles Posted February 2, 2010

If you test it on a Windows box, use Process Monitor or something similar. Personally I would fire up a spare Windows machine and disconnect it from the network, turn off AV and infect the bugger to see what it does. I am surprised I couldn't find very many hits on the exe.
Sparda Posted February 2, 2010

There are variations on the term 'autorun disabled' in Windows. Disabling autorun used to apply to CD drives only unless otherwise specified, so you probably want to check and see what the domain policies are actually doing rather than trusting what they say.
digip Posted February 2, 2010

If it's the same one as this, it looks to be an old one: http://vgrep.viruspool.net/virus.cms?id=3876345 from 2008. Sounds more like a worm. If it's infecting them when they plug them in, chances are it's propagating from your domain controller, which would be even worse. Upload it to VirusTotal, and get a better description of the virus/malware name from other vendors, then do some research on what exactly it is. While you are at it, check your domain controllers for infection; it may be spreading through your network and attaching to thumb drives after the fact to further propagate itself. Conficker does something similar. http://www.scmagazineuk.com/greater-manche...article/162904/