Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: Allan Pritchard on March 25, 2014, 09:31:22 AM
-
Hi All
I hope someone can give me some assistance. I'm very green to Linux
Yesterday we developed an issue where every time we entered a folder via Windows it would create a file within the folder with the same name and an .exe extension. We believe this is the "New Folder" virus, but it only happens on the ibays used as our server. If you go into a folder on your local machine then everything is fine and no file is created.
On the ibay files directory (mapped by Windows) there was an "autorun.inf" file. When I edited this with Notepad++ it was infected and captured by Avast antivirus. I have deleted the .inf file but the problem persists.
Every new folder.exe is created with the date 30/5/2009.
The strange thing is:
- if I delete the files that are created as folder.exe then the problem doesn't persist to subfolders.
- if I use Windows search to find *.exe, every folder interrogated creates a folder.exe file.
I thought the best way would be to delete all executable files created on 30/5/09; however,
I cannot fathom how to work out the syntax of the find command to delete files to that criteria.
I have tried
find -type f -name "*.exe" -newermt 2009-05-30 ! -newermt 2009-05-31 -delete
but all I get is
invalid predicate `-newermt'
Some research indicates that the SME "find" command doesn't support the -newermt command, but
how would I do this? Is there a different option syntax?
Can anyone help, or let me know if I'm way off track fixing this, and give me some guidance.
Cheers
Allan
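As an added example (not from this thread and not an SME Server script), one way to get the date bracket asked for above on a find that rejects -newermt: POSIX find can only compare modification times against another file, so two reference files created with touch -t stand in for the two -newermt bounds. The function name list_exes_between and its end-exclusive day arguments are this example's own choices; it only lists candidates so they can be reviewed before anything is deleted.

```shell
#!/bin/sh
# Added example, not from the thread. Emulates
#   find -type f -name "*.exe" -newermt 2009-05-30 ! -newermt 2009-05-31
# on a find that rejects -newermt (the error reported on SME Server 8).
# POSIX find can only compare mtimes against another file, so two reference
# files carrying the boundary timestamps are created with touch -t (format
# CCYYMMDDhhmm) and used with -newer / ! -newer.
# Usage: list_exes_between <dir> <start YYYYMMDD> <end YYYYMMDD>
#   lists *.exe files modified after 00:00 on start and not after 00:00 on end

list_exes_between() {
    dir=$1
    start=$2
    end=$3
    ref=$(mktemp -d) || return 1
    touch -t "${start}0000" "$ref/start" || { rm -rf "$ref"; return 1; }
    touch -t "${end}0000" "$ref/end"     || { rm -rf "$ref"; return 1; }
    # -newer start : mtime later than the start reference file
    # ! -newer end : mtime not later than the end reference file
    # Only lists; review the output before turning it into deletions.
    find "$dir" -type f -name '*.exe' -newer "$ref/start" ! -newer "$ref/end"
    rc=$?
    rm -rf "$ref"
    return $rc
}
```

Run it as `list_exes_between /home/e-smith/files/ibays 20090530 20090531` to reproduce the intended -newermt range.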
-
Workstation Cleanup
=============
My first guess would be that you have an infected workstation.
Many antivirus programs have an option to enable or disable scanning of network files and folders.
Check your workstation antivirus for this option and make sure it is enabled.
You could change the password on the ibay, then update the password one workstation at a time -- testing for virus creation at each workstation - to identify the infected station.
ibay cleanup
========
I think this would work to clean up your ibays from the server:
cd /home/e-smith/files/ibays
find . -type d -exec echo rm "{}" \; |awk -F/ '{print $0 "/" $NF ".exe"}' > cleanup.sh
Then look at cleanup.sh to make sure it looks safe, and run it. This tries to remove every instance of <folder>/<folder.exe> - so you'll get errors for the folders that don't contain the infection.
-
Hello, that can't be easy to live with :-(
I can only recommend, for the future, deploying a backup solution (like BackupPC, for example: http://wiki.contribs.org/BackupPC/fr).
I believe this is the most effective and fastest way to fight a worm/virus condition. Or being very responsive to your antivirus alerts, of course.
Good luck!
-
Allan Pritchard
FYI also see
http://forums.contribs.org/index.php/topic,50701.0.html
&
http://forums.contribs.org/index.php/topic,49785.0.html
for troubleshooting techniques
-
Hi all
Thanks for your replies.
We are pretty certain we know how the virus entered the ibay. Someone ran a program that was infected while it was located on the ibay. The user has said their PC caught the virus, but it seems to still install itself in the ibay. From what I understand of the New Folder virus, it installs itself on USB drives and infects from there. The autorun.inf is usually hidden and read-only; however, Linux ignored this so it was easy to find and delete. I assume the ibay acted as the USB drive as it is a mapped drive in Windows.
Deleting the autorun.inf has stopped the virus replicating at the base folder of the ibay (when mapping it via Windows); however, we still have 1000's of .exe files riddled throughout the server. It seems that if a folder has one of these it will replicate itself to any subfolder you navigate to. If you remove them the problem goes away.
Thanks to mmccarn for the script. One issue I have been racking my brains over for the last two days is that the script creates a command sequence that fails if the folders in the ibay have spaces in the naming, which the script treats as a return.
Creation of the script
find . -type d -exec echo rm "{}" \; |awk -F/ '{print $0 "/" $NF ".exe"}' > cleanup.sh
The script created is as follows (for a small test folder)
rm ./rm ..exe
rm ./Woodbury pool and shed demolition/Woodbury pool and shed demolition.exe
rm ./Woodbury pool and shed demolition/off camera/off camera.exe
rm ./Woodbury pool and shed demolition/photos for docs/photos for docs.exe
rm ./Photographs from Red Camera/Photographs from Red Camera.exe
rm ./Photographs from Red Camera/110___01/110___01.exe
rm ./Photographs from Red Camera/111___02/111___02.exe
rm ./Photographs from Red Camera/109___11/109___11.exe
rm ./Beachville DRA's 15-12-11/Beachville DRA's 15-12-11.exe
rm ./original drawings/original drawings.exe
rm ./bluespur/bluespur.exe
rm ./scans/scans.exe
rm ./New Folder (5)/New Folder (5).exe
The result is
[root@sammy Trash]# sh cleanup.sh
rm: cannot remove `./rm': No such file or directory
rm: cannot remove `..exe': No such file or directory
rm: cannot remove `./Woodbury': No such file or directory
rm: cannot remove `pool': No such file or directory
rm: cannot remove `and': No such file or directory
rm: cannot remove `shed': No such file or directory
rm: cannot remove `demolition/Woodbury': No such file or directory
rm: cannot remove `pool': No such file or directory
rm: cannot remove `and': No such file or directory
rm: cannot remove `shed': No such file or directory
rm: cannot remove `demolition.exe': No such file or directory
rm: cannot remove `./Woodbury': No such file or directory
rm: cannot remove `pool': No such file or directory
rm: cannot remove `and': No such file or directory
rm: cannot remove `shed': No such file or directory
rm: cannot remove `demolition/off': No such file or directory
rm: cannot remove `camera/off': No such file or directory
rm: cannot remove `camera.exe': No such file or directory
rm: cannot remove `./Woodbury': No such file or directory
rm: cannot remove `pool': No such file or directory
rm: cannot remove `and': No such file or directory
rm: cannot remove `shed': No such file or directory
rm: cannot remove `demolition/photos': No such file or directory
rm: cannot remove `for': No such file or directory
rm: cannot remove `docs/photos': No such file or directory
rm: cannot remove `for': No such file or directory
rm: cannot remove `docs.exe': No such file or directory
rm: cannot remove `./Photographs': No such file or directory
rm: cannot remove `from': No such file or directory
rm: cannot remove `Red': No such file or directory
rm: cannot remove `Camera/Photographs': No such file or directory
rm: cannot remove `from': No such file or directory
rm: cannot remove `Red': No such file or directory
rm: cannot remove `Camera.exe': No such file or directory
rm: cannot remove `./Photographs': No such file or directory
rm: cannot remove `from': No such file or directory
rm: cannot remove `Red': No such file or directory
rm: cannot remove `Camera/110___01/110___01.exe': No such file or directory
rm: cannot remove `./Photographs': No such file or directory
rm: cannot remove `from': No such file or directory
rm: cannot remove `Red': No such file or directory
rm: cannot remove `Camera/111___02/111___02.exe': No such file or directory
rm: cannot remove `./Photographs': No such file or directory
rm: cannot remove `from': No such file or directory
rm: cannot remove `Red': No such file or directory
rm: cannot remove `Camera/109___11/109___11.exe': No such file or directory
rm: cannot remove `./Beachville': No such file or directory
rm: cannot remove `DRAs 15-12-11/Beachville DRAs': No such file or directory
rm: cannot remove `15-12-11.exe': No such file or directory
rm: cannot remove `./original': No such file or directory
rm: cannot remove `drawings/original': No such file or directory
rm: cannot remove `drawings.exe': No such file or directory
rm: cannot remove `./bluespur/bluespur.exe': No such file or directory
rm: cannot remove `./scans/scans.exe': No such file or directory
cleanup.sh: line 13: syntax error near unexpected token `('
cleanup.sh: line 13: `rm ./New Folder (5)/New Folder (5).exe'
I can't work out how to create the script to add in double quotes to ignore spaces and non-alpha characters so the result would be, for example:
rm ."/Photographs from Red Camera/Photographs from Red Camera.exe"
Can anyone point me in the right direction? I can of course create the script and use a text editor such as Notepad++ to add in the quotes with find and replace commands, but I'd like to expand my knowledge if possible.
Regards
Allan
-
Hello :)
Use a backslash for special characters:
rm -rv ./*.exe
rm -rv ./Woodbury\ pool\ and\ shed\ demolition/Woodbury\ pool\ and\ shed\ demolition.exe
rm -rv ./Woodbury\ pool\ and\ shed\ demolition/off\ camera/off\ camera.exe
rm -rv ./Woodbury\ pool\ and\ shed\ demolition/photos\ for\ docs/photos\ for\ docs.exe
rm -rv ./Photographs\ from\ Red\ Camera/Photographs\ from\ Red\ Camera.exe
rm -rv ./Photographs\ from\ Red\ Camera/110___01/110___01.exe
rm -rv ./Photographs\ from\ Red\ Camera/111___02/111___02.exe
rm -rv ./Photographs\ from\ Red\ Camera/109___11/109___11.exe
rm -rv ./Beachville\ DRA\'s\ 15-12-11/Beachville\ DRA\'s\ 15-12-11.exe
rm -rv ./original\ drawings/original\ drawings.exe
rm -rv ./bluespur/bluespur.exe
rm -rv ./scans/scans.exe
rm -rv ./New\ Folder\ \(5\)/New\ Folder\ \(5\).exe
-
Thanks Heuzef
I've tried to research in "awk" but I can't work out how to add \ as a special character in the script.
Can you give me a clue how I would do this?
Cheers
Allan
-
The symptoms are the same as the Brontok worm my daughter caught when downloading some tool. Very aggressive. No chance to remove this in the live filesystem. Shut down your network, find the infected workstation, delete the whole file system (don't forget the profile directories) and restore from backup. Do not try to clean the live file system! If it is a real worm, this won't work. Every time you touch the files, the worm changes the file names and copies itself.
-
This will create 'cleanup.sh' with quotes around the filename (and will always scan only /home/e-smith/files/ibays, no matter where you run it from):
find /home/e-smith/files/ibays/ -type d -exec echo "{}" \; |awk -F/ '{print "rm \"" $0 "/" $NF ".exe" "\""}' >cleanup.sh
- I've moved the 'rm' command into the awk output
- I've added \" (in quotes) before and after the filename to be deleted, in order to output a single quote
Here's another version that will only add to cleanup.sh if there is an exe file that has the same name as the folder it's contained in:
find /home/e-smith/files/ibays/ -type f -name "*.exe" -exec echo "{}" \; \
|awk -F/ ' {if ($(NF-1) ".exe" == $NF) print "rm \"" $0 "\"" }' >cleanup.sh
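As an added example (not mmccarn's script and not part of the thread), the same <folder>/<folder>.exe check done without generating a shell script from echo|awk output, which is what broke on spaces and parentheses: find hands each path to sh as a positional argument, so no file name is ever re-parsed as shell code, and the default mode only lists. The function name folder_exes and its list/delete modes are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not a script from the thread. Finds the worm's <folder>/<folder>.exe
# droppers and lists or removes them. No generated script, no echo|awk: find passes
# each path to sh as a positional argument, so spaces, quotes, parentheses and
# apostrophes in folder names stay data and are never re-parsed as shell code.
# Usage: folder_exes <root>          list matching files (dry run)
#        folder_exes <root> delete   remove them, printing what was removed

folder_exes() {
    root=$1
    action=${2:-list}
    find "$root" -type f -name '*.exe' -exec sh -c '
        action=$1; shift
        rc=0
        for f; do
            parent=$(basename "$(dirname "$f")")   # name of the containing folder
            name=$(basename "$f" .exe)             # file name without the .exe suffix
            # the dropper is the .exe named after the folder that holds it
            [ "$name" = "$parent" ] || continue
            if [ "$action" = delete ]; then
                rm -f -- "$f" && printf "removed: %s\n" "$f" || rc=1
            else
                printf "%s\n" "$f"
            fi
        done
        exit $rc
    ' sh "$action" {} +
}
```

Run `folder_exes /home/e-smith/files/ibays` first and read the list; only then run it again with `delete`.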