Monday, July 09, 2007

infrom.exe on my USB


infrom.exe

I have found infrom.exe on my USB. This virus has spread through my USB memory sticks and my digital camera.

This virus can easily be deleted with an up-to-date virus scanner; it is variously reported as adware or as a virus.

Troj/ShipUp-A is a Trojan for the Windows platform. When first run, Troj/ShipUp-A copies itself to \ccPrxy.exe.

The following registry entry is created to run ccPrxy.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccPrxy.exe - ccPrxy.exe

The following registry value is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = 9f

Registry entries are created under:
HKLM\SOFTWARE\Microsoft\ShipUp\


On the infected media the infection shows up as this set of hidden files:

09/04/2004 05:58 AM 21,504 infrom.exe
07/08/2007 10:33 PM 96 AUTORUN.INF
07/08/2007 10:33 PM ms.config
07/08/2007 10:33 PM rm


H:\>dir /s/a ms.config
Directorio de H:\ms.config
07/08/2007 10:33 PM 23,552 ldup.exe
1 archivos 23,552 bytes

H:\>dir /s/a rm
Directorio de H:\rm
07/08/2007 10:33 PM 25,088 sy.exe
1 archivos 25,088 bytes



C:\WINDOWS\ldjs.txt is a logfile that shows all the infections carried out so far.

Sample of its contents:
2007-05-27 07:43:26
H:\ Space:256M,FreeSpace:9M
Copy File ldup.exe OK!
Copy File sy.exe OK!

The hidden file C:\Windows\ldlist.txt lists the files dropped on the media:
ms.config\ldup.exe
rm\sy.exe


From these two files the dropped file names and the infection timestamps can be seen.

The contents of the AUTORUN.INF file are:
[AutoRun]
open=infrom.exe
shellexecute=infrom.exe
shell\Auto\command=infrom.exe
shell=Auto
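The AUTORUN.INF above and the NoDriveTypeAutoRun value shown earlier are the two things a defender wants to be able to check on their own machines. The script below is an added example written for this post, not code from the original or from any vendor: it builds a constructed copy of the infected media layout (the file names listed above, with placeholder bytes instead of real executables) in a temporary directory, parses the AUTORUN.INF to find every program Explorer would launch (open=, shellexecute= and shell\<verb>\command= keys), checks which of those programs and which of the known dropped files are actually present, and decodes a NoDriveTypeAutoRun mask using the bit meanings Microsoft documents for that value (a set bit disables AutoRun for that drive type). The function names, SAMPLE_AUTORUN and KNOWN_DROPPED are my own assumptions for the example.

```python
"""Defender-side checks for the AUTORUN.INF worm pattern described in this post.

Added example, not code from the original post. It builds a constructed copy
of the infected media layout in a temporary directory, so it runs anywhere.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Constructed sample: the AUTORUN.INF quoted in the post.
SAMPLE_AUTORUN = (
    "[AutoRun]\n"
    "open=infrom.exe\n"
    "shellexecute=infrom.exe\n"
    "shell\\Auto\\command=infrom.exe\n"
    "shell=Auto\n"
)

# Relative paths the post lists as dropped on infected media (assumed set).
KNOWN_DROPPED = ("infrom.exe", "AUTORUN.INF", "ms.config/ldup.exe", "rm/sy.exe")

# Bits of ...\Policies\Explorer\NoDriveTypeAutoRun as documented by Microsoft;
# a set bit DISABLES AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "reserved",
}


def parse_autorun(text: str) -> dict[str, str]:
    """key=value pairs of the [AutoRun] section; keys lower-cased because
    INI keys are case-insensitive on Windows."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_programs(text: str) -> set[str]:
    """Programs Explorer would run on insertion or double-click:
    open=, shellexecute= and any shell\\<verb>\\command= entry."""
    found = set()
    for key, value in parse_autorun(text).items():
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value:
            found.add(value.split()[0].strip('"').lower())  # drop arguments
    return found


def scan_drive(root: Path) -> dict:
    """Inspect one drive root: which programs its AUTORUN.INF points at,
    whether those programs are present, and which known dropped files exist."""
    result = {"autorun_programs": set(), "present_targets": set(), "known_dropped": []}
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is not None:
        programs = autorun_programs(inf.read_text(errors="replace"))
        result["autorun_programs"] = programs
        result["present_targets"] = {p for p in programs if (root / p).exists()}
    result["known_dropped"] = [rel for rel in KNOWN_DROPPED if (root / rel).exists()]
    return result


def decode_nodrivetypeautorun(value: int) -> list[str]:
    """Drive types for which the mask disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def autorun_left_enabled(value: int) -> list[str]:
    """Drive types the mask still allows AutoRun on (0xFF disables all)."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def build_sample_media() -> Path:
    """Create a constructed copy of the infected layout in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "AUTORUN.INF").write_text(SAMPLE_AUTORUN)
    for rel in ("infrom.exe", "ms.config/ldup.exe", "rm/sy.exe"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"MZ placeholder, not a real executable")
    return root


if __name__ == "__main__":
    media = build_sample_media()
    print(scan_drive(media))
    print("0x9f disables:", decode_nodrivetypeautorun(0x9F))
    print("0x9f leaves enabled:", autorun_left_enabled(0x9F))
```

On a real machine, point scan_drive at the root of a mounted removable drive instead of the temp directory. Decoding 9f with the documented bits shows it disables AutoRun for unknown, no-root-dir, removable, fixed, network and reserved drive types while leaving CD-ROM and RAM-disk AutoRun enabled; a value of ff disables AutoRun for every drive type, which is the setting to prefer on a hardened workstation.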



Clean Up

To get rid of it, first delete those files from the media; that only stops it spreading further. Next, remove the root of the infection on the PC:
  1. Delete the entry from HKLM\software\windows\system32\ccprxy.exe. This name could change, as from other blogs I have seen it registered with different names.
  2. Delete c:\windows\infrom.dat, c:\windows\ldjs.txt, c:\windows\ldlist.txt, c:\windows\ldup.exe and c:\windows\sy.exe, all of them hidden files.
  3. From the Windows Task Manager locate ccprxy.exe and kill it, then:
     Remove the HKLM\Software\Microsoft\Windows\Run\ccprxy.exe entry
     attrib -h -s C:\Windows\System32\ccprxy.exe
     Remove the C:\Windows\System32\ccprxy.exe file
     Reboot the computer.
  4. Clean the media itself (the drive letter will vary):

    I:\>rd /s/q ms.config
    I:\>rd /s/q rm
    I:\>attrib -h -s infrom.exe
    I:\>attrib -h -s AUTORUN.INF
    I:\>del infrom.exe