
New version of NEW FOLDER.EXE

Created: 22 Jan 2010 • Updated: 26 Jul 2010 | 2 comments

We have an issue with a new version of NEW FOLDER.EXE. This was infected by a flash drive but I can’t stop spreading it. It brings the CPU process level up to 100%. It makes copies of itself. The PC is not totally frozen but very slow. SEP did not succeed in getting the virus. Reg edit, task manager, folder options all work OK but slow.

I submitted a sample from C:\WINDOWS\SYSTEM32 with the tracking ID #14576572 but it too didn’t have a successful response. The closing mail said that our automation was unable to identify any malicious content in this submission. The file will be stored for further human analysis.
Need urgent help...


Mick2009

Hi KRyan,

If you have ADC in use with your SEP, you can block that file's MD5 by policy: How to use Application and Device Control to limit the spread of a threat.

If you have a support contact with Symantec, I recommend that you open a case with them and ask for a manual analysis of that suspicious file. It will receive attention more quickly that way than in its present queue.

Thanks and best regards,

Mick


KRyan
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.5.0.50 | 2010.01.25 | Trojan.Agent!IK |
| AhnLab-V3 | 5.0.0.2 | 2010.01.23 | - |
| AntiVir | 7.9.1.150 | 2010.01.25 | TR/Agent.73728.aaa |
| Antiy-AVL | 2.0.3.7 | 2010.01.22 | - |
| Authentium | 5.2.0.5 | 2010.01.24 | - |
| Avast | 4.8.1351.0 | 2010.01.25 | - |
| AVG | 9.0.0.730 | 2010.01.25 | - |
| BitDefender | 7.2 | 2010.01.25 | - |
| CAT-QuickHeal | 10.00 | 2010.01.25 | Trojan.Agent.ATV |
| ClamAV | 0.94.1 | 2010.01.25 | - |
| Comodo | 3704 | 2010.01.25 | Heur.Suspicious |
| DrWeb | 5.0.1.12222 | 2010.01.25 | - |
| eSafe | 7.0.17.0 | 2010.01.24 | Win32.TRAgent.Aaa |
| eTrust-Vet | 35.2.7258 | 2010.01.25 | Win32/SillyAutorun.CKX |
| F-Prot | 4.5.1.85 | 2010.01.25 | - |
| F-Secure | 9.0.15370.0 | 2010.01.25 | - |
| Fortinet | 4.0.14.0 | 2010.01.25 | - |
| GData | 19 | 2010.01.25 | - |
| Ikarus | T3.1.1.80.0 | 2010.01.25 | Trojan.Agent |
| Jiangmin | 13.0.900 | 2010.01.24 | TrojanDownloader.VB.qkn |
| K7AntiVirus | 7.10.952 | 2010.01.22 | Trojan.Win32.Malware.1 |
| Kaspersky | 7.0.0.125 | 2010.01.25 | - |
| McAfee | 5871 | 2010.01.24 | - |
| McAfee+Artemis | 5871 | 2010.01.24 | Artemis!FECCDA5BE738 |
| McAfee-GW-Edition | 6.8.5 | 2010.01.25 | Trojan.Agent.73728.aaa |
| Microsoft | 1.5405 | 2010.01.25 | - |
| NOD32 | 4803 | 2010.01.25 | - |
| Norman | 6.04.03 | 2010.01.25 | W32/Obfuscated.H!genr |
| nProtect | 2009.1.8.0 | 2010.01.25 | - |
| Panda | 10.0.2.2 | 2010.01.24 | Suspicious file |
| PCTools | 7.0.3.5 | 2010.01.25 | - |
| Prevx | 3.0 | 2010.01.25 | - |
| Rising | 22.32.00.04 | 2010.01.25 | - |
| Sophos | 4.50.0 | 2010.01.25 | Mal/Generic-A |
| Sunbelt | 3.2.1858.2 | 2010.01.24 | - |
| Symantec | 20091.2.0.41 | 2010.01.25 | - |
| TheHacker | 6.5.0.9.162 | 2010.01.25 | - |
| TrendMicro | 9.120.0.1004 | 2010.01.25 | PAK_Generic.001 |
| VBA32 | 3.12.12.1 | 2010.01.23 | - |
| ViRobot | 2010.1.25.2154 | 2010.01.25 | - |
| VirusBuster | 5.0.21.0 | 2010.01.25 | - |

Additional information
File size: 73728 bytes
MD5...: feccda5be738da7867a944a1bc4e9553
SHA1..: d3562aa37c2509b73e0d3d38d629443e69d9d30a
SHA256: 07bde09102ef9240fee8d981754b0ab7febe11cd9be3fc3c3ba784f802e5c889
ssdeep: 768:Hv8s3i6E5nXfUWPYfIc/Qi3qEBQpKGt0DlNvsnUp93qEBjUWPYfIc/QAnXZs
3i6S:J3i6EBXlLOUpNt0QnUp9NLMXy3i6E
 
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x121c
timedatestamp.....: 0x4a979ae9 (Fri Aug 28 08:52:57 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
| name | viradd | virsiz | rawdsiz | ntrpy | md5 |
|---|---|---|---|---|---|
| .text | 0x1000 | 0x8780 | 0x9000 | 4.85 | 43006d9c6920c39385061aa35dcdfa1d |
| .data | 0xa000 | 0xaf8 | 0x1000 | 0.00 | 620f0b67a91f7f74151bc5be745b7110 |
| .rsrc | 0xb000 | 0x7000 | 0x7000 | 4.44 | 6939f0bb7d844553a0964f31b3b15066 |

( 1 imports )
> MSVBVM60.DLL: _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaStrToAnsi, _CIatan, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

( 0 exports )
 

RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: winexploer
description..: n/a
original name: NewFolder.exe
internal name: NewFolder
file version.: 1.00
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
 
trid..: Win32 Executable Microsoft Visual Basic 6 (91.5%)
Win32 Dynamic Link Library (generic) (5.5%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

 
Thanks Mick,

The file can be deleted by giving the rights. This is the report that I got from VirusTotal when I submitted the same file that I submitted to you. From my side the problem is solved, I guess, after terminating the file process. But help others who are in trouble....

Thanks and regards

KRyan
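
Added example (not part of the original thread and not Symantec tooling): because the file copies itself, a cleanup sweep should match copies by content rather than by name. This Python script defaults to the file size and MD5 from the VirusTotal report above; the function names `md5_of` and `find_copies` are hypothetical.

```python
import hashlib
import os
import sys

# Values taken from the VirusTotal report quoted in this thread.
KNOWN_MD5 = "feccda5be738da7867a944a1bc4e9553"
KNOWN_SIZE = 73728  # bytes

def md5_of(path, chunk_size=65536):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def find_copies(root, md5=KNOWN_MD5, size=KNOWN_SIZE):
    """Walk root and return (hits, unreadable).

    hits: files whose size and MD5 both match, whatever they are named.
    unreadable: files of the matching size that could not be opened,
    e.g. a copy that is still running and locked; review these by hand.
    """
    hits, unreadable = [], []
    wanted = md5.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Cheap size check first; symlinks are skipped.
                if os.path.islink(path) or os.path.getsize(path) != size:
                    continue
            except OSError:
                continue  # file vanished or metadata is inaccessible
            try:
                if md5_of(path) == wanted:
                    hits.append(path)
            except OSError:
                unreadable.append(path)
    return sorted(hits), sorted(unreadable)

if __name__ == "__main__":
    found, locked = find_copies(sys.argv[1] if len(sys.argv) > 1 else ".")
    for item in found:
        print("MATCH     ", item)
    for item in locked:
        print("UNREADABLE", item)
```

Run it against the flash drive and each local volume; entries reported as UNREADABLE with the matching size are worth rechecking after the running process has been terminated.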