New version of NEW FOLDER.EXE

Created: 22 Jan 2010 • Updated: 26 Jul 2010 | 2 comments

We have an issue with a new version of NEW FOLDER.EXE. This was infected by a flash drive but I can’t stop it spreading. It brings the CPU process level up and makes copies of itself. The PC is not totally frozen but very slow. SEP did not succeed in getting the virus. Regedit, Task Manager and Folder Options all work OK but slowly.

I submitted a sample from C:\WINDOWS\SYSTEM32 with the tracking ID #14576572 but it too didn’t have a successful response. The closing mail said that our automation was unable to identify any malicious content in this submission. The file will be stored for further human analysis.
Need urgent help...

Hi KRyan,

If you have ADC in use with your SEP, you can block that file's MD5 by policy: How to use Application and Device Control to limit the spread of a threat.

If you have a support contact with Symantec, I recommend that you open a case with them and ask for a manual analysis of that suspicious file. It will receive attention more quickly that way than in its present queue.

With thanks and best regards,


Antivirus          Version         Last Update  Result
a-squared                          2010.01.25   Trojan.Agent!IK
AhnLab-V3                          2010.01.23   -
AntiVir                            2010.01.25   TR/
Antiy-AVL                          2010.01.22   -
Authentium                         2010.01.24   -
Avast              4.8.1351.0      2010.01.25   -
AVG                                2010.01.25   -
BitDefender        7.2             2010.01.25   -
CAT-QuickHeal      10.00           2010.01.25   Trojan.Agent.ATV
ClamAV             0.94.1          2010.01.25   -
Comodo             3704            2010.01.25   Heur.Suspicious
DrWeb                              2010.01.25   -
eSafe                              2010.01.24   Win32.TRAgent.Aaa
eTrust-Vet         35.2.7258       2010.01.25   Win32/SillyAutorun.CKX
F-Prot                             2010.01.25   -
F-Secure           9.0.15370.0     2010.01.25   -
Fortinet                           2010.01.25   -
GData              19              2010.01.25   -
Ikarus             T3.             2010.01.25   Trojan.Agent
Jiangmin           13.0.900        2010.01.24   TrojanDownloader.VB.qkn
K7AntiVirus        7.10.952        2010.01.22   Trojan.Win32.Malware.1
Kaspersky                          2010.01.25   -
McAfee             5871            2010.01.24   -
McAfee+Artemis     5871            2010.01.24   Artemis!FECCDA5BE738
McAfee-GW-Edition  6.8.5           2010.01.25
Microsoft          1.5405          2010.01.25   -
NOD32              4803            2010.01.25   -
Norman             6.04.03         2010.01.25   W32/Obfuscated.H!genr
nProtect           2009.1.8.0      2010.01.25   -
Panda                              2010.01.24   Suspicious file
PCTools                            2010.01.25   -
Prevx              3.0             2010.01.25   -
Rising                             2010.01.25   -
Sophos             4.50.0          2010.01.25   Mal/Generic-A
Sunbelt            3.2.1858.2      2010.01.24   -
Symantec           20091.2.0.41    2010.01.25   -
TheHacker                          2010.01.25   -
TrendMicro                         2010.01.25   PAK_Generic.001
VBA32                              2010.01.23   -
ViRobot            2010.1.25.2154  2010.01.25   -
VirusBuster                        2010.01.25   -

Additional information
File size: 73728 bytes
MD5...: feccda5be738da7867a944a1bc4e9553
SHA1..: d3562aa37c2509b73e0d3d38d629443e69d9d30a
SHA256: 07bde09102ef9240fee8d981754b0ab7febe11cd9be3fc3c3ba784f802e5c889
ssdeep: 768:Hv8s3i6E5nXfUWPYfIc/Qi3qEBQpKGt0DlNvsnUp93qEBjUWPYfIc/QAnXZs
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x121c
timedatestamp.....: 0x4a979ae9 (Fri Aug 28 08:52:57 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8780 0x9000 4.85 43006d9c6920c39385061aa35dcdfa1d
.data 0xa000 0xaf8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0xb000 0x7000 0x7000 4.44 6939f0bb7d844553a0964f31b3b15066

( 1 imports )
> MSVBVM60.DLL: _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaStrToAnsi, _CIatan, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

( 0 exports )

RDS...: NSRL Reference Data Set
pdfid.: -
publisher....: n/a
copyright....: n/a
product......: winexploer
description..: n/a
original name: NewFolder.exe
internal name: NewFolder
file version.: 1.00
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Win32 Executable Microsoft Visual Basic 6 (91.5%)
Win32 Dynamic Link Library (generic) (5.5%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

Thanks Mike,

The file can be deleted by giving the rights. This is the report that I got from VirusTotal when I submitted the same file that I submitted to you. From my side the problem is solved, I guess, after terminating the file process. But help others who are in trouble....

Thanks and regards
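
Added example, not part of the original thread and not Symantec code: a sweep that locates the self-made copies described in the first post by matching the size, MD5 and SHA256 from the VirusTotal report above, the same exact-fingerprint match the MD5 block suggested in the reply relies on. Function names are illustrative; an exact-hash match only finds byte-identical copies, so a rebuilt variant with different bytes will not appear in the results.

```python
import hashlib
import os

# Values copied from the VirusTotal report in this thread.
SAMPLE_SIZE = 73728
SAMPLE_MD5 = "feccda5be738da7867a944a1bc4e9553"
SAMPLE_SHA256 = "07bde09102ef9240fee8d981754b0ab7febe11cd9be3fc3c3ba784f802e5c889"


def file_digests(path, chunk=1 << 16):
    """Return (md5_hex, sha256_hex) for a file, reading it in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def find_copies(root, size=SAMPLE_SIZE, md5=SAMPLE_MD5, sha256=SAMPLE_SHA256):
    """Walk root and return (matches, unreadable).

    matches: files whose size, MD5 and SHA256 all equal the sample's.
    unreadable: paths that could not be listed or read (locked or
    ACL-denied); check these by hand rather than assuming they are clean.
    """
    matches, unreadable = [], []
    wanted = (md5.lower(), sha256.lower())

    def on_error(err):  # directory that os.walk could not list
        unreadable.append(str(err.filename))

    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) != size:  # cheap pre-filter
                    continue
                if file_digests(path) == wanted:
                    matches.append(path)
            except OSError:
                unreadable.append(path)
    return sorted(matches), sorted(unreadable)


if __name__ == "__main__":
    import sys
    hits, skipped = find_copies(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in hits:
        print("MATCH     ", p)
    for p in skipped:
        print("UNREADABLE", p)
```

Run it against each fixed drive and any removable media that was attached to the machine, passing the drive root as the argument.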