Endpoint Protection

  • 1.  RECYCLER virus

    Posted Dec 08, 2011 09:39 AM

    Really annoying, but if you try to unhide files and still don't see them, you can use either the 7-zip or 7-zip portable program to go on your flash drive or other removable media and delete a folder called RECYCLER and autorun.inf (it is ok to remove these files, but the delete is temporary). I used the avast! anti-virus and I can scan the whole computer, even the RAM. Still, it is still there. I had troubles with my flash drive, the computer not recognizing it. I just rebooted and it is ok. Also, when you get the autorun pop-up, you can see an open folder picture instead of the normal removable drive picture. This will show if you have it. It also shows up in Windows Explorer. Still can't completely delete it.



  • 2.  RE: RECYCLER virus

    Posted Dec 08, 2011 11:30 AM

    You might want to give the Norton Power Eraser a shot at removing this threat. The tool is designed to remove threats that hide from traditional AV.

    http://security.symantec.com/nbrt/npe.aspx?lcid=1033&origin=default

     

    If possible submit a sample to Symantec or ThreatExpert for analysis.

    http://www.symantec.com/business/security_response/submitsamples.jsp

    http://www.threatexpert.com/submit.aspx



  • 3.  RE: RECYCLER virus

    Posted Dec 26, 2011 03:40 PM

    Hi, try disabling the autorun by following the article below:

    http://www.symantec.com/docs/TECH104447   

    Also try the attrib command on the pen drive in the cmd prompt:

    attrib -r -h -s -a "Drive location :\*.*" /s /d

    If it is a single pen drive, try the step below, which worked for me:

    Connect the pen drive, copy the contents to a folder on the desktop, format the pen drive, and then copy the contents back to the pen drive.

     

     



  • 4.  RE: RECYCLER virus

    Trusted Advisor
    Posted Dec 27, 2011 05:39 AM

    Hello,

    I see no reason to stress over the Recycler folder and Autorun.inf. However, what is important here is the content within the Recycler folder and the code in the Autorun.inf file.

    Understand what is the Recycler folder: 

    http://support.microsoft.com/kb/171694

     

    The RECYCLER folder is the recycle bin. The recycle bin on your desktop is simply a shortcut to all the RECYCLER folders in your computer. If you have a C:\ D:\ and E:\, your recycle bin shows the contents of C:\RECYCLER D:\RECYCLER and E:\RECYCLER. Having these RECYCLER folders on each drive saves the OS from having to copy a deleted file or folder from any other drive to the C:\ drive. 
     
    Removing Recycler folder
     
    Recycler is a read only folder. To view the folder, go to Tools -> Folder Options -> View tab and uncheck the option of Hide Protected operating System Files. Right click on the folder, go to Properties and unselect the option of Read Only. Now it can be deleted.
     
    Recycler Virus
     
    A virus with the same name, Recycler.exe, has been identified; it should not be confused with the Recycler folder.
     
    Understand what is AutoRun.inf
     
    An autorun.inf file is a text file that can be used by the AutoRun and AutoPlay components of Microsoft Windows Operating systems. For the file to be discovered and used by these components, it must be located in the root directory of a volume. As Windows has a case-insensitive view of filenames, the autorun.inf file can be stored as AutoRun.inf or Autorun.INF or any other case combination.
     
    So, the code written inside the Autorun.inf could sometimes be used for triggering another virus file which may be hidden in the machine / network / removable drive.
     
    And that is the major reason we suggest everyone disable the AutoRun functionality.
     
     
    Hope that helps!!
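
Added example, not part of the original thread or any poster's code: a small Python check for the point made in the post above, that what matters is the code in the root autorun.inf and whether it launches something kept inside RECYCLER. It finds the file regardless of letter case, tolerates junk lines, and lists the launch keys (`open`, `shellexecute`, `shell\<verb>\command`); the function names and the sample file content are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Constructed sample: an autorun.inf whose launch keys point into RECYCLER.
SAMPLE_INF = """; constructed sample, not from a real infection
[AutoRun]
open=RECYCLER\\S-0-0-00\\sample.exe
shell\\open\\command=RECYCLER\\S-0-0-00\\sample.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

def find_autorun(root):
    """Return the autorun.inf in the volume root, whatever its letter case."""
    for entry in Path(root).iterdir():
        if entry.name.lower() == "autorun.inf" and entry.is_file():
            return entry
    return None

def launch_entries(text):
    """Return (key, command) pairs from [autorun] that start a program."""
    section, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, command = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or key.endswith("\\command"):
                found.append((key, command))
    return found

def audit_volume(root):
    """List launch commands in the root autorun.inf; flag those in RECYCLER."""
    path = find_autorun(root)
    if path is None:
        return []
    text = path.read_text(encoding="latin-1")  # latin-1 never fails to decode
    return [
        {"key": key, "command": command,
         "in_recycler": "recycler\\" in command.lower().replace("/", "\\")}
        for key, command in launch_entries(text)
    ]

def demo():
    """Audit a throwaway directory standing in for a removable volume."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "AutoRun.INF").write_text(SAMPLE_INF)
        return audit_volume(root)
```

To check a real drive, call `audit_volume` with the drive's root path; an empty list means no autorun.inf was found there or it has no launch keys.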


  • 5.  RE: RECYCLER virus

    Posted Dec 27, 2011 06:15 AM


  • 6.  RE: RECYCLER virus

    Posted Dec 28, 2011 10:35 PM

    Hi,

     

    Do you mean recycler.scr?

     

    You can try viewing hidden files using the command below:

    c:\>dir /a:h /s d >check.txt

     

    Also, SEP should detect this threat; if it's a new variation, do submit the sample to Symantec.