We are facing a virus problem on our network, but I'm unable to identify it, so we can't properly deal with it.
The symptoms are that the virus duplicates a word document (.doc) generating a new archive with the same name, but with an exe extension, and, after that, the virus hides the original file.
So, when the user clicks on the file, it propagates itself.
Symantec AV seems to be able to block it: every time the virus tries to generate the exe, Symantec blocks it, but at this point the original file has already been made hidden, so the user thinks that the file has been deleted.
Symantec identifies it as a simple trojan horse. I already started a full scan, but it didn't find anything.
I'm trying to find out the virus name in order to fight it.
Does anyone have any kind of information?
TIA,
Bob
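A defender-side check for the pattern described above (a .doc that has gained a same-named .exe beside it and been set hidden), written as an added example, not code from anyone in the thread. The UNC share paths in the sample listing are constructed, and reading the Hidden attribute through `st_file_attributes` assumes the scan runs on Windows.

```python
import os
import stat
from pathlib import PureWindowsPath
from typing import Iterable, List, NamedTuple, Tuple

class Entry(NamedTuple):
    path: str      # full path of the file
    hidden: bool   # True if the Hidden attribute is set

def find_doc_exe_pairs(entries: Iterable[Entry]) -> List[Tuple[Entry, Entry, bool]]:
    """Flag every .doc that has a same-named .exe in the same directory.

    Returns (doc, exe, doc_is_hidden) triples. A hidden .doc next to a visible
    .exe of the same name is the symptom described in the thread. Both
    "report.exe" and "report.doc.exe" are treated as the dropped copy.
    """
    by_dir = {}
    for e in entries:
        p = PureWindowsPath(e.path)
        by_dir.setdefault(str(p.parent).lower(), {})[p.name.lower()] = e
    hits = []
    for names in by_dir.values():
        for name, doc in names.items():
            if not name.endswith(".doc"):
                continue
            for cand in (name[:-4] + ".exe", name + ".exe"):
                exe = names.get(cand)
                if exe is not None:
                    hits.append((doc, exe, doc.hidden))
    return hits

def walk_tree(root: str) -> List[Entry]:
    """Collect files under root; Hidden comes from st_file_attributes (Windows only, assumed)."""
    out = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            attrs = getattr(os.stat(full), "st_file_attributes", 0)
            out.append(Entry(full, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out

# Constructed sample listing (not real data) reproducing the reported symptom.
SAMPLE = [
    Entry(r"\\fileserver\share\report.doc", True),
    Entry(r"\\fileserver\share\report.exe", False),
    Entry(r"\\fileserver\share\memo.doc", False),
    Entry(r"\\fileserver\share\budget.doc", True),
    Entry(r"\\fileserver\share\budget.doc.exe", False),
]

if __name__ == "__main__":
    for doc, exe, hidden in find_doc_exe_pairs(SAMPLE):
        print(("HIDDEN " if hidden else "") + doc.path + " <-> " + exe.path)
```

Run `find_doc_exe_pairs(walk_tree(r"\\fileserver\share"))` from a clean machine to list candidate files for upload to a multi-engine scanner instead of opening them.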
If one AV program won't do the job grab a couple of others and scan with them. There is not, and undoubtedly never will be, any one product that will detect and remove all viruses/malware.
When faced with a tricky virus I prefer to scan the drive from another running OS. Either add that drive as a second drive in another machine or use a boot CD with AV software on it. There are any number of viruses that can't be cleaned out of a running OS.
I have seen such behavior before in Virut and some other viruses that were classified as Generic PWS.g by McAfee VirusScan.
If you can get a "clean" sample of the file, you can upload it to a website that specializes in scanning virus samples. A Google search should yield a list of sites that do this.
I'd try getting a liveboot CD for Linux and access the file that way, as Linux doesn't execute Windows executables (as long as it's not running WINE) and OpenOffice shouldn't support any oddball macros in Office documents. Even if it did, the payload should be adequately confused by Linux conventions to render it immune.
Then I'd get the file, upload it to the website, and that should give you some idea of what you're dealing with.
This isn't like the good old days where a virus was a virus was a virus. Today each vendor names viruses with their own conventions, and any slight change is suddenly a new virus (we catch 18 billion viruses compared to our competitor! We don't mention that 17.9 billion of them just have a different typo!)
If you're not familiar with Linux, you may be able to find someone with some experience with it to assist. Linux has been a real gift for troubleshooting issues like this for us; it's like having a heavy environmental clean suit for handling malware that would cripple a Windows workstation if there's an "accident" while trying to analyze the situation.
A Macintosh onsite may also be able to handle the document in a way that will allow you to upload it to an online scanner as well, as long as you don't have an integrated Windows emulator/virtualizer installed that runs a virtualized Windows session by clicking on an executable, and if your document is using some form of macro and you have Office installed I don't know if it'll try running certain macros or not. Again, though, it should be confused by the platform differences anyway...unless you have WINE or a virtualizer integrated so that you accidentally infect your virtualized environment.
Win32:AutoIt-CI
That's probably the name of the virus. It's based on some assumptions, but that's probably it.
For this kind of thing I like to run HijackThis (http://free.antivirus.com/hijackthis/) on the PC. This gives you a logfile that gives hints as to common settings that may have been changed, i.e. it might point to where the PC is getting infected from.
The logfiles can be analysed online here (don't accept this analysis as 100% accurate):
http://www.hijackthis.de/
Many forums also look at HijackThis logs and give good advice.
A boot CD with a couple of very good utils is Secured2k (available below):
http://community.mcafee.com/thread/6923
This boot CD contains a Registry Editor and a tool called "Autoruns" from Sysinternals.
Autoruns shows you all possible startup locations in Windows. I find this useful when a virus has added its path to the registry key that loads "Explorer.exe".