Monday, October 18, 2010

Fighting the "Shortcut Virus".

There's nothing that can make me feel more suicidal than hearing the first thing that comes out of my colleagues' mouths when they see me stepping into the office, beaming with smiles because that day I've managed to get in earlier than usual:

"The shared directory is no longer accessible. I think it's a virus"

*sighs and walks heavily*

There goes the thought that I had earlier on about how it's going to be a great day for me.

So I stuffed all of my "stuff" in the locker... I was once told by my boss that I would probably be the only "girl" in my company that is so technical that I need to carry two extra bags consisting of laptop, network cable, tester, my test pen, external hard disk, thumb drives, CD installers and what not, just to satisfy my technical side... and dragged my flat feet straight to the server room, only to find out that I had left my server room key in my handbag and had to walk all 100m back to my cubicle, while at the same time trying to look as if I was actually running around trying to fix the problem.

On my way back to the server room, I bumped into a door, my leg hit the edge of the table and my shoulder hit a wall. Man! Talk about poor estimation of space and openings.

Bruises aside, I finally got into the server room and started doing some troubleshooting.

*

The "Shortcut Virus" hides all the original folders and files in the directory and creates fake shortcuts to them, hence the name. Man! The genius behind this virus must have been so bored with his life, living in the basement of his parents' house. I use the word "his" because, come on, you know women can never screw things up and make them go as haywire as this. :)

Back to the "shortcut virus". Unfortunately, the Anti-Virus software for my company is fucked up. It can't even detect the existence of it, even though it is constantly running in the background and "pretending" to be part of the Windows system processes.

So what is a system-admin-that-thinks-she-is-awesome-but-actually-has-limited-knowledge-on-virus-fighting-regimes to do? Go online and google it, of course!! I spent a few hours trying to find the best solution for my server, which is currently running Windows Server 2000 (haha yeah I know, it's damn old, but we are in the middle of migrating it, so spare me the lectures) and is also our AD and Web Server. So this is a critical server for our daily operation.

p/s: Beggars can't be choosers, you know. I have to work within my means. Combining everything in one server could be seen as poor practice, but damn, when it comes to OPEX budgeting, WE ARE POOR! So beat it!

After a couple of trial-and-error attempts, I resorted to the SUPERHERO scheme. Track it down and put it out manually myself! *shreds shirt and wears out-tie underpants*

So if any of you suffer the same predicament as I did, use the following steps as a guideline for getting rid of the "Shortcut Virus".

1. Unhide your hidden stuff!

As mentioned earlier, this virus hides all your stuff in the directory. So first, in order to make sure that all the data is still there, you need to be able to "see" it.
  • Go to Folder Options, under the View tab, select the Show Hidden Files radio button, and uncheck the Hide protected operating system files (Recommended) checkbox. This will let you see all the files in the current window.
  • Do not try to unhide them one by one via Folder Properties: it is a hassle, and for most of them the Hidden checkbox will be greyed out, because the virus also sets the System attribute.
2. Identifying the Virus Files and Ammunition.

Let me tell ya, this virus was solely created to piss the hell out of you and mess with your head.
  • It thrives on an autorun.inf file it leaves in your folder.
  • It usually creates two *.exe files with random names that don't make any sense to you. In my case it was taasmex.exe.
  • Then there's thumb.db. A file like this is normally created automatically by Windows when you view pictures in the thumbnail view. But the thing is, the original Windows file is named THUMBS.DB, with an "S".
3. Killing the background process.
  • If you are lucky, the process can simply be killed via Task Manager. But most of the time it doesn't happen that way.
  • If it is difficult for you to kill the bugger, then download HijackThis, a tool from Trend Micro that lets you force-kill a running process.
  • After you have downloaded it, install it on your server/PC, trace the process and kill it.
  • Delete all the files mentioned above. I suggest that you Shift-Delete them rather than move them to the Recycle Bin. You never know, you might "accidentally" restore them.
4. Delete all the shortcuts made by the virus and change the attributes of the directory or folders to unhide all the hidden folders and files.
  • Go to Start Menu - Run, type cmd. This will open the command prompt window.
  • Switch to the drive holding your infected directory. Let's say it's E:\, then type this:
C:\> E:
E:\> cd \
E:\> attrib -s -h /s /d *.*

5. This command strips the System and Hidden attributes from every file and folder on the drive, so your folders will appear again before your very eyes. Legitimate hidden files such as desktop.ini and Windows's own Thumbs.db will show up too, which is harmless.
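As an added example, not part of the original post: a small Python script that applies the indicators from steps 2 and 4 above (autorun.inf, the misnamed thumb.db, a dropped .exe, and a shortcut sitting beside a Hidden+System original of the same name) to a folder listing, and prints the attrib/del lines for the cleanup. The listing and the folder names Finance and HR are constructed; taasmex.exe is the name from the post; on a real Windows share the Entry list would be built from os.scandir() and st_file_attributes.

```python
from dataclasses import dataclass

HIDDEN, SYSTEM = 0x02, 0x04   # FILE_ATTRIBUTE_* bits; attrib shows them as H and S

@dataclass
class Entry:
    name: str
    is_dir: bool
    attrs: int = 0

def triage(entries):
    """Classify one folder's listing; returns finding-type -> sorted names."""
    names = {e.name.lower() for e in entries}
    lnk_bases = {n[:-4] for n in names if n.endswith(".lnk")}
    found = {k: [] for k in ("autorun", "misnamed_thumbs", "dropped_exe",
                             "decoy_lnk", "hidden_original")}
    for e in entries:
        low = e.name.lower()
        if low == "autorun.inf":
            found["autorun"].append(e.name)
        elif low == "thumb.db":            # the real Windows cache is Thumbs.db, with an S
            found["misnamed_thumbs"].append(e.name)
        elif low.endswith(".exe") and not e.is_dir:
            found["dropped_exe"].append(e.name)
        elif low.endswith(".lnk") and low[:-4] in names:
            found["decoy_lnk"].append(e.name)   # shortcut shadowing a real sibling
        if (e.attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM) and low in lnk_bases:
            found["hidden_original"].append(e.name)  # the hidden original, still present
    return {k: sorted(v) for k, v in found.items()}

def remediation(found):
    """cmd.exe lines mirroring steps 3 and 4: unhide originals, delete the worm's files."""
    cmds = [f'attrib -s -h "{n}"' for n in found["hidden_original"]]
    worm_files = (found["decoy_lnk"] + found["autorun"]
                  + found["misnamed_thumbs"] + found["dropped_exe"])
    return cmds + [f'del /f /a "{n}"' for n in worm_files]   # /a: include hidden/system

# Constructed listing modelled on the infected share described in the post (not real data).
SAMPLE = [
    Entry("Finance", True, HIDDEN | SYSTEM), Entry("Finance.lnk", False),
    Entry("HR", True, HIDDEN | SYSTEM), Entry("HR.lnk", False),
    Entry("autorun.inf", False, HIDDEN | SYSTEM), Entry("thumb.db", False, HIDDEN | SYSTEM),
    Entry("taasmex.exe", False, HIDDEN | SYSTEM), Entry("Thumbs.db", False, HIDDEN | SYSTEM),
    Entry("readme.txt", False),
]

if __name__ == "__main__":
    for line in remediation(triage(SAMPLE)):
        print(line)
```

The legitimate Thumbs.db in the sample is left alone because it is neither misnamed nor shadowed by a .lnk.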


If all the above-mentioned steps do not work for you, then please email me so that I can bang my head on the table and try to hang myself on the ceiling fan.

Good Luck!



3 comments:

Flawed Genius said...

Ms Snots,

I used my notebook PC a lot but I am hopeless when it comes to all this IT stuff. So far have not come across such a 'virus'.

SNOTS said...

fg: you are so lucky then. The problem with managing a network is that it is almost impossible to get all your co-workers to be ethical, like scanning their thumbdrives before using them and all that.

But it's interesting to learn how to counter-attack these buggers. It is quite a challenge, if I may say so!

Anonymous said...

One of the computers in my network got this virus!! But your tut was not successful because the virus has disabled Run, Regedit, Command Prompt and Task Manager!!!

Finally, as a last resort, I tried to run HijackThis. I had to bang my head when I found the virus doesn't allow HijackThis to run.