Tuesday, April 22, 2008

A bad virus is going around, spread by CAMERA MEMORY CARDS. A first symptom is:

"Show hidden files and folders" doesn't work, and there seems to be NO SOLUTION!
See pictures at: http://www.flickr.com/photos/edhiker/2426426388/

Edhiker's backups had also become infected by this rapidly self-replicating virus. Just inserting an infected flash drive into a computer may infect all attached drives (format C: won't fix this), and the virus then hides its tracks. Put one of those cards in another computer... you get the message. It took a day of hard work to solve.
It's called Trojan-PSW.Win32.OnlineGames; see www.viruslist.com/en/analysis?pubid=204791985 and http://www.rising-global.com/Published/InformationCenter/DailyVirusReport/2007-09-04/20070904103244.htm

This virus makes copies of itself on all drives, including flash / removable drives, in order to propagate. It checks whether an update is available after install and on each reboot of the computer (www.bluetack.co.uk/forums/index.php?showtopic=18228). If a newer version is available, it downloads and installs it from 1A123.com, in Beijing. If you are using flash drives or CDs that you don't know are safe, hold the Shift key down while inserting them; this disables autorun.

More - "High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer."

Lessons: *** Treat all USB media and CAMERA MEMORY CARDS as if they could be infected - Don't loan them ***
Run anti-virus at all times - Treat all new software as if it's infected; one of my malware items was called "Comcast toolbar" http://www.topix.com/forum/city/everett-wa/TM7UV18VAQI2J2HN2

Some of the TROJAN-VIRUS-PSW-ONLINE-GAMES file names (aka PWS-LegMir.gen.k) for me were (XXXX's added):
BQK.XXXXBAT - may be on all drives; SHOWED UP on 4/21/08 after I got a "clean" system
ZZ.XXXXEXE - see http://www.flickr.com/photos/edhiker/2409559906/ (lost its target)
1A123.XXXXcom (domain name)
Most files except autorun were about 115 KB long.

In my case the virus went unnoticed until it was in all restore points, then it got worse. The desktop shortcuts were missing one morning - my twelve-hour fix-it day. If I had not made a record of the error at http://www.flickr.com/photos/edhiker/2409559906/ the solution might have been lost forever.

Scans by AVG, ESET NOD32 Antivirus, Housecall, Kaspersky Online Scanner, and PCPitstop did not clear the virus. My feeling is that the good live AV programs will prevent infection, but will not clear it once it is allowed to get established.
The final and more brutal solution is outlined at: http://www.geekstogo.com/forum/TROJAN-VIRUS-PSW-ONLINE-GAMES-Infection-PC-Help-t188801.html
Even after the above solution, I had to delete about 10 registry values referencing "bqk.bat".

Below are, in my opinion, the best AV products.
Free 30-Day Trial of NOD32 Antivirus http://www.eset.com/download/index.php
AVG Free 30-day trial at http://www.grisoft.com/ww.home-and-office-security
AVG Anti-Virus Free Edition 8.0 http://free.grisoft.com/ww.download-avg-anti-virus-free-edition seems to be a new item; see the site for what is missing
Kaspersky trial at http://www.kaspersky.com/trials

Avoiding spyware and virus-infected files via P2P sites (the usual use is downloading music files to play on iPods) ... and about the keygen virus

How to avoid infecting your storage device - and system: don't double-click the drive to open it; hold Shift while inserting it instead.
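The propagation described above and the "don't double-click, hold Shift" advice both come down to the autorun.inf the virus drops on each drive. As an added example (not from the original post), here is a small Python triage script that reads such a file the way Windows does and reports which commands would run on insertion (what holding Shift blocks) and which would run when the drive is double-clicked in Explorer. The sample file and the name placeholder.exe are constructed, not the real worm's.

```python
"""Triage an autorun.inf from removable media (added example, constructed sample).
Reports which commands run on insertion (open=/shellexecute=, blocked by holding Shift)
and which run when the drive is double-clicked in Explorer (the default shell verb)."""
from dataclasses import dataclass

@dataclass
class Launch:
    trigger: str   # "insert", "double-click" or "context-menu"
    command: str

def parse_autorun_inf(text: str) -> list[Launch]:
    """Return every command the file would cause Windows to execute."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()              # e.g. [autorun]
            continue
        if section != "autorun" or "=" not in line:
            continue                                  # other sections and junk lines
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    launches = [Launch("insert", entries[k]) for k in ("open", "shellexecute") if entries.get(k)]
    # shell=<verb> names the verb Explorer runs on double-click; "open" if not set.
    default_verb = entries.get("shell", "open").lower()
    for key, value in entries.items():
        parts = key.split("\\")                       # shell\<verb>\command=<cmd>
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            trigger = "double-click" if parts[1] == default_verb else "context-menu"
            launches.append(Launch(trigger, value))
    return launches

def triage(text: str) -> dict:
    """Group the commands by trigger so the auto-executing ones stand out."""
    report = {"insert": [], "double-click": [], "context-menu": []}
    for launch in parse_autorun_inf(text):
        report[launch.trigger].append(launch.command)
    return report

# Constructed sample in the shape such files take; not the real worm's autorun.inf.
SAMPLE = """[autorun]
open=placeholder.exe
shell=Open
shell\\Open\\command=placeholder.exe
shell\\explore\\command=placeholder.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
```

Running triage(SAMPLE) shows the same executable wired to all three triggers, which is why neither Shift alone nor avoiding double-clicks alone is enough on its own.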

Fighting viruses in Vista http://www.extremetech.com/article2/0,1697,2159348,00.asp

Some reading - Changing threats, changing solutions: http://www.viruslist.com/en/analysis?pubid=204791996