
Suspected Trojan or Virus qxty9be.cmd

Suspected Trojan is messing up my PC at this very moment

I attached my portable drive to a computer that didn't have antivirus
today. The computer was working fine (at least as it seems) but I found
a certain "autorun.inf" and "qxty9be.cmd" on that disk afterwards.

I scanned the disk and Symantec didn't see anything! However in my
attempt to learn more about it (thinking I could run the .cmd file
inside a Virtual Machine) I copied it to my local disk.

After copying I couldn't see the file (it was hidden but weirdly
enough I saw it when it was on my portable drive). So I went to Tools
> Folder Options > View > Show hidden files/folders.

That's when Auto-Protect came up. It detected something, but the
Auto-Protect Results window froze. Stupid me tried to scan the folder again
and Manual Scan froze again.

I didn't know copy/pasting without running could cause some unexpected behavior.

I had the same behavior on another PC earlier and it ended up having
booting problems. If it was indeed the cause then it did something
really serious.

I couldn't find any resource about it on Google except one, with no resolution whatsoever, and it was posted yesterday or something.

The Symantec Auto-Protect Results and Manual Scan windows are still hanging
at this point actually. So it feels like this is a goodbye letter as I
expect something bad to happen once I restart this (similar to what
happened earlier).

So this is just a warning and wish me luck (I have backups for sure but still things are never gonna be the same again…)

UPDATE

Just restarted but unlike the other machine, this one survived. Thanks to the following:

1) ZoneAlarm (the OSFirewall feature, I think) – it prompted whether to allow the *.cmd to run or not (of course I denied it)

2) Spybot Search & Destroy – scanned and detected the Trojan as Win32.Ruju.a but only God (and the creator) knows what else it does

3) Acronis True Image backup – did a backup even during the time that Symantec was freezing (it might end up as a corrupted backup but it's trivial to back up so I did it anyway). Plus my previous backup gave me the confidence that if worst comes to worst I have one

4) Symantec, for Auto-Protect. Not for protecting me, but at least for detecting the problem despite freezing. The trojan still managed to get through. I'm certain of this because clicking on my other drives was running the *.cmd file, and Spybot affirms that the trojan made its way in. I also did a manual scan on the portable drive before this erupted and it didn't detect it. What's wrong, Symantec? (I have v10.)

Hope that would be the last of it. Gotta get back to work

UPDATE 2

* This worm is generally transmitted via AutoRun features so it's always best to turn off that feature. Group Policy Editor (Start > Run > gpedit.msc > User Configuration > Administrative Templates > System > Turn Off Autoplay should be set to Enabled).

* Furthermore, here's more detailed information about the issue: http://www.threatexpert.com/report.aspx?md5=e24a0458c2ef5333b06be67c7ea47b95
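As an added example (not from the post or the linked report), here is a small Python parser for autorun.inf that lists which entries would launch a script and which user action triggers each one. The file content below is constructed for the demo; only the file name qxty9be.cmd comes from the post.

```python
import re
from typing import Dict, List

# Constructed sample in the shape the post describes: an autorun.inf on a
# removable drive whose entries all point at a hidden .cmd file. Only the
# file name comes from the post; the other values are made up for the demo.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=qxty9be.cmd
shell\\open\\Command=qxty9be.cmd
shell\\explore\\Command=qxty9be.cmd
shellexecute=qxty9be.cmd
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Which user action makes Explorer run the value of each key. The
# shell\<verb>\command entries fire when the drive is double-clicked or
# opened from its context menu, which is why the .cmd can run from a mere
# click on the drive even when AutoRun on insertion is off.
TRIGGERS = [
    (re.compile(r"^open$", re.I), "AutoRun on media insertion"),
    (re.compile(r"^shellexecute$", re.I), "AutoPlay/AutoRun on media insertion"),
    (re.compile(r"^shell\\[^\\]+\\command$", re.I), "double-click or context-menu verb on the drive"),
]
SCRIPT_EXT_RE = re.compile(r"\.(cmd|bat|exe|com|vbs|js|wsf|scr|pif)(\s|$)", re.I)

def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lowercased keys.
    Hand-rolled because real autorun.inf files often contain junk lines
    that configparser would reject."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            keys[key.strip().lower()] = value.strip()
    return keys

def launch_targets(text: str) -> List[Dict[str, str]]:
    """One finding per key that would execute a script or binary."""
    findings = []
    for key, value in parse_autorun(text).items():
        for pattern, trigger in TRIGGERS:
            if pattern.match(key) and SCRIPT_EXT_RE.search(value):
                findings.append({"key": key, "target": value, "trigger": trigger})
    return findings

if __name__ == "__main__":
    for f in launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{f['key']} -> {f['target']}  ({f['trigger']})")
```

The Group Policy setting in the bullet above writes the registry value NoDriveTypeAutoRun = 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, which is what you would check on a machine where gpedit.msc is unavailable.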

Will keep updating this as necessary. Let's make the world a safer place…