Can you name this spyware/virus?

Started by InCreator, Wed 30/08/2006 16:49:52


InCreator

Right. I have a folder where I put my downloads.
Now, by pure accident, I found out that this folder has a subfolder that I knew nothing about.

Why? Because it's invisible!
It's not hidden in the Windows default sense, and I can see all hidden folders. But this one... it doesn't exist, and still it does.
I can access it though, but only by giving windows explorer full path to this folder.
I mean, by typing it into address bar.

the name of the folder is simply "_"
The "underscore character", or whatever it's called in English...

What's really weird is that this folder is full of stuff I have no idea about.

Just take a look:



There's lots of stuff inside. Nice names, but every RAR archive is 750KB in size and has something called SETUP.EXE packed inside. I haven't executed it, so I have no idea what kind of setup this is.

These things come in all by themselves, and I have no idea what downloads them.
Some kind of trojan downloader most likely. Since I'm on broadband, it has all the time it needs to fill my HD with this junk.

Last time I checked, there was 1690 MB(!!!) worth of archives. All cutely named. All the same thing.
I can erase them, but they keep coming back.

I can't erase the folder, since I can't see the folder. Not from outside.
Does anyone have any clues what this might be? I know that Trend Micro Internet Security 2006 has no problems with a poltergeist like this, and neither does Spybot: Search and Destroy. Neither does Ewido Security Suite...
Ad-aware, PestPatrol... nope, everything feels okay to them. Even NOD32 antivirus did not notice anything spectacular.

So, I'm looking for a ghost trojan downloader.
One that none of the best-known antivirus programs could detect.
And which (IMO) has the power to restrict Windows from accessing a folder, probably at the NTFS level.

Heck, I can't even figure out how to google info on this!!!
EDIT:

Thinking about it again, I think that it's not a downloader. All files have the same "last modified" time, and my connection just can't download 160 MB of stuff within the same minute. So the virus should simply be duplicating itself under different names.

ManicMatt

Hmm, that's a toughie. I'm looking into it.

Can you delete the folder from DOS?

EagerMind

I'm no expert, but from what little you've described, it sounds like you might have a rootkit on your system. I'd guess that there's actually another hidden folder somewhere else containing the program that's downloading to this folder that you've found.

Two things I'd try:
1) Open a command prompt and change to the parent directory containing '_'. Once there, type "del _", which will delete everything in the directory. Then type "rmdir _" which will delete the directory itself. Then you can see if it comes back.

2) Download Rootkit Revealer and see if it turns up anything. The output might be a little technical, but it's supposed to be able to find all the rootkits that are out there. If you're having problems deciphering the results, you can post your results to see if anyone else can make sense of it.

EDIT: Just out of curiosity, how did you end up finding this?

ManicMatt

Failing what they said, I found this which sounds a bit like your problem. (read the whole thing)

http://help.lockergnome.com/security/Big-Problem-Virus-Trojans-Spyware-ftopict9098.html

Maybe you should try that particular program they mentioned that found it.

InCreator

Well, talking about problems does help. Weirdly enough, I found out (mostly by luck) what the thing I'm dealing with is.

It's called

W32/Dropper.BEW
and Trend Micro identifies it (though fails to disinfect it) as TROJAN_DROPPER.BEW

I found ANOTHER "_" folder, in another area of my hard disk.
Well, nothing too surprising here, except that this one was 17 GB LARGE!!!!

And I keep erasing stuff from hard disk and wondering why the hell do I always lack free space...
Also wondering why is my hard disk so slow...

Dropper.BEW just loves folders named "Downloads", because the other "_" folder was also a subfolder of a "Downloads" folder.

Tip of the day: Don't name anything "Downloads"!

Well, I think I'll get this virus under control. I found some tools to remove it, and the scan has lasted 2 hours already, with an increasing number of infections. 1769+ infections and I'm only at the letter "L" so far...  :(
I still think that I need a corner for my repeating interesting virus problems - maybe I should start my own webpage...

Anyway, just for fun, if you have any directories named "Downloads", try adding "\_\" in the address bar and check whether you happen to have the same mystery folder / surprise gift of erasable data...


Quote: Just out of curiosity, how did you end up finding this?
I defragmented the hard disk, and where it said "optimizing -filename-", some weird file which I had no idea about was in the works. There ya go.
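The thread's indicator is concrete enough to hunt for: a subfolder literally named "_" under any "Downloads" folder, packed with same-size archives that all carry the same modification time. The script below is an added example, not something posted in the thread or shipped with any tool named here; it walks a tree with `os.walk`, which reads the directory through the normal filesystem API and so lists the folder even though Explorer would not show it (with the caveat that a rootkit hooking the directory-listing API would hide it from this scan as well, so compare against a scan taken from a clean boot). The sample tree, file names, sizes and timestamp are constructed for the demonstration.

```python
"""Hunt for the hidden "_" drop folder described in the thread.

Added example; not code from the original thread. It finds subfolders
named "_" whose parent is named "Downloads" (case-insensitive) and reports
the indicators the poster observed: total size, file count, and whether
every file shares a size and a modification time (the self-duplication
pattern rather than a slow download). The sample tree is constructed.
"""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class DropFolderReport:
    path: str
    file_count: int
    total_bytes: int
    same_size: bool      # every file has the same byte length
    same_mtime: bool     # all mtimes fall within mtime_slack seconds
    extensions: set = field(default_factory=set)


def find_drop_folders(root, folder_name="_", parent_name="downloads"):
    """Return paths of <root>/**/Downloads/_ ; os.walk does not honour the
    Windows hidden attribute, so Explorer's view does not matter here."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        if os.path.basename(dirpath).lower() == parent_name and folder_name in dirnames:
            hits.append(os.path.join(dirpath, folder_name))
    return hits


def inspect_folder(path, mtime_slack=60):
    """Summarise the files directly inside one suspect folder."""
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            st = os.stat(full)
            entries.append((name, st.st_size, st.st_mtime))
    sizes = {size for _, size, _ in entries}
    mtimes = [mtime for _, _, mtime in entries]
    same_mtime = bool(mtimes) and (max(mtimes) - min(mtimes)) <= mtime_slack
    exts = {os.path.splitext(name)[1].lower() for name, _, _ in entries}
    return DropFolderReport(path, len(entries), sum(sizes_ for _, sizes_, _ in entries),
                            len(sizes) == 1, same_mtime, exts)


def scan(root):
    """Locate every Downloads/_ folder under root and inspect each one."""
    return [inspect_folder(p) for p in find_drop_folders(root)]


def build_sample_tree(base):
    """Constructed sample data: one real hit plus one decoy "_" folder that
    is not under a Downloads directory and must not be reported."""
    drop = os.path.join(base, "Downloads", "_")
    os.makedirs(drop)
    stamp = 1157000000  # fixed epoch timestamp, chosen for the demo
    for name in ("Photos.rar", "Setup_Tools.rar", "Movie.rar"):
        p = os.path.join(drop, name)
        with open(p, "wb") as f:
            f.write(b"\x00" * 750 * 1024)  # 750 KB of filler, not a real archive
        os.utime(p, (stamp, stamp))
    with open(os.path.join(base, "Downloads", "readme.txt"), "w") as f:
        f.write("harmless file outside the drop folder\n")
    os.makedirs(os.path.join(base, "Projects", "_"))  # decoy, wrong parent
    return base


def demo():
    """Build the sample tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scan(base)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.path}: {r.file_count} files, {r.total_bytes} bytes, "
              f"same_size={r.same_size}, same_mtime={r.same_mtime}, ext={sorted(r.extensions)}")
```

Point `scan()` at a drive root to check every "Downloads" folder on the disk at once rather than typing each path into the address bar; a hit where `same_size` and `same_mtime` are both true is the duplication pattern the poster noticed after the edit above, and is worth submitting one of the archives to a multi-engine scanner before deleting the folder.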

ManicMatt


Alynn

I call him... "Paul".

Isn't Paul cute everyone?

InCreator

Quote: Right, so erm... did we help??
In odd way, yes.

* First I read the posts at this lockergnome site.
* Then decided to search around in this lockergnome forum for something similar.
* Similar cases crossed paths with the word "dropper"
* A search for "trojan dropper" led me here:

http://help.lockergnome.com/security/RAZOR-EXE-Tiberian-Sun-game-ftopict8558.html

* The last post says "Run the file (renamed to RAZOR._EXE) through VirusTotal."
* Virustotal? Well, I had something to "run through VirusTotal"! Wasn't difficult to guess what this VirusTotal thing might be...

Well, and it was simple from this point!

ManicMatt

Ooh, so my trying to help consequently led you to the solution!

:) Now I feel I helped, and get a feeling of satisfaction in knowing this!

monkey0506

I recently got a virus myself... but it was my own fault... because... well... frankly, I was looking for a keygen, got very impatient, and didn't run a virus scan on what I was absolutely sure was a virus... lol...

Anyway... aside from what I was doing... it was a very interesting virus. It installed itself into the Windows system folders and the startup folder, then while it was running created several mini-programs in the Temporary Internet Files and WINDOWS\Temp folders, each containing some version of a Trojan, which were run at seemingly random intervals but blocked by Norton AntiVirus.

Norton did not, however, ever find the program creating all these programs. I had to start the computer in safe mode and compare the programs that were running, until I found that I still had no idea which program it was, so I just looked for anything that was CREATED on that day, and unless it was for Firefox or Rakion (a game I play), I deleted it... lol...

After reactivating Windows and doing a system restore, the virus appears to be gone... lol...

LimpingFish

Surely a decent firewall will stop hidden executables from accessing the internet? :-\

I have ZoneAlarm and whenever an .exe or process tries to access the net, I get a dialog asking me if I want to allow it or not.

If it's something you know to be malware, then you can set ZoneAlarm to always block it, thus negating the need to track it down manually.

Spybot (teatimer running)/ Ad Aware / ZoneAlarm. I haven't had any problems with this setup.

I also don't frequent Warez sites or torrents :P