MntDrCore.exe is a worm!

Anusha

Member
Jun 13, 2006
25,864
5
0
Does anyone know what this virus actually DOES?

I tested it in the virtual PC without any antivirus, but I can't seem to find anything abnormal that has happened :S (after that I tested several viruses, and the only virus that affected the virtual PC was the ctfmon.exe one, because it added itself to the startup FOLDER. I could easily remove it, though. :)

coolioWiZ

Well-known member
Jul 19, 2007
1,396
31
48
alpha canis majoris
Anusha said:
Does anyone know what this virus actually DOES?

I tested it in the virtual PC without any antivirus, but I can't seem to find anything abnormal that has happened :S (after that I tested several viruses, and the only virus that affected the virtual PC was the ctfmon.exe one, because it added itself to the startup FOLDER. I could easily remove it, though. :)

AFAIK it just copies itself to any USB flash drive inserted into an infected computer, and if you then open the USB drive on a clean computer, that one gets infected too. It just seems to like being present on as many computers as it can. It didn't give any abnormal results for me. But it did prevent me from viewing hidden system files such as its autorun.inf.

That might be due to this, as per Sophos:
W32/SillyFDC-AJ also sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue = 0

Also it runs on startup as "isass.exe" (not lsass.exe).

coolioWiZ
Anusha said:
BTW, are you not using any antivirus software in Windows? :shocked:

I'm used to removing viruses manually. :lol:
Normally Symantec gives manual removal instructions for major threats on their site. I was surprised that there was no entry for this (might be because this worm is "low threat").
I was lost until I found the Sophos entry. It worked. :)

Since I don't have any AV (actually you don't need one if you can manage your system), I've disabled autorun for removable drives (is it disabled by default in XP Service Pack 2? :confused:). Also my USB flash drives have custom-made autoruns with icons of my choice. So if a virus/worm overwrites my flash drive's autorun.inf, I won't see my icon displayed when it's plugged into my comp; instead the default removable drive icon will be displayed. So I can guess something fishy has happened. That simple thing seems enough for me to keep USB-propagating viruses away from my comp. :yes:

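The two defences coolioWiZ describes above (a custom autorun.inf whose icon disappears when a worm overwrites it, and disabling AutoRun for removable drives) turned into a script. This is an added example, not code from either poster: the expected icon name myicon.ico, the two sample autorun.inf files and the starting mask value 0x91 are constructed for illustration, and isass.exe is just the file name mentioned earlier in the thread. The bit layout of NoDriveTypeAutoRun (bit n disables AutoRun for the drive type GetDriveType() reports as n) is the documented Windows meaning of that value.

```python
"""Two checks against USB autorun worms (added example for this thread).

Assumptions: "myicon.ico" and the sample autorun.inf texts below are
constructed; isass.exe is only the name the thread mentions.
"""

# --- 1. Inspect an autorun.inf the way the custom-icon trick does, in code.

# Directives that make the Explorer shell launch a program for the drive.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a {lowercase key: value} dict.

    Hand-rolled instead of configparser so that keys such as
    shell\\open\\command and junk lines before the header survive.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text: str, expected_icon: str) -> list:
    """List of findings; empty means the file still looks like your own."""
    entries = parse_autorun(text)
    findings = []
    icon = entries.get("icon", "")
    if icon.lower() != expected_icon.lower():
        findings.append(f"icon mismatch: expected {expected_icon!r}, found {icon!r}")
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append(f"launch directive: {key}={value}")
    if "shell" in entries:
        # shell=<verb> makes a plain double-click on the drive run that verb's command.
        findings.append(f"default verb overridden: shell={entries['shell']}")
    return findings


# --- 2. Decode / harden the NoDriveTypeAutoRun bitmask
#     (HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer).
#     Bit n disables AutoRun for GetDriveType() value n; 0xFF disables all.

DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}


def autorun_disabled_for(mask: int) -> set:
    """Drive types for which AutoRun is switched off by this mask."""
    return {name for name, bit in DRIVE_TYPE_BITS.items() if mask & bit}


def disable_autorun(mask: int, *drive_types: str) -> int:
    """Return the mask with AutoRun additionally disabled for the named types."""
    for name in drive_types:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


# Constructed samples: a custom autorun.inf, and a worm-style replacement.
CLEAN_AUTORUN = """; my own autorun.inf with a custom icon
[autorun]
icon=myicon.ico
label=MY_USB
"""

WORM_AUTORUN = r"""[autorun]
open=isass.exe
shell\open=Open
shell\open\command=isass.exe
shell=open
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_AUTORUN), ("worm", WORM_AUTORUN)):
        print(name, assess_autorun(text, "myicon.ico") or "OK")
    # 0x91 is just a sample starting value; add the removable-drive bit to it.
    hardened = disable_autorun(0x91, "removable")
    print(hex(hardened), sorted(autorun_disabled_for(hardened)))
```

The icon comparison is the poster's visual check made explicit; the launch-directive scan adds the part you cannot see from the icon alone, namely whether the replaced file tries to run something. The mask helper is what you would compute before writing the registry value yourself.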
Anusha
After running the exe, I could still view the hidden files and the hidden OS-protected system files (super hidden files). Guess I wasn't infected. That means a limited user account in Vista (maybe XP too) does a good job of preventing malicious activities. :)

Anusha
coolioWiZ said:
I'm used to removing viruses manually. :lol:
Normally Symantec gives manual removal instructions for major threats on their site. I was surprised that there was no entry for this (might be because this worm is "low threat").
I was lost until I found the Sophos entry. It worked. :)

Since I don't have any AV (actually you don't need one if you can manage your system), I've disabled autorun for removable drives (is it disabled by default in XP Service Pack 2? :confused:). Also my USB flash drives have custom-made autoruns with icons of my choice. So if a virus/worm overwrites my flash drive's autorun.inf, I won't see my icon displayed when it's plugged into my comp; instead the default removable drive icon will be displayed. So I can guess something fishy has happened. That simple thing seems enough for me to keep USB-propagating viruses away from my comp. :yes:

Right now I'm not using a virus guard either. :shocked:

But I'm running as a limited user. I have installed all the software I need (while I had NOD32 installed) and there is no need for any new software. Besides, I download almost all my software from private torrent sites, which are very strict about malicious software. :)

Vista doesn't execute the autorun.inf automatically. It has its own AutoPlay window, and it asks whether I want to execute what's in the autorun.inf or perform generic activities like exploring the drive, viewing photos, playing music etc. So there is no need to turn off autorun in Vista :)

However, I might install BitDefender (but not with real-time protection) once they release the final version of BitDefender Total Security 11 (which is the 2nd fully native 64-bit virus guard I have come across :D)

coolioWiZ
Anusha said:
After running the exe, I could still view the hidden files and the hidden OS-protected system files (super hidden files). Guess I wasn't infected. That means a limited user account in Vista (maybe XP too) does a good job of preventing malicious activities. :)

If you have isass.exe in your startup list then you are infected. It seems your comp is not infected :)

Maybe using a limited account could help. (Can you install programs with the Vista limited account?) :lol:

Even though we create a user account in Linux and use it instead of root, sadly on Windows most of us (including me) don't follow that safety step. I'm used to an account with admin privileges in Windows; if I go limited I'll dearly miss the ability to terminate processes at will and install programs as I want.

coolioWiZ
Anusha said:
Vista doesn't execute the autorun.inf automatically. It has its own AutoPlay window, and it asks whether I want to execute what's in the autorun.inf or perform generic activities like exploring the drive, viewing photos, playing music etc. So there is no need to turn off autorun in Vista :)

That's a cool feature; you are making me desire Vista :P
In XP the autorun menu will pop up if you don't disable autorun and ask for a choice, but I think it doesn't bypass the autorun.inf contents.

Anusha
coolioWiZ said:
If you have isass.exe in your startup list then you are infected. It seems your comp is not infected :)

Maybe using a limited account could help. (Can you install programs with the Vista limited account?) :lol:

Even though we create a user account in Linux and use it instead of root, sadly on Windows most of us (including me) don't follow that safety step. I'm used to an account with admin privileges in Windows; if I go limited I'll dearly miss the ability to terminate processes at will and install programs as I want.

Yes, you can install software with a limited user account. But this is where we have to trust the provider of the software. It asks for the admin password when you install software. If the setups are downloaded from the original software manufacturer or private BitTorrent communities, I think it is safe to run them as admin.

Amazingly, it didn't ask for admin-level privileges while running the virus (I tested three more viruses too, and none of them asked). Hence they couldn't do any harm. I think the UAC of Vista is more than just a privilege extender.

Anusha
coolioWiZ said:
That's a cool feature; you are making me desire Vista :P
In XP the autorun menu will pop up if you don't disable autorun and ask for a choice, but I think it doesn't bypass the autorun.inf contents.

Yes, there are small things normal people don't notice in Vista. They always want to see the big changes, which might not even matter to most (e.g. Windows Media Center :D).

coolioWiZ
Anusha said:
Right now I'm not using a virus guard either. :shocked:

However, I might install BitDefender (but not with real-time protection) once they release the final version of BitDefender Total Security 11 (which is the 2nd fully native 64-bit virus guard I have come across :D)

In my case, I have ZoneAlarm as the firewall, and also PeerGuardian to block incoming IPs; it's a good supplement for uTorrent's IP banning feature (in the case of torrents). Also there is the router firewall. So even if a virus/worm bypasses ZoneAlarm it might not be able to get past the router firewall.

The only program which is allowed port forwarding is uTorrent. But I can't get why IRC works in Opera even though the IRC protocol uses a different set of ports than HTTP. :confused:

Anusha
coolioWiZ said:
In my case, I have ZoneAlarm as the firewall, and also PeerGuardian to block incoming IPs; it's a good supplement for uTorrent's IP banning feature (in the case of torrents). Also there is the router firewall. So even if a virus/worm bypasses ZoneAlarm it might not be able to get past the router firewall.

The only program which is allowed port forwarding is uTorrent. But I can't get why IRC works in Opera even though the IRC protocol uses a different set of ports than HTTP. :confused:

What does PeerGuardian do? Torrent-Damage has blocked certain Sri Lankan IPs and I can't log in at times. Can I use this software to overcome it?

BTW, I'm using the plain Windows Firewall with Windows Defender. Maybe not the strongest software out there, but they should do a very good job coupled with UAC and their native support for each other. I wish OneCare were a better product. It doesn't detect these viruses. :(

coolioWiZ
Anusha said:
Yes, there are small things normal people don't notice in Vista. They always want to see the big changes, which might not even matter to most (e.g. Windows Media Center :D).

Windows Media Center!! :shocked:
That's not what an OS should do.

I've seen that Steve Jobs guy speaking about bringing computers to the living room (aka replacing your TVs, DVD players, MP3 players, maybe your phone). That might be good if you have a reducto mentality: only one piece of hardware does it all. But I'd like a computer to be a computer, not a TV-cum-DVD-player mega system suitable only for the International Space Station, where you are serious about conserving space for more valuable things.

coolioWiZ
Anusha said:
What does PeerGuardian do? Torrent-Damage has blocked certain Sri Lankan IPs and I can't log in at times. Can I use this software to overcome it?

http://phoenixlabs.org/pg2/

PeerGuardian is used to block incoming IPs and ports. This is useful in the case of hash fails in torrents (I use public trackers :( ). You can ban the IPs responsible for hash fails. Even though uTorrent bans IPs, it's only for that specific torrent. They will return for another torrent and uTorrent starts the process all over again (6 hash fails --- ban). That's the primary use I have for PeerGuardian.

I don't think it could help to overcome the Sri Lankan IP ban by Torrent-Damage, because the IPs are banned by the tracker. I'd like to see truly anonymous BitTorrent, but that might not work with private trackers :(

coolioWiZ
Anusha said:
Yes, you can install software with a limited user account. But this is where we have to trust the provider of the software. It asks for the admin password when you install software. If the setups are downloaded from the original software manufacturer or private BitTorrent communities, I think it is safe to run them as admin.

Amazingly, it didn't ask for admin-level privileges while running the virus (I tested three more viruses too, and none of them asked). Hence they couldn't do any harm. I think the UAC of Vista is more than just a privilege extender.

That's great, using the admin password instead of logging in as admin. But I see this as a feature copied from Linux. :lol:

I agree that this is a step in the correct direction. If I decide to install Vista (now I may do so sooner), I think I'll be comfortable with the limited account if it allows admin privileges at the prompt for the password :yes:. That's a big change from using the XP admin-privileged account for everyday tasks.