#1
newfolder.exe containment procedure

Greetings all, this is what I have used to contain this bug, so far so good, but what is it up to in the background? We have CA AV and have submitted a sample to them; the defs will be out in a few hours. Here is my fix:

Virus info

How to identify:
File size equals 208Kb, uses a folder icon and the same name as the parent folder, but is an executable.
NB: Turn on view of system files and hidden files, and also show file extension types.

Removal instructions (some of the info below was from the AGV forum)

Description of what it does:
If you enter a directory it creates an exe of that directory, e.g. enter the directory c:\Program Files\ and it will create Program Files.exe.

Properties of Program Files.exe:
Version:
Comments - Butterfly.
File version - 1.00
Internal name - My Things
Language - English (United States)
Legal Trademarks - 2007
Original file name - My Things.exe
Product Name - butterfly

Ensure you set the PC to show hidden and system files and file extensions.

Where it is located:
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
That is the entry that starts the bug.

Physical location if Windows XP:
c:\WINDOWS\Help\sched.exe or schedl.exe

If Windows 2000: C:\WINNT\Help\sched.exe or schedl.exe

How to stop it:
0) Turn off System Restore.
1) Open Task Manager, go to Processes, sort by Image Name. Find sched.exe and kill it.
2) Delete the entry from the registry.
3) Delete the sched.exe file.
4) Find all the infected *.exe files and delete them. If you run them, it will reinstall itself.
5) Search for *.exe from 01 May 2007 to present, look for hidden files with a maximum size of 209Kb and make a detailed list of them.
6) Check the properties. If they match, delete them! Empty the recycle bin (safety net in case any valid files are deleted).
7) Restart the machine and check 1) to 3).
8) If the user is using Offline Files and Folders and has no reason to be using them, clear the offline folder cache by using Shift + left CTRL + Delete, then disable Offline Files and Folders.
9) Reboot and re-check 1, 2 and 3.
10) The user may have browsed to network shares and used a memory stick, mp3 player or cellphone to view or store data. Run from step 5 to search for and delete the dormant virus files.

You can add the following basic script to the beginning (must be the beginning) of a logon batch file to kill the virus on an XP workstation. (Can also be added as a startup script via a GPO.)

rem ****************************************************
rem Butterfly virus containment 06-06-07 mtd (thanks uct for the basics!)
rem ****************************************************
echo This batch will kill the schedl.exe
echo process and remove it from startup
echo ---------------------------------------
rem ---------------------------------------
taskkill /F /IM schedl.exe /T
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v schedl /f
del /ah c:\WINDOWS\Help\schedl.exe
cls
echo Completed "schedl.exe" removal

Explorer stays very slow after the reboot!

This is a temporary fix until the AV vendors recognise this as a virus and provide a fix with a system clean. We are unsure as to what else this bug gets up to. It is possible that your antispam box will be hammered with x@yourdomain.x!
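Steps 5 and 6 of the procedure above (find hidden *.exe files in the size and date window, then compare their version properties) are tedious to do by hand across a whole disk. The following PowerShell script is an added example, not part of Mark's post or of any AV vendor's tooling; it automates the search and the property comparison and writes a report for review instead of deleting anything, and it also checks the Run key for the sched.exe/schedl.exe paths named in the post. The search roots, the report path, the two-indicator verdict threshold and the requirement for PowerShell 3.0 or later are assumptions made for this example.

```powershell
# Added example (not from the original post): triage for steps 5 and 6 of the
# newfolder.exe procedure. Reports candidates; deletion is left to the admin.
# Assumptions: PowerShell 3.0+, run from an elevated prompt; defaults below are constructed.
param(
    [string[]] $SearchRoots = @('C:\'),                    # roots to scan (assumption)
    [datetime] $Since       = '2007-05-01',                # date window from the post
    [int]      $MaxBytes    = 209KB,                       # size ceiling from the post
    [string]   $Report      = "$env:TEMP\newfolder-candidates.csv"  # report path (assumption)
)

# Version-resource strings quoted in the post for the dropped executable.
$Indicators = @{
    Comments         = 'Butterfly.'
    InternalName     = 'My Things'
    OriginalFilename = 'My Things.exe'
    ProductName      = 'butterfly'
}

function Test-NewFolderIndicators {
    param([System.IO.FileInfo] $File)
    $vi   = $File.VersionInfo
    $hits = 0
    foreach ($k in $Indicators.Keys) {
        if ($vi.$k -eq $Indicators[$k]) { $hits++ }
    }
    # The disguise described in the post: an exe carrying its own folder's name.
    $namedLikeFolder = ($File.BaseName -eq $File.Directory.Name)
    [pscustomobject]@{
        Path            = $File.FullName
        SizeBytes       = $File.Length
        LastWrite       = $File.LastWriteTime
        Hidden          = [bool]($File.Attributes -band [IO.FileAttributes]::Hidden)
        NamedLikeFolder = $namedLikeFolder
        IndicatorHits   = $hits
        # Threshold is an assumption: two matching strings, or one plus the folder-name disguise.
        Verdict         = if ($hits -ge 2 -or ($namedLikeFolder -and $hits -ge 1)) { 'LIKELY' } else { 'review' }
    }
}

# Step 5: hidden *.exe files within the size and date window.
$candidates = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter *.exe -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Length -le $MaxBytes -and
            $_.LastWriteTime -ge $Since -and
            ($_.Attributes -band [IO.FileAttributes]::Hidden)
        } |
        ForEach-Object { Test-NewFolderIndicators -File $_ }
}

# Step 2 check: Run-key values that point at the dropper paths named in the post.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runHits = Get-ItemProperty -Path $runKey |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Value -match '\\Help\\sched(l)?\.exe' } |
    Select-Object Name, Value

$candidates | Sort-Object Verdict, Path | Export-Csv -Path $Report -NoTypeInformation
Write-Host "Candidate files: $(@($candidates).Count) (full report: $Report)"
$candidates | Where-Object Verdict -eq 'LIKELY' | Format-Table Path, SizeBytes, IndicatorHits -AutoSize
if ($runHits) {
    Write-Host 'Run-key entries referencing sched.exe / schedl.exe:'
    $runHits | Format-Table Name, Value -AutoSize
}
```

Run it once per machine after step 3, review the CSV, and only then delete the LIKELY entries; a legitimate installer or setup stub can be small, hidden and recently written, so the version-string match is what separates the dropper from a false positive. The script reads only the HKLM Run key because that is the location the post names; a per-user HKCU Run entry would need a second Get-ItemProperty call.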
#2
RE: newfolder.exe containment procedure

This is great information you have here, sir. Please visit this website: http://www.microsoft.com/security/portal/default.aspx
mpcfb@microsoft.com

Thanks,
--
Milo
MSPSS

"Mark" wrote:

> Greetings all, this is what I have used to contain this bug, so far so good, but what is it up to in the background? We have CA AV and have submitted a sample to them; the defs will be out in a few hours. Here is my fix:
>
> Virus info
>
> How to identify:
> File size equals 208Kb, uses a folder icon and the same name as the parent folder, but is an executable.
> NB: Turn on view of system files and hidden files, and also show file extension types.
> Removal instructions (some of the info below was from the AGV forum)
> Description of what it does:
> If you enter a directory it creates an exe of that directory, e.g. enter the directory c:\Program Files\ and it will create Program Files.exe.
>
> Properties of Program Files.exe:
> Version:
> Comments - Butterfly.
> File version - 1.00
> Internal name - My Things
> Language - English (United States)
> Legal Trademarks - 2007
> Original file name - My Things.exe
> Product Name - butterfly
>
> Ensure you set the PC to show hidden and system files and file extensions.
> Where it is located:
> Registry:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> That is the entry that starts the bug.
>
> Physical location if Windows XP:
> c:\WINDOWS\Help\sched.exe or schedl.exe
>
> If Windows 2000: C:\WINNT\Help\sched.exe or schedl.exe
>
> How to stop it:
> 0) Turn off System Restore.
> 1) Open Task Manager, go to Processes, sort by Image Name. Find sched.exe and kill it.
> 2) Delete the entry from the registry.
> 3) Delete the sched.exe file.
> 4) Find all the infected *.exe files and delete them. If you run them, it will reinstall itself.
> 5) Search for *.exe from 01 May 2007 to present, look for hidden files with a maximum size of 209Kb and make a detailed list of them.
> 6) Check the properties. If they match, delete them! Empty the recycle bin (safety net in case any valid files are deleted).
> 7) Restart the machine and check 1) to 3).
> 8) If the user is using Offline Files and Folders and has no reason to be using them, clear the offline folder cache by using Shift + left CTRL + Delete, then disable Offline Files and Folders.
> 9) Reboot and re-check 1, 2 and 3.
> 10) The user may have browsed to network shares and used a memory stick, mp3 player or cellphone to view or store data. Run from step 5 to search for and delete the dormant virus files.
>
> You can add the following basic script to the beginning (must be the beginning) of a logon batch file to kill the virus on an XP workstation. (Can also be added as a startup script via a GPO.)
>
> rem ****************************************************
> rem Butterfly virus containment 06-06-07 mtd (thanks uct for the basics!)
> rem ****************************************************
> echo This batch will kill the schedl.exe
> echo process and remove it from startup
> echo ---------------------------------------
> rem ---------------------------------------
> taskkill /F /IM schedl.exe /T
> REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v schedl /f
> del /ah c:\WINDOWS\Help\schedl.exe
> cls
> echo Completed "schedl.exe" removal
>
> Explorer stays very slow after the reboot!
>
> This is a temporary fix until the AV vendors recognise this as a virus and provide a fix with a system clean. We are unsure as to what else this bug gets up to. It is possible that your antispam box will be hammered with x@yourdomain.x!
#3
Re: newfolder.exe containment procedure

Hi,

Thank you for your solution. I am working as a System Administrator in an MNC company in India. I have also been suffering from the newfolder.exe virus for the last 3 weeks. I will try your procedure at our office and check whether it is working properly or not. If you receive any better updates about the new folder.exe virus, please tell me. If you have any patches for the newfolder.exe virus, please tell me.

Thanks
Mark.
#4
Re: newfolder.exe containment procedure

From: "rajeshd85" <rajeshd85.42kxbb@DoNotSpam.com>

| Hi,
| Thank you for your solution. I am working as a System Administrator in an MNC company in
| India. I have also been suffering from the newfolder.exe virus for the last 3 weeks. I will try your
| procedure at our office and check whether it is working properly or not. If
| you receive any better updates about the new folder.exe virus, please tell me. If you have
| any patches for the newfolder.exe virus, please tell me.
| Thanks
| Mark.
| --
| rajeshd85

Another BS post thanx to techarena.in

To get proper support, please STOP using the techarena.in crap.

To access this Microsoft news group properly, and directly, please use the following News URL...

news://msnews.microsoft.com/microsof...security.virus

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
#5
Re: newfolder.exe containment procedure

rajeshd85 wrote:

> Hi,
>
> Thank you for your solution. I am working as a System Administrator in an MNC
> company in India. I have also been suffering from the newfolder.exe virus for the last
> 3 weeks. I will try your procedure at our office and check
> whether it is working properly or not. If you receive any better
> updates about the new folder.exe virus, please tell me. If you have any
> patches for the newfolder.exe virus, please tell me.
>
> Thanks
> Mark.

Gee, you think you could get a little more up to date on replying to posts, especially from a leech site that runs a forum-to-Usenet gateway to pretend they have a larger community than they really do or to provide a webnews-for-boobs interface to Usenet. I doubt the original poster has been waiting over *2 YEARS* for your reply. From now on, look at the datestamps BEFORE you reply.
#6
Re: newfolder.exe containment procedure

From: "VanguardLH" <V@nguard.LH>

| Gee, you think you could get a little more up to date on replying to posts,
| especially from a leech site that runs a forum-to-Usenet gateway to pretend
| they have a larger community than they really do or to provide a webnews-
| for-boobs interface to Usenet. I doubt the original poster has been waiting
| over *2 YEARS* for your reply. From now on, look at the datestamps BEFORE
| you reply.

techarena.in is a real PITA! Not only do you get such crap as this one, but they NEVER quote what they reply to!

Earlier this year I decided to no longer supply solutions to those posting via techarena.in and only reply with how to access the intended news group directly.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp