Trojan.Downloader-46966 overwrites my apps

Rodrigo Lerma
Joined: 2008-10-01 13:37
Trojan.Downloader-46966 overwrites my apps

Hello, and first, thank you very much for making our beloved and favorite apps portable. I really enjoy carrying them and working on the go.

Right now, the only issue that I have is the following. I'm a college student and as such many times I have to work on the public computers. Obviously infections are easily spread, shame to accept, by USB drives.

I have no problem making at home as I always assume that my device is infected so most of the time I catch the sneak and null it. In fact, this isn't the problem I'm reporting. (ClamWin usually works wonders)

The problem is that this particular virus overwrites the portable app launcher, rendering it as a virus launcher instead (ironic). I don't think it's the malicious author's intention; you can easily see how the launcher was overwritten as the icon changes to that of a folder (so the unsuspecting user "opens" it and in the process loads the virus).

I've found that it works in a really simple way. It creates an .exe with the same name as the folder containing it. So, let's say, I have "H:\Folder" the virus creates "H:\Folder\Folder.exe"; "H:\ClamWinPortable\ClamWinPortable.exe" is overwritten by a virus in this case. Okay, I can install my app in a folder whose name doesn't match, but the problem is that it does that to the subfolders too. "H:\FirefoxPortable\App\firefox\firefox.exe" turns into a virus in this case!

Is it possible to avoid this trouble, like by using custom folder names? I really hate to clean and then reinstall my programs; it steals valuable time from me whenever it happens.

Thanks in advance.
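
An added example, not part of the original post and not PortableApps.com code: a Python sketch that catches the overwrite pattern described above by hashing every <Folder>\<Folder>.exe while the drive is known clean, then reporting any that are new or changed later. The function names and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def folder_named_exes(root):
    # Yield every <dir>/<dir>.exe under root; names compared case-insensitively, as Windows does.
    for dirpath, _dirs, files in os.walk(root):
        wanted = os.path.basename(dirpath).lower() + ".exe"
        for name in files:
            if name.lower() == wanted:
                yield os.path.relpath(os.path.join(dirpath, name), root)

def make_baseline(root):
    # Run while the drive is known clean: relative path -> SHA-256.
    return {rel: sha256_of(os.path.join(root, rel)) for rel in folder_named_exes(root)}

def check(root, baseline):
    # Report folder-named executables that are new or whose content changed.
    findings = []
    for rel in folder_named_exes(root):
        if rel not in baseline:
            findings.append((rel, "new"))
        elif sha256_of(os.path.join(root, rel)) != baseline[rel]:
            findings.append((rel, "changed"))
    return sorted(findings)

def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed tree standing in for the H: drive in the post; file contents are dummies.
    with tempfile.TemporaryDirectory() as root:
        launcher = os.path.join(root, "FirefoxPortable", "FirefoxPortable.exe")
        browser = os.path.join(root, "FirefoxPortable", "App", "firefox", "firefox.exe")
        write(launcher, b"launcher")
        write(browser, b"browser")
        os.makedirs(os.path.join(root, "Folder"))
        baseline = make_baseline(root)
        # Simulate the overwrite the post describes, using harmless bytes.
        write(browser, b"replaced")
        write(os.path.join(root, "Folder", "Folder.exe"), b"replaced")
        return check(root, baseline)

if __name__ == "__main__":
    for rel, reason in demo():
        print(reason, rel)
```

For real use, save the baseline dictionary (for example as JSON) somewhere other than the USB drive, so that whatever rewrites the executables cannot rewrite the reference hashes too.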

José Pedro Arvela
Joined: 2007-07-10 07:29
Let's see...

Hi Rodrigo!

There is a solution, and it is very simple. If you go to [Portable App]/Other/Source you'll see an [App Name]Portable.ini, with the app's name in place of [App Name].

Copy that file to the top of the install (where the [App Name]Portable.exe is) and open it with a text editor.

Search for the entry:

[App Name]Executable=[app].exe

For example, on Firefox it would be:

FirefoxExecutable=firefox.exe

This points to the file you want to launch portably. So rename the file to another name so the virus doesn't screw you, and modify the entry to point to it instead, so the launcher will launch it.

Hope to have helped!

Blue is everything.

Rodrigo Lerma
Joined: 2008-10-01 13:37
Thank you so much!

This will save me from a lot of headaches :D

djnavas
Joined: 2008-01-30 17:27
This trojan is recurrent

I have suffered from the same trojan. It copies to C:\ a file autorun.ini where it resides. It writes to the Windows registry, and it copies to the root directory a file with the name "c.com", "e.com", etc. And it hides inside c:\windows\system32\ as a DLL. Some are renamed as advk0.dll or copy the names of other DLLs and add a number. To disinfect completely, you will need to open a command window and, using 'attrib *.*', discover which files are hidden with attributes R (read), S (system) and H (hidden), remove those attributes and, after that, delete the file. Those files are autorun.ini, the *.com and the *.dll with the aforementioned names. Locate them and delete them. Later, check the registry with regedit, search for the *.com and delete those keys. Afterwards, run your antivirus. I recommend the portable antivirus. Restart your machine and make another pass with the antivirus.

Those are the steps I was forced to take to get rid of this beast.

A warning: This trojan damages the folder structure and also damages the software. If the changes are extensive, it is probably better to reinstall everything. Also, be careful not to delete ntdetect.com, which is required for the machine to gain access to your hard disk.

Hope this helps

Denis J Navas
