05-02-2008, 02:27 PM
|
#1 (permalink)
|
|
Right Off the Assembly Line
Join Date: Mar 2007
Posts: 37
|
Funny UST Scandal Virus
 Friends,
Can anyone tell how to remove this virus? It does not go even after reinstalling Windows.
|
|
|
05-02-2008, 02:40 PM
|
#2 (permalink)
|
|
Wise Old Owl
Join Date: Dec 2006
Location: delhi
Posts: 1,429
|
Re: Funny UST Scandal Virus
|
|
|
05-02-2008, 02:47 PM
|
#3 (permalink)
|
|
String Phreak
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
|
Re: Funny UST Scandal Virus
Yeah, this one is going popular I guess!
Neways, the fix is simple! The virus simply copies 3 files in ALL THE PARTITIONS and then when u reinstall windows, it simply auto executes from the files copied to different drives/partitions.
Fix : U need to get those files removed FROM ALL THE PARTITIONS.
Files : 'smss.exe', 'Funny UST scandal.avi.exe', 'autorun.inf' (in all the partitions) and then 'killer.exe', 'net.exe', 'net1.exe' AFAIK in c:\windows\system32
U can search for where the last 3 files exist.
Probably, u won't be able to delete those files as the explorer closes if u open task manager, run anti-infection-ware or try to access those files.
So, the best way is to get a knoppix cd, and delete these files manually and may be then do a reformat+reinstall as a last option!!
__________________
Bad Bad server.....No candy for u!
|
|
|
05-02-2008, 03:40 PM
|
#4 (permalink)
|
|
dá ûnrêäl Kiñg
Join Date: Feb 2006
Location: kerala/calicut
Posts: 992
|
Re: Funny UST Scandal Virus
Download the KAV 6 trial version and do a scan after updating: http://www.kaspersky.com/
I have done the same on one of my friend's computers; KAV detects it.
__________________
My Stomach pains:D:D
http://tinyurl.com/32jj4m
|
|
|
05-02-2008, 03:56 PM
|
#5 (permalink)
|
|
damn busy...
Join Date: Sep 2006
Location: Jhansi/Meerut
Posts: 1,990
|
Re: Funny UST Scandal Virus
There is a thread in tut section to remove this virus
__________________
MSI GX660 with ATI 5870 :grin: ultimate gaming lappy :grin:
Dell Studio 15(1555)
1TB+1.5TB external|N86|ZTE Blade|5230|E63|EP-630|Soundmagic PL50|Sennheiser CXL 400|Meelec M11P+
www.techjunkiez.com
|
|
|
05-02-2008, 04:35 PM
|
#6 (permalink)
|
|
Guest
|
Re: Funny UST Scandal Virus
|
|
|
|
05-02-2008, 06:44 PM
|
#7 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
Even my PC got infected with this virus and it's giving a lot of trouble to me. I'm going to check the resolution provided by Abhishek in the posts!
|
|
|
05-02-2008, 07:09 PM
|
#8 (permalink)
|
|
Guest
|
Re: Funny UST Scandal Virus
I never found the Funny UST Scandal Virus on my PC!
@ajayritik btw, how did u get that Funny UST Scandal Virus?
|
|
|
|
05-02-2008, 07:13 PM
|
#9 (permalink)
|
|
String Phreak
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
|
Re: Funny UST Scandal Virus
Damn, I cud have emailed it to u. Cleaned mah PC, just a week ago!!
__________________
Bad Bad server.....No candy for u!
|
|
|
05-02-2008, 10:40 PM
|
#10 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
mediator, can you email the process to me at my address? You can leave a PM of email address, I will mail, then you can send me a reply. Vaibhav, I connected my friend's iPod to my PC which had that virus.
|
|
|
05-02-2008, 11:03 PM
|
#11 (permalink)
|
|
String Phreak
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
|
Re: Funny UST Scandal Virus
The process is the same! What I did was
1. Fired up knoppix 5.1 (Linux distro) and deleted the files I mentioned
2. Formatted the C: drive and installed a clean copy of windows on it.
This one is a nasty virus. But wth, I was about to reformat/reinstall anyways as the windows was working slow again these days.
__________________
Bad Bad server.....No candy for u!
|
|
|
05-02-2008, 11:13 PM
|
#12 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
mediator, thanks for the info! I don't have the knoppix cd with me. Any other workaround for it? Is it really necessary for me to format the C:? I was thinking if I can do without reinstalling and formatting C:. I found the virus in other drives also; do you think I need to format other drives as well? I have a lot of data in other drives. I hope I don't have to format the other drives. Where can I get the knoppix CD?
|
|
|
05-02-2008, 11:27 PM
|
#13 (permalink)
|
|
damn busy...
Join Date: Sep 2006
Location: Jhansi/Meerut
Posts: 1,990
|
Re: Funny UST Scandal Virus
Either download it or get it frm me
__________________
MSI GX660 with ATI 5870 :grin: ultimate gaming lappy :grin:
Dell Studio 15(1555)
1TB+1.5TB external|N86|ZTE Blade|5230|E63|EP-630|Soundmagic PL50|Sennheiser CXL 400|Meelec M11P+
www.techjunkiez.com
|
|
|
05-02-2008, 11:33 PM
|
#14 (permalink)
|
|
Wise Old Owl
Join Date: Mar 2005
Location: shhhh!!!!! on a sniper point
Posts: 4,200
|
Re: Funny UST Scandal Virus
I think ive a copy of this funny UST SCandal virus on ma Phone W 700i which got copied into it due to autorun. Ive removed it from PC but its still there on ma phone. Nd i havnt plugged it again
__________________
G1: PII X4 B50 4.0 | TRUE 120*2 | TA790GXB A2+ | 4GB DDR2 GSkill 1200 | Audigy 2 | HD4870 | HEC 550 | MX 518.
G2: AII 240 | M2N 68AM+ | 3GB| 8800GT | Zebby Plat 500
G3: XPS M1530 |
FZ 16.
|
|
|
05-02-2008, 11:35 PM
|
#15 (permalink)
|
|
String Phreak
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
|
Re: Funny UST Scandal Virus
Nah, u don't necessarily need knoppix CD. But having one can be more useful than u can think of. It can save u when ur hard disk has gone nuts and refusing to boot or windows not showing its face. U can do word/presentations quickly, backup data and much more. It's a complete OS on a CD.
But even if u have recent DIGIT cds, then also Ubuntu can back up the data and help u delete those files.
But neways, u don't have to format!! U asked what I did, so I told. U only have to delete the files I mentioned and thats upto u whicheva way its convenient 4 u to delete em.
In 2nd post there is a link which doesn't mention all the files I did, bt mentions some additional files. U can delete all these files which I mentioned+the link one.
I think u shud give a try to windows 98 startup floppy if u don't have knoppix and then delete those nasty files.
But I wud really suggest knoppix to anyone who does thorough maintenance of his PC. Just check it out, it's around 700 MB download (ISO file) and u have to burn it on a CD and then boot from CDROM.
__________________
Bad Bad server.....No candy for u!
|
|
|
06-02-2008, 12:05 AM
|
#16 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
mediator I have the latest kubuntu CD with me. Do you think that can help me in anyway? I'm trying to download the Knoppix. What is the exact procedure that I should follow if I have the Knoppix CD with me or if I have the kubuntu cd?
|
|
|
06-02-2008, 12:16 AM
|
#17 (permalink)
|
|
Wise Old Owl
Join Date: Mar 2005
Location: shhhh!!!!! on a sniper point
Posts: 4,200
|
Re: Funny UST Scandal Virus
Just use the live CD to boot into it nd u can clearly see those files in respective locations. U just delete those nd do a clean install of XP after formatting the current one.
Me too once removed this funny thing using a LIVE windows disc nd a clean reinstall after a format of c.
It won't work if u dun format the current windows as the virus will get back from some system files [inside system 32 I think, nd the file name is different inside that].
__________________
G1: PII X4 B50 4.0 | TRUE 120*2 | TA790GXB A2+ | 4GB DDR2 GSkill 1200 | Audigy 2 | HD4870 | HEC 550 | MX 518.
G2: AII 240 | M2N 68AM+ | 3GB| 8800GT | Zebby Plat 500
G3: XPS M1530 |
FZ 16.
|
|
|
06-02-2008, 07:36 AM
|
#18 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
What is Live CD?
|
|
|
06-02-2008, 08:02 AM
|
#19 (permalink)
|
|
dá ûnrêäl Kiñg
Join Date: Feb 2006
Location: kerala/calicut
Posts: 992
|
Re: Funny UST Scandal Virus
__________________
My Stomach pains:D:D
http://tinyurl.com/32jj4m
|
|
|
06-02-2008, 09:03 AM
|
#20 (permalink)
|
|
left this forum longback
Join Date: Sep 2005
Location: -
Posts: 7,536
|
Re: Funny UST Scandal Virus
Quote:
Originally Posted by ajayritik
What is Live CD?
|
Basically, live CDs are GNU/Linux CDs/DVDs which can boot from CD and run the Linux OS from CD instead of HDD.
http://en.wikipedia.org/wiki/LiveCD
Even live USBs are there:
http://en.wikipedia.org/wiki/Live_USB
Now so-called win live CDs are there, but they can't come near Linux live CDs when it comes to immunity, as win viruses can't do anything in Linux.
__________________
left this forum long back.Admin Can Delete this Account and posts Permanantly.Thank You
Get GNU/Linux - http://getgnulinux.org
|
|
|
06-02-2008, 09:22 AM
|
#21 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
Thanks for the info praka! I have Kubuntu CD with me, do you think that will serve the purpose? Can you suggest how I can remove this virus using kubuntu software?
|
|
|
06-02-2008, 12:00 PM
|
#22 (permalink)
|
|
String Phreak
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
|
Re: Funny UST Scandal Virus
I dunno abt Kubuntu, bt I guess it shud do. If u r downloading Knoppix then let it download as well.
1. Download the ISO file
2. Burn that image to a CD
3. Boot from that CD
4. "Search and destroy" the mentioned files.
5. Boot with XP CD
6. Reformat C:, Install Xp!!
__________________
Bad Bad server.....No candy for u!
|
|
|
06-02-2008, 01:38 PM
|
#23 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
Right now I'm downloading Knoppix. But I wanted to know how I could do the step 4 that you have mentioned. Do I have to use any application to search the files? Thanks!
|
|
|
06-02-2008, 01:44 PM
|
#24 (permalink)
|
|
String Phreak
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
|
Re: Funny UST Scandal Virus
Nope! I guess u r thinking linux is difficult. But neways, u don't need to search also. The files smss, UST scandal, autorun etc. reside in the roots of the partitions like in c:\, d:\, e:\. I have mentioned about all.
__________________
Bad Bad server.....No candy for u!
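
Step 4 of the procedure above, together with the partition-root locations given in this post, as an added example that is not part of the thread: a read-only shell script for a live CD session that lists the named files in each partition root and shows what any autorun.inf there would launch. The mount points in the usage comment and the contents of the sample autorun.inf are constructed assumptions.

```shell
#!/bin/sh
# Added example, read-only: nothing is deleted. Run from a live CD with the
# Windows partitions already mounted, e.g.
#   sh scan_roots.sh /media/sda1 /media/sda5    (mount points are assumptions)

# Print thread-named files sitting directly in a partition root. Names are
# matched case-insensitively because FAT/NTFS names are, and Linux is not.
# Only the root is checked: smss.exe is also the name of a genuine Windows
# file under system32, so a name match there proves nothing.
scan_root() {
    find "$1" -maxdepth 1 -type f \( -iname 'smss.exe' \
        -o -iname 'Funny UST scandal.avi.exe' -o -iname 'autorun.inf' \) | sort
}

# Print the command lines an autorun.inf would start (open=, shellexecute=,
# shell\<verb>\command=), with DOS carriage returns stripped.
autorun_targets() {
    tr -d '\r' < "$1" |
        grep -iE '^[[:space:]]*(open|shellexecute|shell\\[^=]*\\command)[[:space:]]*=' |
        sed 's/^[^=]*=[[:space:]]*//'
}

# Report one mount point: matching files plus what each autorun.inf starts.
report() {
    scan_root "$1" | while IFS= read -r f; do
        echo "FOUND  $f"
        case "$(basename "$f" | tr 'A-Z' 'a-z')" in
            autorun.inf) autorun_targets "$f" | sed 's/^/  launches: /' ;;
        esac
    done
}

# Constructed sample standing in for a mounted partition (empty files only).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '[AutoRun]\r\nOpen=smss.exe\r\nshell\\open\\Command=smss.exe\r\n' \
        > "$d/AUTORUN.INF"
    : > "$d/SMSS.EXE"; : > "$d/Funny UST Scandal.avi.exe"; : > "$d/notes.txt"
    mkdir -p "$d/WINDOWS/system32"; : > "$d/WINDOWS/system32/smss.exe"
    echo "$d"
}

if [ "$#" -gt 0 ]; then
    for m in "$@"; do report "$m"; done
else
    s=$(make_sample); report "$s"; rm -rf "$s"
fi
```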
|
|
|
06-02-2008, 04:03 PM
|
#25 (permalink)
|
|
String Phreak
Join Date: Mar 2005
Location: In ur Evil Mind!
Posts: 2,457
|
Re: Funny UST Scandal Virus
I wonder y others didn't post this before!
Funny UST Scandal.avi Virus---Tutorial
__________________
Bad Bad server.....No candy for u!
|
|
|
06-02-2008, 06:27 PM
|
#26 (permalink)
|
|
Wise Old Owl
Join Date: Mar 2005
Location: shhhh!!!!! on a sniper point
Posts: 4,200
|
Re: Funny UST Scandal Virus
there are fixes for this file nd the hack just stops the service of this virus....nd u can manually delete them from within windows itself, but it will not be removed from windows system32 folder. So after that do a format nd clean install of XP wud do the job...
DO u want that fix?
__________________
G1: PII X4 B50 4.0 | TRUE 120*2 | TA790GXB A2+ | 4GB DDR2 GSkill 1200 | Audigy 2 | HD4870 | HEC 550 | MX 518.
G2: AII 240 | M2N 68AM+ | 3GB| 8800GT | Zebby Plat 500
G3: XPS M1530 |
FZ 16.
|
|
|
06-02-2008, 09:25 PM
|
#27 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
Sure, I want the fix. Can you provide it to me?
|
|
|
06-02-2008, 09:49 PM
|
#28 (permalink)
|
|
Wise Old Owl
Join Date: Mar 2005
Location: shhhh!!!!! on a sniper point
Posts: 4,200
|
Re: Funny UST Scandal Virus
__________________
G1: PII X4 B50 4.0 | TRUE 120*2 | TA790GXB A2+ | 4GB DDR2 GSkill 1200 | Audigy 2 | HD4870 | HEC 550 | MX 518.
G2: AII 240 | M2N 68AM+ | 3GB| 8800GT | Zebby Plat 500
G3: XPS M1530 |
FZ 16.
|
|
|
07-02-2008, 09:32 AM
|
#29 (permalink)
|
|
Wise Old Owl
Join Date: Aug 2007
Location: Hyderabad
Posts: 1,675
|
Re: Funny UST Scandal Virus
I ran the Kubuntu Live CD but I don't know how I can access the files or how I can delete them. There are things like /etc /bin. The interface is not like Windows Explorer or command prompt. How do I locate the file? Do we have any application in Kubuntu which resembles the command prompt? I think I have to figure out which folder or directory I have to access. Is there anything called mount thing necessary here? Can I get Knoppix from Digit CD?
|
|
|
07-02-2008, 11:43 AM
|
#30 (permalink)
|
|
Jai Suresh
Join Date: Aug 2004
Location: Vellore, TN
Posts: 580
|
Re: Funny UST Scandal Virus
Sometimes, it takes time for our favourite AV company to find a cure for the damnedest latest virus. In the meantime we will be suffering with our super secure Windows XP with Service Pack 2.
But most viruses have some characteristics. First, they are files like any others and executables like many others. Second, they need to be run/triggered, or they need a host to run like a parasite (like running under explorer.exe), or they may camouflage themselves as some other Windows programs/services (svchost.exe, spoolsv.exe, smss.exe, csrss.exe). And most of them have the system attribute, to keep from being detected in Explorer. And yes, they disable/screw up Folder Options so that we don't see them anyway. And lastly, they all steal data and they all mass-mail themselves to email IDs they harvest from our systems.
Most of them can be removed by us manually. It would be time-consuming, frustrating and irritating. But they can be removed. The most common places they reside are: %WINDIR%, %WINDIR%/system32, %TEMP%, My Documents, root of the drives. Some are triggered by opening the folder (Autorun.exe), custom script of the directory (desktop.ini) or by double-clicking (like having the icon of an image file).
Most of us have forgotten the lame, useless, complex (and what not) command line. Truth is, the command line is more powerful, smart and effective than the GUI. With a combination of certain free tools, we can remove most virii/trojans using the command line.
Tools required: ProcessExplorer and Autoruns from Sysinternals.com (now Microsoft) and cmd.
http://technet.microsoft.com/hi-in/s...lt(en-us).aspx
Run ProcessExplorer and end-task explorer.exe, and virii/trojans that run under it. Warning: do not end any task that runs under 'Services', unless you know what you are doing. It is better to close any IE windows too. Need not worry about Firefox/Opera. Don't close ProcessExplorer yet. If your Task Manager is disabled you cannot start Explorer again.
From the menu choose 'Run' and run 'Autoruns.exe' from where you have saved it. This will list all the programs that run during startup. Note down the locations of malware and navigate to that location in the command window and delete the file. The file may be marked system; in that case, the attrib can be changed using the command '>attrib -s -h -r filename.ext'. Delete all the autorun.inf files from the root directories. Now delete all the malware entries in Autoruns.exe. Now start Explorer again using "Run" in ProcessExplorer.
This can be effective against most malware that spread through portable storage devices and I use this method to remove Semo.exe, amvo.exe, d.com and some other malware that get into my system. Hope avast finds this soon.
Last edited by lywyre; 07-02-2008 at 11:50 AM.