2019-01-13 01:12:48

Hi,

I've seen this thing wreaking havoc on shared folders over the years. For a while we seemed to be in the clear, but no luck. Our old friend has apparently decided to make an all but subtle comeback, this time with a vengeance. For those who have no idea what I'm talking about, consider yourselves lucky.
I'd managed to stay relatively clean, until about a month ago that is. I'm usually rather hesitant about running content from shared folders, but sometimes this is simply inevitable. I had apparently forgotten to check the file size, ran something, and found myself coding in vpython. Needless to say, I was pretty pissed.
I went ahead and spun up a quick tool that would try to remove the virus, as well as completely repair the effects. It works by recursively enumerating the files on the user's system, patching those that have been touched. It fixed everything with no issues and I went happily on my way. Turns out the damn virus kept on spreading though. Figured I'd throw this little thing on GitHub in the hopes that it could help. At least if someone becomes infected all they'll have to do is run it, so it's certainly a nice little thing to keep around.

The readme explains everything in more detail. I can't promise it'll work for you, but I've infected multiple machines for testing and was able to get rid of it flawlessly time after time, so it's at least worth a try, I say.


Additional tip: don't want files to be infected? Grenam ignores everything aside from files ending in .exe. Just change the extension to .com. Windows is still able to run them, and the behavior is exactly the same.


Hopefully most don't know what this is, but those who do will know just how annoying it can get.
Good luck. You can grab the program from the GitHub repository.
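The post above boils down to two practical checks: look at the file size before running anything from a share, and walk the tree to find executables that have been touched. The following script is an added example (not the poster's repair tool, and it does not clean or patch anything): it records size and SHA-256 for every .exe and .com under a root, then reports files that later grew, changed, appeared or vanished, so the "check the file size" habit becomes a scripted integrity check you can run against a shared folder. Root paths, the manifest file name and the sample tree in `demo()` are all assumptions constructed for illustration.

```python
"""Integrity baseline for executables on a shared folder (added example).

Not the original poster's tool: it does not remove or repair anything. It only
records size and SHA-256 per executable and reports later differences. A file
that grew and changed hash is the classic tell of a file-infecting virus.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".com"}  # assumption: the extensions worth baselining


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Walk root recursively; record size and hash of each executable file."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in EXEC_SUFFIXES or p.is_symlink():
                continue
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return manifest


def save_manifest(manifest: dict, out_path) -> None:
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two manifests.

    grown    : same path, new hash, larger size (infector appended/prepended code)
    modified : same path, new hash, same or smaller size
    new      : executable not present in the baseline (possible dropped copy)
    missing  : baseline executable no longer present
    """
    report = {"grown": [], "modified": [], "new": [], "missing": []}
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            report["new"].append(rel)
        elif old["sha256"] != cur["sha256"]:
            if cur["size"] > old["size"]:
                report["grown"].append((rel, old["size"], cur["size"]))
            else:
                report["modified"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    return report


def demo() -> dict:
    """Constructed sample: baseline a tiny tree, then simulate an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "tools" / "clean.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "tools" / "victim.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "notes.txt").write_text("not an executable, ignored")
        baseline = build_manifest(root)
        # Simulate a file infector: victim.exe grows by 100 bytes of new code.
        with (root / "tools" / "victim.exe").open("ab") as f:
            f.write(b"\x90" * 100)
        # Simulate a dropped copy appearing on the share.
        (root / "dropped.com").write_bytes(b"MZ")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    # usage: baseline.py init <root> <manifest.json> | check <root> <manifest.json>
    if len(sys.argv) == 4 and sys.argv[1] == "init":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(compare(load_manifest(sys.argv[3]),
                                 build_manifest(sys.argv[2])), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run `init` against the share while it is known clean and keep the manifest somewhere the share cannot write to; a later `check` that lists entries under `grown` is the moment to stop and look before running anything, regardless of what the antivirus says. Hashing rather than trusting size alone also catches an infector that rewrites a file in place without changing its length.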

2019-01-13 04:34:03

You know, if I can manage to sandbox this damn virus (actually get hold of it), I might analyze it. Hell, a group of us should get together to analyze it and figure out exactly how it works, what it does, how it spreads, and so on. I know that WDSI gives a basic analysis at https://www.microsoft.com/en-us/wdsi/th … /Grenam.A, but I'd love to decompile it somehow and look at its code to figure out how to combat it.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.
My Github

2019-01-13 06:39:27

Awesome, a very helpful project!

2019-01-13 07:34:52

hi,
That is odd. This is an old virus; I thought it would be out of fashion by now. Even if not, doesn't Defender or any antivirus quarantine and delete it if it isn't being developed?

A learning experience is one of those things that say, "You know that thing you just did? Don't do that."

2019-01-13 09:43:58

@4, WD does, yeah, but not many have it enabled (for, uh, obvious reasons). Still, it can be hard to quarantine a virus like this, since it's a reproducing virus that copies itself all over the place.


2019-01-13 13:51:35

Yeah, I know. I once had an XP system without service packs infected with both Virut and Sality. When I was scanning with Avast at the time, whenever I repaired a file from Sality, it would detect it again as Virut, lmao.


2019-01-13 18:29:30

I'm just wondering, does someone in the folder infect it? Or where did the infection start? I'm just curious.

My main interest is tech.
Follow me on Twitter if you would like, my username is @stealthy153

2019-01-13 19:24:48

If it is the same paint virus, yeah, I had it for a long, long time and people were asking why I wanted to infect them, or give them viruses.

I am myself and no one is ever gonna change me, I am the trolling master!

2019-01-13 20:13:48

Yeah, no one really knows. Does anyone have a sample of the virus (obviously securely contained)? I want to see if ClamAV can see it. I may have a potential way of improving this little app if so.
