  1. #1 ChrisP (Join Date: Apr 2007, Location: norfolk)

    ctfmon.exe and the fake recycled bin

    Sorry for posting here, I did in the security forum first but the security forum posts don't show on the front page.... ergo: no help!

    ______________________________________________________


    Hi, I'm having a nightmare solving this one.

    Basically a fake recycle bin called RECYCLED keeps showing up in shares and the root of drives, with compromised PCs running an evil instance of CTFMON.exe.

    Staff are reporting it at home and it keeps cropping up on my network; Sophos says it's healed the file but it keeps coming back. Different AV programs identify it under different names.

    Is there a way of preventing it in the first place? Creative workarounds?

    Anyone else having problems with this...

    ---[ SNIP : from McAfee website ]-------------------------------------

    Characteristics -


    This trojan purports to be the legitimate file ctfmon.exe by its name and icon. It copies itself into a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on the infected machine via a network share.

    On execution this malware adds the following files and folders on each drive
    Code:
    %Drive%:\autorun.inf 
    %Drive%:\Recycled\desktop.ini 
    %Drive%:\Recycled\INFO2 
    %Drive%:\Recycled\Recycled\ctfmon.exe
    Where %Drive% represents the Drive Letters.

    The contents of desktop.ini file are:
    Code:
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    This causes Windows to think that this folder contains Recycle Bin data. Desktop.ini is created as a hidden system file.


    The contents of the autorun.inf file are:
    Code:
    [autorun]
    shellexecute=Recycled\Recycled\ctfmon.exe
    shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
    shell=Open(&0)
    Now if the folder in which this autorun.inf resides is shared and set for autoplay, then any remote computer accessing this share will end up executing the trojan file and getting infected too in a similar manner. This autorun.inf file also overrides the "open" command of the context menu (displayed on right click) to run the trojan when a user right-clicks and selects open.
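    As an added defender's check (my own code, not from the thread or from McAfee), here is a small Python script that parses an autorun.inf like the one quoted above and grades it together with a listing of a drive root or share against the file list McAfee gives. The sample autorun.inf text and the sample listing are constructed from the quoted description; the function names are my own.

```python
# Path the quoted autorun.inf launches, relative to the drive root or share.
TROJAN_RELPATH = r"recycled\recycled\ctfmon.exe"
# Constructed sample carrying the same three directives as the quoted autorun.inf.
SAMPLE_AUTORUN = """[autorun]
shellexecute=Recycled\\Recycled\\ctfmon.exe
shell\\Open(&O)\\command=Recycled\\Recycled\\ctfmon.exe
shell=Open(&0)
"""
# Constructed listing of a drive root, matching the files McAfee lists.
SAMPLE_LISTING = ["autorun.inf", r"Recycled\desktop.ini", r"Recycled\INFO2",
                  r"Recycled\Recycled\ctfmon.exe"]

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_findings(text):
    """Flag each directive that launches a program and any hit on the known path."""
    entries, findings = parse_autorun(text), []
    for key, value in entries.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append(f"{key} launches {value}")
            if value.lower().replace("/", "\\") == TROJAN_RELPATH:
                findings.append("target is the fake-Recycled ctfmon.exe path")
    if entries.get("shell", "").lower().startswith("open"):
        findings.append("default verb overridden: Open runs the command above")
    return findings

def assess_root(listing, autorun_text):
    """Combine the file listing with the autorun.inf contents into a verdict.
    Recycled\\desktop.ini alone is weak evidence (a real Recycled folder on a FAT
    volume carries the same CLSID); the nested ctfmon.exe is the strong indicator."""
    norm = {p.lower().replace("/", "\\").lstrip("\\") for p in listing}
    findings = autorun_findings(autorun_text)
    if TROJAN_RELPATH in norm:
        findings.append("nested Recycled\\Recycled\\ctfmon.exe present")
    verdict = ("infected" if TROJAN_RELPATH in norm and len(findings) > 1
               else "suspicious" if findings else "clean")
    return verdict, findings
```

    Run it over the root of each share and each drive (reading autorun.inf with errors="replace" and listing paths relative to that root); an autorun.inf that launches anything at all is worth a look even when the path differs from this particular trojan.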

  2. #2 (Join Date: Nov 2006)

    Re: ctfmon.exe and the fake recycled bin

    First of all you need to isolate the infected machines.

    If it's already on the servers, unplug them from the network.

    If antivirus software is failing to fix the problem, is it failing to update from the Sophos website? And are the clients updating properly? I know when we had Sophos here before we switched to Nod32 it didn't always dish out the updates from the server to the clients; had to keep a close eye on that little nasty.
    Have you tried running any trojan remover software such as S&D or Adaware to see if they have any luck?

    I'm sure I once came across this and I found it hidden in the "Documents and Settings" area, possibly under Application Data. Best do a search for ctfmon.exe and delete it if you find it there.

    As for the infected machines, just send out an image, no point in messing about with them.

    For now, with staff having the same problem at home, I would test all their data sticks on an isolated machine. If they use their laptops on the network, I would disable the teaching staff laptops in AD so they can't log on till you have had a look at them all.

    Can't think of anything else.
