ctfmon.exe and the fake recycled bin
Sorry for posting here, I did in the security forum first but the security forum posts don't show on the front page.... ergo: no help!
Hi, I'm having a nightmare solving this one.
Basically a fake recycle bin called RECYCLED keeps showing up in shares and the root of drives with compromised PCs running an evil instance of CTFMON.exe.
Staff are reporting it at home and it keeps cropping up on my network. Sophos says it's healed the file but it keeps coming back, and different AV programs identify it under different names. :evil:
Is there a way of preventing it in the first place? Creative workarounds?
Anyone else having problems with this...
---[ SNIP : from McAfee website ]-------------------------------------
This trojan purports to be the legitimate file ctfmon.exe by its name and icon. It copies itself into a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on the infected machine via a network share.
On execution this malware adds the following files and folders on each drive
Where %Drive% represents the Drive Letters.
The contents of desktop.ini file are:
This causes windows to think that this folder contains recycle bin data. Desktop.ini is created as a hidden system file.
The contents of the autorun.inf file are:
Now if the folder in which this autorun.inf resides is shared and set for autoplay, then any remote computer accessing this share will end up executing the trojan file and getting infected too in a similar manner. This autorun.inf file also overrides the "open" command of the context menu (displayed on right-click) to run the trojan when a user right-clicks and selects Open.
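A defender-side check for the layout the McAfee write-up describes, added here as an example (not part of the original thread and not McAfee's or Sophos's tooling): it walks a drive root or share for autorun.inf files whose launch keys point at a ctfmon.exe, or at a file inside a folder whose desktop.ini claims the Recycle Bin class id. The sample tree it builds is constructed; the Recycle Bin CLSID is the shell's standard one and is assumed to be what the trojan's desktop.ini uses, since the thread omits the file contents.

```python
import configparser
import tempfile
from pathlib import Path

# Standard Recycle Bin shell CLSID; a desktop.ini naming it makes Explorer show a plain folder as recycle-bin data.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# autorun.inf keys that launch a file on autoplay or through the context-menu "open" command.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(path):
    """Return {key: command} for the launch keys found in an autorun.inf (keys are case-insensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(Path(path).read_text(errors="ignore"))
    cmds = {}
    for section in cp.sections():
        if section.lower() == "autorun":
            cmds.update({k: v.strip() for k, v in cp[section].items() if k in LAUNCH_KEYS})
    return cmds

def claims_recycle_bin(folder):
    """True if folder/desktop.ini points the shell at the Recycle Bin class id."""
    ini = Path(folder) / "desktop.ini"
    return ini.is_file() and RECYCLE_BIN_CLSID.lower() in ini.read_text(errors="ignore").lower()

def scan_root(root):
    """Walk a drive root or share; report autorun.inf entries that launch a ctfmon.exe or a file from a fake Recycle Bin."""
    findings = []
    for autorun in Path(root).rglob("autorun.inf"):
        for key, cmd in parse_autorun(autorun).items():
            exe = cmd.split()[0].strip('"') if cmd else ""
            target = autorun.parent / exe.replace("\\", "/")  # resolve relative to the autorun.inf folder
            fake_bin = claims_recycle_bin(target.parent)
            rogue_ctfmon = target.name.lower() == "ctfmon.exe"  # the real one is never launched from autorun
            if fake_bin or rogue_ctfmon:
                findings.append({"autorun": str(autorun), "key": key, "target": str(target),
                                 "fake_recycle_bin": fake_bin, "rogue_ctfmon": rogue_ctfmon})
    return findings

def build_sample():
    """Constructed share layout mimicking the write-up (sample data, not a real capture)."""
    root = Path(tempfile.mkdtemp())
    bin_dir = root / "RECYCLED"
    bin_dir.mkdir()
    (bin_dir / "ctfmon.exe").write_bytes(b"MZ-placeholder")
    (bin_dir / "desktop.ini").write_text(f"[.ShellClassInfo]\nCLSID={RECYCLE_BIN_CLSID}\n")
    (root / "autorun.inf").write_text("[AutoRun]\nopen=RECYCLED\\ctfmon.exe\n"
                                      "shell\\open\\command=RECYCLED\\ctfmon.exe\n")
    return root
```

Run `scan_root("D:/")` or `scan_root(r"\\server\share")` against a real volume; an empty list means no autorun launch key points at a fake Recycle Bin or a ctfmon.exe.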
Re: ctfmon.exe and the fake recycled bin
First of all you need to isolate the infected machines.
If it's already on the servers, unplug them from the network.
If antivirus software is failing to fix the problem, is it failing to update from the Sophos website? And are the clients updating properly? I know when we had Sophos here, before we switched to NOD32, it didn't always dish out the updates from the server to the clients; had to keep a close eye on that little nasty.
Have you tried running any trojan remover software such as S&D or Ad-Aware to see if they have any luck?
I'm sure I once came across this and I found it hidden in the "Documents and Settings" area, possibly under Application Data. Best do a search for ctfmon.exe and delete it if you find it there.
As for the infected machines, just send out an image, no point in messing about with them.
For now, with staff having the same problem at home, I would test all their data sticks on an isolated machine. If they use their laptops on the network, I would disable the teaching staff laptops in AD so they can't log on till you have had a look at them all.
Can't think of anything else.