Saturday, July 14, 2007

NOD32 failed to detect Flash.10.exe

Recently, Flash.10.exe has been spreading through thumbdrives. It disables regedit, msconfig and cmd, removes Folder Options, and drops Flash.10.exe and JambanMu.com under windows\system32 along with some files inside Documents and Settings and Program Files. NOD32 detected the autorun.inf that came with the malware on the thumbdrive, but failed to detect the Flash.10.exe file itself. NOD32 only flagged the files (regedit, cmd, msconfig, dxdiag, ping, JambanMu.com, MSN.msn, ...) as infected after the infection had already taken place. NOD32 gave a warning, deleted the infected files and asked for the infected files to be submitted for analysis; the only option was to close the warning dialogue. By then the damage was already done, and Flash.10.exe was still there, not detected as a threat. Flash.10.exe executes even if you explore the thumbdrive instead of opening it directly. The Flash.10.exe process running in the background cannot be terminated from Task Manager because it does not appear there; it is only visible in another process monitor such as Process Explorer. The malware had to be deleted manually, and HijackThis was used to clear the rest of it. Folder Options, regedit, cmd and msconfig then have to be recovered.

*Solution has been moved to a new post - Flash.10.exe Removal Guide


UPDATE (16th July):
I tried to infect my thumbdrive with this malware; this time it came with Flash.10.Setup.exe, scanner.exe, Flash Jokes.exe and autorun.inf on the thumbdrive. NOD32 detected all the files this time.
On another infected PC, the Flash.10.exe and Macromedia.10.exe processes running in the background could be seen in Task Manager after infection, unlike the case above.
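As an added illustration (not code from the original post), the script below shows two checks that follow from the behaviour described above. First, it parses an autorun.inf and lists what the shell would launch for each verb: an autorun.inf that defines shell\explore\command runs its payload even when the drive is opened via right-click > Explore, which is one explanation for the payload running on "explore" as noted above (this is an assumption; the real autorun.inf shipped by the malware is not reproduced on this page, and the sample here is constructed). Second, it flags .com files sitting beside an .exe of the same name in a directory listing: Windows resolves a bare command name through PATHEXT, which lists .COM before .EXE, so a planted cmd.com is what runs when you type cmd. That is a plausible reason the cmd, ping and dxdiag .com files named on this page have to be deleted rather than recovered (again an assumption). The directory listing is constructed too.

```python
"""Triage helpers for an autorun-borne thumbdrive infection.

Added example, not code from the original post. Two checks:
  1. What an autorun.inf would launch, per verb (open/shellexecute for
     autoplay, and every shell\\<verb>\\command entry, which is why
     right-click > Explore is not a safe way to open the drive).
  2. Which .com files shadow an .exe tool of the same stem (cmd.com
     next to cmd.exe); PATHEXT puts .COM before .EXE, so the .com wins.
Both inputs below are constructed for illustration.
"""
import re

# Constructed sample autorun.inf; the key names are standard autorun.inf
# keys, the payload name is the one reported on the page.
SAMPLE_AUTORUN = """[autorun]
open=Flash.10.exe
shellexecute=Flash.10.exe
shell\\explore\\command=Flash.10.exe
shell\\open\\command=Flash.10.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed directory listing standing in for windows\system32.
SAMPLE_SYSTEM32 = ["cmd.exe", "cmd.com", "ping.exe", "ping.com",
                   "dxdiag.exe", "dxdiag.com", "regedit.exe", "notepad.exe"]

AUTOPLAY_KEYS = ("open", "shellexecute")
VERB_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Hand-rolled rather than configparser because malware-written files
    often carry junk lines and duplicate keys that configparser rejects.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Map each launch path to the executable it would run.

    'open' / 'shellexecute' fire on autoplay; 'shell:<verb>' entries
    fire when the user picks that verb (Open, Explore, ...) from the
    drive's context menu, overriding the built-in verb of the same name.
    """
    targets = {}
    for key in AUTOPLAY_KEYS:
        if key in entries:
            targets[key] = entries[key]
    for key, value in entries.items():
        m = VERB_RE.match(key)
        if m:
            targets["shell:" + m.group(1).lower()] = value
    return targets


def shadowed_tools(filenames):
    """Return .com files that sit beside an .exe with the same stem.

    A bare 'cmd' typed at a prompt or Run box is resolved via PATHEXT,
    which lists .COM ahead of .EXE, so cmd.com is executed, not cmd.exe.
    """
    names = {f.lower() for f in filenames}
    shadowed = []
    for f in sorted(names):
        stem, _, ext = f.rpartition(".")
        if ext == "com" and stem + ".exe" in names:
            shadowed.append(f)
    return shadowed


if __name__ == "__main__":
    for verb, exe in launch_targets(parse_autorun(SAMPLE_AUTORUN)).items():
        print(f"{verb:16s} -> {exe}")
    print("shadowed tools:", shadowed_tools(SAMPLE_SYSTEM32))
```

To run it against a real drive, pass the contents of `X:\autorun.inf` to `parse_autorun` and `os.listdir(r"C:\WINDOWS\system32")` to `shadowed_tools`; read the autorun.inf from a machine with autoplay disabled, since merely opening the drive is what triggers the payload.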

6 comments:

Anonymous said...

Can you please send a copy of the virus to me? For research purposes. This is my email: prototype.x0@gmail.com

thank you!

Siang said...

I don't have it now; I will get it again.

Anonymous said...

I've been using NOD32 and have now been infected. How to clean? Got it from those stupid cc.

Siang said...

Solution added, kindly try it.

Anonymous said...

I have just been infected and could remove all the files; the only problem is recovering regedit, cmd.com, ping.com and dxdiag.com.

How do I recover these files, can I simply copy them from another computer?

Siang said...

cmd.com, ping.com and dxdiag.com should be deleted. To enable regedit, see the solution above.