McAfee > Theat Center > Virus Detail Page

Overview

This trojan masquerades as ctfmon.exe and copies itself  in a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on infected machine via network share.

Aliases

• TROJ_VB.BDN (Panda Antivirus)

• Trojan.Recycle (Doctor Web)

• Trojan.Win32.VB.aqt (Kaspersky)

Characteristics

This trojan purports to be a legitimate file ctfmon.exe by its name and icon. It copies itself  in a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on infected machine via network share.

On execution this malware adds the following files and folders on each drive

• %Drive%:\autorun.inf
• %Drive%:\Recycled\desktop.ini
• %Drive%:\Recycled\INFO2
• %Drive%:\Recycled\Recycled\ctfmon.exe

Where %Drive% represents the Drive Letters.

The contents of desktop.ini file are:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

This causes windows to think that this folder contains recycle bin data. Desktop.ini is created as a hidden system file.

The contents of the autorun.inf file are:
[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)

Now if the folder in which this autorun.inf resides is shared and set for autoplay, then any remote computer accessing this share will end up executing the trojan file and getting infected too in a similar manner. This autorun.inf file also overrides the "open" command of the context menu (displayed on right click) to run the trojan when a user right-clicks and selects open.

Symptoms

• Presence of files and folders as described
• Presence of autorun.inf at the root of all drives with contents as discussed

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This trojan masquerades as ctfmon.exe and copies itself  in a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on infected machine via network share.

Aliases

• TROJ_VB.BDN (Panda Antivirus)

• Trojan.Recycle (Doctor Web)

• Trojan.Win32.VB.aqt (Kaspersky)

Characteristics

Characteristics -

This trojan purports to be a legitimate file ctfmon.exe by its name and icon. It copies itself  in a fake Recycle Bin folder that it creates. It also tries to configure the system to execute the trojan when a remote machine tries to access a drive on infected machine via network share.

On execution this malware adds the following files and folders on each drive

• %Drive%:\autorun.inf
• %Drive%:\Recycled\desktop.ini
• %Drive%:\Recycled\INFO2
• %Drive%:\Recycled\Recycled\ctfmon.exe

Where %Drive% represents the Drive Letters.

The contents of desktop.ini file are:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

This causes windows to think that this folder contains recycle bin data. Desktop.ini is created as a hidden system file.

The contents of the autorun.inf file are:
[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)

Now if the folder in which this autorun.inf resides is shared and set for autoplay, then any remote computer accessing this share will end up executing the trojan file and getting infected too in a similar manner. This autorun.inf file also overrides the "open" command of the context menu (displayed on right click) to run the trojan when a user right-clicks and selects open.

Symptoms

Symptoms -

• Presence of files and folders as described
• Presence of autorun.inf at the root of all drives with contents as discussed

Method of Infection

Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A