ubpr01.exe

Turiko

Picked up ubpr01.exe on my desktop today. Naturally by a totally unexpected means-

I had a customer's laptop in for repair. So I decided to make sure that his memory stick duo was OK, so I inserted it into the card reader and BAM!!! my PC gets infected with this piece of **** and said memory card is quickly seen to be full of pr0n....:( and suddenly my machine attempts to attack other PCs on the LAN.

Took me the whole of my sunny afternoon to get rid of this piece of work. Used System Restore and HijackThis to eliminate this piece of work and its dropped DLLs.

Moral of the story? Beware of memory sticks...:mad: if in doubt, view under Linux or with a Live CD.
 
Moral of the story? Beware of memory sticks...:mad: if in doubt, view under Linux or with a Live CD.

Or you could get a Mac....?

Or you could disable Autorun and have your AV scanner
scan the stick first before running any apps.

A good HIPS (eg Comodo FP ver 3) would also prevent the .exe from running
automatically.

Just musing. I always disable Autorun.
 
You are so wrong man..... Fscking Mac? you have got to be kidding me :mad:

Macs don't earn me money - PCs do. I have yet to meet a customer who has a Mac... last Mac I saw was back in 1998

Autorun didn't cause the virus to transfer.. it is already disabled. I clicked the folder so it is my own fault...
 
Scan your PC with your AV,

Troj/Agent-HFI is a Trojan for the Windows platform.

When first run Troj/Agent-HFI copies itself to <System>\ubpr01.exe and creates the following files:

<Root>\42356d3.bat
<Root>\tmp2.reg
<System>\750623\750623.dll

The file 750623.dll is also detected as Troj/Agent-HFI; the rest of the files are not malicious on their own and could be deleted.

The following registry entry is created to run ubpr01.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
wblogon
<System>\ubpr01.exe

Troj/Agent-HFI changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\

Source: Sophos
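
An added example, not part of any post in this thread: a Python check that parses a `reg export` dump of the Run key and a file listing for the indicators named in the write-up above. The sample data is constructed, and the concrete paths standing in for <System> and <Root> are assumptions.

```python
import re

# Indicators from the write-up quoted above; nothing beyond it is covered.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "wblogon"
DROPPED = {"ubpr01.exe", "750623.dll", "42356d3.bat", "tmp2.reg"}

# Constructed sample data: <System> and <Root> are assumed to be
# C:\WINDOWS\system32 and C:\ on the inspected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"wblogon"="C:\\WINDOWS\\system32\\ubpr01.exe"
'''
SAMPLE_FILES = [r"C:\42356d3.bat", r"C:\WINDOWS\system32\750623\750623.dll",
                r"C:\WINDOWS\system32\notepad.exe"]

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values in .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes; undo that here.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def basename(path):
    """Lower-cased final path component, tolerating quotes and '/'."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_indicators(reg_text, file_paths):
    """Return (kind, detail) hits for the Run entry and the dropped files."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE or basename(data) in DROPPED:
            hits.append(("run-key", f"{name} -> {data}"))
    hits += [("file", p) for p in file_paths if basename(p) in DROPPED]
    return hits

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(kind, detail)
```

A real `reg export` file is UTF-16 encoded, so decode it before passing the text in.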
 
Scan your PC with your AV,

AV doesn't pick it up.

Actually HijackThis was the tool that worked. There are many conflicting reports about this thing. And for informational purposes, the information Sophos has is incomplete.

I am making a study of this thing and will post results later.
 