Nevermind, I've emailed this report to virus@avg.com...
I guess this thread can be deleted now unless of course someone thinks it's worth discussing


***************************


Computer/software setup:
-------------------------------

Operating System: Windows 7 SP1 (x64)
AVG Program Version: AVG Anti-Virus Free Edition 2013 (version 2013.0.2805)
AVG Virus Database Version: 2637/5988 (26 December 2012, 08:45)

Virus files/traces:
---------------------

"runctf" shortcut in "Startup" start menu folder with the below target line:

C:\Windows\System32\rundll32.exe C:\Users\Windows\wgsdgsdgdsgsd.dll,H1N1

"wgsdgsdgdsgsd.dll" file in user home (%userprofile%) folder, activated in the above shortcut with the conspicuously named flag "H1N1".

No Windows registry instances of "wgsdgsdgdsgsd" or "runctf" were found with RegEdit32.

Virus symptoms:
--------------------

Full-screen message with legal jargon alleging illegal computer use, threatening with legal action / imprisonment and claiming the ability to disable access to data on hard drives.
Webcam light sensor is activated.
Geolocation data (e.g. IP address, domain name, country) is displayed on screen and the language of the message is set accordingly.
A payment form with a specified amount of money is displayed.
A timer countdown for payment is started.
It's not possible to break out of this full-screen message using Alt+Tab or any other mouse/keyboard shortcut (only the power-button works).

Occurrances:
---------------

During every normal Windows startup, the "runctf" shortcut launches the DLL file containing the virus/trojan which activates the above described fullscreen message.

Bypass/remedies:
---------------------

Logging onto Windows in Safe Mode deactivates the Startup shortcut.
Removing the shortcut and the DLL file in Safe Mode makes it possible to again log on to Windows normally.

File Attachment:
--------------------

Both the startup shortcut and the DLL file activated by it are included in the below attached Virus.rar file...

Additional information:
---------------------------

This seems to be a rather new virus/trojan. Googling the dll name and the shortcut name gives a limited number of hits, primarily German ones. From what little I've been able to understand from those German forum posts, there seems to be a few hints that this virus/trojan uses a Java code exploit. This may well be the case, because I haven't run or installed anything remotely suspicious on my computer for the last few months at the very least. This leaves as the main suspect all those Internet banners and popups, which sometime indeed can activate Java and other web browser extensions.

OK antiviralguy, No probs.. No AV product is capable of providing you with 100% protection although AVG are always working 24/7. This is the standard forum Announcement post link How To Handle Infection Suspicion? which actually covers this type of issue.

---

AVG Forums Volunteer ModeratorAVG Forum member since - Nov. 27, 2004My total posts on the Old AVG Free Forum - 27,063
Alan

---

How-To Articles | FAQ | Free Support

RUNCTF Virus..

I got infected with this also. Because of your posting I was able to drop into msconfig and disabled the shortcut in the Startup menu. But I could not find the .dll file with all the w's d's g's and s' so I went back into the startup menu and the dll file had changed it's name to "I think" wpt0.dll

I was able to find this dll and delete it

Thank you for your help.

PS For me the symptom was " My desktop icons were all hidden behind the desktop screen and could not be accesses "

David

Hey guys just thought I'd share the experience I literally JUST had.

This same virus got my sixth form laptop, a week earlier another got my personal laptop so I've had previous experience when deleting it.

So a quick rundown on how I managed to fix it; I ran safe mode with command prompt, typed "explorer" and entered, went onto "Computer" from the start menu, went through my local drive to "Users" and onto my account name, as soon as the files loaded up after clicking my account name the dsgsgsgdgs(blahblah) file was there, I deleted that but when I went onto normal mode something still tried to open that file, so back to safe mode, I went onto "all programs" then to "Startup", this runctf.dll file was there so I deleted that.

BLAM it's fixed. Sorry for throwing it all there I just wanted to get it out of my head :P

Did you send the virus as well ?..

When you sent the report to AVG virus team, did you also zip up the infected file in a passworded zip file so that they could add it to AVG. It better if they got it as then they can figure out what they really are dealing with.

A quick update...

* AVG added the virus to their virus database just a few days after my email.

* Some more "digging" on the Internet confirmed that the virus spreads through a Java code exploit. See this article for details: http://thehackernews.com/2012/11/latest-java-vulnerability-exploitation.html

* While AVG now can protect your computer against this specific version of the virus, in order to stop annoying repeated infection alerts and the very real possibility of future undetected infections of new versions of the virus, you need to update (or even better: disable) your Java!

* Good news: They've busted these bas***ds! But apparently not before they managed to extort millions out of frightened PC users. See this article for details: http://www.theglobeandmail.com/technology/tech-news/europol-busts-million-dollar-fraud-that-faked-being-europol/article8613668/

Hello antiviralguy,

We are happy to see that your issue is resolved.

Thank you for posting back.

---

AVG Team
How-To articles | FAQ | Free Support
We Protect Us

Computer not working? Laptop slowing down?
Let our AVG TechBuddy expert remotely fix it for you.
Find out more (US & Canada)