"Fireball" Virus?

[Borg 386]

Hi, Just want to ask if anyone has heard of a virus that forces the CPU to 100% until it fries? I'm just asking because a couple tech guys at 2 diff places have written me inquiring about this. A Google search doesn't yield anything. This is one of the letters I received with a description: "I have dealt with two separate PCs over the last two days that suddenly started blue screening after the same student had been on them. Just the prior day he was telling me about this "Fireball" virus he has on a thumb drive that instantly infects a PC when you plug it in. He says it works by forcing the CPU to 100% and keeps taxing it until it fries. Then we have the two computers they each took a dumb after he had his hands on them, with the very symptoms he describes this virus does. I found that if you reset the mobo to factory settings you can then reformat the drive and reload Windows." I wrote back that I think it's funny that the student plugged his FD in knowing it had a virus, and it only did that on his PC's...perhaps he was testing something new out? Any thoughts on this would be appreciated Thank you

 

[wallyinnc]

Hi Borg

Never heard of it and it seems improbable. Most computers have shut-down mechanisms that will turn everything off when the CPU temperature reaches a certain level. And it seems that the problem was not with the CPU being "fried", but the OS became corrupt, since it worked after reformat and reload.

All in all I think, it is strange. They might have a virus, but I doubt it is affecting the hardware.

 

[Borg 386]

Yeah wallyinnc, that's what I thought, most PC's have safety protocols in place to prevent that, although maybe a virus could overwrite those.

Actually a scary thought that someone has developed something like that.

Like I said, I think it's strange that the student knew he had it on his FD, still plugged it in and it affected both the PC's he used. Hope he isn't "testing" something new.

 

[Corrine]

I have dealt with two separate PCs over the last two days that suddenly started blue screening after the same student had been on them.

I would suggest that the school tighten their security, ensuring autorun is disabled and, if they continue allowing students to use thumb drives on school computers, requiring a scan prior first.

 

[wallyinnc]

That looked like it would have been on purpose. some people are sick...

But he also could have just messed up with the CPU voltages and gotten similar results, if he had access to the computer.

 

[joel406]

I have seen infected PCs that run 100% CPU 100% of the time making it impossible to open anyting but the CPUs never went thermal.

I always just reformat and reinstalled.

Problem solved.

 

[wallyinnc]

I also think that the CPU is well dimensioned to run at 100% all the time, provided it has cooling / heat dissipation. But maybe a virus could act like the Overclock programs and mess up with voltages and clock speeds, then getting it overheated?

 

[polarbear]

I have seen infected PCs that run 100% CPU 100% of the time making it impossible to open anyting but the CPUs never went thermal.

I always just reformat and reinstalled.

Problem solved.

Must say that I have seen my share of those... GL

 

[Corrine]

Are you sure it wasn't Whistler rather than Fireball?
Whistler Bootkit – a new powerful Windows bootkit » Blog Archive | NoVirusThanks Research Blog

 

[Borg 386]

Well Corrine, "Fireball" is what the student called it. But like I said, it does make me suspicious that the only machines affected were the ones he used.

 

[codyw]

I am interested to know what company's virus protection was on the machines that experienced the "Fireball" attack. For example, on mine, I have Kaspersky Internet Security 2010 and for as long as I have had it, it has only caught 4 keylogger attacks. Norton is popular on the market too...I would be shocked if any of these products mentioned wouldn't catch a nasty virus such as the Fireball.

 

[Borg 386]

I couldn't tell you codyw

I do know that recently at school we had a worm/virus spreading via the FD's and they run McAfee, like I do. Even though I kept seeing "slightly suspicious behavior", scans with McAfee revealed nothing (I opted for it when I got the PC since it came with it anyway and was less of a resource hog then Norton).

I finally d/l ed and installed Microsoft Security Essentials despite warnings about running multiple AV's. It caught the worm & the virus, something McAfee didn't.

MSE runs quite well in the background & uses very few resources, I haven't seen any degradation if performance since I started running it.

I did want to add to Corrine's comment, it could be what you are saying. AV companies all have different names for the same virus.

Happy Memorial day all...Go your way in safety.

 

[Jaxryley]

Are you sure it wasn't Whistler rather than Fireball?
Whistler Bootkit – a new powerful Windows bootkit » Blog Archive | NoVirusThanks Research Blog

Cannot remove trojan (Crypt.vub) from system - Malwarebytes Forum

It could relate to a microjoin exploit which drops just about everything except the kitchen sink.

These exploits can change what they drop/download on a daily basis and one sample I ran actually downloaded three different rogue AV's one day plus many other exploits and keeps the cpu at 100% the entire time it's running, or at least that's what I've seen when running in a VM.

8b5aad.exe is well known now but not many were hitting it when first found.
Virustotal. MD5: c277574f5b78252874496b61c276cef1 Packed.Mystic!gen4 FakeAlert-WwSec.d Packed:W32/MysticCompressor.gen!A

 

[codyw]

I used McAfee through my internet provider on my Win7 machine and it let 2 trojans in without my knowledge. It never even told me they were on my system until I did a "Custom Scan". The other thing I didn't like is, when it found them, it never sent a report to McAfee to let them know of its findings. Most virus programs should do that when a suspicious file(s) are found. I tried to manually send them to McAfee from the SecurityCenter but it said that they were too big in size. I use Kaspersky Internet Security 2010 now and it "seems" to be working like it should. The most it has caught was 4 keyloggers. I think I have become more of a Kaspersky fan than a McAfee fan!

 

[Borg 386]

Yeah Cody, I'm wishing I would have opted for Norton, although from what I've read, that's only marginally better.

I had the same thing, I tried to report some suspicious files and McAfee said there was a problem & try again later...for 4 days in a row.

Why in the world would you have to do a "Custom Scan" to detect suspicious files? Isn't the idea of a AV running in the background supposed to be to catch a file like that in ANY mode?

I really don't trust McAfee anymore, not that I did before, but in light of what happened in the past, I trust it even less now. When MSE caught the worm & the virus, I sent a letter to McAfee asking them why their software wasn't catching a virus & worm that has been out for 4 months. I never did hear anything back.

I am glad that MSE is running on my sys.

 

[Borg 386]

Thank you for the input everyone, researching it farther based on the input, I think that Whistler is probably the culprit.

Great, another thing to watch out for.

 

[kucing13]

virus maximum capability only reach within the software. It's hard to believe if there's any virus that can destroy your hardware which will then make AV's useless

 

[Borg 386]

well kucing13, if it's out there, wouldn't be a shock to me, nothing surprises me anymore...crazy world ain't it?

 

[kucing13]

indeed and who makes it that way. crazy people of course

 

[Krispy1]

i doubt theres virus that can fry ur cpu. even at stock ghz and voltages chips can easily clock higher as in what happens when u overclock. so a virus that makes cpu 100% although its gonna make a os near inoperable its not gonna fry the cpu.