
Virus moving through P2 cards! Beware!



newsbykko
02-17-2009, 06:12 AM
Yesterday we discovered we could not import our P2 footage into CS3 after copying the "contents" folder from our P2 cards. After 6 hours we figured out that a virus had made a FAKE "contents" folder on all our P2 cards.


Basically one of our laptops was infected with a very vicious Trojan virus that infected all our P2 cards and was able to install itself from the P2 cards every time we tried to copy a fake "contents" folder.

Here is how it worked.

The virus infects a computer from some place and then installs itself on any external media, hard drive or, in our case, all our P2 cards.
Now it gets fun. Once in the P2 card the virus makes a FAKE copy of the "contents" folder with a copy of the virus in it and changes the real "contents" folder's properties to "not visible". (Obviously if this was some other media, i.e. HD or USB drive, it would copy some other file. I’m sure this is not only for P2 cards.)

So, now when I went to copy my "contents" folder with my P2 footage all I saw was the FAKE folder with the invisible virus. Not knowing, I copied the folder to my Hard Drive.
Once I opened CS3 I noticed that I obviously could not import any of the footage and the "contents" folder since it was only 19.9Mgb as opposed to the normal 16G.

Only after I changed the folder options to "show hidden files" did I see BOTH "contents" files and realize one was fake.

We scanned the P2 cards and laptop with AVAST anti virus and found everything infected with a Trojan virus. The fake "contents" folder had the virus and a self install program.

The shocking part is even after we FORMATTED the card in the HVX the fake "contents" file was still there! Only AVAST was able to delete the fake "contents" file of the infected P2 cards.

We don’t know where this virus came from but it has done tremendous amounts of damage.

Beware that this is out there and simply putting your P2 card in an infected laptop will cause it to get infected. Neither Norton anti virus nor Spybot saw the virus.

To the benefit of all the Apple people out there our G5 saw both "contents" folders and the virus did not affect it. Also Panasonic software was still able to "ingest" all the footage.

Fun day at the office....................:thumbup:

Kris

ROne
02-17-2009, 06:51 AM
Well I suppose the P2 is only a hard drive as far as the computer is concerned.

Interesting that formatting on the camera wouldn't get rid of it though.

newsbykko
02-17-2009, 09:42 AM
Well I suppose the P2 is only a hard drive as far as the computer is concerned.

Interesting that formatting on the camera wouldn't get rid of it though.

Even when we tried to delete or format on the laptop it still would not go away. Only way to get rid of it is to use the anti virus software.

This is definitely the mother of all viruses....

Managed to infect the contents of 5 hours of expensive Beijing footage. Trying to figure out how to recover the footage without the virus.

Looks like I have to use FCP on a Mac to try to export out some clean QuickTime copies since the Mac does not seem to be affected.

This sucks.....

Richard J. Johnson
02-17-2009, 10:13 AM
Sucks indeed. That's scary stuff. It seems like a tailor made virus for P2 cards. Why the hell would someone write something like that? Like we don't have enough issues already.

evsdan
02-17-2009, 12:12 PM
This just adds to one of the things I cannot stress enough: Always always always copy protect cards when they leave the cameras.

Formatting from the camera does not fix the issue? That's pretty interesting.

Filth - It doesn't sound like a tailor made virus for P2. Simply a nasty virus that attacks and replicates itself through removable media.

Jarek Zabczynski
02-17-2009, 12:34 PM
Sucks indeed. That's scary stuff. It seems like a tailor made virus for P2 cards. Why the hell would someone write something like that? Like we don't have enough issues already.

I didn't think Sony would stoop that low...:D

Richard J. Johnson
02-17-2009, 12:36 PM
I didn't think Sony would stoop that low...:D

LOL! Bastards. I don't know much about computer viruses but I know I never want one. I have been lucky with my Macs.

Jan_Crittenden
02-17-2009, 01:48 PM
Hi,

Any chance you could put that Fake Contents folder on an FTP site for a download?

Thanks,

Jan

MrBill
02-17-2009, 03:45 PM
Glad I'm on a MAC :beer:

ChipG
02-17-2009, 04:29 PM
Sounds like it will do the same to a Sony SxS card or SD card. Did the virus have any effect on your camera or reset the settings? This could be devastating to a large production.

What was the name of the Trojan and what details did AVAST provide about it?

Capt Quirk
02-17-2009, 04:59 PM
MiniDV tape companies strike back!

puredrifting
02-17-2009, 07:35 PM
Mac all the way!

Dan

SPZ
02-17-2009, 07:50 PM
I want Blu-ray and my fw400 on my next Mac Portable! :)

Jimmy Moss
02-17-2009, 08:33 PM
There's some big virus going around that's infecting a bunch of systems. I read about it on Google. All 4 of my PCs got infected with it at different times (surprise! my Mac is ok). Like you said it infects any media connected to the system and spreads when it sees other drives.

Have you tried importing with P2CMS? That's how you should do it anyway.

Funny, how two of my systems got infected were by the women of the house here looking at fat pictures of Jessica Simpson. That's what they get. =)

HerzogisGod
02-17-2009, 09:02 PM
Is there a test I can perform RIGHT NOW with my P2 cards that would tell me if they are infected?

What are the signs?

newsbykko
02-17-2009, 09:58 PM
Sounds like it will do the same to a Sony SxS card or SD card. Did the virus have any effect on your camera or reset the settings? This could be devastating to a large production.

What was the name of the Trojan and what details did AVAST provide about it?

I used the camera today and it seems unaffected. That's good.

I would say "devastating" is the correct adjective for this situation. So far 5 infected Hard Drives with 8 hours of infected footage and several hundred pictures that are also now bad.....

I will try to get more info on the virus once we fix the other laptop. Right now I am busy trying to salvage footage.

FYI: I'm not an expert, but I'm pretty sure this virus will affect any sort of media, i.e. Hard Drives, Sony SD cards, USB drives etc. This is not a P2 specific thing.


This is fun..

newsbykko
02-17-2009, 10:08 PM
Just change your Windows settings to "show hidden files". If you see TWO contents folders on a P2 card you have a problem. And if there are TWO "contents" folders then the "hidden" one is the real folder and the "visible" one is the virus.

I think Mac will automatically see both "contents" folders. Mac also seems unaffected, but I don't know if it can pass the virus to another media source like an external HD.

twocik23
02-18-2009, 01:18 AM
Guys hate to tell you, but Macs get viruses too. Especially now that Mac opened up the flood gate (Windows on a Mac). Sucks, but don't think we are untouchable anymore....
:)


4 weeks ago a friend of mine got a virus on his PowerPC Quad and it erased his whole drive. Yea that really sucked for him and Time Machine didn't recover anything.... :crybaby:

Had to reshoot two projects and start almost all over. Luckily he media managed about half way thru the project, but didn't get everything...





newsbykko

Post your problem here and I'm sure one of these guys will know what to do.

http://forums.macosxhints.com/index.php

Jarek Zabczynski
02-18-2009, 02:51 AM
Guys hate to tell you, but Macs get viruses too. Especially now that Mac opened up the flood gate (Windows on a Mac). Sucks, but don't think we are untouchable anymore....
:)


4 weeks ago a friend of mine got a virus on his PowerPC Quad and it erased his whole drive. Yea that really sucked for him and Time Machine didn't recover anything.... :crybaby:

Had to reshoot two projects and start almost all over. Luckily he media managed about half way thru the project, but didn't get everything...
newsbykko

Post your problem here and I'm sure one of these guys will know what to do.

http://forums.macosxhints.com/index.php

He must have been the only one that got it otherwise we would all have known about it. Mac communities would be all over it. The last known virus for the Mac was some weird trojan in iWork, not even considered a virus, nor anything as harmful as you're describing. His "virus" sounds more like user or hardware error.

HerzogisGod
02-18-2009, 01:18 PM
Can the virus infect if I just view the files on the P2 card through a P2 reader? Or does it only cause a problem when downloading the footage into the computer?

mrbrycel
02-18-2009, 01:47 PM
Another selling point for Mac OS/FCP.

evsdan
02-18-2009, 01:53 PM
Herzog- So long as you keep your P2 Cards copy protected (slide the tab on the card so it's orange) nothing can write to your P2 cards, keeping any kind of nasty bug that is on the computer from harming your cards. What happens to the footage you copy over is a different story, but the Card would remain virus free.

Download some free Anti Virus solutions to test out your system: avast! is a great free anti virus, Malwarebytes' Anti-Malware program is one of the most effective, and of course Spybot Search and Destroy, as well as Ad-Aware.

No one program is going to catch all malicious programs, you need to run a combination of programs to be assured of the best protection.

Luis_
02-18-2009, 05:00 PM
To: Newsbykko and all,
Thank you for posting this information. I found it kind of strange that when I imported my P2 Content folder and that little notepad file yesterday 2 content folders were now on my Windows Vista laptop. The thing is..., I think it's always been that way when I drag and drop. I will drop the files in my McAfee tonight when I get home from work to see if I find anything in those folders. Because one of the folders was empty. So I just ignored it and imported into Premiere from the folder that actually had the footage.

If you have the name of this virus or any other information on it please post updates. Thanks again for the info.

Hey Jimmy Moss,
If it is for windows, do you have any more info on that P2CMS? (what is that?) Because I read Barry's workflow on how to import P2 Footage properly into mac, but I would like to import the proper way into windows as well every now and then when I work on windows instead of just drag and drop which I hear is not too safe to do.

To: Jan Crittenden,
If I find anything I'll put it up for download, thanks.

Thanks all for the info,

Luis

HVX200A, 2 Mac Systems w/FCP, Windows Vista w/Premier, After Effects, Photoshop, 3ds Max
www.LRCPRODUCTIONS.us (http://www.LRCPRODUCTIONS.us)

newsbykko
02-18-2009, 08:20 PM
To: Newsbykko and all,
Thank you for posting this information. I found it kind of strange that when I imported my P2 Content folder and that little notepad file yesterday 2 content folders were now on my Windows Vista laptop. The thing is..., I think it's always been that way when I drag and drop. I will drop the files in my McAfee tonight when I get home from work to see if I find anything in those folders. Because one of the folders was empty. So I just ignored it and imported into Premiere from the folder that actually had the footage.

If you have the name of this virus or any other information on it please post updates. Thanks again for the info.

Hey Jimmy Moss,
If it is for windows, do you have any more info on that P2CMS? (what is that?) Because I read Barry's workflow on how to import P2 Footage properly into mac, but I would like to import the proper way into windows as well every now and then when I work on windows instead of just drag and drop which I hear is not too safe to do.

To: Jan Crittenden,
If I find anything I'll put it up for download, thanks.

Thanks all for the info,

Luis

HVX200A, 2 Mac Systems w/FCP, Windows Vista w/Premier, After Effects, Photoshop, 3ds Max
www.LRCPRODUCTIONS.us (http://www.LRCPRODUCTIONS.us)

I had Norton & Spybot installed and neither saw the virus, so I'm not sure McAfee will see it either. We downloaded Avast for free and it saw it and removed it.
We actually only discovered this virus because CS3 could not import P2 footage so we tried my friend's PC, which already had Avast, and it saw the virus and the fake "contents" folder.

If your P2 cards have TWO "contents" folders and one is set as "hidden" I would suspect you may have a problem. There should only be ONE "contents" folder and ONE "last clip" text file on P2 cards. Anything else is suspicious.

Kris

newsbykko
02-18-2009, 08:28 PM
Can the virus infect if I just view the files on the P2 card through a P2 reader? Or does it only cause a problem when downloading the footage into the computer?

I'm not sure. I know the virus also went into our Hard Drives, made fake copies of certain files and infected them. Unfortunately I'm not a computer tech or expert. I only know what I have seen so far of this virus.

I have had computer viruses before, but nothing as vicious as this.

If there was ever a reason to beat a computer programmer/hacker with a Panasonic Toughbook this would definitely qualify.........

Kris

Jan_Crittenden
02-18-2009, 08:35 PM
Hi,

Still hoping that a "fake" contents folder can be posted to something like www.yousendit.com. Please zip it so it is doubly protected. Would like to have the factory to work on this.

Please,

Jan

ChipG
02-18-2009, 11:37 PM
Open your Avast and pull up your threat / infection history and give us some data about how it defined the virus or trojan, what name did it have for it and there should be a number that can be referenced through Avast to track / define the actual virus / trojan.

Thanks!

Al MacLeod
02-19-2009, 07:28 AM
Herzog- So long as you keep your P2 Cards copy protected (slide the tab on the card so it's orange) nothing can write to your P2 cards, keeping any kind of nasty bug that is on the computer from harming your cards. What happens to the footage you copy over is a different story, but the Card would remain virus free.

Download some free Anti Virus solutions to test out your system: avast! is a great free anti virus, Malwarebytes' Anti-Malware program is one of the most effective, and of course Spybot Search and Destroy, as well as Ad-Aware.

No one program is going to catch all malicious programs, you need to run a combination of programs to be assured of the best protection.

Can more than one anti virus program be run concurrently? Or do you have to spend some time loading, running and unloading different av apps?

DC
02-19-2009, 12:52 PM
Wow, just terrible to hear all this. I'm glad I always write-protect my cards. Still, it's scary.

Does anyone know if nod32 or AVG Anti-Virus can detect and squash it? Also, still waiting to hear exactly which virus it is.

And thanks, Jan, for Panasonic taking a very proactive step regarding this issue.

evsdan
02-19-2009, 03:19 PM
If I had to guess...and its just that a very wild guess:

It sounds a lot like the way the MS Anti Virus 2009 malware replicates. This nasty little piece of work will actually remove any ability to reach any of your hard drives, task manager, or registry and poses as a Microsoft product generating false threats to get you to purchase the full version of their software.

One of the ways it was replicating was by creating a fake autoexec.bat and boot.ini file in every drive partition and removable drive that would run every time you tried to open that drive. Quite an annoying and difficult piece of software to get rid of (usually a format would be quicker and more efficient than trying to remove it). They also update it constantly and thus programs such as Norton, AVG, and other anti virus programs had problems fully removing it. The only program I know that could completely remove it was Malwarebytes' Anti-Malware, but even then it had to be fully updated.

This virus sounds to be about as hard to remove, but the virus itself sounds a lot less obstructive than MS AV 09, that one would create so many pop ups and warnings constantly it was almost impossible to do anything.

Angelcyk
02-19-2009, 03:36 PM
Every time I try to import from my P2 card Final Cut keeps crashing on me. This is what the error says.... "The application Final Cut Pro quit unexpectedly. The problem may have been caused by the libMXF_SDK_r.3.2.0.132.dylib plug-in"

Has this happened to anyone and what is this "plug-in"?

Angelcyk
02-19-2009, 03:49 PM
Never mind, I figured it out! There's a corrupt mxf file that's 32kb. All I did was just drag it to the trash and now I can go back to importing!

newsbykko
02-20-2009, 09:16 AM
Hi,

Still hoping that a "fake" contents folder can be posted to something like www.yousendit.com (http://www.yousendit.com). Please zip it so it is doubly protected. Would like to have the factory to work on this.

Please,

Jan

Jan

I'm sorry but with all the damage already done and risk to the other computers at work there was no way we were going to move the virus. There was a serious risk of us losing all the footage I had shot for our last Documentary for the last 3 months...

We had Avast! delete all the fake folders as soon as it found them. I know it would have been useful but it was just too risky for us. Sorry....

I know it was listed as a Trojan Virus.

Below are the only records I could find in Avast!

The second set of records shows the Fake "contents" file on my P2 card in the "G drive". I put a :crybaby: by the file to make it easier to find.

If anyone has advice on how to find more info please tell me and I will post everything. I'm not a computer tech and this is the first time using Avast!, so I'm unfamiliar with it.

Kris

02/17/2009 13:03
Scan of all local drives

File C:\System Volume Information\_restore{A748B974-5446-4535-ADD2-FEAE1F05A153}\RP54\A0006312.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{A748B974-5446-4535-ADD2-FEAE1F05A153}\RP54\A0006314.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{A748B974-5446-4535-ADD2-FEAE1F05A153}\RP54\A0006315.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\WINDOWS\system32\XP-C781AD7B.EXE is infected by Win32:Trojan-gen {Other}, Deleted
Number of searched folders: 9402
Number of tested files: 93407
Number of infected files: 4

*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Tuesday, February 17, 2009 2:04:20 PM
* VPS: 090205-1, 02/05/2009
*

F:\Recycled.exe [L] Win32:Trojan-gen {Other} (0)
File was successfully deleted...
F:\Bright_Shadow.exe [L] Win32:Trojan-gen {Other} (0)
File was successfully deleted...
F:\Apple Factory.exe [L] Win32:Trojan-gen {Other} (0)
File was successfully deleted...
F:\Apartment_Recietes.exe [L] Win32:Trojan-gen {Other} (0)
File was successfully deleted...
F:\1027d2147a5e207920.exe [L] Win32:Trojan-gen {Other} (0)
F:\6de08ba83628034ab0c3336af966.exe [L] Win32:Trojan-gen {Other} (0)
F:\RECYCLER\S-1-5-21-1715567821-343818398-1801674531-1004\Df19.exe [L] Win32:Trojan-gen {Other} (0)
File was successfully deleted...
G:\Recycled.exe [L] Win32:Trojan-gen {Other} (0):crybaby:
G:\CONTENTS.exe [L] Win32:Trojan-gen {Other} (0) :crybaby:
*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Tuesday, February 17, 2009 3:25:19 PM
* VPS: 090216-1, 02/16/2009
*


*
* Task stopped: Tuesday, February 17, 2009 5:03:41 PM
* Run-time was 1 hour(s), 38 minute(s), 22 second(s)
*

*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Tuesday, February 17, 2009 5:04:35 PM
* VPS: 090216-1, 02/16/2009
*

E:\Recycled.exe [L] Win32:Trojan-gen {Other} (0)
E:\Shanghai_2.exe [L] Win32:Trojan-gen {Other} (0)
E:\RECYCLER.exe [L] Win32:Trojan-gen {Other} (0)
E:\Pics.exe [L] Win32:Trojan-gen {Other} (0)
E:\P2CMS.exe [L] Win32:Trojan-gen {Other} (0)

*
* Task stopped: Wednesday, February 18, 2009 7:28:58 PM
* Run-time was 1 day(s), 2 hour(s), 24 minute(s), 23 second(s)
*

*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Wednesday, February 18, 2009 7:29:54 PM
* VPS: 090217-0, 02/17/2009
*


*
* Task stopped: Wednesday, February 18, 2009 7:53:35 PM
* Run-time was 23 minute(s), 41 second(s)
*

*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Wednesday, February 18, 2009 8:45:35 PM
* VPS: 090217-0, 02/17/2009
*

*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Thursday, February 19, 2009 8:29:44 PM
* VPS: 090218-0, 02/18/2009
*


*
* Task stopped: Friday, February 20, 2009 7:00:40 PM
* Run-time was 22 hour(s), 30 minute(s), 56 second(s)
*

*
* avast! Report
* This file is generated automatically
*
* Task 'Resident protection' used
* Started on Friday, February 20, 2009 9:28:40 PM
* VPS: 090219-0, 02/19/2009
*
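
The check described in the thread (two "contents" entries on a card, one of them hidden) together with the pattern visible in the Avast report above (an executable at the drive root named after a folder, e.g. G:\CONTENTS.exe) can be scripted. The following is an added example, not part of the original thread; the function names, verdict labels and the `lastclip.txt` file name are assumptions.

```python
import os
import sys

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
WIN_HIDDEN = 0x2      # FILE_ATTRIBUTE_HIDDEN bit in st_file_attributes (Windows)
MAC_HIDDEN = 0x8000   # UF_HIDDEN bit in st_flags (macOS)

# What the thread says a clean P2 card root holds: one "contents" folder and
# one "last clip" text file. The spelling "lastclip.txt" is an assumption.
EXPECTED = {"contents", "lastclip.txt"}

# Constructed listing (name, is_dir, hidden) modelled on the G: entries
# in the Avast report; it is not real scan output.
SAMPLE_G = [("CONTENTS", True, True), ("CONTENTS.exe", False, False),
            ("Recycled.exe", False, False), ("LASTCLIP.TXT", False, False)]


def classify(entries, expected=EXPECTED):
    """Map each suspicious root entry to a verdict; clean entries are omitted."""
    entries = list(entries)
    # Folder name (lower-cased) -> whether that folder is hidden.
    dirs = {name.lower(): hidden for name, is_dir, hidden in entries if is_dir}
    verdicts = {}
    for name, is_dir, hidden in entries:
        lower = name.lower()
        stem, ext = os.path.splitext(lower)
        if is_dir:
            if hidden:
                verdicts[name] = "hidden-folder"
            elif lower not in expected:
                verdicts[name] = "unexpected-entry"
        elif ext in EXEC_EXTS:
            if stem in dirs:
                # An executable sharing its name with a folder is the decoy
                # pattern; worse when the real folder has been hidden.
                verdicts[name] = ("decoy-of-hidden-folder" if dirs[stem]
                                  else "decoy-of-folder")
            else:
                verdicts[name] = "unexpected-executable"
        elif lower not in expected:
            verdicts[name] = "unexpected-entry"
    return verdicts


def scan_root(root):
    """List the top level of a mounted card and classify what is there."""
    listing = []
    with os.scandir(root) as it:
        for entry in it:
            st = entry.stat(follow_symlinks=False)
            hidden = bool(getattr(st, "st_file_attributes", 0) & WIN_HIDDEN
                          or getattr(st, "st_flags", 0) & MAC_HIDDEN)
            listing.append((entry.name,
                            entry.is_dir(follow_symlinks=False), hidden))
    return classify(listing)


if __name__ == "__main__":
    # With a path argument, scan that volume; without one, show the sample.
    found = scan_root(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_G)
    for name, verdict in sorted(found.items()):
        print(f"{verdict:24} {name}")
```

The script only reads the directory listing, so it can be run with the card's write-protect tab set. On Windows it may also report system folders such as the volume's own hidden housekeeping directories; those need a human look, not automatic deletion.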

Jan_Crittenden
02-20-2009, 09:21 AM
I understand. So have you guys given any thought as to how the virus got on your P2 cards in the first place? It had to have come from a computer that they were in.

Best,

Jan

HerzogisGod
02-20-2009, 03:36 PM
this sounds like an isolated incident. Do any of you guys make SD DV backups of your material? because you certainly should have been. I know it defeats the purpose of P2, but hey...this is exactly why

newsbykko
02-20-2009, 07:19 PM
I understand. So have you guys given any thought as to how the virus got on your P2 cards in the first place? It had to have come from a computer that they were in.

Best,

Jan

Jan

I'm sure the P2 cards virus came from my big Lenovo T61p but not sure how that laptop got infected. I'm assuming the virus may have come from one of the computers at the Shanghai production company I was working with. This was probably a Chinese made Trojan that one of the "idiots" at the office accidentally downloaded to their office PC and then somehow got on my laptop through the network cable I was using.
Even after notifying them the production company still does not want to check their system and I'm leaving on Thursday, so I guess we will never know.

All our laptops are now okay and we were able to recover everything except for some production pics from our big Beijing shoot (sucks) but I guess we got away with minimum damage done.

Wish I had more info to give you since this was a very nasty virus that could have destroyed all our files.

Just to make it clear again: I don't know why but neither Norton nor Spybot ever saw this virus? Also it "seems like" even after formatting the P2 cards in the camera the virus was still there.

Regardless, at this point the virus is gone and I hope no one ever has to experience this thing. Maybe using the "Write Protect" switch on the P2 cards is a good idea and would have stopped the problem before it ever began.

Kris

newsbykko
02-20-2009, 07:35 PM
this sounds like an isolated incident. Do any of you guys make SD DV backups of your material? because you certainly should have been. I know it defeats the purpose of P2, but hey...this is exactly why

I'm not sure I understand your post? Are you suggesting we down-convert all our 1080 HD footage to SD DV quality for backup?
I don't see how this would be helpful unless we shot everything in DV. We need all our footage in full 1080 4:2:2. DV SD is useless to us.

I was told a while back to start using Data Tape backups, which we may start to do now since this little "incident". We just did not want to spend the money on the expensive Data tape deck and special tapes.

Kris

ChipG
02-21-2009, 01:22 AM
I sent a hard drive of footage to a large cable net a year ago, it came back with a virus, didn't effect any loss of footage. I scan every drive before I open files. What I found out later was that all the editors would take footage / drives home and use their Internet laptops to view and cut then show up to work the next day and copy it over.

Most viruses / trojans are made to copy onto new drives and files. Scan everything.

What could be more devastating than losing footage is infecting a post house, then you're pretty much done for life in the business.

ChipG
02-21-2009, 01:26 AM
FYI most post houses will not put anti virus software on their editing computers because they "are NOT" connected to the Internet and it slows them down too much.

Times have changed.