A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #18228  by TwinHeadedEagle
 Sun Feb 17, 2013 8:09 am
MCShield is a product made by the AMF team from MyCity.rs, and we are members of ASAP. MCShield is the successor of USBnoRisk, which was used in our community to clean infected USB (flash) devices. It will scan every removable device that is plugged in. The current version is 2.5.4.20 and it is constantly updated. Probably someone has heard about this tool, even though it's not widely known (that is a shame). Here is a short description:
During the past years, we've seen a rapid increase in worms spreading via removable drives, either by using various features of the operating system or simply by tricking users into running the malware.

As time went by, the number of users on our malware removal forum who came back infected after a day or two kept increasing.

In most of the cases, the source of reinfection was an infected removable drive (a USB pen drive, digital camera, mobile phone...).

The users also realized that there's a weak point in their computer's security and kept asking for recommendations for a good "USB antivirus", but we just couldn't give them one; we considered them either worthless or overpriced.

Some time in late 2009, the idea of a tool that could help was born.

The tool, MCShield, has been designed as a lightweight scanner that's smart enough to catch even new worms and work in fully automatic removal mode.

In my point of view, this tool is the god of war in its class. It has world-class heuristics, and it detected even Stuxnet, when we didn't know anything about this malware. As I said, it has heuristics that cannot be cheated (you can try :P ); it will rename (.vir) every suspicious file, so detection is 99.9%...

Here is the program's simple interface (the rest is up to you to explore):
[screenshot: Capture.PNG]
Example of its work:
Code:
>>> MCShield ::Anti-Malware Tool:: v 2.5.4.20 / DB: 2013.2.15.1 / NT6.1 <<<


2/17/2013 8:43:53 AM > Drive C: - scan started (no label ~368 GB, NTFS HDD )...



=> The drive is clean.


2/17/2013 8:43:53 AM > Drive D: - scan started (Local Disk ~1863 GB, NTFS HDD )...



=> The drive is clean.
Code:
>>> MCShield ::Anti-Malware Tool:: v 2.5.4.20 / DB: 2013.2.10.2 / NT6.1 <<<


2/10/2013 5:00:32 PM > Drive E: - scan started (no label ~1913 MB, FAT32 flash drive )...


>>> E:\muzika.lnk.vir - Malware > Deleted. (; MD5: unknown)

>>> E:\RECYCLER\Desktop.ini - Malware > Deleted. (13.02.10. 17.00 Desktop.ini.887352; MD5: e783bdd20a976eaeaae1ff4624487420)

> E:\RECYCLER
> E:\RECYCLER\bcd8f464.exe (MD5: d41d8cd98f00b204e9800998ecf8427e)

>>> E:\RECYCLER - Malware (folder) > Deleted. (13.02.10. 17.00 RECYCLER.736928)


=> Malicious files   : 3/3 deleted.
=> Malicious folders : 1/1 deleted.

____________________________________________

::::: Scan duration: 4sec ::::::::::::::::::
____________________________________________

Code:
>>> MCShield ::Anti-Malware Tool:: v 2.4.3.18 / DB: 2013.1.6.1 / NT6.1 <<<


1/9/2013 10:05:41 AM > Drive H: - scan started (no label ~1913 MB, FAT32 flash drive )...

>>> H:\autorun.inf > Suspicious > Renamed.

>>> H:\Copy of Shortcut to (1).lnk.vir - Malware > Deleted. (13.01.09. 10.05 Copy of Shortcut to (1).lnk.vir.931668; MD5: fbc2bca9d7446733afd9707a9b0eb498)

>>> H:\Copy of Shortcut to (2).lnk.vir - Malware > Deleted. (13.01.09. 10.05 Copy of Shortcut to (2).lnk.vir.517982; MD5: 6a95e7bc90610dd51c0ab2d4a7800f9f)

>>> H:\Copy of Shortcut to (3).lnk.vir - Malware > Deleted. (13.01.09. 10.05 Copy of Shortcut to (3).lnk.vir.641927; MD5: 08dfbee5c91542e4bab8e4f409aca8a3)

>>> H:\Copy of Shortcut to (4).lnk.vir - Malware > Deleted. (13.01.09. 10.05 Copy of Shortcut to (4).lnk.vir.4513; MD5: 2bfed963b272c3df4b920b126cf255a0)

> H:\RECYCLER
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\nJiMmhsS.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\Xqgimckc.cpl (MD5: a4ebc27bf0fd16cc830bb74ed647cdb8)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\lFEjTWqp.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\IeqqaBJm.cpl (MD5: 2e12e81e065cddbdbe0747c8739eeb8a)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\qCWtJQgf.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\JxmuTRrs.cpl (MD5: 237ecc256fb7f5b20cdd78a6bec39cc2)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\moTicwlV.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\KiuYiaiU.cpl (MD5: aad327e3d5cbfbf150471f2f17d092e9)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\kGilVjJo.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\BilfVovU.cpl (MD5: bbe82d1438c044a33605207c963ca9ab)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\BFuGvjqX.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\ySwPHvCi.cpl (MD5: 31b92a9f295e0040b700aa724cb019e3)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\VtrRxACv.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\xsBKNlgX.cpl (MD5: 1b20435332a1a4431edd990fab0aef0c)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\FfWQwogK.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\QewyfBYm.cpl (MD5: 7d78441d735232b9fa665b665f9c61e9)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\xjMhRFNj.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\nWXpgoQg.cpl (MD5: 8b6bbf279a4dca8714eac993410db60e)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\vSDRPOIc.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\rUHBRQei.cpl (MD5: 0c816cfadd048eafbe48ae98bee7b4cb)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\yjAlaQMe.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\COsIFdsC.cpl (MD5: df7ecc10473aa4581d92c73ebb5d2412)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\XxVKrrZa.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\rcUuyuKs.cpl (MD5: 160e1699a45fa0e9a1730c173e6148cf)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\ujXlVDAc.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\qHSYKZxf.cpl (MD5: 2814f368d33683bc7eb13048e0ea6ff0)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\yJFOedEM.exe (MD5: e52c9c6669e2495ce6fdc7eede014aac)
> H:\RECYCLER\S-2-7-63-7472481272-6301210577-450783687-7162\AKKBYiQB.cpl (MD5: c3473a22b9e6514d9cdd0989da65f6a3)

>>> H:\Recycler - Malware (folder) > Deleted. (13.01.09. 10.05 Recycler.130470)


=> Malicious files   : 32/32 deleted.
=> Malicious folders : 2/2 deleted.
=> Suspicious files  : 1/1 renamed.

____________________________________________

::::: Scan duration: 4s ::::::::::::::::::::
____________________________________________

That's a short presentation; if you wish to know something I didn't mention, just ask. But most of this program's capabilities you can find on its web page: http://amf.mycity.rs/mcshield/index.html
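As an added example (not part of the post or of the MCShield project), here is a small Python parser for the log format shown above, with a consistency check that reconciles the itemised entries against the "=>" summary totals. The regexes are my reading of the quoted logs, and the constructed sample is the E: drive log with the autorun.inf line and its summary line borrowed from the H: drive log so that every line shape is exercised.

```python
import re
# Constructed sample: the E: drive log quoted above (blank lines removed) plus the autorun.inf
# line and its "Suspicious files" summary line taken from the H: drive log.
SAMPLE_LOG = r"""
>>> MCShield ::Anti-Malware Tool:: v 2.5.4.20 / DB: 2013.2.10.2 / NT6.1 <<<
>>> E:\autorun.inf > Suspicious > Renamed.
>>> E:\muzika.lnk.vir - Malware > Deleted. (; MD5: unknown)
>>> E:\RECYCLER\Desktop.ini - Malware > Deleted. (13.02.10. 17.00 Desktop.ini.887352; MD5: e783bdd20a976eaeaae1ff4624487420)
> E:\RECYCLER
> E:\RECYCLER\bcd8f464.exe (MD5: d41d8cd98f00b204e9800998ecf8427e)
>>> E:\RECYCLER - Malware (folder) > Deleted. (13.02.10. 17.00 RECYCLER.736928)
=> Malicious files   : 3/3 deleted.
=> Malicious folders : 1/1 deleted.
=> Suspicious files  : 1/1 renamed.
"""
# Line shapes as they appear in the quoted logs; these regexes are my reading of that format.
HEADER = re.compile(r"^>>> MCShield .*?v ([\d.]+) / DB: ([\d.]+) / (\S+) <<<")
DETECT = re.compile(r"^>>> (.+?)(?: - (Malware)( \(folder\))?| > (Suspicious)) > (Deleted|Renamed)\.(?: \((.*)\))?$")
MEMBER = re.compile(r"^> (.+?)(?: \(MD5: ([0-9a-f]{32})\))?$")  # item listed inside a deleted folder
SUMMARY = re.compile(r"^=> (Malicious files|Malicious folders|Suspicious files)\s*: (\d+)/(\d+) (\w+)\.")

def parse_mcshield_log(text):
    """Return header fields, '>>>' detections, '>' folder members and '=>' totals of one scan log."""
    r = {"version": None, "db": None, "os": None, "detections": [], "members": [], "summary": {}}
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := HEADER.match(line):
            r["version"], r["db"], r["os"] = m.groups()
        elif m := DETECT.match(line):
            path, malware, folder, _susp, action, detail = m.groups()
            md = re.search(r"MD5: ([0-9a-f]{32}|unknown)", detail or "")
            r["detections"].append({"path": path, "kind": "malware" if malware else "suspicious",
                                    "folder": bool(folder), "action": action.lower(),
                                    "md5": md.group(1) if md else None})
        elif m := MEMBER.match(line):
            path, md5 = m.groups()
            r["members"].append({"path": path, "folder": md5 is None, "md5": md5})  # no MD5 => a subfolder
        elif m := SUMMARY.match(line):
            r["summary"][m.group(1)] = (int(m.group(2)), int(m.group(3)), m.group(4))
    return r

def reconcile(r):
    """Check itemised entries against the '=>' totals; returns mismatch strings (empty list = consistent).
    In the quoted logs 'Malicious files' counts '>>>' file lines plus files inside deleted folders,
    and 'Malicious folders' counts the '>' lines without an MD5 (top folder and its subfolders)."""
    files = [d for d in r["detections"] if d["kind"] == "malware" and not d["folder"]]
    files += [x for x in r["members"] if not x["folder"]]
    listed = {"Malicious files": len(files), "Malicious folders": sum(x["folder"] for x in r["members"]),
              "Suspicious files": sum(d["kind"] == "suspicious" for d in r["detections"])}
    problems = []
    for kind, n in listed.items():
        done, total, _ = r["summary"].get(kind, (0, 0, None))
        if n != total or done != total:
            problems.append(f"{kind}: listed {n}, summary {done}/{total}")
    return problems
```

Applied to the H: drive log above, the same reconciliation gives 4 + 28 = 32 files and 2 folders, matching its summary.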
 #18945  by TwinHeadedEagle
 Mon Apr 15, 2013 7:24 am
New version available for download

Changelog
Code:
v 2.6.3.21: 12th April 2013.

- updated all components to work with our new domain (www.mcshield.net);
- added detection for another variant of replicating worms;
- updated/improved detection/remediation of Win32.Gamarue;
- added Russian language (thanks to translator Covaliov Andrei Genadie).

Download: http://mcshield.net/downloads.html
 #19052  by TwinHeadedEagle
 Tue Apr 23, 2013 8:55 am
Yes, at first glance it looks like it is based on MBAM, but MCShield is made by different people :)
 #19069  by wealllbe20
 Wed Apr 24, 2013 6:13 pm
Seems like the @="@SYS:DoesNotExist" registry entry would suffice unless you expect your file specified in the autorun file to actually run.

I believe there is also a way to make desktop.ini run a file automatically as well...
 #19205  by TwinHeadedEagle
 Mon May 06, 2013 3:28 pm
wealllbe20 wrote:
Seems like the @="@SYS:DoesNotExist" registry entry would suffice unless you expect your file specified in the autorun file to actually run.

I believe there is also a way to make desktop.ini run a file automatically as well...

I didn't understand you fully; could you be more specific...

Thanks :)
 #20022  by TwinHeadedEagle
 Tue Jul 09, 2013 5:18 am
Version 2.7 ready for update

Code:
v 2.7.3.22: 8th July 2013.

- improved detection/remediation of all variants of Win32.Gamarue;
- added heuristics for another family of worms (Dunihi.A and similar);
- added Turkish language (thanks to translator Mahsum ŞEN);
- several changes in the log formatting and details

Download: http://www.mcshield.net/downloads.html
 #21246  by TwinHeadedEagle
 Sat Oct 26, 2013 6:37 pm
v 2.8 online :)

v 2.8.3.24: 26th October 2013.

- fixed a false detection of a specific folder on flash drives used on Win8.1;
- several other code adjustments for better compatibility with Win8.1;
- added Vietnamese language (thanks to translator Võ Hồng Xuân);
- added Brazilian Portuguese language (thanks to translator Dankar).

Download --> http://mcshield.net/downloads.html
 #22053  by TwinHeadedEagle
 Sat Jan 25, 2014 9:40 am
v3.0 is online :)
Code:
v3.0.3.26 v3 final: 25th January 2014.

- completely redesigned user interface with additional features;
- new tab in Control Center: "Status" used to
- - view & change main functions;
- - view system information & main settings;
- new tab in Control Center: "Logs" for easy logfile access and manipulation;
- new tab in Control Center: "MCS Cloud" providing stats and latest news;
- new option "Add Scan with MCShield to drives' menu" in Control Center > General:
- - possibility to start on demand scans via right click menu;
- new option "Visual style" in Control Center > General:
- - possibility to select one of four visual styles;
- new option "Don't scan autorun.inf" in Control Center > Scanner:
- - possibility to completely disable AntiAutorun (processing of autorun files);
- additional heuristics (AntiRep4) for another family of replicating worms (CryptoLocker and similar);
- additional heuristics (AntiScript) for all types of vbscript based worms:
- - on the fly decryption, code format & contents analysis;
- - support for extremely large malicious files;
- improved detection (FME) of worms mimicking legitimate files;
- improved detection (AntiRep3) of several replicating worms;
- added Simplified Chinese language (thanks to translator Anan);
- added Swedish language;
- updated all languages for v3 (except Brazilian Portuguese);
- fixed an issue that caused the MD5 not to be shown for suspicious files in interactive mode;
- improved program initialization time by removing obsolete on-start routines;
- digitally signed all executable components:
- - improving compatibility and ease of use alongside other security software;
- - giving users the possibility to verify the origin and authenticity of the software;
- various other improvements (code stability, graphics, program logic...).

Download --> http://www.mcshield.net/download.html