The Geek Forum
Author Topic: quite a nasty virus  (Read 4447 times)

Clear_Runway

  • Wannabe Professional Blogger
  • **
  • Coolio Points: +85/-219
  • Offline Offline
  • Gender: Male
  • Posts: 559
  • Apparently sucks at IRC
    • View Profile
quite a nasty virus
« on: May 28, 2010, 01:33:25 PM »

Alright, if any of you have been keeping up with the shoutbox then you probably all know about Antispyware Soft, the fake antivirus which somehow got installed on my mom's computer (I blame IE, but whatever). In summary, it took me a good hour to get rid of it, by virtue of the fact that it vetoed the starting of any process not named "iexplore.exe", and IE was disabled so that the only sites it could access were the site of the antivirus (which was for some reason hosted in Australia and not Nigeria or Russia or somewhere like that) and some random porn site, presumably thrown in to convince the user that the machine was actually infected.

Anyway, I figured out that if I pressed ctrl-shift-esc to bring up the task manager before the viral process initialized (which took several seconds) I could locate the process, end it, and delete it (I later lifted a copy from the recycle bin before wiping it out entirely). Safe mode didn't work because the process never started in safe mode (duh), which meant I couldn't locate it. (I could have gotten rid of it as a startup process in the control panel, but I would have no way to know which was which.)

Anyway, this thing is evil.
« Last Edit: May 28, 2010, 02:00:24 PM by Clear_Runway »
"Scatman, fat man, black and white an brown man, tell me 'bout the color of your soul"
- RIP Scatman John

http://themanicnerd.blogspot.com/

ivan
Re: quite a nasty virus
« Reply #1 on: May 28, 2010, 02:13:28 PM »

It is very evil. The version I had to deal with could not be deleted even when I managed to get taskman running -- as soon as I stopped the process, it popped up again, like a whack-a-mole. None of the antivirus sites had anything useful to offer. The thing bores deep.

Luckily, System Restore was running on the machine, and also luckily this virus didn't turn off System Restore (some do), so I was able to restore the registry to a checkpoint from a few days prior.

"I TYPE 120 WORDS PER MINUTE, BUT IT'S IN MY OWN LANGUAGE!"  -Detta

xolik: WHERE IS OBAMA'S GIFT CERTIFICATE?
Demosthenes: Is that from the gifters movement?


Detta: Crappy old shorts and a tank top.  This is how I dress for work. Because my job is to get puked on.
Demosthenes: So is mine.  I work in IT.


bananaskittles: The world is 4chan and God is a troll.

Clear_Runway
Re: quite a nasty virus
« Reply #2 on: May 28, 2010, 02:24:34 PM »

Your version probably had two processes running simultaneously, restarting each other if either stopped. Is there any other way for such a thing to happen?

Vespertine
Re: quite a nasty virus
« Reply #3 on: May 28, 2010, 02:33:40 PM »

I'm curious why you blame IE rather than the person who was surfing the web (i.e. your mother).
I have come here to chew bubble gum and kick ass.  And, I'm all out of bubble gum.

Demosthenes
Re: quite a nasty virus
« Reply #4 on: May 28, 2010, 02:41:20 PM »

Because, V, I've encountered this one in the wild myself, just through fairly innocuous web surfing.  Fortunately I run Linux and not Windows, otherwise I'm sure I'd have been infected even by a simple drive-by like that.

My guess is that it was in a frame that was on a page that had either been hacked (and had some corner of it replaced with a buttload of really nasty code targeting IE) or something along those lines.

At any rate, while yes, the end user tends to be the weakest link in most cases, they're trying to navigate a hurricane of viruses, trojans, and malware in a leaky rowboat.  Past a certain point, it isn't even the user's fault if they sink sometimes.

Coolio Points: 89,000,998,776,554,211,222
Detta Puzzle Points: 45

Banning forum idiots since 2001

Novice
Re: quite a nasty virus
« Reply #5 on: May 28, 2010, 02:47:21 PM »

Back when my fams had ME and no anti-virus (except SpyBot, that is) I was lucky enough to keep the restore disc which brought us back to factory-configuration.

I did that all the damn time.

That was the only option in several cases of bad viruses. Of course, that was a long time ago. No real experience with the new ones out there. I'm sure the same method would work, but if I got one on this machine I'd be SOL.
Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors. How can you challenge a perfect, immortal machine?

ivan
Re: quite a nasty virus
« Reply #6 on: May 28, 2010, 02:52:39 PM »

Quote from Clear_Runway: Your version probably had two processes running simultaneously, restarting each other if either stopped. Is there any other way for such a thing to happen?

There were 3 unfamiliar processes running, and each would respawn if killed.

As I mentioned, I was very fortunate that this strain didn't mess with System Restore. Many strains do. But if System Restore is running, and is unaffected by the virus, restoring to the last known good checkpoint is a swift and effective way of removing the infection. Just keep in mind that the virus is still on your system, because when you roll back you create a checkpoint at that time. After you restore, make sure you have eliminated the infection. Roll back to an earlier checkpoint if needed. When you're sure you are out of the woods, you should erase the checkpoints containing the virus. The way to do that is to stop and restart System Restore.

Personally, I'm a big fan of disk formatting as a removal tool. I did battle with rootkits on my Win2K server years back -- yes, I was wide open on the net for a day or so, and they found me -- and only a complete format and OS reinstall finally worked. That was a nightmare.

Ever since then, I've been leery of installing a lot of apps on my own PCs, just in case I get one of these fuckers. Not that the apps are at fault -- it's just a pain to have to reinstall a bunch of apps after some pissant script kiddie figures out another way to ruin your week.


Clear_Runway
Re: quite a nasty virus
« Reply #7 on: May 28, 2010, 02:56:07 PM »

It couldn't have been anything but a drive-by, and IE is notorious for that. Nobody using that computer ever downloads anything.

ivan
Re: quite a nasty virus
« Reply #8 on: May 28, 2010, 03:08:15 PM »

Heh, reminded me of this thing I wrote for TehGeekery years ago:

A Geek's Guide to Pets.

I must remember to use "there embrowsed before me" more often.

Novice
Re: quite a nasty virus
« Reply #9 on: May 28, 2010, 03:20:32 PM »

CoolWWWSearch!!!!

THAT'S the bitch that was always the hardest to get rid of. I remember it now. I don't remember finding the fonts file though (how did you end up finding it)?

I do remember SpyBot was able to find CoolWWWSearch later on in its life on my Dad's newer XP machine, still a terrible thing that took some safe-moding to get rid of.

Demosthenes
Re: quite a nasty virus
« Reply #10 on: May 28, 2010, 03:35:06 PM »

It'd be nice if this kind of thing happened more often with assholes like these...

ivan
Re: quite a nasty virus
« Reply #11 on: May 28, 2010, 03:52:34 PM »

Quote from Novice: (how did you end up finding it)?

I used the SpyBot tools to disable everything that ran on startup, then activated them one at a time until the virus re-emerged. Turned out to be some innocent-looking process called TrueTypeFonts or something, which executed the file fonts.hta in the Fonts directory. The thing about the Fonts directory is that you can't use Windows Explorer to see its contents, because it only shows Font files. I was able to see it and delete it using the command prompt.

Even though it was baffling at first, this was actually an easy problem to fix. It depended on the autorun process, and once that is found and removed, the problem is gone even if you don't delete the script. By today's standards CoolWWWSearch is almost benign.

The rootkit I mentioned earlier was not fixable by any means, and its payload was much more malicious. I don't think I ever mentioned this, because it's very, very embarrassing, but when I first installed that Win2K server, I had problems configuring the firewall and making it work with my ISP. I was trying to make it work as a Web server and an FTP host, and at some point in frustration I opened everything up. I planned to secure it systematically a little bit at a time, but I was learning as I went and it ran pretty much wide open for a few days. One day I came home from work and saw an unfamiliar little window on the desktop. My server had been turned into a zombie, and was waging a DoS attack on someone. I believe I literally tore the cat-5 cable out of the plug when I yanked it. I spent hours cleaning stuff up, and when I thought I had it, went back on line. It took maybe 10 minutes for the DoS window to reappear. There was a backdoor I couldn't find. Format/reinstall was the only option.

Enough to make a grown man cry.

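A read-only triage check in the spirit of ivan's hunt above, added here as an example that is not from the thread or any poster: it lists the classic Run autorun entries and any non-font files sitting in the Fonts directory, which Explorer's special Fonts view hides but the command line shows. The allowlist of font extensions is an assumption, and anything the script flags is a candidate for inspection, not a verdict.

```powershell
# Added example (not from the thread). Read-only: enumerates, never modifies.
# 1. Autorun entries from the classic per-user and per-machine Run keys.
# 2. Files in %windir%\Fonts whose extension is not a known font type.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, etc.; those are not autoruns.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-NonFontFilesInFontsDir {
    # Assumed allowlist; legitimate helper files (e.g. desktop.ini) may also
    # appear, so review what is returned rather than acting on it blindly.
    $fontExt = '.ttf', '.otf', '.ttc', '.fon', '.pfb', '.pfm', '.ini'
    Get-ChildItem -Path (Join-Path $env:windir 'Fonts') -File -Force |
        Where-Object { $fontExt -notcontains $_.Extension.ToLower() }
}

Get-AutorunEntries | Format-Table -AutoSize
Get-NonFontFilesInFontsDir | Select-Object Name, Length, LastWriteTime
```

An unfamiliar Run entry whose command points at a script inside the Fonts directory, like the fonts.hta ivan describes, would show up in both lists.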

Clear_Runway
Re: quite a nasty virus
« Reply #12 on: May 28, 2010, 03:59:02 PM »

Quote from ivan: By today's standards CoolWWWSearch is almost benign.

That is fucking scary.

Demosthenes
Re: quite a nasty virus
« Reply #13 on: May 28, 2010, 04:00:51 PM »

I know it's been said many times before and sounds cliché, but it's shit like this that has led me to where I am now.  

Windows is really only good for games, and that's about it.  When it comes to doing actual work, securing client data and transactions, keeping a network safe for business -- whether that's your own personal business as an individual or professional business as a company -- it simply isn't secure, stable, or reliable enough to do the job.

I came to the conclusion a couple of years ago that I couldn't in good conscience recommend Windows-based solutions to clients professionally anymore except in very specific cases, because to do so with the experience I've had in the industry would be disingenuous at best.

Maybe down the road Microsoft will come up with a workstation or server OS that's ready for the enterprise, but I doubt it will be any time soon.  They have a long way to go.

ivan
Re: quite a nasty virus
« Reply #14 on: May 28, 2010, 04:04:06 PM »

Quote from Demosthenes: It'd be nice if this kind of thing happened more often with assholes like these...

Here is my fantasy:

People like me, who have lost their sanity in dealing with malware, systematically go berserk and do stuff that gets us hard time. Hundreds and thousands of us, all over the country. In prison, we pump iron and make shivs. Then, one day, these bastards are caught and sentenced and there they are, in the exercise yard.

Demosthenes
Re: quite a nasty virus
« Reply #15 on: May 28, 2010, 04:15:02 PM »

I can get on board with that.  More Windows sysadmins need to be in prisons, I think.

xolik
Re: quite a nasty virus
« Reply #16 on: May 28, 2010, 04:32:22 PM »

Quote from Demosthenes: I can get on board with that.  More Windows sysadmins need to be in prisons, I think.

I'd get better treatment, that's for sure. Three hots and a cock cot!
« Last Edit: May 28, 2010, 04:35:03 PM by xolik »
Barium: What you do if CPR fails.

=-=-=-=-=-=-=-=-=-=-=
[The Fade^C Compound]
-=-=-=-=-=-=-=-=-=-=-

BizB
Re: quite a nasty virus
« Reply #17 on: May 28, 2010, 08:26:15 PM »

cock lol
Without me, it's just 'aweso'.