Author Topic: virusheat  (Read 568 times)

Offline Mustaine

  • Parolee
  • Platinum Member
  • ******
  • Posts: 4139
virusheat
« on: March 26, 2008, 09:23:55 PM »
http://www.symantec.com/security_response/writeup.jsp?docid=2008-021111-1926-99

Anyone here ever deal with this nasty bugger? :furious :furious :furious

Best friend's wife calls me, says "can you come over, I think we have a virus" (he works nights).

This thing actually reboots the PC into safe mode if I open the C drive. :mad: :furious

Got about halfway clean, and had to give up for the night.

The messed-up part is how or where they got it. My buddy has learned his "porn" lesson, and I even checked his history; he's clear. The wife doesn't even know how to find "naughty" sites... that only leaves the kids. I have them on Firefox with NoScript, Adblock, and AVG running behind. After the last worm I killed IE for everyone except the administrator, with a really strong password (12 chars, letters, numbers, symbols, caps), and actually blocked wwe.com, miniclips.com, and barbie.com with the hosts file.

Where did 9- and 11-year-old kids with a limited account and Firefox get this fudging thing!? :furious

I have to say I can't check all of their sites, but just damn, that's wrong for the amazinhunks that make this stuff to target kids' sites. Even their daughter isn't allowed on barbie.com. My own goddaughter can't go to her favorite toy's site, as the background is a mess of stuff. I diddlying hate the internet sometimes.
Genetically engineered in a lab, and raised by wolverines -- ]V[ E G A D E T ]-[
AoM DFC ZLA BMF and a bunch of other acronyms.

Offline Getback

  • Platinum Member
  • ******
  • Posts: 6459
Re: virusheat
« Reply #1 on: March 26, 2008, 09:49:03 PM »
Sick! :rock

Offline llama

  • Silver Member
  • ****
  • Posts: 819
      • http://www.warrenernst.com/
Re: virusheat
« Reply #2 on: March 26, 2008, 11:28:27 PM »

Quote from: Mustaine
The messed-up part is how or where they got it. My buddy has learned his "porn" lesson, and I even checked his history; he's clear. The wife doesn't even know how to find "naughty" sites... that only leaves the kids. I have them on Firefox with NoScript, Adblock, and AVG running behind. After the last worm I killed IE for everyone except the administrator, with a really strong password (12 chars, letters, numbers, symbols, caps), and actually blocked wwe.com, miniclips.com, and barbie.com with the hosts file.

Yet another example of AVG letting a computer get owned by a virus.

Sorry to hear about your pal's virus troubles. Every once in a while I encounter a system that's too messed up for saving too.

After you clean up or reinstall Windows on that machine, you might consider setting up a VMware Virtual Appliance for the kids. Using the FREE VMware Server product, you could have a Linux environment with Firefox and all the plug-ins, all working within a virtual environment within Windows. Check out http://www.vmware.com/appliances/ for a list of free appliances.

Using VMware's "Snapshot" feature, you can even roll the virtual machine back to pretty much any point in time, such as when it was working properly.

If the kids were forced to do their browsing on it, you would be 99.99999% certain that web nasties couldn't affect the whole rest of the computer. Heck, with Firefox and Linux, you could be pretty sure nasties wouldn't affect the browsing environment either...

-Llama

Interesting server at 69.12.181.171

Offline Skuzzy

  • Support Member
  • Administrator
  • *****
  • Posts: 31462
      • HiTech Creations Home Page
Re: virusheat
« Reply #3 on: March 27, 2008, 06:45:30 AM »
Quote from: Mustaine
<snip>Where did 9- and 11-year-old kids with a limited account and Firefox get this fudging thing!? :furious<snip>

MySpace, YouTube, any chat programs, email, P2P programs. Those are some of the more common ones.
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline Mustaine

  • Parolee
  • Platinum Member
  • ******
  • Posts: 4139
Re: virusheat
« Reply #4 on: March 27, 2008, 01:17:10 PM »
I might try that, Llama, if I can get the wife and kids to understand how to access it easily.


Yeah Skuzzy, you wouldn't believe what 9- and 11-year-old kids see on YouTube. :eek


They don't have an email account, but they do have a few kids' chat programs that are on some of the more popular kids' web sites. It just disgusts me that they go after those sites the most.

I forgot about MySpace. "Mom" says they are not allowed to go there, and they don't have profiles, but I'll bet they sneak on there; that may be another I have to perma-ban. It's like miniclips: they aren't supposed to go there, but sure enough they got there in a roundabout way.
Genetically engineered in a lab, and raised by wolverines -- ]V[ E G A D E T ]-[
AoM DFC ZLA BMF and a bunch of other acronyms.

Offline humble

  • Platinum Member
  • ******
  • Posts: 6434
Re: virusheat
« Reply #5 on: March 27, 2008, 03:21:01 PM »
1st,

This isn't an AVG-specific type of problem, since it's a malware issue and not really a virus. As a general rule this is an executed file....

This is where a sandbox-type utility comes in handy, especially for kids.... The problem is in preventing a user-initiated infection here, I think. This is a downloaded executable that requires some type of user activation. This is where some type of layered protection and enhanced user-level restrictions apply...

Normally this one is loaded via a trojan masquerading as an audio or video codec that the user has to actually execute to play a video or audio file. This goes back to fundamental user education or limitation. Either the user has to know that you never download an unknown codec, ever, or the ability has to be restricted in the security settings.
« Last Edit: March 27, 2008, 03:28:07 PM by humble »

"The beauty of the second amendment is that it will not be needed until they try to take it."-Pres. Thomas Jefferson
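The codec lure humble describes above comes down to one check that a user, or a download filter, can make before double-clicking: is the thing that calls itself a codec or a video clip actually a Windows executable? The script below is an added example written for this thread, not code from any poster or vendor. It reads the DOS/PE header instead of trusting the extension, and it flags the double-extension trick (`clip.avi.exe`, shown as `clip.avi` when Explorer hides extensions). The file names, the byte strings and the `CODEC_WORDS` list are constructed test inputs and assumptions.

```python
"""Flag downloads that present as media or a 'codec' but carry a Windows PE image.
Added example for the thread; sample names and bytes below are constructed."""
import struct

# Extensions a lure typically borrows (assumption: representative, not exhaustive).
MEDIA_EXTS = {".avi", ".mpg", ".mpeg", ".wmv", ".mov", ".mp3", ".wma"}
# Words that show up in fake-codec installer names (assumption, tune to taste).
CODEC_WORDS = ("codec", "player", "plugin")


def is_pe(data: bytes) -> bool:
    """True when data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'.

    This is the check Explorer never makes when extensions are hidden.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """Return 'masquerade', 'codec-installer' or 'ok' for a downloaded file."""
    lname = name.lower()
    stem, dot, ext = lname.rpartition(".")
    ext = "." + ext if dot else ""
    if not is_pe(data):
        return "ok"                       # genuinely not executable code
    # PE image behind a media extension, either renamed outright ('clip.avi')
    # or double-extensioned ('clip.avi.exe') so Explorer shows only 'clip.avi'.
    if ext in MEDIA_EXTS or any(stem.endswith(m) for m in MEDIA_EXTS):
        return "masquerade"
    # A real executable that sells itself as a codec: exactly the Zlob lure.
    if any(word in lname for word in CODEC_WORDS):
        return "codec-installer"
    return "ok"


def fake_pe() -> bytes:
    """Build the smallest byte string is_pe() accepts (constructed test input)."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x40)      # e_lfanew -> PE signature
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    samples = [
        ("video_codec_setup.exe", fake_pe()),
        ("hot_clip.avi.exe", fake_pe()),
        ("hot_clip.avi", fake_pe()),
        ("song.mp3", b"ID3\x03\x00" + b"\x00" * 100),
    ]
    for name, blob in samples:
        print(f"{name:24s} {classify(name, blob)}")
```

A "codec-installer" verdict is a prompt for a human to ask where the file came from, not proof of malice; a "masquerade" verdict is never legitimate, since no media format starts with a DOS header.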

Offline humble

  • Platinum Member
  • ******
  • Posts: 6434
Re: virusheat
« Reply #6 on: March 27, 2008, 05:37:25 PM »
Virtual appliances are certainly the future. We were running a 100-seat Citrix network back in the late '90s. It gave my contract workforce a worldwide virtual desktop capability while greatly enhancing intellectual property protection within the corporate environment. Most machines already have some flavor of virtual machine capability installed. Any form of "sandbox" is a virtual appliance, but the true capabilities of a VA go far beyond that. Basically you can now run a full-blown Linux OS inside Windows. Another good example is the Mac OS (Tiger?) that will run Windows as a VA of some flavor....

I've fooled with 3-4 flavors of Ubuntu as well as Red Hat and Fedora VAs, but don't feel at all comfortable recommending one since I really don't fully understand them. All of them seem to work fine, but since I have my computer set to boot in 4 different OS flavors I don't normally run Linux as a VA. I think a good sandbox app is preferable for a strictly browsing environment, but a VA can do much more (I think). I'm not up to speed on Acronis 11.0 yet, but it appears to be more of a built-in VA than a true "sandbox" and might be a good alternative as well....

I think any recommendation on a specific VA would be appreciated by all....certainly me.

"The beauty of the second amendment is that it will not be needed until they try to take it."-Pres. Thomas Jefferson

Offline humble

  • Platinum Member
  • ******
  • Posts: 6434
Re: virusheat
« Reply #7 on: March 27, 2008, 07:57:59 PM »
OK...

I'm logged in via a VA browser I found via the link llama so kindly provided. Now this is not a full OS with browser support embedded. This is a "stand-alone" web browser running via the "VA player" downloadable on the site. It certainly works just fine but is a small box centered on my screen, giving me a much smaller windowed app. I'm sure I can alter the dimensions somehow. The "parent" VA player appears to take up about 60-70% of my desktop, centered, with a roughly 2 in strip on either side vertically and apparently a similar margin underneath. I'll have to check to see if this is adjustable or not. Certainly was easy to fire up and worked in the "idiot" configuration with zero problems or adjustments on my end.

Not something that I could get my wife/kids to use compared to Sandboxie, which is reasonably indistinguishable from a normal browser. I'll post again on this over the weekend once I've fooled with it a bit....

OK, actually took about 2-3 minutes to figure all the basics out. 4 different resolutions, and it seems to have all the basic Linux drivers in the OS so it recognizes all peripherals. I think that Sandboxie or similar is a more "turn-key" app, but this has integrated email support etc., so it might be better as an OS. Sandboxie is pretty powerful but also confusing since it allows you to send stuff to the real machine. My understanding is that in a VA OS you have an actual separate virtual machine (my Ubuntu is 8 gig) that is similar to a Citrix VM... so your work is really there on the VM OS, not being "moved" to your "real" machine. I'll need to play with this a bit since it's not a real OS per se.... no clue what it's got loaded up beyond the browser/email.

I do think that a VA Linux OS is actually a good idea for a lot of general uses. I may just replace my "real" version with a virtual one....
« Last Edit: March 27, 2008, 08:24:38 PM by humble »

"The beauty of the second amendment is that it will not be needed until they try to take it."-Pres. Thomas Jefferson

Offline Mustaine

  • Parolee
  • Platinum Member
  • ******
  • Posts: 4139
Re: virusheat
« Reply #8 on: March 27, 2008, 08:24:29 PM »
MAN, what an ugly POS to kill.... Finally got it with this:

Malwarebytes' Anti-Malware 1.09
Database version: 552

Scan type: Quick Scan
Objects scanned: 41652
Time elapsed: 16 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c4ee31f3-4768-11d2-be5c-00a0c9a83da1} (Rogue.WinFixer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e94eb13e-d78f-0857-7734-5e67a49ffff1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7d7bd0c4-4913-4933-b870-7388a7bffb82} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fca3958a-8d38-4d14-8b81-ccd7f68a8a01} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{7d7bd0c4-4913-4933-b870-7388a7bffb82} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\user32.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Common Files\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\Helper (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tdidrv32.sys (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinSecureAv\bm.exe (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinSecureAv\ugac.exe (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\Helper\1206331442.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Helper\1206331855.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinSecureAv\Contact Customer Support.lnk (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinSecureAv\Uninstall WinSecureAv.lnk (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinSecureAv\WinSecureAv.lnk (Rogue.WinSecureAv) -> Quarantined and deleted successfully.


dude  :furious :furious :furious

So far 2 Spybot, 1 Ad-Aware, 2 AVG and an online Norton scan reveal nothing left.

I had to do 13 manual reg edits too.


I rock!  :rock
Genetically engineered in a lab, and raised by wolverines -- ]V[ E G A D E T ]-[
AoM DFC ZLA BMF and a bunch of other acronyms.
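The log above is worth reading as more than a kill list: the registry entries show how the rogue stayed resident across reboots (a CLSID-registered browser helper object, an Explorer SharedTaskScheduler hook, a Policies\Explorer\Run value, and a service entry for a kernel driver, tdidrv32.sys). The script below is an added example, not a Malwarebytes tool or anything from the thread: it parses lines in that report's format, tallies detections per family, and labels each item by the persistence mechanism its path implies. The embedded `LOG` is an excerpt of the report posted above; the persistence labels and the path patterns behind them are this example's own wording and assumptions.

```python
"""Parse a Malwarebytes-style detection log and group hits by family and by
persistence mechanism.  Added example; LOG is an excerpt of the posted report."""
import re
from collections import Counter

LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{7d7bd0c4-4913-4933-b870-7388a7bffb82} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhlp (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{7d7bd0c4-4913-4933-b870-7388a7bffb82} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\user32.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\tdidrv32.sys (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\WinSecureAv\bm.exe (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Program Files\Helper\1206331442.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinSecureAv\WinSecureAv.lnk (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) -> <action>."
LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Lower-cased path fragments and the persistence label they imply (assumption:
# wording is this example's own; first match wins).
PERSISTENCE = [
    ("\\sharedtaskscheduler\\", "Explorer SharedTaskScheduler (loads at logon)"),
    ("\\policies\\explorer\\run\\", "Policies\\Explorer\\Run autostart"),
    ("\\currentcontrolset\\services\\", "Service or driver registration"),
    ("hkey_classes_root\\clsid\\", "COM class (BHO / shell hook)"),
    ("\\start menu\\", "Start Menu shortcut"),
]


def persistence_of(item: str) -> str:
    """Label a registry path or file path by how it keeps the malware resident."""
    low = item.lower()
    for needle, label in PERSISTENCE:
        if needle in low:
            return label
    if low.endswith(".sys"):
        return "Driver file on disk"
    return "Payload file/folder"


def parse(log: str) -> list:
    """Return one dict per detection line, tagged with its section and persistence label."""
    entries, section = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):            # "Registry Keys Infected:" etc.
            section = line[:-1]
            continue
        match = LINE.match(line)
        if match:
            entry = match.groupdict()
            entry["section"] = section
            entry["persistence"] = persistence_of(entry["item"])
            entries.append(entry)
    return entries


def summarize(entries):
    """Counters of detections per family and per persistence mechanism."""
    return (Counter(e["family"] for e in entries),
            Counter(e["persistence"] for e in entries))


def driver_entries(entries):
    """The items that tie the infection to the kernel: the .sys file and its service key.
    A rootkit-capable driver is why 'other scanners say clean' deserves a second look."""
    kernel = {"Driver file on disk", "Service or driver registration"}
    return [e["item"] for e in entries if e["persistence"] in kernel]


if __name__ == "__main__":
    found = parse(LOG)
    families, mechanisms = summarize(found)
    print("by family:", dict(families))
    print("by persistence:", dict(mechanisms))
    print("kernel-level items:", driver_entries(found))
```

Run against the full posted log the same way; the only lines it skips are the summary counts and the "(No malicious items detected)" placeholders, which carry no path.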

Offline Skuzzy

  • Support Member
  • Administrator
  • *****
  • Posts: 31462
      • HiTech Creations Home Page
Re: virusheat
« Reply #9 on: March 28, 2008, 07:10:00 AM »
Quote from: Mustaine
I might try that, Llama, if I can get the wife and kids to understand how to access it easily.

Yeah Skuzzy, you wouldn't believe what 9- and 11-year-old kids see on YouTube. :eek

They don't have an email account, but they do have a few kids' chat programs that are on some of the more popular kids' web sites. It just disgusts me that they go after those sites the most.

I forgot about MySpace. "Mom" says they are not allowed to go there, and they don't have profiles, but I'll bet they sneak on there; that may be another I have to perma-ban. It's like miniclips: they aren't supposed to go there, but sure enough they got there in a roundabout way.


Facebook is another one.

I cringe every time I see a YouTube link on the forums. That place is a virus looking for a place to happen.
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline RTHolmes

  • Plutonium Member
  • *******
  • Posts: 8260
Re: virusheat
« Reply #10 on: March 28, 2008, 08:33:18 AM »
Quote from: Mustaine
I boinking hate the internet sometimes.

Please don't blame "the internet"; your problems are caused by Microsoft's shoddy OS.
71 (Eagle) Squadron

What most of us want to do is simply shoot stuff and look good doing it - Chilli

Offline Eagler

  • Plutonium Member
  • *******
  • Posts: 18776
Re: virusheat
« Reply #11 on: March 28, 2008, 09:05:02 AM »
Quote from: RTHolmes
Please don't blame "the internet"; your problems are caused by Microsoft's shoddy OS.

LOL
Please code a better replacement ASAP.

That said, it is up to the user to protect himself. Nowadays that means you have to be very careful about what you "click":
if you don't "click", it ain't gonna stick..
That said, kids shouldn't be babysat with the intratard on the family's PC.. unless you are friends with fdisk :)
"Masters of the Air" Scenario - JG27


Intel Core i7-13700KF | GIGABYTE Z790 AORUS Elite AX | 64GB G.Skill DDR5 | 16GB GIGABYTE RTX 4070 Ti Super | 850 watt ps | pimax Crystal Light | Warthog stick | TM1600 throttle | VKB Mk.V Rudder

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: virusheat
« Reply #12 on: March 28, 2008, 11:21:06 AM »
Linux is a great and safe alternative to windows for browsing. Too bad gaming is so undeveloped on it.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Vulcan

  • Plutonium Member
  • *******
  • Posts: 9913
Re: virusheat
« Reply #13 on: March 28, 2008, 04:29:19 PM »
Quote from: humble
Virtual appliances are certainly the future. We were running a 100-seat Citrix network back in the late '90s. It gave my contract workforce a worldwide virtual desktop capability while greatly enhancing intellectual property protection within the corporate environment. Most machines already have some flavor of virtual machine capability installed. Any form of "sandbox" is a virtual appliance, but the true capabilities of a VA go far beyond that. Basically you can now run a full-blown Linux OS inside Windows. Another good example is the Mac OS (Tiger?) that will run Windows as a VA of some flavor....

Virus writers are now targeting virtualized systems, and also making their apps sandbox-aware (this started ~2 years ago). OS X running Windows under Parallels/Boot Camp is the most common vector for viruses I see on our network. We have 'compartmentalized' our network, with Macs in their own zone, to prevent the infections they often bring in from hopping across to any Windows boxes (the only virus hits I've seen in the last 12 months are from them).

Then there's the handful of malware/viruses out for Apple itself. They're extremely small in number, but then the average Mac user has a false sense of security and usually NO AV/malware protection.

Trying to find out where the infection came from is a waste of time; the way advertising sites get hammered with exploits these days, you cannot trust any website that supports banner or iframe advertisements. Part of my 'pitch' for SonicWall firewalls lately, apart from gateway AV/AS, is that the content filtering blocks (embedded) advertising, and that is the new major vector for malware these days.

Offline llama

  • Silver Member
  • ****
  • Posts: 819
      • http://www.warrenernst.com/
Re: virusheat
« Reply #14 on: March 28, 2008, 04:40:59 PM »
Quote from: Vulcan
Virus writers are now targeting virtualized systems, and also making their apps sandbox-aware (this started ~2 years ago).

It gets even better. Some viruses are getting virtual-machine aware. When the virus detects that it is running in Microsoft's Virtual PC or a VMware version, it intentionally doesn't do anything, or it acts very differently than it would if it detected that a "real" computer was running it.

The reason is to confound the virus researchers, who generally find VMware makes the job of researching viruses a million times easier. The virus writers hope the antivirus developers will think that an infected file isn't a problem within their testing environment, or that the AV product will take steps to kill it that are different in real life than within the testing environment.

The upshot is that AV companies don't use Virtual Machines to test for viruses anymore. And neither do I.

-Llama

Interesting server at 69.12.181.171
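The evasion llama describes works by checking for hypervisor artifacts before the payload runs; the same checks, turned around, tell an analyst whether a test box would be recognised as a VM. The script below is an added example, not from the thread or from any vendor: it matches NIC OUI prefixes, process names and driver file paths against a short list of well-known VMware and Virtual PC indicators and reports what a sample would find. The indicator tables and the inputs under `__main__` are assumptions for illustration, not a complete list; the harder checks real samples also use (VMware's backdoor I/O port, CPUID hypervisor bits, timing differences) are outside this example.

```python
"""Audit the hypervisor artifacts that VM-aware malware keys on before deciding
whether to run.  Added example; indicator lists are illustrative assumptions."""
import uuid

# NIC OUI prefixes assigned to VMware virtual adapters and Microsoft Virtual PC
# (assumption: well-known values, listed for illustration, not exhaustive).
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "00:03:ff": "Microsoft Virtual PC",
}
# Guest-tools processes a sample can enumerate (assumption: common names).
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware Tools", "vmwaretray.exe": "VMware Tools",
    "vmwareuser.exe": "VMware Tools", "vmsrvc.exe": "Virtual PC Additions",
    "vmusrvc.exe": "Virtual PC Additions",
}
# Guest driver files, lower-cased with backslash separators (assumption: common paths).
VM_FILES = {
    r"c:\windows\system32\drivers\vmmouse.sys": "VMware",
    r"c:\windows\system32\drivers\vmhgfs.sys": "VMware",
}


def normalize_mac(mac) -> str:
    """Accept '00-0C-29-..', '000c29..' or the int from uuid.getnode(); return 'aa:bb:cc:dd:ee:ff'."""
    if isinstance(mac, int):
        mac = "%012x" % mac
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vm_indicators(macs, processes, files):
    """Return (kind, value, product) tuples for every artifact that matches a table."""
    hits = []
    for mac in macs:
        oui = normalize_mac(mac)[:8]           # first three octets identify the vendor
        if oui in VM_OUIS:
            hits.append(("mac", oui, VM_OUIS[oui]))
    for proc in processes:
        key = proc.lower()
        if key in VM_PROCESSES:
            hits.append(("process", proc, VM_PROCESSES[key]))
    for path in files:
        key = path.lower().replace("/", "\\")
        if key in VM_FILES:
            hits.append(("file", path, VM_FILES[key]))
    return hits


def would_sample_bail(hits) -> bool:
    """Mirror of the sample-side decision: any hit and the payload stays dormant."""
    return bool(hits)


if __name__ == "__main__":
    # Constructed inputs standing in for what a sample enumerates on a VMware guest.
    guest = vm_indicators(
        macs=["00-0C-29-AB-CD-EF"],
        processes=["explorer.exe", "VMwareTray.exe"],
        files=[r"C:\WINDOWS\system32\drivers\vmmouse.sys"],
    )
    print("guest indicators:", guest, "-> sample bails:", would_sample_bail(guest))
    # This host's own NIC as a sample would see it (uuid.getnode may fall back
    # to a random number when no hardware address is available).
    mine = normalize_mac(uuid.getnode())
    print("local MAC:", mine, "->", vm_indicators([mine], [], []) or "no OUI match")
```

If a lab VM lights up any of these, the fix is either to scrub the artifacts (change the virtual NIC's MAC, skip the guest tools) or, as llama does, to detonate on a disposable physical box instead.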