Author Topic: Aces Highest Interruptus  (Read 1199 times)

Offline Zygote404

  • Copper Member
  • **
  • Posts: 161
Aces Highest Interruptus
« on: September 22, 2010, 06:35:38 AM »
Today I was in the middle of a dogfight when I got booted to Windows with a spyware message.  Tried to continue playing but I kept getting thrown to desktop.  Anyway I had to run my Spybot and Malwarebytes and it turned out I suddenly had Virut.

Anyone know if it's possible to get a virus just by being connected to the internet?  Was not doing anything other than playing Aces High.

It's one of the worst viruses I have seen.  It's a polymorphic code injector that injects code into most of Windows' system files.  It also isn't very good at injecting the code, so the files are pretty much corrupted beyond saving.  Can be cleaned out with a lot of work but the system is screwed anyway.

It also opens up a backdoor to an IRC server in Russia which then downloads a plethora of spyware, viruses and trojans onto your system and runs them.

Anyway now I got no uber AH computer.  And no idea how it managed to get onto the system.

Any techies know anything about this thing?

Offline ozrocker

  • Gold Member
  • *****
  • Posts: 3640
Re: Aces Highest Interruptus
« Reply #1 on: September 22, 2010, 06:47:27 AM »
Wow, that sucks. You CAN get hit by so-called "Drive-by" viruses. It seems most viruses these days are coming out of Russia, China and N. Korea.


<S> Oz
Flying and dying since Tour 29
The world is grown so bad. That wrens make prey where eagles dare not perch.- Shakespeare
 
30% Disabled Vet  US ARMY- 11C2H 2/32 AR. 3rd AD, 3/67AR. 2nd AD, 2/64 AR. 3rd ID, ABGD Command TRADOC, 1/16th INF. 1st ID

Offline Skuzzy

  • Support Member
  • Administrator
  • *****
  • Posts: 31462
      • HiTech Creations Home Page
Re: Aces Highest Interruptus
« Reply #2 on: September 22, 2010, 10:05:38 AM »
The problem with viruses today is they very seldom instantly announce themselves.  Virtually all of them plant themselves into the computer and wait for some time to pass before actually activating.  This helps prevent the user from knowing where it came from.

Currently there are approximately 20,000 websites on the Internet which are handing out viruses.  Another 30,000 handing out malware/spyware.  Most of the sites are not even aware they are infected.

Joomla sites got hit hard late last year and earlier this year.  Over 70% of them got infected with virus delivery code and virtually none of the owners knew about it.  Took the Joomla folks 6 months to fix that backdoor and not all sites have been updated to prevent it, as updating Joomla is a pain in the butt.  Many of the owners are still not aware of it either, despite Joomla's best efforts to notify them.

That is just one example.  It amazes me how many innocuous sites I have hit that are infected.  I always notify the webmasters about it, and some of them are rather belligerent about how there is no way their site could be infected.

Bottom line is this:  If you have ActiveX enabled, Java enabled, Javascript enabled, Flash enabled, or use Acrobat for PDF reading, your computer is wide open to infections from a multitude of sites on the Internet.

Also note, it is quite impossible for Aces High to deliver a virus to your computer.  Once you understand how viruses are delivered you would understand why.
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline Traveler

  • Gold Member
  • *****
  • Posts: 3148
      • 113th Lucky Strikes
Re: Aces Highest Interruptus
« Reply #3 on: September 22, 2010, 11:43:22 AM »
Are you talking about the W32/Virut?  It's been out there for about a year.  It has been identified as being triggered by one of these:

%System%\aewuuwufbvv.exe
%System%\arowzdrkjgtwr.exe
%System%\bgzmdaaauies.exe
%System%\bkzzrtliuprckz.exe
%System%\dllcache\sxch0st.exe
%System%\dllcache\wintcps.exe
%System%\ewmtgqkh.exe
%System%\explorer.exe
%System%\gyvtncthhidoir.exe
%System%\ifbtomotphe.exe
%System%\ikpprhznityacq.exe
%System%\irmwsyf.exe
%System%\khjdphmyttggvt.exe
%System%\lhttk.exe
%System%\mwaehuczvshuh.exe
%System%\mzdgz.exe
%System%\naszaoytn.exe
%System%\ocekhdcr.exe
%System%\orqbhjddhbfp.exe
%System%\qwkoykyojjn.exe
%System%\ruqbcalrxsfw.exe
%System%\sgvq.exe
%System%\sgwnlbki.exe
%System%\wbem\winscrvs.exe
%System%\xirwqznybc.exe
%System%\xroyiabh.exe
%System%\yvscb.exe
%System%\zeuvqlghbbfv.exe
%System%\zoxtyjayxnkwuh.exe
%ProgramFiles%\common files\system\msasp32.exe
%ProgramFiles%\common files\system\msiwa32.exe
%Windir%\antiv.exe

All the top anti-virus software finds and removes it before it has a chance to trigger.  As Skuzzy stated, the initial infection is generally in sleeper mode and no telling what might cause it to pop up.  Once it does trigger your operating system is pretty much fried.  Found this on the internet: http://www.softpedia.com/get/Antivirus/Win32-Virut-Remover.shtml  Good luck.
« Last Edit: September 22, 2010, 11:52:57 AM by Traveler »
Traveler
Executive Officer
113th Lucky Strikes
http://www.hitechcreations.com/wiki/index.php/113th_Lucky_Strikes
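The dropped-file paths Traveler lists are the kind of indicator a defender would sweep a host for. As an added example (not code from the thread or from any of the posters), the Python script below expands the %System%, %ProgramFiles% and %Windir% placeholders used in that list and reports which of those paths exist on the machine. The mapping of the placeholders to directories is an assumption (System32 for %System%; the others read from the environment on Windows), and a hit is a lead to confirm with a scanner rather than proof on its own, since a name such as explorer.exe is legitimate elsewhere on the system.

```python
"""Sweep a host for the Virut dropped-file indicators listed in the thread.

Added example, not code from the thread or its posters.  The placeholder
names (%System%, %ProgramFiles%, %Windir%) follow the anti-virus write-up
convention the list uses; how they map to real directories is assumed here.
"""
import os
import re
from typing import Dict, List

# Indicator paths copied verbatim from Traveler's post above.
VIRUT_DROP_PATHS = [
    r"%System%\aewuuwufbvv.exe",
    r"%System%\arowzdrkjgtwr.exe",
    r"%System%\bgzmdaaauies.exe",
    r"%System%\bkzzrtliuprckz.exe",
    r"%System%\dllcache\sxch0st.exe",
    r"%System%\dllcache\wintcps.exe",
    r"%System%\ewmtgqkh.exe",
    r"%System%\explorer.exe",
    r"%System%\gyvtncthhidoir.exe",
    r"%System%\ifbtomotphe.exe",
    r"%System%\ikpprhznityacq.exe",
    r"%System%\irmwsyf.exe",
    r"%System%\khjdphmyttggvt.exe",
    r"%System%\lhttk.exe",
    r"%System%\mwaehuczvshuh.exe",
    r"%System%\mzdgz.exe",
    r"%System%\naszaoytn.exe",
    r"%System%\ocekhdcr.exe",
    r"%System%\orqbhjddhbfp.exe",
    r"%System%\qwkoykyojjn.exe",
    r"%System%\ruqbcalrxsfw.exe",
    r"%System%\sgvq.exe",
    r"%System%\sgwnlbki.exe",
    r"%System%\wbem\winscrvs.exe",
    r"%System%\xirwqznybc.exe",
    r"%System%\xroyiabh.exe",
    r"%System%\yvscb.exe",
    r"%System%\zeuvqlghbbfv.exe",
    r"%System%\zoxtyjayxnkwuh.exe",
    r"%ProgramFiles%\common files\system\msasp32.exe",
    r"%ProgramFiles%\common files\system\msiwa32.exe",
    r"%Windir%\antiv.exe",
]

PLACEHOLDER = re.compile(r"%(\w+)%")


def default_roots() -> Dict[str, str]:
    """Assumed mapping of the write-up placeholders to directories.

    %Windir% and %ProgramFiles% are taken from the environment on Windows;
    %System% is assumed to be <Windir>\\System32 (an assumption, not from
    the thread).
    """
    windir = os.environ.get("WINDIR", r"C:\Windows")
    return {
        "Windir": windir,
        "System": os.path.join(windir, "System32"),
        "ProgramFiles": os.environ.get("PROGRAMFILES", r"C:\Program Files"),
    }


def expand_indicator(indicator: str, roots: Dict[str, str]) -> str:
    """Turn r'%System%\\dllcache\\sxch0st.exe' into a native filesystem path."""
    m = PLACEHOLDER.match(indicator)
    if not m or m.group(1) not in roots:
        raise ValueError(f"unknown placeholder in indicator: {indicator}")
    rest = indicator[m.end():].lstrip("\\")
    # The list uses backslashes; rebuild with the host's own separator.
    return os.path.join(roots[m.group(1)], *rest.split("\\"))


def check_indicators(indicators: List[str], roots: Dict[str, str]) -> List[str]:
    """Return the expanded indicator paths that exist as files on this host.

    A hit means the name is present, not that the file is malicious:
    confirm with a scanner before acting on it.
    """
    hits = []
    for indicator in indicators:
        path = expand_indicator(indicator, roots)
        if os.path.isfile(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    found = check_indicators(VIRUT_DROP_PATHS, default_roots())
    for hit in found:
        print("indicator present:", hit)
    if not found:
        print("none of the listed indicator paths are present")
```

Run it as-is on the suspect machine; to sweep a mounted offline disk instead, pass `check_indicators` a `roots` dictionary pointing at the mounted Windows and Program Files directories.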

Offline Zygote404

  • Copper Member
  • **
  • Posts: 161
Re: Aces Highest Interruptus
« Reply #4 on: September 22, 2010, 11:48:56 AM »
Thanks Skuzzy, yeah this one's being handed out by a group in Poland I believe; the domain names are zief.pl and ircgalaxy.pl.  They've been doing it for 3 years or more and no one will shut down the domains.

Also didn't think I got it from AH, thought maybe it just hooked onto my network by checking random ports etc.  That might sound dumb but I have no idea regarding that stuff.

Offline Zygote404

  • Copper Member
  • **
  • Posts: 161
Re: Aces Highest Interruptus
« Reply #5 on: September 22, 2010, 11:57:06 AM »
Yup that's the one.  Thing is I had Malwarebytes and Spybot resident and AVG installed but not resident.  I know antivirus is not 100% though.  Computer is completely dead as a doornail.  Having a hell of a time getting Windows loaded back on 'cause my backup didn't have 1; or something and my ntlloader is not letting it boot.  Spent all night trying to make a Windows XP boot disk that'll boot to DOS and let me run the winsetup :)


Offline Traveler

  • Gold Member
  • *****
  • Posts: 3148
      • 113th Lucky Strikes
Re: Aces Highest Interruptus
« Reply #6 on: September 22, 2010, 12:05:16 PM »
You should be able to boot from the windows disk.
Traveler
Executive Officer
113th Lucky Strikes
http://www.hitechcreations.com/wiki/index.php/113th_Lucky_Strikes

Offline Zygote404

  • Copper Member
  • **
  • Posts: 161
Re: Aces Highest Interruptus
« Reply #7 on: September 22, 2010, 11:36:43 PM »
Boots fine on this computer.  On the other computer it says Boot: Cannot find NTLLOADER or some such thing.  This one's a frigging Hewlett Packard.  Figured I'd just put the video card into this system so I could play but HP are retarded; it has an AGP slot but it's got about 2 inches of space to put a video card in.

Offline Getback

  • Platinum Member
  • ******
  • Posts: 6456
Re: Aces Highest Interruptus
« Reply #8 on: September 23, 2010, 09:11:54 AM »
It's somewhat scary these days. Seems like there are more viruses than ever. I know there are more posts recently regarding viruses.

My basic rule is to stay away from porn sites and free music downloads. Those are notorious for viruses and malware. I once asked a kid what's the best site for downloading music, iTunes or Walmart. He said, some free site. I said that site is bad about giving viruses (I had read about it). He said so what, I will just wipe my drive. Then I asked, what about the people you e-mail? You talk about a deer stuck in headlights.


Offline eagl

  • Platinum Member
  • ******
  • Posts: 6769
Re: Aces Highest Interruptus
« Reply #9 on: September 23, 2010, 08:40:43 PM »
Skuzzy,

I know some guys who could probably use AH to infect a computer...  They're the kind of folks who would start from the bare metal though, and they can mess with your computer without a hardware connection.  Scary good hacker types with advanced physics degrees and a govt license to hack.  Any aperture, including unshielded twisted pair, is subject to exploitation.  If you know what you are doing, it is even possible to hack into fiber optics without cutting the line (no I won't say how haha).  I remember my first "find" for a hardware level exploit while in school.  It wasn't a new exploit since it was a very old memory controller design, but it was fascinating to see how just the right sequence of ones and zeroes targeted at edge conditions within hardware (or microcode) could be exploited.

A very simple method AH could use to infect a computer: suppose HT gets the confidential specifications for writing hard drive firmware from, say, Seagate.  He could include code in the game to send the right commands to the hard drive to write a new firmware that loads boot-time code from an unused portion of the hard drive.  That code could do anything, including setting up the boot ROM found on many network controllers to attack other computers on the LAN from a "trusted" network address.

Hell, by re-writing the firmware on the network controller, or even attacking the network stack itself (easier on XP than on Vista/Win7 but still possible), any networked game developer could set up the computer to transparently handle commands hidden within the bitstream coming from the game server.

Not many people do that anymore since the OS and utilities you mention are such easy targets, but the basic hardware, microcode, and core OS (like network stack) exploits are still there, and a few people still know how to use them.  Some of those people work for my employer, and only an a5signment to pilot training instead of computer geek school kept my career from going down that path  :devil :angel:
« Last Edit: September 23, 2010, 08:46:25 PM by eagl »
Everyone I know, goes away, in the end.

Offline eagl

  • Platinum Member
  • ******
  • Posts: 6769
Re: Aces Highest Interruptus
« Reply #10 on: September 23, 2010, 08:45:09 PM »
Sheesh, "a5signment" is filtered as sweetiegnment
Everyone I know, goes away, in the end.