This blog is by no means the first or last place to look for malware alerts. This is where I post about the malware I have seen, or the really big infections. I would not have enough time to list them all, so this is my experience and hopefully you have found this page because you have found something similar and need some help with it.
My best source of information about websites to avoid and what malvertisements are out there is Sandi's blog. Sandi Hardmeier is also a Microsoft MVP (in Internet Explorer) and has her own blog at SpywareSucks (www.msmvps.com/spywaresucks).
Some of her posts cover some of the more recent nasties that infect Mac machines (June 24 2008) and also SQL injections. It is also interesting to see the malware she has found on Disney websites (June 12 2008) and other sites you would normally trust.
I have a client who had suspected that they had a virus for some time. They did not deem it important to let me know. When they logged into their PC, after everything had settled and finished loading, Explorer would crash and want to send information off to Microsoft. From that point onwards, popup ads would start appearing. I ran HijackThis, RootkitRevealer, Trend Micro Sysclean, Spybot 1.6 (with rootkit plugin) and Malwarebytes. Nothing found the cause of the popup ads. I manually checked through the running processes and DLL files with Process Explorer. There were no clues. On reboot, I happened to start up Task Manager and watch processes as they loaded. There was this "_qbotinj.exe" file starting up. Nothing I ran could find it on the hard disk. It seems to be a rootkit of some kind. I found information regarding this; it is a virus and easily removed using Prevx. In this case, Prevx CSI could not find it. I looked in C:\Documents and Settings\All Users\_qbothome\ as suggested in various documentation; the path did not exist. Then I ran RegRun Reanimator and it found it but could not remove it. It did stop it running. When the rootkit was removed from memory I could see the C:\Documents and Settings\All Users\_qbothome\ folder, and renamed _qbotinj.exe to _qbotinj.old and created a folder called "_qbotinj.exe".

As it turns out, on reboot, something tried to place the file _qbotinj.exe back into the file system but could not, as I had a folder there by the same name. Then I saw all the text log files. All websites, Internet Explorer autocomplete, passwords, usernames and Visa/banking details had been captured through keylogging and placed into this log file. Not nice. When you see popups ... tell someone. Get it checked.
A while back, a virus hijacked the registry key that Windows uses to launch every .exe file:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
(default) = %system%\drivers\spools.exe "%1" %*

With that value in place, every program you start is run through spools.exe first, with the real program passed as its argument. When you clean the virus off the system, the file is gone but the key still points at it, so you still cannot run executables. Open the key in Regedit and change it back to

(default) = "%1" %*

and everything should now work as normal.
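The check below is an added example, not a script from this blog: it reads the exefile open handler the post describes, reports anything other than the stock value, and with -Fix writes the stock value back. It also looks at the per-user copy of the key under HKEY_CURRENT_USER\Software\Classes, because HKEY_CLASSES_ROOT is a merged view in which the per-user key overrides the machine-wide one; that key does not normally exist, so its presence is itself worth noting. The assumption that "%1" %* is the only legitimate value holds on stock Windows. If double-clicking .exe files is already broken, start it from an existing cmd window (cmd runs programs typed at its prompt by path, not through the exefile association):

```powershell
# Added example (not the blog's own code): audit and repair the exefile "open"
# handler. Run elevated, e.g. from an open cmd window:
#   powershell -ExecutionPolicy Bypass -File .\Test-ExeFileHandler.ps1
# Assumption: '"%1" %*' is the only legitimate handler value (stock Windows).

$StockHandler = '"%1" %*'

# HKCR merges HKCU\Software\Classes over HKLM\SOFTWARE\Classes, so a clean
# HKLM value alone does not prove the fix; the HKCU key normally does not exist.
$HandlerKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)

function Test-ExeFileHandler {
    [CmdletBinding()]
    param([switch]$Fix)

    foreach ($Key in $HandlerKeys) {
        if (-not (Test-Path -LiteralPath $Key)) {
            Write-Verbose "$Key not present (normal for the HKCU copy)"
            continue
        }
        if ($Key -like 'Registry::HKEY_CURRENT_USER*') {
            Write-Output "NOTE    per-user exefile override exists: $Key"
        }
        # The key's default value is exposed as the '(default)' property.
        $Current = (Get-ItemProperty -LiteralPath $Key).'(default)'
        if ($Current -eq $StockHandler) {
            Write-Output "OK      $Key"
            continue
        }
        # Anything else (e.g. %system%\drivers\spools.exe "%1" %*) means every
        # .exe launch is routed through that program first.
        Write-Output "HIJACK  $Key"
        Write-Output "        current: $Current"
        if ($Fix) {
            Set-ItemProperty -LiteralPath $Key -Name '(default)' -Value $StockHandler
            Write-Output "        restored to $StockHandler"
        }
    }
}

# Report only first; add -Fix once you have seen what is there.
Test-ExeFileHandler -Verbose
```

Run it without -Fix first so the hijacked value is recorded before it is overwritten; the program it names is the file to hunt for and submit to your AV vendor.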
Reader be aware!!
In case of infection, break glass
A series of emails used to spread the Agent.JEN Trojan has appeared. The messages purport to come from the package delivery company UPS.
I have had several clients infected with this malware and it is very nasty. I have a workaround to remove the malware; however, running the latest antivirus and antivirus patterns is the best solution (and not double-clicking strange attachments from people you do not know). One of the side effects of this malware is that Spybot and HijackThis will not work. You can double-click them but they do not start. If this is a networked PC, my solution is to have the user log off. This releases various executables from memory and leaves the PC ready to be logged on to. From another PC with local Administrator rights over the infected PC, I connect remotely (using \\workstationname\c$) and then proceed to replace and remove certain files. I extract an original file, userinit.ex_, from i386 in the Windows installer files. I locate C:\Windows\buritos.exe and delete it, creating a folder called C:\Windows\buritos.exe.
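The script below is an added example, not the blog's own procedure, of doing that cleanup over the admin share from the second PC once the user has logged off. It expands userinit.ex_ from an i386 folder, compares it with the workstation's copy before replacing it, deletes the dropper and leaves a directory of the same name in its place (the same trick used against _qbotinj.exe earlier on this page), and then reads Winlogon's Userinit value as a final check. Assumptions not stated on the page: the replacement goes to C:\Windows\System32\userinit.exe (where Windows keeps it), the i386 folder path and workstation name are supplied as parameters, PowerShell 4 or later is available for Get-FileHash, and the Remote Registry service is running for the optional last step (it is skipped with a warning otherwise).

```powershell
# Added example (not the blog's own script): remote cleanup over \\ws\c$ after
# the user has logged off. Assumptions: userinit.exe lives in System32 on the
# target; -I386Path points at a copy of the install media's i386 folder;
# the dropper name buritos.exe is taken from the post and may differ.

function Invoke-AdminShareCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Workstation,
        [Parameter(Mandatory)][string]$I386Path,     # e.g. D:\i386
        [string]$DropperName = 'buritos.exe'
    )

    $WinDir   = "\\$Workstation\c$\Windows"
    $System32 = Join-Path $WinDir 'System32'
    if (-not (Test-Path -LiteralPath $WinDir)) {
        throw "Cannot reach $WinDir; you need local Administrator rights over $Workstation"
    }

    # 1. Expand the compressed original with expand.exe (ships with Windows)
    #    and compare it with what the workstation is actually running.
    $Staged = Join-Path $env:TEMP "userinit.$Workstation.exe"
    & "$env:SystemRoot\System32\expand.exe" (Join-Path $I386Path 'userinit.ex_') $Staged | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'expand.exe failed on userinit.ex_' }

    $Target = Join-Path $System32 'userinit.exe'
    $Good   = (Get-FileHash -LiteralPath $Staged -Algorithm SHA256).Hash
    $Seen   = if (Test-Path -LiteralPath $Target) {
                  (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
              } else { '<missing>' }
    if ($Seen -ne $Good) {
        Write-Output "userinit.exe differs from the i386 original (on target: $Seen)"
        if ($PSCmdlet.ShouldProcess($Target, 'replace with original from i386')) {
            Copy-Item -LiteralPath $Staged -Destination $Target -Force
        }
    } else {
        Write-Output 'userinit.exe already matches the i386 original'
    }

    # 2. Delete the dropper, then leave a directory of the same name in its
    #    place so a re-drop on the next boot fails with "file exists".
    $Dropper = Join-Path $WinDir $DropperName
    if (Test-Path -LiteralPath $Dropper -PathType Leaf) {
        if ($PSCmdlet.ShouldProcess($Dropper, 'delete dropper')) {
            Remove-Item -LiteralPath $Dropper -Force
        }
    }
    if (-not (Test-Path -LiteralPath $Dropper)) {
        if ($PSCmdlet.ShouldProcess($Dropper, 'create placeholder directory')) {
            New-Item -ItemType Directory -Path $Dropper | Out-Null
        }
    }

    # 3. Optional check: Winlogon runs whatever Userinit names at logon, so a
    #    clean binary is only half the story if this value was redirected.
    try {
        $Hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Workstation)
        $Key  = $Hive.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
        $Userinit = $Key.GetValue('Userinit')
        Write-Output "Winlogon Userinit = $Userinit"
        if ($Userinit -notmatch '^C:\\Windows\\System32\\userinit\.exe,?$') {
            Write-Warning 'Userinit does not point at the stock path; inspect it before the user logs back on'
        }
    } catch {
        Write-Warning "Remote Registry not available on $Workstation ($($_.Exception.Message))"
    }
}

# Dry run first; drop -WhatIf to make the changes.
Invoke-AdminShareCleanup -Workstation WS01 -I386Path D:\i386 -WhatIf
```

The -WhatIf pass prints each file it would replace, delete or create without touching the workstation, which is worth doing once before the real run on a machine you cannot easily rebuild.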
Some infections also produce
28 June 2008 - Mickyj.com
On the 16th we had Wayne Small (MVP) in town to talk about SBS 2008, WooHoo!
www.cc1888.cn (serving ttt.txt)
count41.51yes.com
down.cry8.com (serving lmfile.gif)
wowgmcs1.3322.org
Onto Susan's findings with the MVP blog server (SQL injection target).
There is no such Microsoft program or service! In Susan's words: In getting ready for the upgrade to CS 2008 I was trying to make some special backups... that wouldn't work. Well, in digging into the matter more, that 'service' that is missing some files, which is causing the peer-to-peer backups between Brianna and Yoda to fail, isn't a real service at all.
June 12 2008
Sandi joins TRUSTe.
Well done Sandi, you deserve everything that comes your way for your tireless efforts in keeping malware at bay.
June 12, 2008 (San Francisco, CA) - TRUSTe, the recognized authority on privacy best practices on the Internet, today announced Sandi Hardmeier will join TRUSTe as an Online Compliance Researcher. Ms. Hardmeier is a recognized and widely sought after industry expert in the field of malware and malvertising and their impact on consumer privacy and security. She will play a key role in TRUSTe's development of improved network monitoring strategies while providing customers with expert insight and recommendations to combat existing and emerging Web threats such as spyware, computer viruses, and other types of malware.

"Sandi has been studying malware since 2000, and has watched its metamorphosis from simplistic, easy to remove adware into the sophisticated crime-motivated products we see today," said Fran Maier, executive director of TRUSTe. "Sandi will help us build our expertise in the important intersection between online trust, privacy and security."

Sandi has been a Microsoft Most Valued Professional (MVP) since 1999, specializing in Internet Explorer and Internet Security as it pertains to business and consumers. She also has an array of published work and is the author of www.msmvps.com/spywaresucks (a Web site dedicated to teaching Internet users about the latest risks to their online safety and how to stay safe when surfing the Web); www.ie-vista.com (dedicated to providing technical support to users of IE7 and IE8); and http://inetexplorer.mvps.org (dedicated to providing technical support to users of IE6 and earlier).