abominable fricke posted:It wouldn't surprise me if this is news to him. I still want to make one of those calls one day and speak to someone who dissolves into maniacal cackling that just goes on and on until I hang up the phone. I think it's how we all secretly wish those calls would go anyway.
# ? Jan 13, 2009 18:32 |
abominable fricke posted:It wouldn't surprise me if this is news to him.
# ? Jan 13, 2009 18:45 |
A few days ago I posted about malware posing as signed Microsoft drivers - we got another one in today, and it's with an AntiVirus 2009 variant - this one also redirects Google.com to a hacked DNS site that still says Google.com, but pops up something along the lines of YOUR SOFTWARE IS OUT OF DATE, UPDATE IT HERE! with a bunch of other nasties. I'll try to get the infection name, may edit this post in a few hours.
# ? Jan 13, 2009 19:11 |
FYI Conficker clean up guide from here at Sophos:

Cleanup Procedures

- Prevent re-infection by downloading and installing the Windows security update for this vulnerability from http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
- When looking to see if the patch is installed, go into Add\Remove Programs and look for KB958644 (ensure that the 'show updates' box at the top is ticked)

The Exploit Edition

In most cases, this is how the virus gets on the network in the first place. The virus takes advantage of the MS exploit. It creates a file within the Windows\System32 folder. Key things to note:
- A dll file is created within the System32 folder - e.g. C:\Windows\System32\amcophji.dll
- A service is created to run the dll file
- It runs as a handle within one of the svchost.exe processes - normally the same one running Netsvcs
- A JPG or PNG is dropped on the machine within the Temp Internet Files
- This can be easily stopped from spreading by applying the patch and cleaning the machine

The File and Print Sharing Edition

Once on the network the virus can spread using the exploit (above) or by accessing the file and admin shares on the network. When it infects a machine it will create a file with a random name and a random extension within the System32 folder. A scheduled task (running as SYSTEM) will execute this file using rundll32.exe. You can prevent the creation of new scheduled tasks via a group policy using the following article: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/92819.mspx?mfr=true
Key things to note:
- A dll file is created with a random extension and name within the System32 folder - e.g. C:\Windows\System32\zdtnx.g
- A scheduled task(s) is created to run the above randomly named file using rundll32.exe
- The task(s) is called AT*.job where * is a sequential number
- It will be running within a rundll32.exe process
- There will be one rundll32.exe process running for every scheduled task that has been created
- To stop this from spreading, file and print sharing will need to be disabled until all machines have been fully cleaned

This virus will also spread via USB drives and other removable devices; please ensure that they are scanned and cleaned before using them again.
# ? Jan 13, 2009 19:22 |
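The Sophos notes above list host-side indicators (the KB958644 patch, AT*.job tasks running rundll32.exe, a DLL loaded by the netsvcs svchost group, and service registry keys with their permissions stripped). This is an added, read-only triage script that checks those indicators on a Windows host; it is not code from the thread or from Sophos, and it assumes an elevated PowerShell session. It only reports, so unsigned DLLs it lists need a human look before anything is deleted.

```powershell
# Added example: read-only triage for the Conficker indicators listed in the
# Sophos cleanup notes. Assumes an elevated PowerShell session on the host.
# Registry paths and cmdlets are standard Windows ones; no sample-specific
# file names are hard-coded, since the worm's names are randomised per host.

$findings = @()

# 1. Is the MS08-067 patch (KB958644) installed? Get-HotFix returns nothing
#    (and a suppressed error) when the id is absent.
if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
    $findings += 'KB958644 (MS08-067) not found in installed hotfixes'
}

# 2. Scheduled tasks named AT*.job that run rundll32.exe (the file-and-print
#    sharing variant). On XP/2003 the .job files live in %windir%\Tasks.
$taskDir = Join-Path $env:windir 'Tasks'
Get-ChildItem -Path $taskDir -Filter 'AT*.job' -ErrorAction SilentlyContinue |
    ForEach-Object {
        # .job files are binary, but the command line inside is UTF-16 text,
        # so decoding the whole file as Unicode is enough for a loose match.
        $raw  = [System.IO.File]::ReadAllBytes($_.FullName)
        $text = [System.Text.Encoding]::Unicode.GetString($raw)
        if ($text -match 'rundll32') {
            $findings += "Scheduled task $($_.Name) invokes rundll32.exe"
        }
    }

# 3. The notes say one rundll32.exe process runs per AT*.job task.
$rundll = @(Get-Process -Name rundll32 -ErrorAction SilentlyContinue)
if ($rundll.Count -gt 0) {
    $findings += "$($rundll.Count) rundll32.exe process(es) running"
}

# 4. Services hosted in the netsvcs svchost group: resolve each ServiceDll and
#    flag DLLs under System32 without a valid Authenticode signature. A denied
#    read of the Parameters key is itself an indicator (the worm strips ACLs).
#    Get-WmiObject is used rather than Get-CimInstance for PowerShell 2.0 hosts.
$svcs = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe\s+-k\s+netsvcs' }
foreach ($svc in $svcs) {
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    try {
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction Stop).ServiceDll
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        $findings += "Access denied reading $paramKey (check the key's ACL)"
        continue
    } catch {
        continue   # no Parameters key: nothing to resolve for this service
    }
    if (-not $dll) { continue }
    $dllPath = [Environment]::ExpandEnvironmentVariables($dll)
    if ((Test-Path $dllPath) -and ($dllPath -like "$env:windir\System32\*")) {
        # Catalog-signed Microsoft DLLs can show as NotSigned on older systems,
        # so treat this list as "review these", not as a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $dllPath
        if ($sig.Status -ne 'Valid') {
            $findings += "netsvcs service '$($svc.Name)' loads unsigned DLL $dllPath"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Conficker-style indicators found (this does not prove the host is clean).'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```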
Just received an email with this text:quote:IKEA has a Fantastic new FREE tool for home decorating. Attached is ikea.zip which decompresses to ikea.exe which NOD32 detects as "probably a variant of Win32/Injector.AO" - too bad, I was excited about the ikea planning software. anotherone fucked around with this message at 19:53 on Jan 13, 2009
# ? Jan 13, 2009 19:51 |
anotherone posted:too bad, I was excited about the ikea planning software. http://www.ikea.com/ms/en_US/rooms_ideas/splashplanners.html
# ? Jan 13, 2009 20:19 |
Doc Faustus posted:http://www.ikea.com/ms/en_US/rooms_ideas/splashplanners.html Sweet! I'm gonna put some cabinets in my cubicle.
# ? Jan 13, 2009 20:32 |
I think my favorite infection I've cleaned up so far at work isn't anything fancy, but it's one of those things that I think encourages people to just give up and let IT do everything for them. What do we do with potentially hazardous, unexpected emails? We delete them. What do we do with email from stupid mailing lists that we accidentally subscribed to at some point in the past? We click the little link that says "Click here to unsubscribe from future mailings". What do some users, who might not be able to tell a Russian-made gibberish email from a legitimate newsletter about something they don't understand, do to make it go away? Click the "Click here to unsubscribe from future mailings" button, directing them to the same infected site that the other links go to. It's funny, until you start trying to come up with an enterprise-wide solution to avoid it. Once it's in your Inbox the built-in junk mail options are mostly useless when it's coming from random addresses or botnets, and the subject lines usually mutate just enough to make subject-based filtering aggravating at best.
# ? Jan 13, 2009 22:19 |
Well, I don't have any stories about cutting edge viruses, but many years ago I had to clean out a boot-sector memory-resident MS-DOS virus on a friend's machine, with no access to clean boot floppies. Attempts at removing the virus from the hard disk boot sector using antivirus tools or fdisk /mbr failed, as the (memory-resident) virus would immediately reinfect the drive. Trying to create a bootable floppy disk with "SYS A:" didn't immediately work either, as the virus would write its code onto the floppy just as the sys command finished up. But I noticed that "SYS A:" caused two audible floppy drive seek sounds. I guessed that the first sound was the legit boot sector being written by "SYS", and the second sound would be the virus infecting the drive. So I did another take at "SYS A:", and by listening carefully and timing things correctly, I forcibly hit the eject button between the writes, pulling the floppy out of the drive as the virus was just about to infect it again. Pushed over the write protect tab and rebooted from floppy - virus gone!
# ? Jan 14, 2009 00:47 |
CeciPipePasPipe posted:But I noticed that "SYS A:" caused two audible floppy drive seek sounds. I guessed that the first sound was the legit boot sector being written by "SYS", and the second sound would be the virus infecting the drive. So I did another take at "SYS A:", and by listening carefully and timing things correctly, I forcibly hit the eject button between the writes, pulling the floppy out of the drive as the virus was just about to infect it again. Pushed over the write protect tab and rebooted from floppy - virus gone! These moments always make me happy, but then I realize that I can't share the moment with anyone since they wouldn't understand just how clever it was, which is a downer. Well, a pat on the back for you.
# ? Jan 14, 2009 17:41 |
After fighting vundo for hours I finally managed to remove it, but now Windows won't let me configure my wireless network adapter. Has anyone encountered this after a vundo removal, and is there a utility to rebuild the networking? A non-flatten Windows reinstall doesn't work.
# ? Jan 14, 2009 18:48 |
RivensBitch posted:After fighting vundo for hours I finally managed to remove it, but now Windows won't let me configure my wireless network adapter. Has anyone encountered this after a vundo removal, and is there a utility to rebuild the networking? A non-flatten Windows reinstall doesn't work. What shows up in the network connections control panel? If nothing shows up you might have a broken COM+ on your hands.
# ? Jan 15, 2009 00:59 |
RivensBitch posted:After fighting vundo for hours I finally managed to remove it, but now Windows won't let me configure my wireless network adapter. Has anyone encountered this after a vundo removal, and is there a utility to rebuild the networking? A non-flatten Windows reinstall doesn't work. Sounds like it could be a problem with the LSP (Layered Service Provider) chain. Often removing malware improperly can leave the chain broken. I'm sure there are lots of free tools around to fix it but I don't know of any offhand.
# ? Jan 15, 2009 01:03 |
Anybody notice that after cleaning a hosed up XP machine msconfig is gone? Do some of these viruses/malware delete msconfig?
# ? Jan 15, 2009 02:05 |
Capnbigboobies posted:The problem with Teatimer is that if we install it on all the computers we are constantly fixing, the users would just mash accept or even worse delete a benign process/program/registry key. True. In an environment where no one knows what they are doing I would just use DeepFreeze with their desktop linked to network drive being the thaw space.
# ? Jan 15, 2009 02:28 |
darkforce898 posted:True. In an environment where no one knows what they are doing I would just use DeepFreeze with their desktop linked to network drive being the thaw space. After fixing a few computers over and over for the same poo poo I have considered installing DeepFreeze or MS SteadyState.
# ? Jan 15, 2009 02:34 |
The Register posted:A prolific new worm has spread to infect more than 3.5m Windows PCs, according to net security firm F-secure. The success of the Conficker (AKA Downadup) worm is explained by its use of multiple attack vectors and new social engineering ruses, designed to hoodwink the unwary into getting infected. And you thought Storm was bad. At least this time around Microsoft is on top of it and the January MSRT will take out most versions of Conficker. The lesson today, as loving always? Update update update.
# ? Jan 15, 2009 15:21 |
I didn't read the beginning of this thread, but the reason I brought up TeaTimer was because I got hit with that PDF exploit. I managed to stop it with TeaTimer, but it unnerved me enough to go check this out to see what was going on.
# ? Jan 15, 2009 16:08 |
Midelne posted:At least this time around Microsoft is on top of it and the January MSRT will take out most versions of Conficker. The lesson today, as loving always? Update update update.
# ? Jan 15, 2009 16:28 |
Symantec log entry:

260B0C0B1916,51,1,2,XX-XXX-XXX,X.XXXXXXXX,Trojan.Vundo,C:\Documents and Settings\X.XXXXXXXX\Local Settings\Temp\__72.tmp,5,1,19,256,37748804,"",0,,0,101 {2B95CA3A-CD4C-4840-AD74-A276289466D1} 11 3 Trojan.Vundo 1;0 0 0 ,135528452,28544,0,0,0,,,0,,0,0,1,0,XXXXX,{872CB071-7F57-4FF8-98BD-E1B1E5278705},Workstations,(IP)-172.22.2.62,,XXXXXXXXX,00:19:D1:5E:39:0C,10.1.4.4000,,,,,,,,,,,,,,,,999,,3736c986-b4b9-43b8-89b7-50423a4cb452,135528452,XXXXXXXXX

Time for a reinstall of a corporate machine!
# ? Jan 15, 2009 17:23 |
brc64 posted:Wait, you mean the MSRT actually does something? I see it in Windows Update every month, but I've never seen it actually do anything, nor is it obvious how to even use it. It's basically a one-time scan for Blaster, Sasser, Mydoom, and some other worms. You don't "use" it, it just runs every month when it installs. I usually skip it on my personal machine, but I suppose it's nice to have it there.
# ? Jan 15, 2009 20:47 |
RivensBitch posted:After fighting vundo for hours I finally managed to remove it, but now windows wont let me configure my wireless network adapter. Has anyone encountered this after a vundo removal, and is there a utility to rebuild the networking? A non-flatten windows reinstall doesn't work. My general rule of thumb with Vundo is to put the user's files into a quarantine, zero the drive, and reinstall Windows while scanning the files. Trying to clean it out completely isn't worth the time and effort. Also, is it me, or does Vundo just kick the everloving poo poo out of Symantec? It was a problem for my company until we switched from SAV to Trend. It could just be coincidence, though.
# ? Jan 15, 2009 20:49 |
GreenFuz posted:My general rule of thumb with Vundo is to put the user's files into a quarantine, zero the drive, and reinstall Windows while scanning the files. Trying to clean it out completely isn't worth the time and effort. It's funny you should mention that. My boss just logged into the machine in our office that sits across from mine. Trend Micro popped up red flagging DLL files in Windows\System32 as being Vundo. No idea how the gently caress it got there and why it found it today. Nasty poo poo, too. It won't let me boot into safe mode, stop it in msconfig, terminate processes, etc. Right now I put scanners on a jump drive and loaded them up on the infected machine (also unplugged its network connection).
# ? Jan 15, 2009 21:31 |
brc64 posted:Wait, you mean the MSRT actually does something? I see it in Windows Update every month, but I've never seen it actually do anything, nor is it obvious how to even use it. I figure that realistically the way it works is that it attempts to specifically hunt down and destroy the worms that either really made Microsoft look bad or have the potential to really make them look bad in the future when the screaming newspaper headlines come out. The worms it's known for hitting (Blaster, Slammer, etc) have been the big-headlines cases that just plain look bad. Conficker appears to have the capacity to be one of those embarrassments, even if at this point it's probably 90% the fault of whoever didn't patch the machines if there's a new infection. The thing is smart, ugly, and fairly well-constructed but Microsoft jumped on the vulnerability with both feet. Guess we'll see in the long run who wins out. If the volume of spam triples we'll have our answer. (ed: So yeah, it works. I dump it in the update queue just for peace of mind even though the vulnerabilities that allow the worms it's usually intended to address were patched ages ago.) (re-edit: Crosspost from Vista thread RE: Conficker's autorun prompt. I think I love this thing. Midelne fucked around with this message at 22:33 on Jan 15, 2009
# ? Jan 15, 2009 21:49 |
GREAT BOOK OF DICK posted:It's funny you should mention that. My boss just logged into the machine in our office that sits across from mine. Trend Micro popped up red flagging DLL files in Windows\System32 as being Vundo. No idea how the gently caress it got there and why it found it today. Nasty poo poo, too. It won't let me boot into safe mode, stop it in msconfig, terminate processes, etc. Right now I put scanners on a jump drive and loaded them up on the infected machine (also unplugged its network connection). Hilariously, a short time after I typed that, I got a nice little notification from our Officescan server: quote:Date/Time: 1/15/2009 12:58:32 "No action required" = No cleaning done. Yeah, I think I'll stop using Active Action and start nuking everything on sight. So now I'm having fun with UBCDWin, scanning merrily away so I can grab files, maybe do some forensics, and then some hot hot flattening action. edit: weirdly, the logs say that cleaning WAS done, but just to the registry. I doubt that it was limited to that. GreenFuz fucked around with this message at 00:28 on Jan 16, 2009
# ? Jan 16, 2009 00:20 |
Midelne posted:And you thought Storm was bad. At least this time around Microsoft is on top of it and the January MSRT will take out most versions of Conficker. The lesson today, as loving always? Update update update. The way Conficker works now it seems the actual exploit it uses is pretty much interchangeable with any other. The group could keep updating it to use whatever the newest big Windows exploit is. The way it's really nasty is in how it does everything else. The autorun.inf file is better obfuscated than anything seen before; usually you see a worm start using pretty simple autorun.inf files and gradually add more obfuscation over time as they become detected by AV software. Conficker starts off with something that's probably impossible for a lot of products to viably detect (not that they can't, but that they would have to look so deep into the file it would slow scans of clean files down too much). The way it names its files means that the worm DLL on any one computer will always use the same pseudorandom name. Doesn't seem important (and could just have been implemented to prevent multiple infections of the same machine) until you realise that means that any registry keys or scheduled tasks left lying around after the file is deleted will cause it to run again as soon as the file reappears... which happens all the loving time since other infected computers are copying the file back over Windows file sharing. Oh and it removes all permissions on its service registry keys which breaks most registry tools, forcing the user to add permissions back again just in order to see the worm's service entries. The deterministically generated domain name poo poo has been done before but it's still pretty smart. BillWh0re fucked around with this message at 01:16 on Jan 16, 2009
# ? Jan 16, 2009 01:07 |
BillWh0re posted:The way Conficker works now it seem the actual exploit it uses is pretty much interchangeable with any other. The group could keep updating it to use whatever the newest big Windows exploit is. The way it's really nasty is in how it does everything else. I don't know why I have such a huge hard-on for the subsurface malware details lately but this is awesome.
# ? Jan 16, 2009 01:16 |
GreenFuz posted:Hilariously, a short time after I typed that, I got a nice little notification from our Officescan server: I used all of the programs I could possibly think of to clean the machine, but I still think there's something on there. The end task window appearing prompting me to shutdown cmd.exe upon logging out of an administrative account is a good hint. I'll just have to re-image the machine via the WDS server. Sucks I have to do it because this particular machine has a lot of AD, SMS, etc. utilities installed on it. I think this infection pissed my boss off so much, he called TrendMicro and cancelled our licensing. Looks like we're switching to Kaspersky! What I found interesting was a scan with SUPERAntiSpyware flagged a .gif image as being an infection and that image was in the profile of a former co-worker. If that's how Vundo actually got there in the first place color me impressed. GREAT BOOK OF DICK fucked around with this message at 04:23 on Jan 16, 2009
# ? Jan 16, 2009 04:20 |
GREAT BOOK OF DICK posted:I think this infection pissed my boss off so much, he called TrendMicro and cancelled our licensing. Looks like we're switching to Kaspersky!
# ? Jan 16, 2009 04:34 |
This thread has been really helpful to someone with only a little knowledge as to how to get rid of viruses and malware. Are a lot of viruses these days infecting thumbdrives? How do you keep your removal kit from getting infected as well?
# ? Jan 16, 2009 05:35 |
AVG Free just popped something up about wdmaud.sys being a Trojan.RootKit.CQ or something like that. I tried removing it, and it seems to have gotten the one wdmaud.sys, but it says it cannot find the specified file. It appeared that there were three. Anyone heard of this?
# ? Jan 16, 2009 05:37 |
GREAT BOOK OF DICK posted:I used all of the programs I could possibly think of to clean the machine, but I still think there's something on there. The end task window appearing prompting me to shutdown cmd.exe upon logging out of an administrative account is a good hint. I'll just have to re-image the machine via the WDS server. Sucks I have to do it because this particular machine has a lot of AD, SMS, etc. utilities installed on it. I think this infection pissed my boss off so much, he called TrendMicro and cancelled our licensing. Looks like we're switching to Kaspersky! Yeah, I'm really disappointed with Trend after this one. It completely missed all but one Vundo file. Avira caught a few instances of what I think was Vundo (it called it XPACK.gen), while also finding some evidence of Seneka. Superantispyware found more Vundo and Seneka, and something else called Prun. Malwarebytes found yet more Vundo & Seneka, and found another instance of Prun. And even after that I had to nuke some poo poo from the startup items list using ccleaner. The system is probably still filthy, so I'm just gonna nuke it and restore the user's filez from backup. Still, I'm just flabbergasted at the egg Trend laid.
# ? Jan 16, 2009 06:08 |
TheDemon posted:This thread has been really helpful to someone with only a little knowledge as to how to get rid of viruses and malware. Are a lot of viruses these days infecting thumbdrives? How do you keep your removal kit from getting infected as well? You could always get one of those USB to SD adapters, and then set the SD card to read only.
# ? Jan 16, 2009 07:01 |
Don't know if you guys saw this, but here's an interview with an adware coder: http://philosecurity.org/2009/01/12/interview-with-an-adware-author Some of the stuff he did is pretty clever, like the undeletable registry keys.
# ? Jan 16, 2009 10:11 |
Conficker Update: FSecure puts Conficker/Downadup at approximately 9 million infected, estimated 6.5 million new infections in the past four days. My boss's update from when it was 3 million: "3 million isn't that many. I bet there's more computers than that in Tacoma right now." (Pop: 196,000) edit: Here's a Happy Thought posted:The other mystery surrounding Downadup is the intentions of the people building the botnet. In early December, Royal's team at Damballa observed it interacting with a domain name that has strong ties to rogue anti-virus programs, which rake in big money installing malware that's disguised as legitimate security software. Midelne fucked around with this message at 00:14 on Jan 17, 2009
# ? Jan 17, 2009 00:11 |
Ugh, my wife got her PC infected last night while looking for sheet music. A security center warning pops up that looks like a legitimate windows protection warning, saying that she is infected with win32.zafi.b, along with a button to "activate protection", which links to http://defender-review.com/[some string of characters]. It's obviously a BS error that routes you to a product that will no doubt install more problems on your PC if you're dumb enough to buy it. NOD32 didn't find anything, but it did throw a ton of "locked file" errors. I'm scanning with Malwarebytes now and doing some research on it while I wait for results.
# ? Jan 18, 2009 17:50 |
All right, I think I may have messed up. I had a large PDF document to print for my job today, so I put it on my USB flash drive and took it to a local print shop. I scanned the drive the day before with AVG to make sure that it was clean. I plugged the flash drive into my computer at work after coming from the print shop, and OfficeScan quarantines an autorun.inf virus (some variant of Otorun). When I get home, I scan the drive again with AVG, and AVG quarantines two more virii (AutoRun.EQ and Heur). I'm pretty sure that these virii came from the print shop. OfficeScan picked up the one virus, but there was no notice about the other two. I'm not in the company's IT department, and I don't have the privileges on the machine at work to run a scan on my own. There's a few scenarios racing through my mind right now:
Are virii exploiting the Windows Autorun feature only malicious if the file is allowed to run? Do these virii still execute if "Take No Action" is selected?
# ? Feb 5, 2009 07:29 |
1. No one program will catch everything. 2. The viruses came from the print shop. They most likely have no antivirus programs on their machines, and some other person brought in an infected flash drive, and infected the computer, then your drive. 3. The one at your office probably only caught the autorun one because the other wasn't being accessed. If you have another copy at home or somewhere else, just wipe the flash drive clean.
# ? Feb 5, 2009 07:36 |
fygar posted:All right, I think I may have messed up. I had a large PDF document to print for my job today, so I put it on my USB flash drive and took it to a local print shop. I scanned the drive the day before with AVG to make sure that it was clean. I plugged the flash drive into my computer at work after coming from the print shop, and OfficeScan quarantines an autorun.inf virus (some variant of Otorun). When I get home, I scan the drive again with AVG, and AVG quarantines two more virii (AutoRun.EQ and Heur). I'm pretty sure that these virii came from the print shop. OfficeScan picked up the one virus, but there was no notice about the other two. I'm not in the company's IT department, and I don't have the privileges on the machine at work to run a scan on my own. There are probably only two malicious files here, but AVG and Trend use different names for one of the components. Generally Otorun and Autorun refer to the same kinds of malware though that could be either the autorun.inf file itself or the executable it references. There may be another reason Officescan only picked up one of the files -- did it perform a full scan of the disk, or just a quick on-access scan when you plugged it in? A likely explanation is that Windows tried to load the autorun.inf when you plugged the drive in, causing Officescan to scan and report (and block) it, and the second file was never scanned since you don't have permission to scan the whole drive and Windows never tried to load it since the autorun.inf that points to it was blocked. Then when you got home you scanned the whole drive with AVG and got both of them.
# ? Feb 5, 2009 11:19 |
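Two posts above turn on the same file: the Conficker post describes an autorun.inf padded with junk that the Windows INI reader simply skips, and the reply just above explains that the autorun.inf is what Windows tries to load when a drive is plugged in. The added script below (not code from the thread) parses an autorun.inf the same tolerant way Windows does, reports which directives would actually cause something to run, and checks whether this host's NoDriveTypeAutoRun policy would honour the file at all. The sample file at the bottom is constructed; the file names in it are placeholders, not a real worm's.

```powershell
# Added example: defender-side inspection of an autorun.inf plus a check of
# the AutoRun policy. Not code from the thread; the sample is constructed.

function Get-AutorunDirectives {
    param([string]$Content)
    # Windows treats autorun.inf as an INI file: it looks for the [autorun]
    # section and ignores lines it cannot parse. Junk lines therefore do not
    # break the loader, but a pile of them is a strong sign of obfuscation.
    $inSection  = $false
    $junk       = 0
    $directives = @{}
    foreach ($line in ($Content -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^([A-Za-z\\]+)\s*=\s*(.*)$') {
            $directives[$Matches[1].ToLower()] = $Matches[2]
        } else {
            $junk++
        }
    }
    [pscustomobject]@{ Directives = $directives; JunkLines = $junk }
}

function Test-AutorunRisk {
    param([string]$Content)
    $parsed = Get-AutorunDirectives -Content $Content
    $d = $parsed.Directives
    $flags = @()
    # Keys that run code: open=, shellexecute=, and shell\<verb>\command=.
    foreach ($k in $d.Keys) {
        if ((@('open', 'shellexecute') -contains $k) -or ($k -like 'shell\*\command')) {
            $flags += "executes: $k = $($d[$k])"
        }
    }
    # An action= that mimics "Open folder to view files" is the usual trick to
    # get a user to pick the worm's entry in the AutoPlay dialog.
    if ($d.ContainsKey('action') -and $d['action'] -match 'folder') {
        $flags += "action masquerades as folder view: $($d['action'])"
    }
    if ($parsed.JunkLines -gt 3) {
        $flags += "$($parsed.JunkLines) unparsable lines inside [autorun] (obfuscation)"
    }
    $flags
}

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables AutoRun
    # for every type. A machine policy (HKLM) takes precedence over HKCU.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            return [pscustomobject]@{ Hive = $hive; Value = $v; AllDisabled = (($v -band 0xFF) -eq 0xFF) }
        }
    }
    [pscustomobject]@{ Hive = 'none'; Value = $null; AllDisabled = $false }
}

# Constructed sample: filler before and inside the section, real directives
# mixed in. File names are placeholders.
$sample = @'
;@#$%^&*()_+ filler that the INI reader skips
[autorun]
xk9q!!~~ more filler between real directives
open=RECYCLER\CONSTRUCTED-SID\constructed_sample.dll,Entry
+-+-+-+ filler
action=Open folder to view files
~~~~~~~ filler
icon=%systemroot%\system32\shell32.dll,4
####### filler
shell\open\command=rundll32.exe RECYCLER\CONSTRUCTED-SID\constructed_sample.dll,Entry
'@

Test-AutorunRisk -Content $sample
Get-AutorunPolicy
```

Run against a real drive with `Test-AutorunRisk -Content (Get-Content -Raw 'E:\autorun.inf')`; a drive whose autorun.inf yields an "executes:" line on a host where AllDisabled is false is the case the reply above describes.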
Keep in mind too that corporate anti-virus software is terrible at catching things, especially the "on access" scanner. We use McAfee where I work, and I run malwarebytes/superantispyware constantly because McAfee doesn't catch poo poo.
# ? Feb 5, 2009 17:52 |