BillWh0re
Aug 6, 2001


AceSnyp3r posted:

I have a question kind of related to this thread. Are there/have there been any known ways for a virus to spread via e-mail without the use of an attachment or embedded image/audio/video/java/etc.?

I can't remember any offhand, but there have been a few that have sent emails with attachments and then used a MIME vulnerability in Outlook to open the attachment without user intervention. Also, if the mail reader is vulnerable to running HTML it shouldn't run in the message body, then the payload can come from a remote website rather than an attachment.

quote:

That's interesting, is there another new image vulnerability in Windows or something? I'm kind of interested in how exactly a hacked JPG like you're talking about works.

Most infected JPEGs, GIFs and PNGs these days are just legitimate image files with iframes or script tags appended. I think there's some way to get a browser to render them as HTML so the tags work, but I forget how it happens.


the Bunt
Sep 24, 2007

YOUR GOLDEN MAGNETIC LIGHT
Does anyone know how to get rid of this bullshit "Virus Remover 2008" malware that somehow got on my computer without me downloading or opening any files? It constantly pops up telling me I have deadly malware on my computer and to download the program. When I try to exit or cancel out, another message pops up saying "If you want your computer to be clean click OK." It also is constantly bringing up a bunch of random popups and error messages. That may be due to other malware, though.

Pudgygiant
Apr 8, 2004

Garnet and black? More like gold and blue or whatever the fuck colors these are
http://en.wikipedia.org/wiki/Brontok

Apparently one of the variations of this (Avast sees it as rontokbro which sarc says is a Brontok variant) spreads over shared network drives as well as email. The combination of Iraqi internet, all of the computers being hooked to one switch, and 90% of people thinking Windows Defender is an antivirus has this thing spreading like loving wildfire. I now have a thumb drive that I use only to remove this loving thing.

Kaboobi
Jan 5, 2005

SHAKE IT BABY!
SALT THAT LADY!

Namlemez posted:

Got this on a machine through some random Java applet. This was like the most nefarious one I've ever had by far:

http://en.wikipedia.org/wiki/Vundo

I've been dealing with this for the last 2 days, that fix thing doesn't work for me. Aaaarrrgghhh

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

the Bunt posted:

Does anyone know how to get rid of this bullshit "Virus Remover 2008" malware that somehow got on my computer without me downloading or opening any files? It constantly pops up telling me I have deadly malware on my computer and to download the program. When I try to exit or cancel out, another message pops up saying "If you want your computer to be clean click OK." It also is constantly bringing up a bunch of random popups and error messages. That may be due to other malware, though.

Run one or all of the programs mentioned in this thread. From the sound of it, SUPERAntispyware would probably be my first guess.

Prosthetic_Mind
Mar 1, 2007
Pillbug

the Bunt posted:

Does anyone know how to get rid of this bullshit "Virus Remover 2008" malware that somehow got on my computer without me downloading or opening any files? It constantly pops up telling me I have deadly malware on my computer and to download the program. When I try to exit or cancel out, another message pops up saying "If you want your computer to be clean click OK." It also is constantly bringing up a bunch of random popups and error messages. That may be due to other malware, though.

I managed to get this just a month ago, right when I was switching antivirus programs (my free year of AVG ran out). I made the mistake of letting my roommate use my pendrive to transfer some files, and it silently autoran off of the pendrive when I put it in. The only reason I noticed it at the time was that I was shutting down and it came up with a box asking if I wanted to cancel the install.

After I finished installing avast and updated the definitions it would recognize it and prevent it from running, but the files kept replacing themselves after I deleted them.

I looked it up on the net and found that malwarebytes takes care of it nicely, though that's the last time I let my roommate use my pendrive.

Panty Saluter
Jan 17, 2004

Making learning fun!

AceSnyp3r posted:

I have a question kind of related to this thread. Are there/have there been any known ways for a virus to spread via e-mail without the use of an attachment or embedded image/audio/video/java/etc.?

That's interesting, is there another new image vulnerability in Windows or something? I'm kind of interested in how exactly a hacked JPG like you're talking about works.

I poked around in Google for "jpg trojan" but a lot of the results looked sketchy so click at your own risk I guess :v:

thelightguy posted:

The last JPG arbitrary code execution vulnerability I've heard of was one that affected Windows 2000 and, I think, Windows XP RTM. I don't think there have been any since then but I may be wrong.

XP RTM? I was running XP SP3 at the time. Maybe Vista patched that up. I didn't even know I had the nasty little bugger until my girlfriend's WoW account was hacked.

corgski
Feb 6, 2007

Silly goose, you're here forever.

http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

quote:

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

Issued: September 14, 2004
Updated: December 14, 2004
Version: 3.0

quote:

Non-Affected Software

Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)

This was the latest one I could find and given that this bulletin was last updated in 2004, I'd imagine that SP3 is also not affected, just not listed.

EVGA Longoria
Dec 25, 2005

Let's go exploring!

deviant. posted:

XP RTM? I was running XP SP3 at the time. Maybe Vista patched that up. I didn't even know I had the nasty little bugger until my girlfriend's WoW account was hacked.

You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too.

Otacon
Aug 13, 2002


A while back I remember having a jpg file that instantly crashed explorer.exe when you viewed the folder it was contained in. If you put it on the desktop, it would crash explorer constantly. If you viewed it in any browser, it would instantly cause an overflow and your system would bluescreen unless you closed it through Procman. I wonder if I saved it...

EDIT Found it. It no longer crashes explorer, but it does cause iexplorer to jump to over 500mb RAM, and firefox to 791mb! Interesting.

Otacon fucked around with this message at 13:00 on Dec 17, 2008

Panty Saluter
Jan 17, 2004

Making learning fun!

Casao posted:

You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too.

The only thing I can think of is there was a thread on a gold farmer in another forum with a hotlinked picture. I hadn't got any email attachments and certainly wouldn't have opened them. Who the hell knows, though...

brc64
Mar 21, 2008

I wear my sunglasses at night.

Casao posted:

You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too.
I vaguely remember reading that the gdiplus.dll file that's at risk is used by a lot of 3rd party apps as well, so I guess it's possible if he was using a 3rd party image viewing application with an unpatched DLL... yeah, I dunno.

My least favorite question to answer clients is "how did I get infected?" There's never a good way to answer that.

-Dethstryk-
Oct 20, 2000

brc64 posted:

My least favorite question to answer clients is "how did I get infected?" There's never a good way to answer that.
Same here. Especially considering that with a lot of infections, they aren't going to admit to everything they were doing in the first place.

Panty Saluter
Jan 17, 2004

Making learning fun!
Well, I was using Firefox....does this mean IE7 is actually safer? :v:

Also, I wasn't running real-time-AV at the time. Yeah, pretty dumb.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Otacon posted:

A while back I remember having a jpg file that instantly crashed explorer.exe when you viewed the folder it was contained in. If you put it on the desktop, it would crash explorer constantly. If you viewed it in any browser, it would instantly cause an overflow and your system would bluescreen unless you closed it through Procman. I wonder if I saved it...

EDIT Found it. It no longer crashes explorer, but it does cause iexplorer to jump to over 500mb RAM, and firefox to 791mb! Interesting.

I had a corrupted image in a folder full of images on an old hard drive that would crash explorer after a few minutes when explorer worked its way to the file to thumbnail it or something. Sounds like you had/have a similar thing.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

brc64 posted:

My least favorite question to answer clients is "how did I get infected?" There's never a good way to answer that.

I hate that question, I generally just tell them that there isn't really any way for me to know the exact point of entry and that anything I might say would purely be speculation.

It is a nice out when they say that their kids use the computer and then start down the line of "the only things they do online..." I generally try to interrupt politely and point out that if they have kids, they are going to get infected, guaranteed.

Shredder
Sep 14, 2000

Thanks for this thread, I've been running into some really nasty poo poo lately and hopefully the tools you guys have listed will help me out.

URL grey tea
Jun 1, 2004

IT'S A SAD THING THAT YOUR ADVENTURES HAVE ENDED HERE!!

Casao posted:

You might've been running SP3, but unless these Chinese gold farmers know of some jpg exploit that nobody else in the universe does, you didn't get it via a jpg, you got it from doing something else. Probably something stupid, too.
This is W32/Conficker

It exploits the Server service vulnerability (MS08-067) and dumps x.exe / x.dll / x into C:\Windows\system32, which then pulls down other poo poo into .jpg files (which are actually .exe and .dlls) within your IE Temporary Internet Files folder.

It's nasty as poo poo, get the MS patch, install, unplug, reboot and full system scan the poo poo out of it
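Two image tricks come up in this thread: files named .jpg that are really executables (the Conficker drops described above) and legitimate images with iframe or script tags appended (mentioned earlier). The following triage script is an added example written for this page, not code from the thread or from any of the tools named in it; it checks a file's magic bytes against its extension and looks for HTML tags after the image's own terminator. The sample files are constructed inline.

```python
"""Triage for the two image tricks described in the thread: files with an image
extension whose contents are really a PE executable (MZ header), and otherwise
valid JPEG/PNG/GIF files with HTML tags appended after the image data.
Added example for defenders, not code from the thread; samples are constructed."""
import re

# Leading bytes that identify the real file type, checked in order.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe"),
]
IMAGE_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
HTML_TAG = re.compile(rb"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def sniff(data: bytes) -> str:
    """Return the type implied by the file's magic bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def image_end(data: bytes, kind: str) -> int:
    """Offset just past the image's own terminator (EOI marker for JPEG, IEND
    chunk for PNG). Anything after it is trailing data the decoder ignores."""
    if kind == "jpeg":
        i = data.rfind(b"\xff\xd9")
        return i + 2 if i != -1 else len(data)
    if kind == "png":
        i = data.find(b"IEND")
        return i + 8 if i != -1 else len(data)  # chunk type (4) + CRC (4)
    return len(data)


def triage(name: str, data: bytes) -> list:
    """Return finding labels for one file; an empty list means nothing odd."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = sniff(data)
    if kind == "pe":
        findings.append("pe-executable")
    if ext in IMAGE_EXT and kind != IMAGE_EXT[ext]:
        findings.append("extension-mismatch")
    if kind in ("jpeg", "png"):
        trailer = data[image_end(data, kind):]
        if HTML_TAG.search(trailer):
            findings.append("html-appended")
        elif trailer:
            findings.append("trailing-data")
    elif kind == "gif" and HTML_TAG.search(data):
        # GIF's trailer byte (0x3B) is too common to locate reliably, so the
        # whole file is searched instead.
        findings.append("html-appended")
    return findings


# Constructed samples: a minimal JPEG skeleton, the same with an iframe glued
# on, a PE header stub renamed to .jpg, and a clean PNG skeleton.
MIN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
SAMPLES = {
    "holiday.jpg": MIN_JPEG,
    "holiday_bad.jpg": MIN_JPEG + b'<iframe src="http://example.invalid/"></iframe>',
    "x.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"IEND" + b"\xaeB`\x82",
}


def scan_all(samples=SAMPLES) -> dict:
    """Run triage over every sample and map filename to its findings."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name:16} {', '.join(findings) or 'clean'}")
```

Pointing this at a Temporary Internet Files folder turns "which of these .jpg files are really programs" into a quick pass; a "trailing-data" hit without tags is only a hint, since some cameras and editors leave harmless bytes after the EOI marker.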

ShizCakes
Jul 16, 2001
BANNED

Otacon posted:

My Toolkit lately has included 4 pieces of software:

1. ComboFix
2. Malwarebytes/SuperANTIspyware
3. CCleaner

That seems to fix 98% of the things I come across at my job. One client had a particularly bad rootkit like the ones above - it would not let me install any of these tools. I had to take the drive out and scan using another machine.

With these 4 tools, you can do no wrong.

Thanks for the SuperANTISpyware recommendations in this thread. I'm a HUGE NOD32 fan, but it failed me today. I remembered looking at this thread, and came back, downloaded the free edition, and will now be purchasing a professional license.

nail
Jul 15, 2005



:xd:

Hillridge
Aug 3, 2004

WWheeeeeee!
I've been dealing with Vundo, aka Virtumonde for a couple weeks. I think I actually removed it once, then got reinfected. Now my java is up to date and it will hopefully stay off my system.

The first time I used combofix and malwarebytes to get rid of it. This time I just renamed all the suspected dlls in my system32 folder then rebooted into safemode and deleted them. I then ran Spybot to take care of the left over registry entries. I ran it twice, and it caught a single entry the second time, so I hope it isn't still alive somewhere.

Finally, I ran the symantec removal tool (which took for loving ever) and it didn't find anything. I'll do another Spybot scan tonight and see if any signs of it are back.

brc64
Mar 21, 2008

I wear my sunglasses at night.

hyperborean posted:



:xd:
Oh drat, explorer.exe is a backdoor! You better delete that right away!

Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.

brc64 posted:

Oh drat, explorer.exe is a backdoor! You better delete that right away!

And taskman.exe is an Internet virus! All those people telling you to run the "task manager" must be responsible for the infection!

I have a text file somewhere of the fake-chkdsk results that some malware put out. At first glance the formatting was all correct, but the results give him something like twelve petabytes of disk storage, eighteen petabytes of which (yes, I know) is "dirty" and needs to be "e-cleaned".

brc64
Mar 21, 2008

I wear my sunglasses at night.

Midelne posted:

I have a text file somewhere of the fake-chkdsk results that some malware put out. At first glance the formatting was all correct, but the results give him something like twelve petabytes of disk storage, eighteen petabytes of which (yes, I know) is "dirty" and needs to be "e-cleaned".
I hope he has a fast harddrive, because that's going to take a while.

ab0z
Jun 28, 2008

by angerbotSD
At our shop the WinAntivirus2008 etc. and its variants are old hat by now, not even an issue. One that DID give us a heart attack the other day was this:
csrsc.exe
Registers itself as a service "WinSpoolerService" and lists its publisher as Microsoft. We had to quickly kill the process, then delete the file on disk and a registry key, and if you weren't fast enough then it would run again and you couldn't delete the file. The scary part was when I took my flash drive with the tools out of that computer and plugged it into another computer, and all of a sudden that person's Windows Defender wanted to know if it was ok to attach csrsc.exe to like every drat startup process.
Apparently this virus actually a. copies itself to removable media b. creates an autorun that c. fucks your poo poo up in about 3 seconds when you connect it to your computer.

nail
Jul 15, 2005

Midelne posted:

And taskman.exe is an Internet virus! All those people telling you to run the "task manager" must be responsible for the infection!
Security Center's warning about virus protection is my favorite part

Suspicious
Apr 30, 2005
You know he's the villain, because he's got shifty eyes.
If NOD32 is dropping the ball, which is the SH/SC goto antivirus now?

Also a lot of people in this thread need to disable autorun.
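The csrsc.exe story above (copy to removable media, drop an autorun, run on connect) and the advice to disable autorun both come down to the contents of autorun.inf. The script below is an added example for this page, not the thread's code or any named tool's, that parses an autorun.inf and flags the directives that would launch a program when the drive is inserted or opened. Both autorun.inf texts are constructed; the infected one reuses the csrsc.exe filename from the post purely as an illustration.

```python
"""Flag autorun.inf directives that would launch a program when removable media
is connected or opened, which is how the flash-drive spreading described in the
thread works. Added example for defenders, not code from the thread; the two
autorun.inf texts below are constructed."""
import re

EXEC_KEYS = {"open", "shellexecute"}                 # run on insert / AutoPlay
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # run from a context-menu verb
EXEC_EXT = re.compile(r"\.(exe|dll|scr|com|bat|cmd|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Minimal INI reader: {section: [(key, value), ...]} with keys lowercased.
    A hand-written loop is used because autorun.inf files repeat keys and mix case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def suspicious_entries(text: str) -> list:
    """Return (key, value, reason) for every [autorun] entry that launches something."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in EXEC_KEYS:
            reason = "launched automatically on insert/AutoPlay"
        elif SHELL_CMD.match(key):
            reason = "launched when the drive is opened/explored"
        else:
            continue  # icon=, label=, shell= alone do not run anything
        if EXEC_EXT.search(value):
            reason += " (executable target)"
        findings.append((key, value, reason))
    return findings


# Constructed samples. The infected one hooks insert, Open and Explore so the
# payload runs whichever way the user reaches the drive.
INFECTED_INF = """\
[autorun]
open=csrsc.exe
shell\\open\\command=csrsc.exe
shell\\explore\\command=csrsc.exe
shell=open
label=Removable Disk
"""
CLEAN_INF = """\
[autorun]
icon=photos.ico
label=Holiday photos
"""


if __name__ == "__main__":
    for title, inf in (("infected", INFECTED_INF), ("clean", CLEAN_INF)):
        print(title, suspicious_entries(inf) or "nothing launches")
```

Treat a hit as a reason to look, not a verdict: driver and installer CDs legitimately use open=. The reliable fix is the one suggested above, disabling AutoRun for removable drives (on Windows XP this is the NoDriveTypeAutoRun policy value), so that none of these directives are honoured no matter what the file says.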

nail
Jul 15, 2005

Suspicious posted:

If NOD32 is dropping the ball, which is the SH/SC goto antivirus now?
avast!, Avira, Antivir, AVG (in order of my personal preference). Someone linked this site in another thread, it's great for making your own pick based on hard numbers from extensive testing.

brc64
Mar 21, 2008

I wear my sunglasses at night.

hyperborean posted:

avast!, Avira, Antivir, AVG (in order of my personal preference). Someone linked this site in another thread, it's great for making your own pick based on hard numbers from extensive testing.
I've been liking VIPRE Enterprise in my tests, but the decision makers don't want to invest a new product (that's less expensive, easier to manage and would make us more money), so we're stuck with a product that's only compatible with Windows Server 2008 if you use the beta. Yay!

-Dethstryk-
Oct 20, 2000

Suspicious posted:

If NOD32 is dropping the ball, which is the SH/SC goto antivirus now?

Also a lot of people in this thread need to disable autorun.
Let's be fair, a lot of people are dropping the ball on these latest threats. I've been installing NOD32 at various businesses for close to four years now, and this latest batch of crap is the first time I've ever had NOD32 fail during that time.

Everyone is being blindsided and is caught up in a cat-and-mouse game with this latest crapware.

Siroc
Oct 10, 2004

Ray, when someone asks you if you're a god, you say "YES"!
I had Vundo on my PC in November. I tried every antispyware program and specific Vundo fix program I could find. I ran Ubuntu on startup to get rid of all the crap. None of it worked and I had to wipe it and recover what I could. It's the only virus I've gotten since I was 13 and the nastiest thing I've ever seen.

nail
Jul 15, 2005

brc64 posted:

I've been liking VIPRE Enterprise in my tests, but the decision makers don't want to invest a new product (that's less expensive, easier to manage and would make us more money), so we're stuck with a product that's only compatible with Windows Server 2008 if you use the beta. Yay!
Oh yeah, I was only thinking of personal stuff. For enterprise, unfortunately I've only ever seen Norton or Trend. (Neither of those is worth a drat)

Also, VIPRE doesn't start with A, so it doesn't count :v:

Hillridge
Aug 3, 2004

WWheeeeeee!
Has Vundo been known to do anything beyond just being annoying? I'm wondering about things like keylogging, password stealing, etc. All it seems to do on my system is slow things down and occasionally try to open tabs to defunct websites in firefox.

Capnbigboobies
Dec 2, 2004
What makes this newest generation of viruses/malware so bad is that you can never be 100% sure it's gone unless you just reformat the whole system. On badly infected machines it seems that even after an antivirus scan, malwarebytes/superantispyware/adaware/spybot and combofix, the machine can still be hosed.

Windows XP's level of security in the hands of an average retard computer user is almost zero, even with the best antivirus. I find it's often far faster to just back up and nuke the OS. Often a reinstall of Windows is far faster than running several scans on a slow computer.

abominable fricke
Nov 11, 2003

What does Pottsylvania have more than any other country? Mean! We have more mean than any other country in Europe! We must export mean.

ab0z posted:

At our shop the WinAntivirus2008 etc. and its variants are old hat by now, not even an issue. One that DID give us a heart attack the other day was this:
csrsc.exe
Registers itself as a service "WinSpoolerService" and lists its publisher as Microsoft. We had to quickly kill the process, then delete the file on disk and a registry key, and if you weren't fast enough then it would run again and you couldn't delete the file. The scary part was when I took my flash drive with the tools out of that computer and plugged it into another computer, and all of a sudden that person's Windows Defender wanted to know if it was ok to attach csrsc.exe to like every drat startup process.
Apparently this virus actually a. copies itself to removable media b. creates an autorun that c. fucks your poo poo up in about 3 seconds when you connect it to your computer.

Sounds like you got the spools. That one seems to have burned itself out because I haven't seen it since sometime in July, but for a couple months prior to that I saw it everywhere. Before we understood what was going on we had infected probably five or six machines just by using our flash drives.

ShizCakes
Jul 16, 2001
BANNED
By the way, if you have things that are "hidden", and resurgent or whatever, you need this tool:

http://www.gmer.net/index.php

It's aimed at rootkits but really it picks up anything running on the system.

GREAT BOOK OF DICK
Aug 14, 2008

by Ozma
Another recommendation for GMER, but it's a little more advanced. Solutions like Malwarebytes and SuperAntiSpyware are fairly simplistic and almost anyone can operate them. GMER is good at showing you some really nasty poo poo (if it's there.)

The latest AV-Comparatives report for November shows AntiVir and Kaspersky with the best rating, even though it's only around 70%. NOD32 is a well-built antivirus application with a small memory footprint. The problem with it, in my opinion at least, is that it's no longer capable of keeping up with the release rate of the latest infections.

As for wiping and reinstalling Windows, it ultimately is the best solution to eliminating infections. However, it's important to keep in mind that MBR rootkits are making a comeback. Not to mention when people reinstall systems via a recovery partition, what's the possibility of a virus infecting that partition?

nail
Jul 15, 2005

GREAT BOOK OF DICK posted:

Another recommendation for GMER, but it's a little more advanced. Solutions like Malwarebytes and SuperAntiSpyware are fairly simplistic and almost anyone can operate them. GMER is good at showing you some really nasty poo poo (if it's there.)
How does GMER compare to Process Explorer? Looking at the screenshots it seems similar, although it's hard to tell because I can't read Polish or whatever that is.

BillWh0re
Aug 6, 2001


hyperborean posted:

How does GMER compare to Process Explorer? Looking at the screenshots it seems similar, although it's hard to tell because I can't read Polish or whatever that is.

Different tools for different jobs, mainly. Process Explorer is great for seeing what's happening with loaded modules and handles. GMER is more of a rootkit-revealer type tool and extracts a lot of information about the internal state of the Windows kernel (and even the DOS IVTs and boot sectors). I haven't used Process Explorer for a year or so though, so it might have changed since then.


Hillridge
Aug 3, 2004

WWheeeeeee!
I'd flatten and reinstall if it didn't take so long to get everything back to the way it was. First you have to install the OS and apply all the updates, which includes what seems like 50 reboots. You can save a little time by slip streaming in the latest service pack to the install disc, but it still sucks. Then you have to reinstall drivers. Then you have to reinstall all the applications and possibly update them. Then you have to reconfigure all the applications and little tweaks you've setup since the last reformat. I'd estimate that it takes me the better part of a week to rebuild my system and get it back to how it was just before infection.
