  • Locked thread
Midelne
Jun 19, 2002

I shouldn't trust the phones. They're full of gas.
W32.Winsky something something has been bouncing off Groupshield with remarkable tenacity this last weekend. Makes me blink to see it in the scan logs, since we're usually squeaky-clean after the usual suspects are dropped in transit.

Midelne

the Bunt posted:

Does anyone know how to get rid of this bullshit "Virus Remover 2008" malware that somehow got on my computer without me downloading or opening any files? It constantly pops up telling me I have deadly malware on my computer and to download the program. When I try to exit or cancel out, another message pops up saying "If you want your computer to be clean click OK." It also is constantly bringing up a bunch of random popups and error messages. That may be due to other malware, though.

Run one or all of the programs mentioned in this thread. From the sound of it, SUPERAntispyware would probably be my first guess.

Midelne

brc64 posted:

Oh drat, explorer.exe is a backdoor! You better delete that right away!

And taskman.exe is an Internet virus! All those people telling you to run the "task manager" must be responsible for the infection!

I have a text file somewhere of the fake-chkdsk results that some malware put out. At first glance the formatting was all correct, but the results give him something like twelve petabytes of disk storage, eighteen petabytes of which (yes, I know) is "dirty" and needs to be "e-cleaned".

Midelne

abominable fricke posted:

What a poo poo day in virus land. We should start posting combofix, malwarebytes, superantispyware, spybotsd, and hijack this logs to use as a community resource. Anyone onboard?

And a good word for Dial-A-Fix, which saved me from a repair installation today.

Midelne

Varkas posted:

Thanks for the help guys. I used Avira AntiVir(which interestingly enough wasn't targeted by the rootkit), GMER, and ComboFix primarily to clean everything up. Everything seems to be back to working order now.

It's funny how the arms race doesn't seem to be about the best antivirus anymore, but the one that the virus maker didn't think to block.

Midelne

Footboy posted:



That is a much, much cooler graphic and snazzier UI than most virus writers would take the time to put into their product. On the other hand, that more or less screams that it is absolutely not related to Windows, which is the opposite tack that the successful ones are taking these days.

Midelne
I learned as a result of reading through the Microsoft Malware Protection Center's recent entries and Googling one term I didn't recognize that you absolutely should not Google SPTH and click any of the top couple of links that look like they might answer your question as to what the hell SPTH refers to. No really, don't, there are a shitload of hostile links.

I guess if you've got an isolated VM and a virus scanner you want to test out it might be worth a laugh, but I'm running latest-build Firefox 3 and McAfee still logged at least one infection with a name I've never seen.

Midelne
Win32/Yektel infection chiming in. SUPERAntiSpyware picked up the bulk of it on the first run, Combofix grabbed the good old ieupdater.exe out of System32, and now we appear to be clean.

I get a genuine kick out of Win32/Yektel infections. It's got some genuine thought behind it, and that's nice to see even if it does make my day a bit more entertaining than I usually like it.

As a bonus, the first user to report the infection took one look at the fake security center popup and called for help without touching anything. How often does that happen? Loving it.

Midelne

bazaar apparatus posted:

Why can't my users do this....

By the time I ever get to look at most of their systems, they've hosed it up so bad just clicking on things without thinking that a 15-minute call turns into a few hours just trying to get everything out of there.

Trade you jobs.

Midelne
Well, curiosity is killing me. Can anyone actually give a summary of what the hell SPTH stands for / means? After having McAfee throw a fit from the first couple results on Google, it seems like I might be better off just asking if anyone already knows.

Public service: Don't click results for SPTH in Google. :f

Midelne

hyperborean posted:

edit here's a cool (albeit old) article with probably-related details

That was a really good article, and I was a bit surprised to find out that a sixteen-year old kid has made enough of a name for himself since that article (assuming it's the same SPTH, which seems likely) to be the subject of a Microsoft blog.

The security side of IT is getting more interesting to me all the time.

Midelne

Thanks, that was good for a laugh. I can't help but think it was some well-meaning torrenter hitting the torrent community in a relatively harmless way that would still make most of them panic and install the antivirus software they should've been running from the beginning. Viruses? Pssh, I'm careful. Torrent-blocking? OH GOD~~

Midelne

abominable fricke posted:

Do you care to share any info, or are you going to hold out?

Seconded, since signed code infections are rare to begin with, let alone code signed by Microsoft. Needs a lot more details, up to and possibly including VirusTotal stats.

Midelne

abominable fricke posted:

It wouldn't surprise me if this is news to him.

I still want to make one of those calls one day and speak to someone who dissolves into maniacal cackling that just goes on and on until I hang up the phone. I think it's how we all secretly wish those calls would go anyway.

Midelne
I think my favorite infection I've cleaned up so far at work isn't anything fancy, but it's one of those things that I think encourages people to just give up and let IT do everything for them.

What do we do with potentially hazardous, unexpected emails? We delete them. What do we do with email from stupid mailing lists that we accidentally subscribed to at some point in the past? We click the little link that says "Click here to unsubscribe from future mailings". What do some users, who might not be able to tell a Russian-made gibberish email from a legitimate newsletter about something they don't understand, do to make it go away? Click the "Click here to unsubscribe from future mailings" button, directing them to the same infected site that the other links go to.

It's funny, until you start trying to come up with an enterprise-wide solution to avoid it. Once it's in your Inbox the built-in junk mail options are mostly useless when it's coming from random addresses or botnets, and the subject lines usually mutate just enough to make subject-based filtering aggravating at best.
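One heuristic that follows from the post above, written here as an added example (not code from the thread or from any product it mentions): flag a message when every link in it, the "unsubscribe" link included, resolves to a single domain that is not the sender's. The sample messages, the sender and link domains, and the `analyse`/`is_suspicious` names are all constructed for this example. It is a heuristic, not a filter you can deploy unchanged: legitimate newsletters sent through a mailing provider often host their unsubscribe page on the provider's domain, which is why the check also requires that the sender's own domain appear nowhere in the links.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Matches an HTML anchor, capturing its http(s) target and its inner text.
ANCHOR_RE = re.compile(
    r'<a\b[^>]*?href\s*=\s*["\']?(https?://[^"\'\s>]+)[^>]*>(.*?)</a>', re.I | re.S)
UNSUB_RE = re.compile(r"unsubscribe|opt[ -]?out", re.I)

# Constructed sample messages for this example; not real captures.
MALICIOUS = """\
From: "Weekly Savings" <offers@random-sender.example>
To: user@corp.example
Subject: Your invoice
Content-Type: text/html; charset=us-ascii

<html><body>
<p>View your statement <a href="http://bad-site.example/in.php?id=7">here</a>.</p>
<p><a href="http://bad-site.example/in.php?id=7&u=1">Click here to unsubscribe from future mailings</a></p>
</body></html>
"""

LEGIT = """\
From: "Acme Newsletter" <news@acme.example>
To: user@corp.example
Subject: March newsletter
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Read the issue at <a href="https://www.acme.example/news/march">acme.example</a>.</p>
<p><a href="https://lists.acme.example/unsub?u=42">Unsubscribe</a></p>
</body></html>
"""


def registrable(host):
    """Crude two-label 'registrable domain'; use a public-suffix list in real code."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(raw):
    """Return the sender domain, the link domains, the unsubscribe-link domains
    and whether the message trips the heuristic."""
    msg = message_from_string(raw, policy=policy.default)
    sender = registrable(msg["from"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    link_domains, unsub_domains = set(), set()
    for url, text in ANCHOR_RE.findall(html):
        dom = registrable(urlparse(url).hostname or "")
        link_domains.add(dom)
        # Strip nested tags so "<b>Unsubscribe</b>" still matches.
        if UNSUB_RE.search(re.sub(r"<[^>]+>", "", text)):
            unsub_domains.add(dom)
    # Trip only when there is an unsubscribe link, every link points at one
    # domain, and that domain is not the sender's.
    suspicious = (bool(unsub_domains)
                  and len(link_domains) == 1
                  and sender not in link_domains)
    return {"sender": sender, "links": link_domains,
            "unsubscribe": unsub_domains, "suspicious": suspicious}


def is_suspicious(raw):
    return analyse(raw)["suspicious"]


if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS), ("legit", LEGIT)):
        print(name, analyse(raw))
```

Because the decision is made on the registrable domain rather than the full hostname, a newsletter that links to `www.` and `lists.` subdomains of its own domain is not flagged; a message whose unsubscribe link and content links all land on one unrelated host is.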

Midelne

The Register posted:

A prolific new worm has spread to infect more than 3.5m Windows PCs, according to net security firm F-secure. The success of the Conficker (AKA Downadup) worm is explained by its use of multiple attack vectors and new social engineering ruses, designed to hoodwink the unwary into getting infected.

The worm uses a complex algorithm to develop a changing daily list of domains which infected machines attempt to establish contact with. Hackers need only register one of these possible names to establish contact with the botnet established by Conficker. The tactic is designed to frustrate attempts by security watchers to dismantle the command and control network associated with compromised machines.

But the approach also made it possible for F-secure to register a domain infected machines were due to contact and monitor what happened. Analysis by the firm, based on data from this experiment, suggests that 3.5m machines or more are under the control of unidentified hackers.

By comparison, the Storm worm was made up of somewhere between 500,000 and 1m zombie drones at its September 2007 peak, according to one recent estimate.

And you thought Storm was bad. At least this time around Microsoft is on top of it and the January MSRT will take out most versions of Conficker. The lesson today, as loving always? Update update update.

Midelne

brc64 posted:

Wait, you mean the MSRT actually does something? I see it in Windows Update every month, but I've never seen it actually do anything, nor is it obvious how to even use it.

I figure that realistically the way it works is that it attempts to specifically hunt down and destroy the worms that either really made Microsoft look bad or have the potential to really make them look bad in the future when the screaming newspaper headlines come out. The worms it's known for hitting (Blaster, Slammer, etc) have been the big-headlines cases that just plain look bad. Conficker appears to have the capacity to be one of those embarrassments, even if at this point it's probably 90% the fault of whoever didn't patch the machines if there's a new infection.

The thing is smart, ugly, and fairly well-constructed but Microsoft jumped on the vulnerability with both feet. Guess we'll see in the long run who wins out. If the volume of spam triples we'll have our answer.

(ed: So yeah, it works. I dump it in the update queue just for peace of mind even though the vulnerabilities that allow the worms it's usually intended to address were patched ages ago.)

(re-edit: Crosspost from Vista thread RE: Conficker's autorun prompt. I think I love this thing.)

Midelne fucked around with this message at 22:33 on Jan 15, 2009

Midelne

BillWh0re posted:

The way Conficker works now it seems the actual exploit it uses is pretty much interchangeable with any other. The group could keep updating it to use whatever the newest big Windows exploit is. The way it's really nasty is in how it does everything else.

The autorun.inf file is better obfuscated than anything seen before; usually you see a worm start using pretty simple autorun.inf files and gradually add more obfuscation over time as they become detected by AV software. Conficker starts off with something that's probably impossible for a lot of products to viably detect (not that they can't, but that they would have to look so deep into the file it would slow scans of clean files down too much).

The way it names its files means that the worm DLL on any one computer will always use the same pseudorandom name. Doesn't seem important until you realise that means that any registry keys or scheduled tasks left lying around after the file is deleted will cause it to run again as soon as the file reappears... which happens all the loving time since other infected computers are copying the file back over Windows file sharing. Oh and it removes all permissions on its service registry keys which breaks most registry tools, forcing the user to add permissions back again just in order to see the worm's service entries.

The deterministically generated domain name poo poo has been done before but it's still pretty smart.

I don't know why I have such a huge hard-on for the subsurface malware details lately but this is awesome.
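The two Conficker posts above describe a date-seeded domain generation scheme and the F-Secure trick of registering one generated name to count the hosts that call in. The following is an added example of that pattern, not Conficker's real algorithm and not code from the thread: the seed, digest, name length and TLD list are assumptions, as is the "<src-ip> <qname>" log format of the constructed sample. What it shows is the defender's side of the arms race: once the algorithm is known, the whole week's candidate list can be precomputed for a sinkhole or blocklist, and a resolver log can be matched against it.

```python
import hashlib
from datetime import date, timedelta

# Illustrative DGA parameters. These are assumptions for the example and are
# NOT Conficker's seed, hash or TLD set.
SEED = b"example-dga-seed"
TLDS = ("com", "net", "org", "info")
DEMO_DAY = date(2009, 1, 15)
DEMO_NEXT = DEMO_DAY + timedelta(days=1)


def dga(day, count=250):
    """Return the candidate rendezvous domains for one calendar day.

    Every infected host derives the same list from the date alone, so the
    operators need to register only one of them, and a defender who has
    recovered the algorithm can precompute exactly the same list.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(
            SEED + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 5                          # 8..12 letters
        name = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{name}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def blocklist(start, days):
    """Union of the daily lists for a window, e.g. to feed a sinkhole or RPZ."""
    names = set()
    for offset in range(days):
        names.update(dga(start + timedelta(days=offset)))
    return names


def is_dga_domain(domain, start, days):
    return domain.lower().rstrip(".") in blocklist(start, days)


def count_infected(dns_log_lines, start, days):
    """Count distinct source addresses that queried any generated name.

    This is the measurement described in the article: sinkhole the names and
    count who shows up. The log format is the constructed "<src-ip> <qname>"
    used below, not any real resolver's format.
    """
    names = blocklist(start, days)
    sources = set()
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        src, qname = parts[0], parts[1].lower().rstrip(".")
        if qname in names:
            sources.add(src)
    return len(sources)


def demo_count():
    """Run count_infected over a constructed two-day log: three hosts query
    generated names, one queries an ordinary name."""
    today, tomorrow = dga(DEMO_DAY), dga(DEMO_NEXT)
    sample_log = [
        f"10.0.0.5 {today[0]}",
        f"10.0.0.5 {today[7]}",          # same host, second name: counted once
        f"10.0.0.9 {today[1]}.",         # trailing dot as a resolver might log it
        f"10.0.1.2 {tomorrow[0]}",
        "10.0.0.7 www.example.com",      # constructed benign query
    ]
    return count_infected(sample_log, DEMO_DAY, 2)


if __name__ == "__main__":
    print(dga(DEMO_DAY)[:3])
    print("infected hosts seen:", demo_count())
```

The point of `blocklist` is that a defender's cost is the same as the attacker's: one hash per candidate per day. Registering a single name is enough to observe the botnet, but blocking it requires the whole daily list, which is why the DNS layer (sinkhole or response policy zone) is where this is usually enforced rather than at individual hosts.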

Midelne
Conficker Update: FSecure puts Conficker/Downadup at approximately 9 million infected, estimated 6.5 million new infections in the past four days.

My boss update from when it was 3 million: "3 million isn't that many. I bet there's more computers than that in Tacoma right now." (Pop: 196,000)

edit:

Here's a Happy Thought posted:

The other mystery surrounding Downadup is the intentions of the people building the botnet. In early December, Royal's team at Damballa observed it interacting with a domain name that has strong ties to rogue anti-virus programs, which rake in big money installing malware that's disguised as legitimate security software.

Midelne fucked around with this message at 00:14 on Jan 17, 2009

Midelne

brc64 posted:

I tested VIPRE Enterprise here and loved it. My boss proposed it to the owner as an alternative to OfficeScan (which STILL isn't Server 2008 compatible), citing better protection and management AND lower cost (which means we can make more money from it). Owner dismissed the idea without even giving it 2 seconds of thought. :(

Should have emphasized the Microsoft connection to give the aura of reliability.

Midelne

brc64 posted:

Okay, I just spent 2 hours of my life battling the meanest winantivirus variant I've seen to date. This sucker appears to create some stealth software restriction policy that prevents me from installing anything that might get rid of it. MBAM setup just closes (and yes, I did try renaming the installer). HijackThis closes. Process Explorer closes, even under safe mode.

I guess the next thing to try is a boot CD with portable installations of scanners already present. After that I'd just flatten/reinstall, because goddamn once you're mucking around in phantom software restriction policies you're too far in.

Midelne
$250,000 Bounty for Conficker Creator

The Register posted:

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of the virus writers behind the infamous Conficker (Downadup) worm.

The bounty, announced Thursday, represents a revival of Microsoft's mothballed Anti-virus Reward Program, launched in 2003 and virtually moribund since 2004.

In 2003, Redmond put up a $250,000 reward for tips leading to the arrest and conviction of the virus writers behind the infamous SoBig and Blaster worms. It extended this offer to other examples of malware, but there's only ever been one payout.

Erstwhile college friends of German VXer Sven Jaschan, who was convicted of writing the Sasser worm, picked up a $250 payout for their efforts.

This all seemed much more impressive prior to the last couple paragraphs.

Midelne

Cojawfee posted:

Sounds like a modified blue screen screen saver.

Yeah, that's been there since one of the original WinXPAntivirus variants. Someone said it was originally a SysInternals joke if I remember right.

I found another one that ran a fake chkdsk, but whoever was typing out the information hadn't been paying much attention and just kind of mashed number keys for drive stats. It was reporting like 10 petabytes of total drive space.

Midelne

Bob Morales posted:

Malwarebytes finds nothing. Neither does AVG. What should I try?

SUPERAntispyware is pretty decent at finding late-model crap.

To clarify, do the static routes go away when you reboot?

Midelne

Suspicious posted:

The administrator account doesn't lock out.

And even if it did, it's not like Conficker is going anywhere on a network that uses one of those passwords. It'll be there for plenty long enough to try them all.

Midelne

devmd01 posted:

They apparently had some new variant called "XP Police 2009", though malwarebytes seems to have cleaned it right up. It's probably time to get Symantec Corp 7.5 changed out for AVG, update other possible infection vectors, and get noscript+adblock installed and explained.

poo poo, I don't even want to think about trying to explain how to use Noscript to someone with minimal technical literacy. Good luck man.

Midelne

d3rt posted:

I've had 2 users get AV 2009. One user got it twice in a week "I only go to Yahoo!" Yeah right.

One I was able to clean with safe mode + MBAM but the slow learner, his machine required formatting both times. Freakin' headache.

I had a user get AV 2008 on their assigned laptop twice in a week when it was first becoming de rigueur for the malware scene. I assume that whatever vector it used allowed several other things to come on in as well, since we had a merry old time cleaning it both times.

Denial, denial, denial the whole way up until the executives got involved, at which point she admitted that she pretty much just used the company-issued chock-full-of-confidential-information laptop as an electronic babysitter for her two children whenever she wanted to have a night on the town.

If it gets infected again or she ever says anything about her children using the company laptop again, she loses her laptop. Which would be entertaining, since she's on-the-road Sales and Marketing and has no other computer. I would enjoy that.

Midelne
If you wanted a roundabout sort of damage control you could block FTP to/from any workstations that shouldn't need it. Doesn't do poo poo to the infection, but it should at least prevent them from chewing up your bandwidth and from potentially leaving your organization open to hosting illegal material even inadvertently.

You could do this at your primary perimeter firewall, through Windows Firewall / GPO, IPSEC and netsh/GPO, or whatever.

Midelne

RusteJuxx posted:

I also have a nice little outbreak of this guy:
http://www.threatexpert.com/report.aspx?md5=c320f2be780d60daa651aec2b47fda95 I just found out about a few minutes ago. Sophos has it listed as something it now protects against so hopefully I can take this thing down for all the machines instead of just wiping them like I did this current one. I may have around 40 people with this. :( gently caress you McAfee Enterprise!

Our McAfee Enterprise just came up for renewal and the parent company is pitching a fit about the $2345 in licensing fees plus tax that it'll cost to renew for the first 2/3rds of our workstations that are due to expire soon. I don't have much hope that they'll use anything different, though -- the laptops I've seen walk in and out of our sites on the parent company's employees all have the little red M of despair in the notification area.

Incidentally, Microsoft's malware blog just had a post that gave a nod to W32/Taterf -- the one in the threat report you linked -- for being persistent, aggressively polymorphic, and actively maintained. They also said that they can remove it at http://safety.live.com though you may run into problems if it's already moved into the position of pulling down trojans that their automation can't handle yet. If it's the one you're experiencing though, it very well might be a lot easier than you think.

edit: Comprehensive information about Taterf, modifications it makes, file patterns, and whatnot here.

Midelne fucked around with this message at 23:58 on Feb 20, 2009

Midelne

Ranma4703 posted:

is there any way I already got a virus?

Sure. The XPAntivirus variants pop up a window that looks like a popup window but is actually an image of a popup window (i.e. there is not actually a Close/Red X button there, there's a picture of one), and if you click on any part of it you're infected. Or for added fun if the webpage was genuinely hostile or compromised instead of just being stupid there could have been an invisible iframe in the page serving out literally anything.

Basically, yes. You could have gotten a virus going to CNN.com these days. A shady site? More possible.

Midelne

Cardboard Box A posted:

Are Adobe Acrobat/Flash seriously the largest vectors of infections now?

Largest on a fully patched machine or largest overall? I think your answers are going to be very, very different depending on which one you mean with so much of the world still vulnerable to every IE exploit under the sun.

Midelne

Doc Faustus posted:

Just got this update at work. I swear to god if any of the users I work with get this I am taking their computers away, for they are too dumb to use them.

I'd be pretty drat concerned about whether I got the whole thing if it's new enough that the scanner doesn't pick it up but sloppy enough that you can just wander in and delete it, even in safe mode.

Midelne

Kelson posted:

There have been a couple, but the vast majority of sophisticated malware (like Conficker) would rather detect the VM then hide / delete themselves to stymie Antivirus/Security researchers.

This. The overwhelming majority of infections are not going to be inside a VM unless they're being studied, and there's no reason for an intelligent virus writer to really want to display their project's behavior to someone who's studying it to find ways to kill it.

VMs, despite being fairly simple to set up, are too conceptually advanced for the average user. I suspect that they always will be.

Midelne

brc64 posted:

McAfee

Speaking of viruses, I hate EPO so much. It doesn't help the dislike that every time I fire up Nessus it paints any system that has EPO installed -- nearly everything in my domain -- bright red for what is purportedly a high-level unpatched vulnerability featuring potential denial of service on the scanner, potential denial of service for the system it's installed on, arbitrary code execution with SYSTEM-level privileges, the whole nine yards.

I guess it's just me, but I figure if you're going to make a crappy product it should at least be easy to work with, and if you're going to make one that's hard to work with it should at least be highly configurable and ultimately function as an unstoppable behemoth for the purpose you have in mind. McAfee/Groupshield/EPO works a lot of the time, but goddamn if there aren't a lot of times it doesn't. I can't imagine working with as many copies of the thing as it's intended to have used at once. I'd spend my entire day dealing with EPO not synchronizing, not updating, not starting up on system startup, not sending props to the main server, not responding to commands from the main server -- something.

Midelne
For the edification of other enterprise admins and frontliners, I have a workstation right now that appears (haven't scanned it yet) to have a cheerful little XP Antivirus 2009 infection. Infection vector was a buffer overflow exploit on a fully patched copy of IE7.

I know how it got infected because McAfee wasn't allowing IE to run on the user's computer -- kept popping up a buffer overflow notice. I disabled buffer overflow protection to get IE temporarily working thinking, "Well, I'm fully patched and I haven't seen any IE exploits reported in the wild on SANS, should be okay for a little while". Start up IE and hello popups. :sweatdrop: McAfee catches the exploit but not the file causing it.

Will update with any details I find, but I really hope we don't have a new IE7 exploit in the wild.

edit: It's not XP Antivirus 2009, just some generic Trojan.BHO that looked a lot like it. Still concerned about that buffer exploit though, wish I had more details on the mechanics of what I watched.

Midelne fucked around with this message at 20:39 on Mar 2, 2009

Midelne

Kelson posted:

Any chance you've got a browsing history or 'suspicious' cache items?

User browses primarily news sites, with a couple of very regular dieting sites (one of my top 15 bandwidth users, shows up on the logs almost daily) and almost no variation in what they do, how much, or where. Very, very consistent and I'm inclined to believe them when they say that they didn't go anywhere unusual.

MalwareBytes pulled out five registry entries tagged with Trojan.BHO and four files that were tagged with something even less specific that escapes me. I don't think any of the files were in Temporary Internet Files.

Either way, I deleted everything in every temp directory everywhere and all the system restore points just as a matter of common courtesy, so I don't think there's much left to work with. If the infection persists, I'll take a deeper look.

Midelne

Elected by Dogs posted:

Does IE autorestore tabs on re-execution?

Depends on what you tell it to do when closing it in a situation involving tabs for the first time, I believe. In this case, no.

Midelne
Adobe PDF Vulnerability - No Click Necessary

Proof-of-concept code is out demonstrating that it is possible to utilize the recent Adobe exploit in such a way that it can be triggered by hovering your mouse over the PDF.

If you've ignored PDFs, now is a freakin' excellent time to stop.

Midelne

m2pt5 posted:

Edit: Oh, you actually have to have Adobe's PDF reader installed to get hit by it. Good thing I only have Foxit reader.

Yeah, good thing.

By the way, go patch your buffer overflow and glaring security oversights. My favorite:

quote:

SUMMARY
If an action (Open/Execute a file, Open a web link, etc.) is defined in the PDF files and the trigger condition is satisfied, Foxit Reader will do the action defined by the creator of the PDF file without popping up a dialog box to confirm.

Midelne
And because I'm impressed, this is the result of what the new FakeXPA variants do to your HOSTS file, courtesy of Microsoft's Malware Blog:



Misspell "antivirus"? Well, no worries, Microsoft apparently guessed what you were looking for and gave you relevant results anyway! Let's click on one of those links, since we've been getting annoying popups lately asking us to get an antivirus software and these look like reputable sites. I've heard of CNet, let's try them.



Well, here we are at .. Cnet? Wow, high reviews, I better click this.

For reference, the original review:


These guys continue to be smart as hell about how they present the social engineering portion of their product. Public service reminder to the people around you that aren't technologically inclined -- you can't trust something just because it came from a trusted source, not anymore. I expect to see this all over the place in the near future.
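The FakeXPA post above is about a HOSTS file being used to send search and download-site names to an attacker's server. As an added example (not from the thread and not from Microsoft's write-up), here is a small checker for the two ways a tampered HOSTS file gives itself away: a watched name mapped to a routable address (the fake CNET page) and a watched name mapped to loopback or 0.0.0.0 (a vendor's update server quietly blackholed). The sample file contents, the `vendor-av.example` name and the `WATCHED` set are constructed for this example; the Windows HOSTS path is the real one.

```python
import ipaddress

# Constructed sample of a tampered hosts file for this example; not a capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
1.2.3.4   www.cnet.com download.cnet.com   # fake review pages
1.2.3.4   www.google.com
127.0.0.1 update.vendor-av.example          # update server silently blocked
0.0.0.0   ads.example.net                   # ad blocking: not a watched name
garbage   not-an-ip-line
"""

# Names that should never be remapped on a workstation. Example set only;
# populate it from the vendors and sites your estate actually relies on.
WATCHED = {"cnet.com", "google.com", "microsoft.com", "vendor-av.example"}

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping, skipping comments,
    blank lines and lines whose first field is not an IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed; a production tool would report it
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def is_watched(hostname, watched=WATCHED):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == w or hostname.endswith("." + w) for w in watched)


def hijacked_entries(text, watched=WATCHED):
    """Return sorted [(hostname, ip, kind)] for watched names in the file.

    kind is "redirect" for a routable address (traffic sent elsewhere) and
    "blackhole" for loopback/unspecified (the name is being silently broken).
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append((name, str(ip), kind))
    return sorted(findings)


def scan_file(path=WINDOWS_HOSTS, watched=WATCHED):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return hijacked_entries(fh.read(), watched)


if __name__ == "__main__":
    for name, ip, kind in hijacked_entries(SAMPLE_HOSTS):
        print(f"{kind:9} {name} -> {ip}")
```

On a clean workstation the only mappings should be the loopback ones for `localhost`, so on a managed fleet it is simpler still to alert on any non-comment line beyond those; the watched-name check is for environments where the file is legitimately used for a few internal names.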
