Malware attack through a .rar file & a disabled Task Manager

videobruce

Golden Member
Nov 27, 2001

I recently got hit three times (yes, I know, but please no "why didn't you...") by malware. The third time was just by opening up a ".rar" file. What happened was it disabled Task Manager and put an icon in the System Tray that was a link to an anti-virus site which was actually a virus in itself. My questions are:

1. How can Task Manager be disabled?
2. How can it be re-enabled?
3. How can just opening up a compressed ".rar" file run an executable? I did not run any file within the folder. WinRAR is the program I have used for years (stopped using WinZip many years ago).
4. Can a virus, malware, trojan etc. be anything other than a ".exe" file? IOW, can a .jpg, .txt, .mpg or a .doc (for example) be one of the above?

Anyway, this program did the trick:
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Cleaned up what was added to the system and restored Task Manager.
 

Schadenfroh

Elite Member
Mar 8, 2003
Originally posted by: videobruce
1. How can Task Manager be disabled?
2. How can it be re-enabled?

via the registry

3. How can just opening up a compressed ".rar" file run an executable? I did not run any file within the folder. WinRAR is the program I have used for years (stopped using WinZip many years ago).
Does WinRAR have an autoexecute for certain scripts when the original file is compressed with it? Not sure on that one, I do not use WinRAR.
4. Can a virus, malware, trojan etc. be anything other than a ".exe" file?
Yes, here is a .jpg virus, for example.

Interesting attack there, might have to add it to The Consolidated Security Thread.
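The "via the registry" answer refers to the DisableTaskMgr policy value. The following PowerShell is an added example, not code from the thread or from any of the posters: it checks both the per-user and machine-wide policy keys, removes the value if set, and additionally looks for an Image File Execution Options "Debugger" entry for taskmgr.exe, a second registry-based way of breaking Task Manager that the thread does not mention. It assumes it is run in an elevated session so the HKLM half can be repaired; on a limited account only the HKCU part will succeed.

```powershell
# Added example (not from the thread): audit and undo registry changes that
# disable or hijack Task Manager. Run elevated to repair the HKLM entries.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
    if ($null -ne $entry -and $entry.DisableTaskMgr -ne 0) {
        Write-Warning "Task Manager disabled by $key\DisableTaskMgr = $($entry.DisableTaskMgr)"
        # Deleting the value restores the default (enabled). Setting it to 0 also
        # works, but a leftover policy value is one more thing to check next time.
        Remove-ItemProperty -Path $key -Name 'DisableTaskMgr' -ErrorAction Stop
        Write-Host "Removed $key\DisableTaskMgr"
    } else {
        Write-Host "$key : DisableTaskMgr not set"
    }
}

# Less obvious mechanism: an IFEO "Debugger" entry makes Windows launch the named
# program instead of taskmgr.exe whenever Task Manager is started.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'
if (Test-Path $ifeo) {
    $debugger = (Get-ItemProperty -Path $ifeo -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        Write-Warning "taskmgr.exe is redirected via IFEO Debugger = '$debugger'"
        Remove-ItemProperty -Path $ifeo -Name 'Debugger' -ErrorAction Stop
        Write-Host "Removed IFEO Debugger for taskmgr.exe"
    }
}
```

Removing the value takes effect for new Task Manager launches immediately; no reboot is needed. If the value comes back within minutes, something still running on the box is re-applying it, and the cleanup has to start with that process rather than with the registry.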
 

Madwand1

Diamond Member
Jan 23, 2006
Originally posted by: videobruce
3. How can just opening up a compressed ".rar" file run an executable? I did not run any file within the folder. WinRAR is the program I have used for years (stopped using WinZip many years ago).

WinRAR.exe itself had some vulnerabilities, which were exploited by specifically constructed data files within archives. Some known vulnerabilities have been patched in recent WinRAR releases. It's a changing target: as vulnerabilities are discovered, they'll be exploited, and you may need to apply additional patches to WinRAR, and newer releases could contain additional vulnerabilities.

Originally posted by: videobruce
4. Can a virus, malware, trojan etc. be anything other than a ".exe" file? IOW, can a .jpg, .txt, .mpg or a .doc (for example) be one of the above?

The particular "jpg virus" that was linked was not really a virus; it was more akin to messaging using .jpgs when some vulnerability has already been exploited by a piece of code which continues to run on the host. This sort of exploit can be done using any data file type, but for it to work in the first place, some specific malware code must be installed on your system.

.doc/etc. macro viruses are well-known.

Stop downloading random files, etc., and your problems will reduce greatly.
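One practical check behind question 4 is that the extension says nothing about what a file actually is; Windows picks the handler by extension, but the bytes decide what that handler sees. The PowerShell below is an added example, not code from the thread or its posters: it identifies a file by its leading bytes and flags files whose content does not match their extension. The two sample files are constructed in $env:TEMP for the demonstration (an assumption), one a ".jpg" that actually begins with a PE header and one a genuine JPEG header.

```powershell
# Added example (not from the thread): classify files by magic bytes, not extension.

$signatures = @(
    @{ Name = 'Windows PE executable'; Magic = [byte[]](0x4D,0x5A) }                             # "MZ"
    @{ Name = 'JPEG image';            Magic = [byte[]](0xFF,0xD8,0xFF) }
    @{ Name = 'RAR archive';           Magic = [byte[]](0x52,0x61,0x72,0x21,0x1A,0x07) }         # "Rar!\x1a\x07"
    @{ Name = 'OLE2 compound document'; Magic = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1) } # legacy .doc/.xls, may carry VBA
    @{ Name = 'ZIP container';         Magic = [byte[]](0x50,0x4B,0x03,0x04) }                   # also .docx/.xlsx/.jar
)

# What each extension is supposed to contain; anything not listed is left unjudged.
$expectedByExt = @{
    '.jpg' = 'JPEG image'; '.jpeg' = 'JPEG image'
    '.exe' = 'Windows PE executable'; '.scr' = 'Windows PE executable'
    '.rar' = 'RAR archive'
    '.doc' = 'OLE2 compound document'; '.xls' = 'OLE2 compound document'
    '.zip' = 'ZIP container'; '.docx' = 'ZIP container'
}

function Get-ContentType {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    foreach ($sig in $signatures) {
        $m = $sig.Magic
        if ($bytes.Length -lt $m.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $m.Length; $i++) {
            if ($bytes[$i] -ne $m[$i]) { $match = $false; break }
        }
        if ($match) { return $sig.Name }
    }
    return 'unknown'
}

function Test-ExtensionMismatch {
    param([string]$Path)
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $kind = Get-ContentType $Path
    $want = $expectedByExt[$ext]
    [pscustomobject]@{
        File     = Split-Path $Path -Leaf
        Claimed  = $ext
        Actual   = $kind
        Mismatch = ($null -ne $want -and $want -ne $kind)
    }
}

# Constructed samples: a PE header wearing a .jpg extension, and a real JPEG header.
$fake = Join-Path $env:TEMP 'holiday.jpg'
[System.IO.File]::WriteAllBytes($fake, [byte[]](@(0x4D,0x5A,0x90,0x00) + (@(0) * 60)))
$real = Join-Path $env:TEMP 'real.jpg'
[System.IO.File]::WriteAllBytes($real, [byte[]](0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00))

$fake, $real | ForEach-Object { Test-ExtensionMismatch $_ } | Format-Table -AutoSize
```

This tells you what a file is, not whether it is safe, which is exactly Madwand1's point: a byte-for-byte valid JPEG, Office document or RAR archive is still input to a parser, and a crafted one can exploit a bug in that parser without ever being an executable. The check catches the cheap trick (an .exe renamed to .jpg, or "photo.jpg.exe" shown with extensions hidden); it does nothing against a malformed data file aimed at an unpatched viewer.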
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
It couldn't hurt to

1) run Secunia's online checkup to see if you have a vulnerable version of WinRAR (in which case you can update). List of *known* WinRAR 3.x vulns

2) make sure you have your Data Execution Prevention fully enabled (right-click My Computer > Properties > do this)

3) use a non-Admin account so that even a successful exploit of your software (WinRAR, browsers, media players, IM, etc) is not going to get them anywhere.

4) get some good antivirus software. I'd suggest AOL Kaspersky and make sure you configure it at least to the extent shown in that link.
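The three local checks in that list (a current WinRAR, DEP on, a non-admin daily account) can be audited from PowerShell. The following is an added example, not code from the thread or from mechBgon: it reads the installed WinRAR version from the Uninstall keys in place of the online version check, reports the system DEP policy via WMI, and tests whether the current session holds Administrators membership. It assumes Windows XP SP2 or later, since the DEP property does not exist before that (the original poster was on Windows 2000, where that check simply does not apply).

```powershell
# Added example (not from the thread): audit the hardening items above.

# 1) Installed WinRAR version, read from the Uninstall registry keys (32- and 64-bit views).
function Get-InstalledWinRAR {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        Select-Object DisplayName, DisplayVersion
}

# 2) System-wide DEP policy. Values per Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs only, the default), 3 = OptOut (everything except listed exceptions).
function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn (Windows programs only)'; 3 = 'OptOut (all programs)' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy   # cast: the WMI value is a byte, hashtable keys are ints
    [pscustomobject]@{
        HardwareDEP   = $os.DataExecutionPrevention_Available
        Policy        = $policy
        PolicyName    = $names[$policy]
        FullyEnabled  = ($policy -eq 1 -or $policy -eq 3)      # "fully enabled" as mechBgon means it: covers all programs
    }
}

# 3) Is this session running with Administrators membership?
function Test-IsAdmin {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

Write-Host "WinRAR:"; Get-InstalledWinRAR | Format-Table -AutoSize
Write-Host "DEP:";    Get-DepStatus      | Format-List
Write-Host ("Running as admin: {0}  (a daily-use account should report False)" -f (Test-IsAdmin))
```

The DEP test reports the policy, not whether a given program is covered: under OptIn (policy 2) only Windows system binaries get DEP, so third-party parsers like an archiver or image viewer run without it, which is why the post says "fully enabled" rather than just "enabled".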
 

videobruce

Golden Member
Nov 27, 2001
I ran your link. All it came up with was Adobe Reader, Opera and Flash Player that weren't up to date. WinRAR didn't show, even though it is version 3.6, not 3.62, which I will update.

That Data Protection: I run 2k, this isn't there.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: videobruce
I ran your link. All it came up with was Adobe Reader, Opera and Flash Player that weren't up to date. WinRAR didn't show, even though it is version 3.6, not 3.62, which I will update.
So it's an as-yet-unidentified exploit, perhaps.

That Data Protection: I run 2k, this isn't there.
Ooops, there I go making assumptions :eek:

Where'd the file come from, what file is it? I might DL a copy and heave it into VirusTotal for analysis. Drop me a PM if you want to share that, since posting open links to malware is dangerous.

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: videobruce
So it's an as-yet-unidentified exploit, perhaps.
Anything to make my day.............
Hehe, just because we're paranoid doesn't mean they're not out to get us :D

Oh, and on Windows2000, a Restricted User account is the equivalent of a Limited account on XP or a Standard account on Vista, so if you want that damage-containment capability, you can have it on 2000 as well. LMK if you need a hand setting it up.