Same virus got me twice in less than 24hr period

[wseyller]

XP Antivirus 2010 - this one seems a little more annoying than its predecessors.

Was a weird conquincidence....first last night on my personal PC I got this virus. Went to the wrong web page at the wrong time. My antivirus pops up & also an evil dialog box claiming I have infections all over my pc. Normally when I see something like this I have a reflex and my finger goes to hold in the power button before it can execute to the point of infection, but it didn't help.

I got rid of it with Malwarebytes which orginally would not run in XP due to the virus locking my exe files down. I had WIN7 also installed so I booted into that to run Malwarebytes to scan all partitions.

Now it is gone except all files with .exe would not execute. Dialogs would pop up asking what program to open it with. At first I didn't figure out how to fix that I just reinstalled windows xp.

Now I go to the office the today and the guy in shipping dept says, "hey you need to come look at my computer" (He is probably downloaded torrents or something). He had the same crap. I fixed it like before except I had to use safemode to scan. Of course .exe files would not execute, but I didn't want to reformat this computer unless it was a last resort. I was able to run regedit by putting the text "regedit.exe" inside a notepad file and renaming it with a .bat extension. Of course this is a good way to run any .exe file in this situation but only a good temporary fix imo. I change some values in the registery and fixed that issue.

 

[jackofalltrades]

Did you use Rkill before you ran mailwarebytes? because then you could run mailwarebytes with no issues.

 

[wseyller]

No but I read up on it and seems interesting. I will add it to my list of antivirus/spyware tools.

 

[Lemon law]

I have two things to say.

1. The fact that your PC lacks a defense against this virus is a wake up call to you. You need a better active anti-virus to start out with. The fact that you had to remove it after it installed means your active antivirus failed to detect and arrest it before it installed.

2. There is a variety of anti malware software loosely called process control programs, that will seek your permission before allowing any new software to be installed, and almost any of them could have saved your butt, if any of them popped up and asked you, do you want to let this virus to install, yes or no? Even something like tea timer in spybot search and destroy might have done the trick. Then there is winpatrol, system safety shield, and many others. And because I use the comodo firewall, it also would have popped up if your rascal even got past my HIPS and HOST files.

 

[wseyller]

I had avira free addition installed. I do agree what you are saying. Avira pops up and ask me what to do. I can quarantine, delete, ect. A new one pops up right after and I end up having to do it 50 times or forever. I detects it but it didn't do anything to prevent it. I seen the same behavior in AVG free edition. Thanks for the info. I do need to look into to better security tools.

 

[Lemon law]

I had avira free addition installed. I do agree what you are saying. Avira pops up and ask me what to do. I can quarantine, delete, ect. A new one pops up right after and I end up having to do it 50 times or forever. I detects it but it didn't do anything to prevent it. I seen the same behavior in AVG free edition. Thanks for the info. I do need to look into to better security tools.

--------------------------------------------------------------------------------------------------

I too use avira personal, maybe I never hit the secret square to get this rather old virus, maybe its because I tick expert mode in avira, or maybe its because I have a wide variety of HIPS and HOST files plus a strong software firewall. But for what its worth, that particular virus never got into my PC to trigger any avira or process control warnings.

Perhaps, that particular virus is exploiting some unpatched vulnerability in your PC, undone windows patches, buffer over runs, obsolete or unsecured programs, or active X controls to name but a few. I only use the internet explorer web browser for windows updates, the rest of the time I use Firefox or Seamonkey. Secunia is a great web site to check for your PC vulnerabilities. You can do their on line scan or use their downloaded OSI tool which I now use.

But IMHO, Avira personal is perhaps the best freeware AV on the planet with Avast 5 only a hair behind.

 

[Oakenfold]

I had avira free addition installed. I do agree what you are saying. Avira pops up and ask me what to do. I can quarantine, delete, ect. A new one pops up right after and I end up having to do it 50 times or forever. I detects it but it didn't do anything to prevent it. I seen the same behavior in AVG free edition. Thanks for the info. I do need to look into to better security tools.

Was AntiVir guard enabled? If it wasn't....you can right click on the app icon in the taskbar and inspect it to see if there is a check mark indicating it's on.

 

[Lemon law]

I very much doubt Oakenfold is on base, if Avira antivirus guard was user disabled, windows security center would immediately pop up saying you have no anti-virus protection.

But I may be assuming a windows OS and that our OP is running only one and only one active antivirus. If our OP is running two or more active anti virus programs, always foolish on any PC, windows would not always pop up a warning.

 

[wseyller]

yes is was definately enabled. In fact avira would pop up with the warning asking what to do, such as delete or quarantine, etc. Also I check the box to remember action for that file.

When in IE8 and virus starts to work you are not able close out IE8 the normal way. It won't let you go to any other tab. Only way to close it is task manager or power the pc off. But even if you choose delete or quarantine a new one pops up with a trojan of a different name or a different file name anyway. When I click delete or quarantine there is no immediate notification of what happen, except particular avira popup goes away and a new one pops up. I guess I could check the logs to see what actions were taken, but I reformatted since so I don't have the logs to check. This was like and endless loop it seems with the avira popups, so in that case I give up and just shut the pc down with the power button as a quick way to clear everything out of memory. After rebooting I immediately see XP Antivirus 2010 had taken over.

 

[Tbirdkid]

"I very much doubt Oakenfold is on base, if Avira antivirus guard was user disabled, windows security center would immediately pop up saying you have no anti-virus protection.

But I may be assuming a windows OS and that our OP is running only one and only one active antivirus. If our OP is running two or more active anti virus programs, always foolish on any PC, windows would not always pop up a warning. "

Um not always. It truly depends on whether or not another malware/virus had shut down sec center. Thats usually the first place one of these goes.

 

[Lemon law]

I have to concede that Tbirdkid has a point, there are a rare set of real nasties that do these type of things. And worse yet, once security is disabled, they often down load helper applications that instruct your PC to download more even more malware.

All the more reason to have process control, web serf surf using a limited account, and use HIPS and Host Files because if the malware can't install it can't infect.

But the time between initial infection to total malware infestation is sometimes measured in mere milliseconds.

A computer security system has to be all about prevention, prevention, and prevention.

 

[wseyller]

Well so far I think I found a good formulation to prevent most anything hopefully. A good antivirus software which lately I've gone with Avira free edition. To suppliment it I have a registered version of Malwarebytes, and then also I have spybot search & destory.

Avira does it thing to catch most common simple stuff.

Malwarebytes seems to focus on all of the rare or extreme stuff that most other antivirus software doesn't measure up to. With the registered version of Malwarebytes you have the IP blocker and system protection. All the time I see it blocking ip addresses. Going to a torrent site sometimes it goes nuts blocking ips. Also I have it scheduled to update & scan daily. I used Malwarebytes in the past but only used the free functions to fix the aftermath of previous infections.

Spybot Search & destroy: Back in the day I used this app to manually scan for spyware built up from my normal web browsing. I now have installed it the built in tea timer & everything else it includes. It is able to immunize many files dealing with the web browsers and other applications. There is a gazillion options in the advance mode, some that allow me to schedule updates & scans daily. The advance options may intimidate some with little pc knowledge.

In the last couple weeks I literally tried to get my computer infected to fully test it all out. I googled anything I could to accomplish this. This setup would not let me so far.

In my opinion the key element to this solution is Malwarebytes. It doesn't mess around. It is not a replacement for antivirus though. It is a very good suppliment.

 

[RebateMonger]

XP Antivirus 2010 - this one seems a little more annoying than its predecessors.

I've run into variants of this a couple times now with clients. It sucks because you can't run .exe files until you modify that Registry back with a .REG file you create elsewhere. Whatever is loading this seems to be able to install itself with no assistance from a User. Even with Windows 7 running.

 

[Modelworks]

I had avira free addition installed. I do agree what you are saying. Avira pops up and ask me what to do. I can quarantine, delete, ect. A new one pops up right after and I end up having to do it 50 times or forever. I detects it but it didn't do anything to prevent it. I seen the same behavior in AVG free edition. Thanks for the info. I do need to look into to better security tools.

http://sandboxie.com/

Run anything you don't trust 100% inside it , like browsers.

 

[Modelworks]

I've run into variants of this a couple times now with clients. It sucks because you can't run .exe files until you modify that Registry back with a .REG file you create elsewhere. Whatever is loading this seems to be able to install itself with no assistance from a User. Even with Windows 7 running.

It is using the UAC exploit that will be patched in windows 7 Sp1 soon to be released. The exploit has been known for about a year now but no malware was using it until about last month.


http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html

1.1) We select a process signed with the Windows Publisher certificate, such as Explorer.exe.

1.2) We inject code into the selected process and make it run that code on a new thread. (There are no restrictions to doing this so long as the selected process is a peer of ours; i.e. same session(I think?), user and integrity level. Explorer.exe runs at medium integrity and is always running so it's a good target.)

1.3) The injected code creates an elevated IFileOperation object. (If the Win7 defaults are in effect and the selected process is a Windows Publisher one then this does not trigger a UAC prompt.)

1.4) The injected code uses the IFileOperation object to copy FileA to FolderB.

1.5) The injected code launches ProgramC. (Doesn't have to happen in the injected code but doing it there is easier.)

1.6) The injected code waits for ProgramC to finish.

1.7) The injected code uses the IFileOperation object to delete FileA from FolderB. (Cleaning up after itself.)

The second part involves FileA, FolderB and ProgramC.

FileA is actually Win7ElevateDll(32|64).dll, an extremely simple DLL whose source is included. (dllmain.cpp is the only interesting part of the DLL.) This DLL is embedded as a resource inside the EXE and extracted as needed, so that the EXE remains a standalone program.

As soon as anything attaches to the DLL it will:

2.1) Look up the arguments that its host program was run with.

2.2) Run whatever program/command is specified by those arguments.

2.3) Kill the host program.

So if we can trick an elevated program into loading that DLL then we can run whatever we specify with elevation.

 

[mechBgon]

Leo says that if you want to be protected, max out UAC on Win7. But how fascinating... if we use a Standard User account on Win7, UAC is maxed-out by default 🙂

+1 for best practices, eh?

If you go against the defaults and run as a non-admin user or turn UAC up to the Always Prompt level, so it behaves like it did in Vista, then it is no longer possible for code-injection from unelevated processes to bypass UAC prompts. So the advice remains as before:

If you are using Windows 7 and want to be protected against silent elevation then turn UAC up to the highest level.

 

[VirtualLarry]

Is SRP effective in blocking the UAC elevation exploit?

Someone should start a thread detailing how to implement SRP on Windows 7, and compare and contrast AppLocker (Ultimate/Enterprise-only, I think).

I'm going to be bullshit if MS restricted SRP to only the Professional edition of Win7 and up. MS seriously needs to stop removing anti-malware features from the most-used editions of their OSes. It's totally counter-productive to enhancing OS security.

If anything, I would ensure all Windows OSes had SRP, and tout the benefits loudly. Too bad MS isn't that smart.

(Hell, even Intel added NX bit support to ALL of their CPUs, as far as I know, and hasn't restricted that security feature to only their higher-end CPUs, like they did with VT support. MS could learn a thing or two from Intel.)

Edit: Hey, Mech, your SRP guide mentions Vista and Windows 7, but then it goes on to say use the "run" box in the start menu to launch gpedit.msc or secpol.msc. But there's no "Run box" in Win7 home premium, only a search box.
How do I launch those in Win7?

 

[RebateMonger]

Edit: Hey, Mech, your SRP guide mentions Vista and Windows 7, but then it goes on to say use the "run" box in the start menu to launch gpedit.msc or secpol.msc. But there's no "Run box" in Win7 home premium, only a search box.

How do I launch those in Win7?

There's no "Run box" in Win7 Ultimate, either. You can just type "gpedit.msc" into the Search bar and hit enter.

 

[mechBgon]

The site's been updated to fix that. SRP underwent an upgrade with Win7, for those who find such things interesting: http://technet.microsoft.com/en-us/magazine/2009.10.win7security.aspx

AppLocker consists of a service and a kernel-mode driver; its rules are evaluated in the driver, so now the OS really is the enforcer. If for some odd reason you wanted to continue using SRP rules rather than AppLocker rules, at least they're stronger: in Windows 7 the SRP APIs are redesigned to bypass parent processes and hand rule enforcement and binary file verification to the AppLocker service.

The scenario for bypassing SRP involves the non-Admin user being able to run an arbitrary executable they hauled in themselves, which would either involve a loophole location for the file, or Admin rights. On Vista and 7, I'm not aware of any loophole locations that'd actually work (there are a couple on WinXP). Anyhow, I keep meaning to fiddle around with AppLocker, but SRP isn't nearly as hard to deal with as these articles all make it out to be, so hey 🙂

I'm going to be ******** if MS restricted SRP to only the Professional edition of Win7 and up. MS seriously needs to stop removing anti-malware features from the most-used editions of their OSes. It's totally counter-productive to enhancing OS security.

If anything, I would ensure all Windows OSes had SRP, and tout the benefits loudly. Too bad MS isn't that smart.

The bad news is, yes, SRP is only on Professional, Ultimate and Enterprise. The good news is that the Home versions do feature Parental Controls, which appears to accomplish the same end effect:

1) make a Standard User account

2) apply Parental Controls to it

3) choose to ONLY allow the Standard account to run the programs you allow, then hit Check All to whitelist the ones currently on the system (or be more selective if you want).

Result when trying to run .EXEs in unapproved locations:

I haven't done an exhaustive check to confirm it'll restrict every filetype that SRP does, but it was blocking more than just .EXEs. I may add this to the SRP page as an option for the users of the Home version.

 

[Rubycon]

There's no "Run box" in Win7 Ultimate, either. You can just type "gpedit.msc" into the Search bar and hit enter.

Hold down the Windows key and press the R key. 😉

 

[RebateMonger]

Hold down the Windows key and press the R key. 😉

Sorry, but I can only learn one Windows shortcut a month. :-/

My shortcut of the month is "Windows-Pause", which brings up the System control panel in Win7.

But thanks. 🙂

 

[Rubycon]

Sorry, but I can only learn one Windows shortcut a month. My shortcut of the month is "Windows-Pause", which brings up the System control panel in Win7.

But thanks. 🙂

Holy moly I've been using that one since Win95 days!

Then again I use a lot of systems with keyboard only so I have to depend on these shortcuts. (or run NIX) 😱

 

[mechBgon]

The Precious* doesn't have a Windows key 😀



*IBM Model M

 

[Rubycon]

The Precious* doesn't have a Windows key 😀



*IBM Model M

You can remap a key easily.

That fails use a switch.

Some pervs have a panic button that shuts down their computer instantly. Gee I wonder what they would be doing that they would need THAT!!?😱