Matt wrote in with the following: "It might be a good idea to make end users aware that the fake-antivirus scan / trojan / ransomware people have raised the bar. I'm planning to put together a small educational email to send to my end users." Thanks Matt! Couldn't agree more. Cheers,
Adrien de Beaupre, 353 Posts, ISC Handler
Sep 4th 2009
Whenever I run against a stubborn piece of malware such as this, I usually just boot off of a USB stick with Fedora LiveUSB or drop the hard disk into a separate machine for disinfection. Trying to clean a live OS is just too time consuming.
Anonymous
Sep 4th 2009
I ran into this same virus about a week and a half ago using the name Antivirus Pro 2009. Same M.O., awe-inspiring fake control panel, desote.exe. The variant I was dealing with was completely missed by everything at virustotal, but I was able to remove most of the startup scripts/services/etc. using an XP PE boot CD. Unfortunately, I couldn't prevent desote.exe from reactivating on boot. I removed the rest of it using malwarebytes, but I had to resort to renaming all of the MBytes *.exe files to *.com. It worked, and I was able to kill the rest of the virus by hand. I played with it for a week and every time I rebooted the VM, the files had a different name, checksum, and were in different locations. Also, the AV software would update and start catching this thing, but by the following day it had changed enough that the files were being missed again. (I was scanning the VM's drive from a different VM, and rolling it back after each scan.) Not sure how we can fully protect users from this, but if anyone has any ideas, I'd love to hear them.
Best of luck to anyone else who catches this thing.
Anonymous
Sep 4th 2009
I'm curious, does the user of the infected machine have administrative rights? Would the malware manage to infect the machine if the user had only 'User' or 'Power User' rights?
Anonymous
Sep 4th 2009
Hijacking the EXE handler is not a new tactic. It used to be a very popular way to get the virus running if the autoruns got killed off.
The regkey responsible is: HKEY_CLASSES_ROOT\exefile\shell\open\command. The (default) key should be set to: "%1" %*. If you are unable to change the key, try doing an offline registry edit from a PE or other environment. Open the SOFTWARE hive and look under Classes\exefile\shell\open\command. Otherwise, check the permissions of the key. I've seen more and more malware change permissions on reg keys to lock out DLLs, or disable the Windows Update service. As usual, a reinstall is always recommended, but sometimes that isn't an option. Perhaps we should use their tactics against them and deny all write privileges to some things like the exefile class... I think I will try that out this week.
CCDKP, 1 Posts
Sep 4th 2009
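An offline check for the handler key described in the post above, added here as an example (it is not code from the thread): it parses a `reg export` of the exefile open command, whether taken live or from a SOFTWARE hive mounted from a PE boot environment, and flags a (Default) value other than "%1" %*. The sample exports and the fake-av.exe path are constructed placeholders, not indicators from the thread.

```python
"""Offline check of the EXE-handler key from an exported .reg dump (added example)."""
import re

# Stock (Default) value of HKEY_CLASSES_ROOT\exefile\shell\open\command
EXPECTED = '"%1" %*'
# Matches the section header whether exported live (HKEY_CLASSES_ROOT\...) or from a
# SOFTWARE hive mounted offline under a temporary key (...\Classes\exefile\...)
KEY_RE = re.compile(r'^\[.*\\exefile\\shell\\open\\command\]\s*$', re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"\s*$')  # the (Default) value line of a section

def unescape_reg(literal: str) -> str:
    """Undo .reg quoting of a REG_SZ literal (backslash-escaped quotes and backslashes)."""
    return re.sub(r'\\(.)', r'\1', literal)

def parse_exefile_command(reg_text: str):
    """Return the (Default) string of the exefile open command key, or None if absent."""
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith('['):            # every section starts with [key path]
            in_key = bool(KEY_RE.match(line))
        elif in_key:
            m = DEFAULT_RE.match(line)
            if m:
                return unescape_reg(m.group(1))
    return None

def check_exefile_command(command):
    """Classify the handler: ('ok', None), ('missing', None) or ('hijacked', interposer)."""
    if command is None:
        return ('missing', None)
    normalized = ' '.join(command.split())
    if normalized == EXPECTED:
        return ('ok', None)
    # A hijacked handler usually prepends its own program and keeps "%1" %* so the
    # requested program still runs; report that leading token for the analyst.
    m = re.match(r'^("([^"]*)"|(\S+))', normalized)
    interposer = (m.group(2) or m.group(3)) if m else normalized
    return ('hijacked', interposer)

# Constructed sample exports; the fake-av.exe path is a placeholder, not an indicator.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\OFFLINE\Classes\exefile\shell\open\command]
@="\"C:\\placeholder\\fake-av.exe\" \"%1\" %*"
'''
```

Run `reg export` on the mounted hive's key (or on HKCR on a live system) and pass the file's text to `parse_exefile_command`; anything but `('ok', None)` deserves a look before the machine is trusted again.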
I'd like to see an example of Matt's (or anyone's) educational e-mail for users. Educated users are a good thing.
Bullwinkle, 4 Posts
Sep 4th 2009
I had 2 or 3 incidents like this a few weeks ago. Not getting infected, but getting the fake AV screen. It turned out to be a drive by from wunderground.com ads. I notified wunderground and they were very responsive in getting it cleaned up. I was very impressed.
Jim, 3 Posts
Sep 4th 2009
I have had a couple of customers get this as well. Seems it embeds itself in several ways and changes a lot of security permissions. My most recent variant had several files running called do_not_delete.exe which were the virus. When deleted, the system would no longer finish a login. It would crash and reboot. I do know where they got it from though. LimeWire! I have had too many get things this way. That file sharing service is giving me lots of business, but unfortunately a reinstall is usually necessary now. Too many settings changed that make the infection easier to recur I find, even if it can be defeated and removed. The door is still open...
-Al
Al of Your Data Center, 80 Posts
Sep 4th 2009
Anyone have a link to virustotal or an MD5 of some/all of the involved files?
Anonymous
Sep 4th 2009
I too have been facing similar issues in the IT trenches. I was surprised at the results of some of my personal pen testing that I was able to so easily circumvent most of the popular A/V solutions deployed in corporate networks these days. It was only a matter of time before the bad guys made a run at this.
Why not have M$ use the magic number of a file to determine its association? It would make much of the use of extension association issues completely moot. Of course the associative app can still be hijacked... hhhmmm... Has anyone been able to determine if this variant is sensitive to user rights? (Power User, User, etc.) These are good lines of defense and often keep users in check as well, which is always a good thing.
GuenTech, 16 Posts
Sep 4th 2009
From what Eldorel said, this thing morphs, which affects file names, paths and MD5s as well.
GuenTech, 16 Posts
Sep 4th 2009
After seeing this post, I decided I needed to do a write-up on the single most effective way I know of to defend a Windows computer without making it useless: application whitelisting.
Submitted for your review: https://patrickwbarnes.com/blog/2009/09/defending-windows-with-application-whitelisting/
GuenTech, 11 Posts
Sep 6th 2009
Thanks Patrick, I am going to look into this whitelisting. As we run both Norton and Trend Micro, I have seen these infections 3 times. In some cases I have thought of blocking their internet to prevent it. But this might be better.
GuenTech, 17 Posts
Sep 17th 2009