Friday, 17 October 2008

Intruders

On the 12th of October, I inadvertently turned off my firewall/antivirus for a few minutes. The result, as you can imagine, is that I got infected, not me, my computer, by a series of weird diseases, all grouped in the same package, or probably the result of the same original sin. My firewall started shooting scary messages like the one in the picture. The funny thing is that when I clicked on "enable protection", it would just send me to a page telling me to buy antimalware/antivirus software from two different brands. To buy an antivirus I didn't even know?! I thought it was really weird. And scary, given the nature of the messages popping up on my screen. So I took note of the names of the trojans, and after digging around the net here's what came up.

Trojan-Clicker.Win32.Tiny.h
Trojan-Spy.Win32.GreenScreen
Trojan-Spy.Win32.KeyLogger.aa
Trojan-Spy.Win32.Agent.bq
Trojan-Spy.HTML.Bankfraud.dq

Trojan-Clicker.Win32.Tiny.h Description
Trojan-Clicker.Win32.Tiny.h is an imaginary Trojan name used to threaten and trick users into buying the rogue anti-spyware application PC Antispy. The user gets infected after downloading the video codec that infects the computer with a nasty Trojan. This Trojan then displays a fake "Windows Security Alert" message which recommends downloading software (most probably PC Antispy) to resolve the issue. The message reads:

"Windows Security Alert
To help protect your computer, Windows Firewall has detected activity of harmful software. Do you want to block this software from sending data over the internet?
Name: Trojan-Clicker.Win32.Tiny.h
Risk Level: CRITICAL
Description: This is spy trojan that installs itself to the system, hides itself and then captures screen images and saves them to disk files in encrypted form. Thus it allows to a hacker to watch screen images."

PC Antispy, or whatever software the fake Trojan-Clicker.Win32.Tiny.h alert message recommends, will not fix your PC but might actually expose you to more security threats.
from "http://www.spywareremove.com/removeTrojanClickerWin32Tinyh.html"

PCAntispy, also known as PC-Antispy and PC Anti Spy, is a rogue anti-spyware program that sells itself as a spyware removal superhero under the slogan: "Protecting Against Intruders". Ironically, PCAntispy is an intruder itself. PCAntispy is a clone of PCAntispyware and will use any means necessary to lure you into buying the full PCAntispy program.

Zlob Description
It is a backdoor designed to give the attacker remote control over a compromised PC. It changes essential computer settings and modifies certain files. Zlob starts automatically on every Windows startup and hides its activities by injecting code into explorer.exe. It waits for remote connections and allows the attacker to download and install additional software, execute certain commands and manage the entire computer. Zlob can be very dangerous. Use antivirus and malware removal tools in order to get rid of this spyware.
from "http://www.spywareremove.com/removeZlob.html"

Trojan-Clicker.Win32.Tiny.h
This Trojan opens a range of web pages without the knowledge or consent of the user. It is a Windows PE EXE file. It is 5120 bytes in size. It is packed using FSG. The unpacked file is approximately 23KB in size.

Installation
The Trojan adds a rule to the Windows Firewall which permits any network activity caused by the Trojan.
from "http://www.viruslist.com/en/viruses/encyclopedia?virusid=108900"

Trojan-Spy.HTML.Bankfraud.dq (Kaspersky Lab) is also known as: Phish-BankFraud.eml.a (McAfee), Trojan.Bankfraud (Doctor Web), HTML.Phishing.Bank-1 (ClamAV), HTML/Bankfraud.gen (Eset)
from "http://www.viruslist.com/en/viruses/encyclopedia?virusid=75870"

First off, never trust a bug that tells you to buy something to get rid of it. It's always a scam, extortion to be exact.

Run the McAfee free scan and see exactly which virus you have and list it out here. If the one you think you have is "Trojan.spy.html.bankfraud.dq" you need to dig a little deeper. That trojan was targeted towards a specific bank's customers (unless you are a Regions bank customer).

I would run MSCONFIG and stop/disable all programs you do not recognize, then reboot and perform another scan. Then go to TrendMicro.com and research each one of them. Trend is pretty good at giving the manual removal workaround.
from "http://answers.yahoo.com/question/index?qid=20080728223233AAzKkOh"

I checked a few forums, all saying to download such and such software, which I did for a few, but after running them, nothing could be found, desperately. On one of the forums, someone had the idea (I've lost the address of that source, forgive me) to check all files created and modified during the last two days in the System32 folder in Windows, you know, with the search tool (or find, on other OSes). In the list that came up, there was something called "juxslopm.exe" which caught my attention; well, that's a very strange name that I've never come across before. At first, I could not delete it, which would have been a quite risky solution if my suspicion had proved wrong. So I changed its name to C:\Windows\System32\juxslopmOld.exe and left it for a while. After a few hours, the creepy messages were gone, and all was back to normal. So I assumed that was my culprit, I moved it to my desktop, and now it allows me to delete it. And more, my antivirus (AVG) has recognized it and accused:
trojan horse generic11.azou
process Name: C:\Windows\Explorer.EXE
Process ID: 3440

too late, I did it first. I still don't understand why it took so long to identify the trojan. It's still on my desk, where I can see its dead corpse, yeah, I feel like a bounty killer.
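The check that turned up juxslopm.exe, listing what was created or modified in System32 over the last couple of days and eyeballing the names, is worth scripting. What follows is an added example written for this page, not code from the post or from any of the vendors quoted above: it scans a directory for executables touched within a time window, compares each name against a known-good baseline, and flags dropper-style random names like "juxslopm". The temporary directory, the file names and timestamps in it, and the baseline set are all constructed for the demonstration; on a real machine you would point it at C:\Windows\System32 and build the baseline from a clean install of the same Windows build.

```python
"""Triage of recently created/modified executables in a system directory.

Added example for this page.  The sample directory built by
build_sample_dir() stands in for C:\\Windows\\System32; its file names,
timestamps and the KNOWN_GOOD_STEMS baseline are constructed for the demo.
"""
import os
import tempfile
import time
from typing import List, Optional, Tuple

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".com")
VOWELS = set("aeiouy")

# Assumed baseline: file stems you expect to find in the directory, taken
# from a clean machine of the same build.  A real list runs to thousands of
# entries; this one only covers the sample files used below.
KNOWN_GOOD_STEMS = {"kernel32", "notepad", "svchost", "explorer"}


def looks_random(stem: str) -> bool:
    """Heuristic for dropper-style names such as 'juxslopm': a run of at
    least six lowercase letters with few vowels and none of the digits or
    separators vendors usually put in file names.  It is a prioritisation
    hint, not a verdict (a legitimate 'svchost' also scores low on vowels),
    which is why the baseline is consulted first."""
    if len(stem) < 6 or not stem.isalpha() or not stem.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return vowel_ratio <= 0.3


def recent_executables(root: str, days: int = 2,
                       now: Optional[float] = None) -> List[Tuple[str, float, str]]:
    """Return (name, age_in_days, verdict) for executables under `root`
    whose timestamps fall inside the last `days` days, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for entry in os.scandir(root):
        if not entry.is_file() or not entry.name.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        st = entry.stat()
        # Explorer's "modified" column is st_mtime.  Its "created" column is
        # st_ctime only on Windows (elsewhere st_ctime is inode-change time),
        # so creation time is consulted only there.  Malware commonly
        # back-dates mtime, which is why creation time is worth keeping.
        stamps = [st.st_mtime] + ([st.st_ctime] if os.name == "nt" else [])
        newest = max(stamps)
        if newest < cutoff:
            continue
        stem = os.path.splitext(entry.name)[0].lower()
        if stem in KNOWN_GOOD_STEMS:
            verdict = "baseline"
        elif looks_random(stem):
            verdict = "suspicious"
        else:
            verdict = "unknown"
        hits.append((entry.name, (now - newest) / 86400, verdict))
    return sorted(hits, key=lambda h: h[1])


def build_sample_dir() -> str:
    """Constructed stand-in for System32: four files with chosen mtimes."""
    root = tempfile.mkdtemp(prefix="sys32_")
    now = time.time()
    sample = {
        "kernel32.dll": now - 400 * 86400,  # old system file, outside the window
        "notepad.exe": now - 3600,          # recently patched, in the baseline
        "juxslopm.exe": now - 2 * 3600,     # the dropper name from the post
        "README.txt": now,                  # not an executable, ignored
    }
    for name, mtime in sample.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # placeholder content, not a real PE
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for name, age, verdict in recent_executables(build_sample_dir()):
        print(f"{verdict:10} {age:6.2f}d  {name}")
```

A "suspicious" hit earns a closer look, not an immediate deletion: check the file's digital signature, and check whether it appears in the Windows Firewall exception list, since the Kaspersky entry quoted above notes that the Trojan adds its own allow rule. Renaming the file rather than deleting it, as the post does, keeps the change reversible if the guess turns out to be wrong.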
Conclusion: they infect me and then offer to cure me, my computer actually, I'm still all right. That's a bit sci-fi, but probably a good marketing strategy for those who are not informed, or can't afford to inform themselves. Those guys who are selling the miraculous software should get in trouble for doing that.
