How did I get the XP AntiVirus 2008?
Date: Thursday, July 03, 2008 @ 11:58:46 UTC
Topic: What do we know?


One of the computers in our household picked up a drive-by malware infection recently. This particular infection is one of the well-known backdoor Trojans that arrive by exploiting browser security flaws from a web site that would otherwise seem harmless. The web site in question had already been compromised through a SQL injection attack on its server, which altered its pages so that they framed the original content and carried malicious JavaScript.

The computer in question was running Windows XP Service Pack 2, in a non-administrative account, with a 20-day-old Symantec Antivirus 7.x virus definition list.

Why would anyone bother? In this case, the software that was loaded had all sorts of capabilities. It was malware, spyware and blackmail-ware in one blended threat. One piece attempts to open a back door on your computer so that it can be controlled as part of a botnet. A botnet can be used to generate internet traffic for denial-of-service attacks, to send spam email, and to deliver further malware. Another piece brings in software that pops up and attempts to blackmail you into buying it so that your computer will continue to work.

Here is what happened. The user of the computer, whose name shall not be used, surfed to a site owned by the National Park Service called livetheriver.org. The infected Apache web server had a text substitution script that was attempting to force browser clients to run a script file called ngg.js. The infected Apache/Linux servers most likely have been hit with SQL injection attacks. Web sites that build their pages from database content are susceptible: once a SQL injection attack writes a script tag into the stored text, every page the site generates from that data serves the tag to visitors. The infected web servers then help to propagate malware to Windows-based client computers. In this case, our computer's Internet Explorer loaded and ran the script.

Once run, a number of pieces of malware were loaded on the PC. This included the ASPROX Trojan proxy server, the BraviaX downloader, and the beep.sys rootkit. Once BraviaX started, it loaded the XP Antivirus 2008 software. Once XP Antivirus 2008 started, it warned that there was a spyware infection and told you to send your credit card information to some company in the Ukraine. The ironic part is that it IS the infection. It reminded me of Syndrome, the antagonist in the movie The Incredibles. Syndrome sends a robot to destroy the city, then appears to fight the robot to save the city.

Fortunately, the good guys are sticking right with the bad guys. Andy Manchesta has a life-saving program called SDFix: http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm I ran SDFix to clear the malware. I booted Windows XP in safe mode and copied the program from a CD. With beep.sys loaded, you cannot run the anti-CoolWebSearch tool or HijackThis. It knows the name of the program and blocks it from starting. Future versions may also prevent SDFix from running, so you may have to rename the program. Afterwards, I updated the computer to the newly released XP Service Pack 3. I uninstalled Symantec/Norton and installed AVG Antivirus Free version 8. I have been using 7.5 on my Windows Vista system since March 2007.
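The injected-script mechanism described above is the part a site administrator can check for directly. The Python script below is an added example written for this page; it is not from the original post or from any of the tools it names. It runs two checks over constructed sample data: it parses a served page and reports every <script src> that loads from a host other than the site's own, and it walks every text column of a small SQLite database (standing in for the site's real content database) and reports cells that contain a script tag, since stored page text should never contain one. The host names, the injected URL and the database rows are assumptions made for the example.

```python
import re
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture): a page as served by a site whose
# database text has had a script tag appended by a mass SQL injection attack.
# The host names are placeholders chosen for this example.
SITE_HOST = "www.livetheriver.org"
SAMPLE_HTML = """<html><head><title>Live the River</title></head>
<body>
<h1>Welcome to the river</h1>
<script src="/js/site.js"></script>
<p>Paddling information<script src="http://injected.example.test/ngg.js"></script></p>
<script src="//other.example.test/js.js"></script>
</body></html>"""

# A script tag that loads an external file, which is what the injection plants.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_offsite_scripts(html, site_host):
    """Return the src of every <script> that loads from a host other than site_host.

    Relative URLs (no host) are treated as the site's own and skipped;
    protocol-relative URLs (//host/...) are checked like absolute ones.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    offsite = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host is not None and host.lower() != site_host.lower():
            offsite.append(src)
    return offsite


def build_sample_db():
    """Constructed in-memory content database: one clean row, one injected row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    conn.execute("INSERT INTO pages VALUES (?, ?)",
                 ("Trip planning", "Bring a life jacket and a map."))
    conn.execute("INSERT INTO pages VALUES (?, ?)",
                 ("Maps", 'River maps<script src="http://injected.example.test/ngg.js"></script>'))
    conn.commit()
    return conn


def scan_text_columns(conn):
    """Walk every column of every table; return (table, column, rowid, value)
    for each text cell that contains a script tag with a src attribute."""
    hits = []
    tables = [row[0] for row in
              conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
        columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            query = f'SELECT rowid, "{column}" FROM "{table}"'
            for rowid, value in conn.execute(query):
                if isinstance(value, str) and SCRIPT_SRC_RE.search(value):
                    hits.append((table, column, rowid, value))
    return hits


if __name__ == "__main__":
    for src in find_offsite_scripts(SAMPLE_HTML, SITE_HOST):
        print("off-site script in served page:", src)
    for table, column, rowid, value in scan_text_columns(build_sample_db()):
        print(f"script tag stored in {table}.{column} rowid {rowid}: {value!r}")
```

Against a real site, the first check takes the fetched HTML and the site's own host name, and the second is pointed at a copy of the content database. A hit such as ngg.js, or any other off-site script, inside a database field means the injection has already happened: the affected rows have to be cleaned, and the hole closed by switching the site's queries to parameterized statements, or the rows will simply be re-injected.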
I ran a scan and it found all the suspect files, including the infected web pages in the browser cache. It also found files in the System Volume Information directory. This keeps on showing up during scans, so I may have to follow up on a way to clear that out. (That directory holds Windows System Restore points, which is why files a scanner finds there reappear on later scans.) I also installed Spybot Search and Destroy, which claims to be able to catch these threats. Note that Opera, Safari, Mozilla Firefox and Internet Explorer all have vulnerabilities that have been exploited by this malware group.

More helpful links:

- Balloon saying "Your computer is infected with spyware" most likely malware: http://www.bleepingcomputer.com/forums/lofiversion/index.php/t134064.html
- So how did I get infected in the first place? http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html
- How the Medichi rootkit works (also using beep.sys): http://www.greatis.com/security/medichi_exe_murka_dat_rootkit.htm
- More about the System Volume Information directory: http://www.theeldergeek.com/system_volume_information_folder1.htm
- More about BraviaX: http://www.cmilner.com/crapware.php
- AVG Antivirus: http://www.grisoft.com (free version 8.0 at http://free.avg.com/)
- Spybot Search and Destroy: http://www.safer-networking.org

This article comes from Group29.com - What did you expect?
http://www.group29.com

The URL for this story is:
http://www.group29.com/modules.php?name=News&file=article&sid=186