11 replies to this topic

[Kenny]

i got this nasty little get a few days back ...

i downloaded a malware deliberate to my system to take a closer look after a friend and member here got it on their computer and was stumped how to clean it...no names mentioned

anyway after looking it over scanning etc and reports came back as a trojan...(it was in the form of a keygen).. Trojan.FakeAlert !

so decided to rename and delete...

now the clever trigger bit was RIGHT click select delete...that's what opened it ...in other words if you download to a folder...any form of mouse click gesture will activate it...sneaky left or right click

the keygen was downloaded from getsoftdownload.com if any software comes from that site you bet its infected... google the site

example:

http://safeweb.norto...oftdownload.com

don't trust anything from them..google reports show how active they are

http://www.google.co...q...earch&meta=

it spawned a hidden txt file called k.txt and has a vbs attached to it... it then opens up numerous urls saying your computer his unstable... every time you click on a folder etc or open a browser it opened at site link ...to porn , videolinks , usual shit... in the end i tracked it down to the k.txt and ran
Malwarebytes Anti-Malware program to clean the pest..

http://www.malwarebytes.org/mbam.php

it wrote to the registry , dropped dll's in the system32 folder , opened browser went to various websites , tried to download some cleaning tool obvious a virus or backdoor etc ... re-spawned on every boot-up... lol kept me busy for an hour watching and tracking changes it made

bleeding pests grrrr

Malwarebytes DID clean it up...so is a handy tool to have just in case you come across it by accident...better safe than sorry

a more detailed info on this trojan is here:

http://www.threatexp...41-ad8f21a59bdc

anyway just pointing out a bit of interest and a warning if you come across them

[Edu]

hmmm thanks bud.. I hope u did it in a virtual machine cause some malwares leaves traces or open attack vectors in the system so that next time they can easily re-infect. they may leave a driver for example or alter the registry so one of the dlls it dropped to the system dir gets loaded by an important process such as the System or winlogon.exe. the attack vectors they may open can be changing the security settings of the computer and run legitim applications like telnet server for example and create a hidden user account.

another great tool I recommend is process explorer and autoruns from sysinternals (downloadable from Microsoft website)

about u getting infected by only right clicking the file, I would guess it is exploiting a flaw eg. a buffer overflow in windows explorer or maybe the system had its settings altered so to run something upon right clicking or deleting some types of files.

[Baphomet]

another great tool I recommend is process explorer and autoruns from sysinternals (downloadable from Microsoft website)

And the Ghost Security Suite, it gives you a good heads up about changes in the registry and driver installations.

[webdevil]

now the clever trigger bit was RIGHT click select delete...that's what opened it ...in other words if you download to a folder...any form of mouse click gesture will activate it...sneaky left or right click

I wanna have a look, do you think all the stuff at getsoftdownload.com is infected with this?

[GhostShell]

This is a really tricky thing I was infected a few weeks ago by the same thing.
I can second that claim that you don't have to click on anything.
I think it was some rogue file that I was deleting and it fuckin executed itself,
it wasn't very visible either other that it bugging the hell out of me about buying rogue anti-spyware software.
I got rid of it the very same way BTW Malwarebytes.
I am very glad you wrote something on it cause ATM I was lost cause info on the web was vague.

[Kenny]

@edu... thanks for advice edu...will double check for file changes and dates and times... just to be sure no bytes have been added

@webdevil...am not sure .... pretty sure if you download some from them then its bound to have that keygen , waiting to hear from him what program he downloaded

@ghostshell..yup for a small program it sure spawned a lot of hassle...glad you got rid ...but one to note for future reference if anyone comes across it defiantly a tricky one if you don't know what your doing....simple solution don't download warez with keygens your unsure of ..and make sure your running a AV/Trojan scanner in real time if you do ... then again it might be an undetected Trojan/Virii be warned..

[Edu]

@Ken
my pleasure here mate
u know, some programs modify files date creation / time to to try and trick people into thinking they were there before, etc.

Running the tools I mentioned (autoruns) will show ya what is starting with your system (even if the file got deleted, but the registry entry didnt and it will show up) and process explorer shows u detailed info about running processes, such as the strings, command line, user account used to run it, DLLs loaded... yeah Dlls can be loaded by important system processes and process explorer makes us the favor to list them all, show their description plus company name (all u gotta do is click the process explorer window and press CTRL+D) then you scan your running processes to see if there´s a DLL related to the malware there. if u had previously installed firewall/anti-virus/anti-spyware/etc u may see a trace they usually leave behind : a Dll that still gets loaded by critical processes (not usual though). btw they dont necessarily got to have the .dll extension. if u find something weird and have trouble removing it let me know.

a tip : some DLLs have a function called DllCanUnloadNow, so calling this will unload the Dll from the program´s memory and u will be able to delete it. (u may use Rundll32.exe to execute the function)

[Kenny]

thanks once again edu..pretty sure all is normal .. i do have a couple of programs running to check on things

HttpAnalyser and X-Netstat pro... at the moment to monitor incoming and out going packets just to double check am clean...nothing out of the norm has happend

also loaded a snapshot of running processes to compare all is fine... nothing has changed or hidden and running . but if something does send a running command then am alerted to that process and process tree if need be to kill any illegal activity

[GhostShell]

I hope anyone who searches google for this infection finds us.
cause the info you wrote is alot more helpful than those spyware forums.
all those places that are just as bad as the damn infection in my opinion.
they don't want to help you till after you buy their shit.
taken into consideration there was one really good helpful one.
thats the net though 1000 bad sites, 1 pure gold.
that infection it was horrible i haven't had anything like that since i was a complete beginner.

PeAcE!

[Edu]

@Ken

ah good everything is just fine at your end. it is always good to monitor network activities, so to intercept illegal/undesirable stuff. the only thing is the possibility of having a stealth rootkit hidden in the system. and when we talk about programs running in kernel land, the story is a bit different, as they may bypass some security or monitoring programs....guess I am being too paranoide lol. Currently I only access warez sites and download their stuff in virtual machines so no harm can be done to the host computer unless it exploits a bug within the virtual machine software, but that would be very unlucky hehe.
cheers mate

@ghostshell

yeah that´s marketing, they want people to buy their craps. unless it is a very stealth rootkit, usually removing malwares is not very hard and u can create an automation script/program in like 1 hour or a bit more or less hehe.
that´s because they usually have a default behaviour, like copying files over the system (specially to system dir, they love to do it lol) injecting dlls into trusted applications and add startup entries. if u can find the startup entry in the registry, it is basically game over. time to find new startup methods

[Crash 0verride]

Next time is your downloading "War3z" as a safe assurance use a well known site to get your stuff like Piratebay? Deminoid? AlienWa3z? PakWar3z? ect. Get the picture I have never heard of this site and that is why my systems wasn't effected by my brother's pirating frenzy.

[guerillagardens]

Those are quite common, the downloads-by-mouse-click warez - usually it's just javascript commands that are responsible (just have the mouse clicks, or other events, trigger a download).

There are a lot of kernel level rootkits about, so it's not that para to be wary of them. Some malware can monitor processes too, and know when they're being scanned for - so they wait until they aren't.

I wouldn't be surprised if they start or already can traverse and recognise virtual machines too - as if software can detect if it's running in a VM (which it can), then so can malware. How they detect it depends on what kind of VM it is, eg some separate off privileges in terms of the ring layers, so it looks to see what layer it is at.

- if you want to download warez (can't believe I'm using that term in a post, it's what happens when you start out using stuff like 'lol' and it's all downhill from there) then one way to be relatively safe is to use a linux or non-Windows OS, as most of them exploit Windows (just because most people use it, as opposed to having something against it). Not all though - it's a relatively safe way, other than for browsers. If it's a browser exploit, then also use a VM if you want to look at those. Best using a VM guest of a different OS to the host OS.

I've been getting some fake bank login request emails, and one of my favourites was a page for a well known UK bank that had a section on phishing there, and about how you shouldn't use faked websites to enter personal info into.

One thing I'd like to do, is build a really blingy PC to use as a 'biohazard repository'. You know, with a cut-out on the case side with a biohazard symbol and bright green watercooled liquids bubbling behind it. That kind of thing. And name it Infector. And use an OS that doesn't support any of the compiled file formats.