Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

A frightening tale of computer infection and its consequences

April 29th 2009 in Uncategorized

It all started when I wanted to get more performance out of my video card. I downloaded the latest drivers and they included this virus.

Yep, that one simple act turned into an infection nightmare lasting three weeks. I’m hoping Micky will work out exactly where he got the drivers from, and let us know (as well as warning whoever it is that is distributing the infected drivers).

The entire sorry tale is at www mickyj com / blog htm (link deliberately broken because I’m not sure that I want anybody going there yet).

To save you from the need to visit, I’ll copy Micky’s tale of woe verbatim. Micky’s message to everybody is “Make sure to point out that no matter how cluey you are with IT (I have 20 years experience) these things are getting nasty.”

Reproduced with permission.

“Where have I been for almost 3 weeks? – 26 April 2009 – mickeyj.com

Virux/Virut
Keywords: PE_VIRUX.E-2, PE_VIRUX.C-2, Win32/Virut, Cryp_Virux, W32.Virut, PE_VIRUX.G-1, PE_VIRUX.F

… Offline. I am lucky enough to be one of the two people in Australia/New Zealand to have been infected with a rare strain of the Virux/Virut virus on my home PC. This is according to Trend Micro’s Statistics. If you get this virus, be very afraid. It infected every EXE, SCR, DLL, HTM, HTML, ASPX file (And more). It copied itself to every USB device including my Camera flash cards and USB keys. It infected my Outlook email signatures (So I need to contact people I have emailed), Outlook stationery and more. I started seeing a pattern where infected executable files were about 20 kb larger than the originals and my internet would slow down (Due to incoming IRC connections). It was almost impossible to beat.

If I am like you, I have a whole heap of downloads on my PC that contain all my setup files. That included service packs, video drivers, scanner and printer drivers. All were infected. As I tried to reinstall my hardware I got reinfected. If I plugged in a memory card, I got reinfected. I even found the virus on my media centre and Xbox shared folders. It got everywhere. (Even played with my firmware on my router).

It all started when I wanted to get more performance out of my video card. I downloaded the latest drivers and they included this virus.

I reinstalled Windows XP Pro and all my additions at least 20 times between 26/3/09 – 16/4/09 before I finally got online again. I know this as I can no longer activate my Microsoft software. I have exceeded the install number allowed for a retail version of the product.

I got to the point of throwing out USB keys and starting to install everything fresh, from fresh downloads. Finally, I have myself back up and running (Minus all my data). Both AVG and Trend Micro could not protect me from reinfection. The virus is encrypted. It hides in space within exe files and nothing can detect it due to the encryption. Trend Micro etc can only detect it once the "exe" has started modifying other files. It happens so fast and Trend Micro and others can’t clean it. I think I had 50 infections per second once the virus broke free. The virus targets all files in C:\Windows and C:\Windows\System32 first so basically, Windows becomes one big virus. It becomes especially hard to handle when AVG and Trend Micro start quarantining the virus, removing essential Windows files out of your system so … Your system can’t reboot. I also had the virus in system restore so the OS was completely tainted.

I got to the point where as soon as Trend or AVG triggered, I pressed the workstation’s reset button, shoved in my XP disk and started reformatting. I think my earlier mistake was trying to clean the virus. The more I tried, the more I got infected. I tried the Symantec removal tools and many others. They all did not deal with this particular strain of the virus.

If you see this virus, run away. Be very, very afraid. Format your PC. Get your files back from backups. Don’t trust any files off your old system as the virus is encrypted and could be in any file. Certainly antivirus can detect this virus when it starts running, but by then, it is too late.

The virus detected was:
PE_VIRUX.E-2
PE_VIRUX.C-2
Win32/Virut
Cryp_Virux
W32.Virut
PE_VIRUX.G-1
PE_VIRUX.F

The virus downloaded and installed the following strains:
Virus.Virut.r
W32.Virut.CF
W32/Virut.n
PE_VIRUT.BO.
TROJ_VIRUX.A.

It also downloaded:
TROJ_AGENT.CHB
TROJ_MAILBOT.CN
TROJ_SMALL.NAX
TROJ_AGENT.ZNH

Google blocked my website
Keywords: Google, Website, Harm, iFrame

… And rightly so. I have been hacked. It has been a shocking month for me thus far. My home PC covered in Viruses for the first half of the month, 1 week to breathe and then my website hacked in the second half of the month.

When you Google mickyj.com you get a result that lists "This site may harm your computer" under my website. When you click the link for my website, you get a Google page warning viewers not to go to my website. Obviously I wanted to find out more so I downloaded the code for my website and found 4 iFrame infections had been injected into the code.

I contacted Google Support through their help system, after fixing my website. It took a little bit to explain to them what I found, how I had cleaned it all and how the infection had likely occurred, then they "verified" and "reviewed" my website and it is up again in all its glory. Thanks Google Guys. You were awesome. I was unable to request verification of my website through the web interface as my Domain name holder has some restrictions in place that I could not get around. The Google guys understood this and did an awesome job helping me through their help system. I can’t stress enough how fantastic these guys were. Especially Johnathon at Google. You guys rock.

Website up and running, safe again on the 25th April.

New Wrinkle
Keywords: Twitter, Suspended

Twitter have blocked me for suspicious activity. 26th April Twitter suspended my account. What?? I hope that this is related to the virus I had earlier and can be easily explained and then unblocked. This has not been a good month.

Maybe things will be better tomorrow as it is my Birthday!”
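Micky describes the infector's footprint: it rewrites EXE, SCR, DLL, HTM, HTML and ASPX files, and each infected executable came out roughly 20 KB larger than the original. The check below is an added example (not Micky's code or anything from the original post): it records size and SHA-256 for those file types under a directory, then reports files that changed, with the size delta, so a spreading file infector shows up as a wave of "modified" executables rather than waiting for a signature to fire. Paths and sample files are constructed for the demo.

```python
# Added example: baseline-and-compare integrity check for the file types the
# post names. Not from the original post; the demo files below are constructed.
import hashlib
import os
import tempfile

TARGET_EXT = {".exe", ".scr", ".dll", ".htm", ".html", ".aspx"}

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map relative path -> (size, sha256) for target file types under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in TARGET_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                baseline[rel] = (os.path.getsize(full), _sha256(full))
    return baseline

def compare(root, baseline):
    """Return sorted (rel_path, status, size_delta) for modified/missing/new files."""
    current = build_baseline(root)
    findings = []
    for rel, (size, digest) in baseline.items():
        if rel not in current:
            findings.append((rel, "missing", -size))
        elif current[rel][1] != digest:
            findings.append((rel, "modified", current[rel][0] - size))
    for rel, (size, _) in current.items():
        if rel not in baseline:
            findings.append((rel, "new", size))
    return sorted(findings)

def demo():
    """Constructed scenario: baseline two files, then append 20 KB to the EXE."""
    with tempfile.TemporaryDirectory() as root:
        exe = os.path.join(root, "setup.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)
        with open(os.path.join(root, "index.htm"), "w") as f:
            f.write("<html><body>ok</body></html>")
        baseline = build_baseline(root)
        with open(exe, "ab") as f:
            f.write(b"\x90" * 20480)   # stand-in for an appended infector body
        return compare(root, baseline)
```

The baseline must be taken from a known-clean state and stored off the machine; as the post notes, once the infector is running every file on the box, the baseline included, is suspect.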

For what it’s worth Micky, Happy Birthday!

And… change all your passwords!
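Micky found four iFrames injected into his site's pages. Injected frames are typically off-site, sized to zero, or hidden by style, so they can be flagged mechanically. The auditor below is an added example (not Micky's or the blog's own code): it parses a page and lists every iframe that matches one of those traits. The sample page is constructed; mickyj.com is the site host from the post, and bad-host.invalid is a placeholder.

```python
# Added example: flag <iframe> tags that look injected (off-site src, zero
# size, hidden by style). Not from the original post; sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []   # list of (src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # attribute names are lowercased
        src = a.get("src", "")
        reasons = []
        host = urlparse(src).netloc.lower()
        if host and host != self.site_host:
            reasons.append("off-site src")
        if a.get("width", "").strip() in ("0", "0px") or \
           a.get("height", "").strip() in ("0", "0px"):
            reasons.append("zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, ", ".join(reasons)))

def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes in html that look injected."""
    p = IframeAudit(site_host)
    p.feed(html)
    return p.findings

# Constructed sample: one legitimate same-site embed and one injected frame
SAMPLE = """<html><body>
<iframe src="http://mickyj.com/video.htm" width="400" height="300"></iframe>
<p>content</p>
<iframe src="http://bad-host.invalid/in.cgi?3" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>"""
```

Run it over every HTM, HTML and ASPX file pulled from the server, and treat any hit as a reason to restore the file from a clean copy rather than to edit the tag out.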
