Gnutella Forums

Thread: A festival of malware in pcsurg.rar (https://www.gnutellaforums.com/open-discussion-topics/34784-festival-malware-pcsurg-rar.html)

sammi March 8th, 2005 01:22 PM

A festival of malware in pcsurg.rar

I had the misfortune of experiencing this firsthand the other day: 3 ISTbar regkeys/values, 4 from media-motor.net (popuppers.com) which targets internet trusted zones (inf from AdAware), & the exe from which all this sprang, rraut.exe (associated with "blue"-something in the registry) & a .txt file, composed of numbers.
Yes, I did click on it. I was lulled into a false sense of security by Limewire dl warnings in the past, & NAV warning about/deleting W32Tibick. Later, it found and quarantined 2 "bloodhound unknown" suspects, deleted DealHelper, & NetOptimizer, failed to delete ISTbar(s), mmxsitessc.exe, gammainstaller.exe.exe.
12 hours later, 2 Norton Antivirus, AdAware, X Clean, Spyhunter, SpySubtract scans (not to mention finding & manually rewriting over them with Norton “wipe info”)! I did another AdAware scan, and found 9 reg keys/values for DyFuCA and about 40 for Backweb lite! Rraut.exe planted itself in my startup group, & gives a reg value, but it's neither findable in the registry, nor on the C drive! If this had been one of my early experiences with file sharing, I would never have gone near it again. Not only would I have been chicken, but I wouldn’t have known enough to have used the arsenal of tools I did to even remove as much as I have! My computer would have been as frozen as the wretched NYC outdoors is today, all the malwares trying to phone home at once!
On one of the googled sites, I saw a reference to an article, which may explain the viciousness & amount of malware in one small download:
” PC World has learned that some Windows Media files on peer-to-peer networks such as Kazaa contain code that can spawn a string of pop-up ads and install adware. They look just like regular songs or short videos in Windows Media format, but launch ads instead of media clips”. The rest of the article can be found at: http://www.pcworld.com/news/article/0,aid,119016,00.asp
Although mine was a .rar which decompressed into an exe, I’m sure that it would be no great stretch to code.

If there is anything to be learned from this (aside from the obvious), it's
1) virus-hunting programs like NAV aren’t especially made for malware, so it's possible that some might slide on through into your computer.
2) Adaware doesn’t keep vigil like virus-monitoring programs do. You actually have to set the scan in motion.
3) NEVER just hit “accept” when AdWatch mentions a pgm is trying to access the registry! True, if you click on the link for more details, it just sends you to the Lavasoft page where they tell you to be careful (the link isn’t specific for each instance). The popup AdWatch box is kind of small and cuts off the end of long entries, so you don’t really have all the inf. And most of the time, the change was instigated by an action on your part. But, when in doubt, CHOOSE BLOCK!

I will never get back the time spent exorcising all this trash, but what might make me feel a little better about this is if someone reads it and avoids the same fate. I probably would get absolutely wickedly cheerful if presented with the writer of this rarbomb, trussed up on a spit (hint… ; ) ). Be careful!

sammi March 8th, 2005 01:49 PM

Speak of the Devil...
 
Here I am, bravely going forth to complete my task (see what happens when you download a trial program from a reputable site like downloads.com, only to find that when you try and use it, the only thing it will say is "trial period expired"?)

Anyway, I was also hoping to run into that nasty rar again *combative look*

I look to my results, and find PC Surgeon Crack, an exe, 263kb. However, it contains a lovely little worm called W32.Tibick.

From Symantec:
W32.Tibick is a worm that propagates through file-sharing networks. This worm also connects to an IRC channel and listens for messages from the attacker.

Also Known As: Worm.P2P.Tibick [Kaspersky]

Type: Worm
Infection Length: 12,820, vary
When W32.Tibick executes, it does the following:

Copies itself as %System%\svcnet.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds the value:

"System Restore" = "svcnet.exe" to one of these registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Creates a folder named %Windir%\msview and copies itself as multiple file names (here they name all sorts of files one might find at a file sharing site).
Modifies the settings of various file-sharing applications, if present, to use the newly created folder as the default sharing folder. This applies to the following applications:

Kazaa
iMesh
Morpheus
wareo
eMule
DC++


The worm may also update itself when a new version is available.

This seemed familiar, so I looked at my incomplete dl's - it was the file responsible for the W32.Tibick I mentioned in my 1st posting! Here it is, just lurking & waiting for another victim!

I blocked the sender, 208.191.143.130. In 2 days time, even the densest of people would have noticed the changes (mentioned above), in their system. Several of the anti-malware, antivirus pgms I used were free ones on the web. There really is no excuse for ignorance in this matter!

I don't understand deliberate, casual cruelty, especially to those who you have never even met. Is there any other way a worm-bearing file could still be around 2 days later, unless it's deliberate?
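The Symantec writeup quoted in the post above gives three host-level indicators for W32.Tibick: the dropped %System%\svcnet.exe, the "System Restore" value under either Run key, and the %Windir%\msview decoy share folder. The script below is an added example (not from the forum post, Symantec, or Lavasoft) that checks a Windows host for exactly those indicators and reports them without deleting anything. It assumes a modern layout where %System% is $env:SystemRoot\System32; the 95/98/Me and NT/2000 paths Symantec lists are not checked.

```powershell
# Added example: read-only check for the W32.Tibick indicators quoted above.
# Assumes %System% = $env:SystemRoot\System32 (Windows XP and later layout).

$findings = @()

# 1. Persistence: Run value "System Restore" whose data references svcnet.exe
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        $entry = $props.PSObject.Properties['System Restore']
        if ($entry -and ($entry.Value -match 'svcnet\.exe')) {
            $findings += "Run value 'System Restore' = '$($entry.Value)' under $key"
        }
    }
}

# 2. Dropped copy of the worm in the System folder
$svcnet = Join-Path -Path $env:SystemRoot -ChildPath 'System32\svcnet.exe'
if (Test-Path -Path $svcnet) {
    $hash = (Get-FileHash -Path $svcnet -Algorithm SHA256).Hash
    $findings += "File present: $svcnet (SHA256 $hash)"
}

# 3. Decoy share folder %Windir%\msview filled with copies under tempting names
$msview = Join-Path -Path $env:SystemRoot -ChildPath 'msview'
if (Test-Path -Path $msview) {
    $count = (Get-ChildItem -Path $msview -File -ErrorAction SilentlyContinue | Measure-Object).Count
    $findings += "Folder present: $msview ($count files)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Tibick indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM key and the System32 folder are readable. Any hit is worth a full scan with a current antivirus product rather than manual cleanup, since the writeup also notes that the worm rewrites the share-folder settings of Kazaa, iMesh, Morpheus, eMule and DC++, which this script does not inspect.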

