|23/02/2008||22:44:04||Jonathan *firstname.lastname@example.org||it watches this animation of bush|
First thing is, never run an .exe from the internet. Even if your friend has told you its safe (How do they know? Answer most commonly given “Well it didn’t trip out my copy of McAfee”). As we’ll see, even downloading the little pucker can be hazardous.
Normally when I do malware research, I use the electronic equivalent of thick rubber gloves and a bacterial safety screen. No one is pleased when malware stomps all over their system, including me.
Avast didn’t pick it up. Not quite trusting one AV, I submitted the result to VirusTotal, and the scan results showed a couple of potential heuristic nasties (the link is to the report). In the meantime, I deleted bush.exe unopened.
And this is where it went wrong.
You see, even deleting a file (or moving it to the Recycle Bin) counts as an access to a file. On access virus scanners open up a packed file (like bush.exe) to see what’s inside. This means that code set to execute when the file is opened… does. The next thing I knew, my resident protection for Spybot S&D was going crazy.
By the way, Spybot S&D is freeware. If you don’t have it installed, either you didn’t know about it (you do now), or you are certifiably crazy. Go install it now, I’ll wait.
Spybot reported that three new files had appeared, and were trying to insert themselves into my startup. Those files:
They picked C:\WINDOWS because that’s the default setting of the %temp% variable in Windows. There are times when UNIX’s /tmp folder looks eminently more sensible than using a system executable folder to drop stuff in, and this is indeed one of them.
A popup appeared (in Spanish) asking me to install the latest Flash player. Oops. Clicking “don’t install” did not help, and Spybot screamed at me for firing off more instances of the virus. I blacklisted the processes from adding themselves to my startup registry, and spybot went ballistic, warning me that this thing was indeed running rife through my system, trying to infect as much as possible.
So, while spybot was ringing every alarm bell it could find to let me know I had a problem (Houston?) and bringing my machine to a crawl, I fired up Security Task Manager (not free, but useful) and quarantined the nasty processes. I booted from clean, ran a startup AV scan. Everything looked ok.
This took about 2 hours, and the lessons I’d pass on are:
- Don’t ever download and run an .exe file. My friend didn’t even know that I’d received this message from her, as it fires up windows messenger silently (fortunately I have this set to block already).
- Run Spybot. Its a line of defence.
- If you absolutely must download these things, use a virtual machine (Microsoft’s Virtual PC, or VMWare) and examine what’s going on under a clean disk image. Then wipe and start afresh. Better not to.
- Don’t trust processes that “look good”. WINLOGON.EXE and LSASS.EXE are both names of system processes, however they normally live in %systemdir% (C:\WINDOWS\SYSTEM32)
- I got thwacked in the chops by being too careless, and was lucky. My friend still has this thing running around their machine. Not so good.