Greenguy's Board
#1 GeorgeTH, 2004-12-31, 04:25 AM
Warning: been hit hard by a new VX2 trojan

...which disguised itself as a fake Microsoft Security update!

It hit me on Thursday night, just before I wanted to go to sleep, so my awareness was seriously affected by the wish to go to bed... "Bloody leave me alone and do what you have to do" sorta reaction. Took me well over 30 hours to get my computer to work again (at this stage I don't say it's really fixed)!

Initial warning signs: you get the same little pop-up bubble above the taskbar "Your latest Microsoft Security Update is ready..." (or so), just that the edges are not quite as clean and the dropshadow is kinda rough!

It tells you something about a Java update, and then installs way over 100 files on your computer, all viruses and scripts buried in .cab compressed files - that's why my AVG didn't react! Only after they self-extracted did the alarm bells go off! In the Java cache were 57 files alone, recognised by AVG, but also 57 zip files of the same name NOT recognised by AVG! Sun simply recommends to empty the entire cache.

But there were also some 30 files which no virus checker recognised at all!!! [I've been to at least 4 different so-called housecall sites to do on-line checks]

Some solutions were to simply delete everything in affected directories which had the date stamp of the 29th/30th of December - just figured that the computer had worked before w/o these files, so why would there be a reason to keep them.

Whenever I returned from "Safe Mode" I went online and checked on these files; they appeared on some webboards (always in connection with trojan/virus discussions dating from the 20th of Dec. or later - thank Google for spidering some sites very frequently), but they showed nowhere in well-known knowledge bases run by virus protection software co's. So I figure it's just a new threat with no protection against it - yet.

I'm not completely sure if it came from a website or via ICQ; my gut feeling tells me it came through ICQ, because by now I have removed some Java component (not really on purpose, was part of the cleaning process) and ICQ is complaining every time it logs on (but it still runs).

Fu@#ing bastards doing malicious stuff like this should be tied to concrete blocks facing the Thai/Ceylon tsunami!

It's New-Years-Eve now - I'll go and have a shower, eat something, and then some PARTY (though: I am exhausted already!)

HAVE A GOOD ONE!
#2 Linkster, 2004-12-31, 07:38 AM
Do you have the VX2 removal tool from AdAware? It's a little plugin that you can run, or you can go and get a separate program called VX2Cleaner from Lavasoft.
#3 GeorgeTH, 2004-12-31, 08:31 PM
Quote:
Originally posted by Linkster
Do you have the VX2 removal tool from AdAware? It's a little plugin that you can run, or you can go and get a separate program called VX2Cleaner from Lavasoft.
That was among the dozen (or so) programs recommended on one board. I installed it, but it didn't clean my thing very well - at least I still had many symptoms afterwards...
Other programs: stinger.exe, ewido, SpySubtract, and 2 little tools I found useful: dsostop (my Spybot finds DSO exploits on an almost daily basis) and htastop (to prevent outgoing leaks).

This piece of shit was absolutely malicious: ZoneAlarm blocked the mshta (and came up with a warning), so soon after I had this "official looking warning" pop-up in the middle of the screen with an alert along the lines of
"Microsoft Alert: your Microsoft Firewall is detecting suspicious activities. Click here to upgrade your firewall" -
bad luck that in my case I have the MS firewall disabled, so I knew this message was bogus. Not 2 minutes later I get one of these grey bubbles popping up at the taskbar, saying something like
"Microsoft Warning: your virus protection is not up to date (or was it: not working properly?) - Click here to upgrade" -
I'm sure that virus was really trying hard to open my ports, and the "upgrades" wouldn't have been anything but some script to crack the firewall...
#4 GeorgeTH, 2004-12-31, 09:58 PM
I found one board in particular which was very helpful:
http://www.wilderssecurity.com/showthread.php?t=50662

...and I found several times links to a "HOSTS" file, for which I've posted an extra thread here, since I believe it's affecting everybody's business!
#5 RawAlex, 2004-12-31, 10:22 PM
George, the hosts file thing is more than a couple of years old as a trick, and even the most basic spyware program picks it off right away. I used to actually use that for some good things, but adware kept getting upset about it.

If you are running IE, you are in the stone age. Get rid of it and use firefox or similar non-MS browser. You will be SO happy.

Alex
#6 GeorgeTH, 2004-12-31, 11:01 PM
Quote:
Originally posted by RawAlex
George, the hosts file thing is more than a couple of years old as a trick...
The HOSTS File [different post here] I was talking about is a recommended download, but when you replied I hadn't finished writing the post...

Quote:
Originally posted by RawAlex
If you are running IE, you are in the stone age. Get rid of it and use firefox or similar non-MS browser. You will be SO happy.
So far I haven't managed to get RoboForm to work with Firefox - and I'm using it almost daily to submit galleries... That's why I'm still hooked to IE!
Before RoboForm for years I'd been happily (more or less - LOL) using Netscape and didn't touch IE!
#7 Opti, 2005-01-01, 12:20 AM
Quote:
Originally posted by GeorgeTH
The HOSTS File [different post here] I was talking about is a recommended download, but when you replied I hadn't finished writing the post...

So far I haven't managed to get RoboForm to work with Firefox - and I'm using it almost daily to submit galleries... That's why I'm still hooked to IE!
Before RoboForm for years I'd been happily (more or less - LOL) using Netscape and didn't touch IE!
You can try http://maxthon.com - it works with RoboForm and although it is based on IE, it appears to be a lot easier to protect yourself against unwanted content. I like it a lot to surf with too.

I'm not sure Maxthon, Firefox or any browser will really help people avoid what you have described though.
#8 RawAlex, 2005-01-01, 01:53 PM
I think also you are misunderstanding the use of that hosts file. It would be actually useful DURING the process of attempting to remove some of these hacks and cracks from your system because they are self-respawning. They connect back to their host and reinstall themselves, needing only a very small kernel of code on your system to get the job done. Using that sort of hosts file while you are in process of removing stuff, downloading, and such would probably not be a bad idea - for a very short period of time.

The various antiscumware programs will then filter it and toss it out.

Also, note they are directing surfers to nothing (127.0.0.1 - never never land for IP addresses), so they would just get a page not found. Surfer clicks back and goes somewhere else. It's like the net isn't working well that day.

Just one of those things.

Alex
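As an added example (not from this thread, nor from any tool or download it mentions): a small Python auditor that parses a HOSTS file and separates the blocklist-style 127.0.0.1 "sinkhole" entries RawAlex describes from entries that point a hostname at an outside address, which is the kind of change an anti-spyware scanner flags. The sample hosts content and all names in it are constructed.

```python
"""Audit a HOSTS file: blocklist-style sinkholes vs. suspicious redirects.
Added illustration for this thread; SAMPLE_HOSTS below is constructed."""
import ipaddress

# Addresses that send a hostname "nowhere": loopback (the 127.0.0.1 trick
# discussed in the thread) plus the unspecified address and IPv6 loopback.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a blocklist-style hosts file into which something has
# also dropped a redirect of a (made-up) vendor update site to an outside IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- blocklist section (example names) ---
127.0.0.1       ads.example.net   banners.example.net
0.0.0.0         tracker.example.org
# --- not something a blocklist should contain ---
203.0.113.7     update.example-av.com
::1             localhost
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines.
    One line may list several hostnames after a single address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalise, reject junk
        except ValueError:
            continue  # malformed address: skip rather than guess
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries

def audit_hosts(text):
    """Classify entries as 'local' (localhost itself), 'sinkhole' (blocklist
    style, harmless) or 'redirect' (name sent to a routable address: review)."""
    report = {"local": [], "sinkhole": [], "redirect": []}
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            report["local"].append((ip, name))
        elif ip in SINKHOLE_ADDRESSES:
            report["sinkhole"].append((ip, name))
        else:
            report["redirect"].append((ip, name))
    return report

if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS).items():
        print(kind, items)
```

On a real machine, feed it the contents of `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and review the `redirect` list: entries there are either deliberate and known to you, or they are not.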