The Sneakiest Virus


Posted on: October 28th, 2008

Today I encountered the sneakiest virus I have seen on any computer. I'd like to give some information on this virus and on how someone can get rid of it (it might be too technical for some people).

I worked on a computer using remote assistance which had a fake antivirus notification (you know, "click here to download the protection..."). I had previously had luck handling this kind of thing remotely, and in this case AVG on the computer seemed to take care of the infected files: when I checked with my tools the files were already gone. So I restarted the computer. The nagging message was gone and everything seemed fine. However, when I tried to update AVG it always failed. I tried to go to www.avg.com but couldn't access it. I did a ping to avg.com and saw that it was redirected to 127.0.0.1 (the loopback address). Then I found that other antivirus websites showed this behavior too, such as symantec.com or mcafee.com.

Obviously something was still there, but checking the system with all the tools I had showed nothing out of the ordinary. AVG didn't find any new infected files, and Spybot also came up with nothing. I checked the Hosts file to see whether it had been manipulated, but it was correct.

So I had to conclude that I would have to check this computer out on-site. I booted the system from my troubleshooting CD and checked the Windows system folder (system32 and system32\drivers). I found a whole bunch of files that were not there at all when the system was started from the hard drive. All of these files started with the characters 'TDSS'. Here's the list of them:

TDSSNMXH.LOG
TDSSXNPR.DLL
TDSSTUBF.LOG
TDSSSHBX.DLL
TDSSTNYH.DLL
TDSSKFKL.DLL
TDSSOVBA.DLL
TDSSURKV.DLL
TDSSBEAT.DAT
drivers\TDSSRYDC.SYS

I checked their digital signatures and they either didn't have one, or they had it as "microsoft corporation", which I've only seen on legitimate system files. However, these files were very suspicious because
a, they were not visible when booted up from the hard drive
b, the TDSSNMXH.LOG file contained a large number of URLs that looked like websites visited by people on the computer (=spyware).

So I moved these files out of their original location and, after checking for further suspicious files, I rebooted the computer to start from the hard drive. Once booted up, I checked the previously blocked websites. They were all accessible and AVG's update went through just fine. I had AVG scan the folder where I had moved these files and it did recognize some of them as trojans! So I was right. The computer worked just fine without these files, so they were not legitimate system files.

Later I checked Google for these file names but nothing turned up. The file names might be randomized but if not, then this article hopefully will help some people to get rid of this infection.

This virus (a virus collection, actually) was the sneakiest one I've seen so far because it hid itself so well that, without starting the computer from a CD, there would have been no way to get rid of it except by reinstalling Windows from scratch. It completely hid its registry entries as well as its files. Even checking the threads of running processes, I could not locate it!
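The two checks that exposed this infection, a cross-view comparison of the system folder (offline listing vs. what the running OS shows) and a look at which security-vendor domains resolve to the loopback address, can be scripted. The snippet below is an added example, not code from the original post; the directory listings and resolver results are constructed to mirror the case described above, and the `TDSS` grouping threshold is an assumed heuristic.

```python
import ipaddress

# Constructed sample data modelled on the post: what the running (possibly
# rootkit-filtered) system lists versus what an offline boot lists.
LIVE_LISTING = {"kernel32.dll", "ntoskrnl.exe", "drivers\\atapi.sys"}
OFFLINE_LISTING = LIVE_LISTING | {"TDSSNMXH.LOG", "TDSSXNPR.DLL", "drivers\\TDSSRYDC.SYS"}

# Constructed resolver results; vendor domains answering 127.0.0.1 is the
# symptom observed in the post (203.0.113.5 is a documentation address).
RESOLUTIONS = {"avg.com": "127.0.0.1", "symantec.com": "127.0.0.1",
               "example.com": "203.0.113.5"}


def hidden_files(live, offline):
    """Cross-view diff: names present on disk that the running OS does not show."""
    return sorted(set(offline) - set(live))


def suspicious_prefixes(names, min_count=3, prefix_len=4):
    """Group hidden names by a short case-insensitive prefix, to surface families
    that use a fixed stem plus random suffix (like TDSSxxxx). Threshold is assumed."""
    counts = {}
    for name in names:
        base = name.rsplit("\\", 1)[-1].upper()   # strip any subfolder such as drivers\
        stem = base[:prefix_len]
        counts[stem] = counts.get(stem, 0) + 1
    return {stem: n for stem, n in counts.items() if n >= min_count}


def blackholed_domains(resolutions):
    """Flag domains whose answer is the loopback or unspecified address, i.e. the
    resolution has been redirected to the machine itself rather than the vendor."""
    flagged = []
    for domain, ip in resolutions.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    hidden = hidden_files(LIVE_LISTING, OFFLINE_LISTING)
    print("hidden from the running OS:", hidden)
    print("prefix families:", suspicious_prefixes(hidden))
    print("vendor domains blackholed:", blackholed_domains(RESOLUTIONS))
```

On a real machine the listings would come from a directory walk of the mounted disk under the boot CD and from the same walk on the running system, and the resolver results from the host's own DNS lookups.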

This case also demonstrates that even if your antivirus software is up-to-date and running, it can't stop every infection. I actually found how this virus got onto the computer: through a malicious website called freehostportal.com. This website was the first entry in the log file I found on the infected computer, and when I went to visit it I got a big red security warning that this site is a "reported attack site!". The user was probably lured to this website by an email link, or by a pop-up on another site that mimicked a legitimate warning message (a common trick).

It's more and more common that the first action a virus, or other malicious software, takes is to render the existing antivirus on the computer useless. In this case it was prevented from updating so that it would not recognize the infection.
