This story happened to me last night.
It was nearing midnight when I was wandering through the expanses and depths of the Internet in search of the lyrics of a beautiful Ukrainian song. Having entered a search query into Yandex, I opened several tabs with search results. The hard drive rattled a little, and then several Kaspersky Anti-Virus windows popped up in a row with the notification that a certain "xBXJ.exe" and several similar files had been moved to the "Weak restrictions" group. After that, a black window flashed for a split second, of the kind that usually pops up when launching console programs.
A split second after that, I was already diving (no, not into the depths of the Internet) under the table in a vain attempt to pull the patch cord out of the computer's network card in time.
System configuration:
- Win XP with all patches and updates; Windows Firewall is disabled.
- Kaspersky Internet Security 2009 with updates dated March 24, 2010, enabled.
- Opera 10.51 (the latest version at the moment)
For a start, I changed the passwords on my mailboxes and ICQ from the second computer (the laptop). Then I looked at the "Kaspersky" logs:
03/25/2010 23:53:24 xBXJ.exe Activity filtering Placed in group "Weak restrictions" Has a high heuristically calculated hazard rating
03/25/2010 23:53:44 joSB.exe Activity filtering Placed in group "Weak restrictions" Has a high heuristically calculated hazard rating
03/25/2010 23:53:46 MjyD.exe Activity filtering Placed in group "Weak restrictions" Has a high heuristically calculated hazard rating
03/25/2010 23:53:53 del.bat Activity filtering Placed in group "Weak restrictions" Has a high heuristically calculated hazard rating
Honestly, I was surprised that, with default settings and a high hazard rating, Kaspersky silently allowed the files to execute.
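As an added illustration (not code from the post), a defender-side check over log entries laid out like the excerpt above: it parses each entry and flags the pattern the author describes, several high-rated unknown executables appearing within seconds of each other and merely being placed in a restriction group. The exact line layout, the extra benign entry and the group/rating vocabulary are assumptions modelled on the excerpt.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the excerpt in the post (same file names,
# times and verdicts); the benign opera.exe entry is added for contrast.
SAMPLE_LOG = """\
03/25/2010 18:10:02 opera.exe Activity filtering Placed in group "Trusted" Has a low heuristically calculated hazard rating
03/25/2010 23:53:24 xBXJ.exe Activity filtering Placed in group "Weak restrictions" Has a high heuristically calculated hazard rating
03/25/2010 23:53:44 joSB.exe Activity filtering Placed in group "Weak restrictions" Has a high heuristically calculated hazard rating
03/25/2010 23:53:46 MjyD.exe Activity filtering Placed in group "Weak restrictions" Has a high heuristically calculated hazard rating
03/25/2010 23:53:53 del.bat Activity filtering Placed in group "Weak restrictions" Has a high heuristically calculated hazard rating
"""

# Assumed layout: date time file component verdict-group rating sentence.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<file>\S+) Activity filtering '
    r'Placed in group "(?P<group>[^"]+)" '
    r'Has a (?P<rating>high|medium|low) heuristically calculated hazard rating$'
)

def parse_log(text):
    """Parse log text into event dicts; lines in an unknown layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        events.append({"ts": ts, "file": m["file"], "group": m["group"], "rating": m["rating"]})
    return events

def find_high_rated(events):
    """Files the heuristic rated 'high' yet still only sorted into a group (i.e. allowed to run)."""
    return [e for e in events if e["rating"] == "high"]

def find_bursts(events, window_seconds=60, min_count=3):
    """Return runs of >= min_count high-rated files whose timestamps fall within window_seconds."""
    high = sorted(find_high_rated(events), key=lambda e: e["ts"])
    bursts, i = [], 0
    while i < len(high):
        j = i
        while j + 1 < len(high) and high[j + 1]["ts"] - high[i]["ts"] <= timedelta(seconds=window_seconds):
            j += 1
        if j - i + 1 >= min_count:
            bursts.append([e["file"] for e in high[i:j + 1]])
            i = j + 1
        else:
            i += 1
    return bursts
```

On the sample log the burst detector returns the four files from the post as one group, which is the point at which a sensible policy would block rather than quietly restrict.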
Then I asked around on the Internet and tried searching for the file names through Google, but the names are clearly generated, which is apparently why it gave no results. The clock showed two in the morning; I went to bed.
When I woke up and turned on the computer (I never plugged the network cable back in), I saw a wonderful picture: in the center of the screen a porn banner (a program) that cannot be closed or minimized and that blocks attempts to open the Task Manager.
And I have a new file: C:\Program Files\plugin.exe
The message from the fraudster looked like this:
Send an SMS with the text 1275131 to the number 8353
Enter the received code: [______] (remove banner)
If you have problems, you can always contact the following address:
icq 558812836
email: lex-doroti@mail.ru
...
...
OK, the picture is clear and understandable, I think, to everyone. I go to the site freedrweb.com/cure-it and download the free scanning utility. Which, nevertheless, finds nothing suspicious (which is strange, because it usually helps in such cases). I note that I proceeded as follows: downloaded the program to the laptop, copied it to a USB flash drive, locked the flash drive into read-only with its switch, and only after that plugged it into the infected computer.
Then I did the following: I look up on the Internet who owns this short number "8353"; the provider is the "1st Alternative Provider" (through which fraudsters work most often). I go to the site and call the number listed. The girl from the call center transfers me to the 1st line of technical support (extension 555). Then they transfer me to the 2nd line of technical support (direct telephone 663-71-14), where I get a busy signal. I call a second time, and a third, and a fourteenth. Finally, on the fifteenth attempt I get through, explain the situation, and read out the text the Trojan demands be sent by SMS (1275131) to number 8353. In response, the employee reads me a code that I need to enter into this very porn banner. The code is: 1968845971. I enter it, press the "Delete banner" button, and the window with the porn disappears. At the same time "Kaspersky", the bastard, also calmly allows the del.bat file to run, which wipes away the traces.
Working on mistakes, or "what I did wrong":
Firstly, since I turned off the main computer after detecting the virus, I should have pulled the hard drive and, through an adapter (I had one), connected it to the laptop to fully scan all the files for viruses, or booted from a Live CD for the same purpose.
Secondly, I should have downloaded and run CureIt _before_ shutting down / rebooting the computer. Then, maybe, the porn window would not have appeared. However, this is unlikely, because running the CureIt utility with the porn banner already loaded on half the screen did not reveal any Trojans.
Third, I had the standard Windows Firewall disabled. I figured the enabled KIS would be enough, but...
Fourthly, when scanning the system for vulnerabilities, I found the following outdated programs with "holes": Winamp, Adobe Reader, QuickTime. Vulnerabilities in these programs allowed the attackers to run malicious code.
Fifth, ... a question to the audience: what else did I do wrong? (Please do not advise changing the operating system, browser, antivirus, skin color, country of residence, etc. ;-)
What else I would like to say: all such fraud schemes work only because of weak control by mobile operators and service providers (in this case, the 1st Alternative Provider), because, given the will, one could set up schemes that make it so hard for fraudsters that working with such programs becomes unprofitable. I think everyone can come up with such measures: delaying the payout of money, confirmation SMS, and so on. As they say, it only takes the will of those on whom it depends.
In general, a relatively "happy" end. Another question is that it is not clear on which site I caught the virus, and what steps I need to take to prevent the situation from recurring. Those who wish can get, by private message, links to the suspicious pages (pulled from the browser history) that I visited before the Trojans were downloaded. The pages are all suspicious: each has a pile of hidden iframes with varying nesting and incomprehensible JavaScript.
So it goes.
UPD. KIS now catches this nasty thing; i.e., with the March 25 updates it did not, but with the March 26 updates it does.