As shown by a survey conducted among Habrahabr users, only half a percent (!) (0.52%) of respondents deal with a new virus by sending it to the antivirus vendor's support. Roughly a third treat it with a "proprietary" (paid) antivirus, and almost as many use a free one or try to remove it by hand.
Below is the story of how to fight a virus, for "blondes".
(P.S. 15 more votes are needed on this topic to get a Habr invite for a good person. Or 65 karma votes, but that is less likely.)

It all started when a friend complained: "I have some kind of blonde with a butterfly on a flash drive!" It turned out the flash drive held autorun.inf and intrsrv.exe (both hidden) and a file named "Blondochka.swf.exe". All three had the same icon, a pink butterfly. Well, how could a blonde user not click on that? But, strangely, nothing starts... "Oh, maybe I should try it on another computer, right?"
That is all the "social engineering" there is to it.
By default Windows hides the extension of known file types, so of such a "double" extension only the first part is shown: "Blondochka.swf.exe" appears as "Blondochka.swf", and the user assumes it is just another funny video featuring a blonde. The gender of the user, as it turned out, does not matter.
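The two tricks on that flash drive, a hidden autorun.inf that launches a hidden executable and a double-extension lure that Explorer shows without its real ".exe", can be spotted with a small triage script. The following is an added example, not code from the post: it emulates Explorer's "hide extensions for known file types" behaviour, parses the [autorun] section of autorun.inf tolerantly (real samples often pad the file with junk lines), and reports anything that would run on insertion or is disguised as media. The file names come from the post; the autorun.inf contents and the hidden flags are constructed, since the post does not quote the file.

```python
"""Triage a removable drive's listing for autorun launchers and double-extension lures.
Added example; the autorun.inf text and hidden flags below are constructed."""
import os

# Extensions Windows treats as directly executable or script launchers (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".lnk"}
# Extensions a user reads as "harmless media or document".
LURE_EXTS = {".swf", ".avi", ".mp4", ".jpg", ".jpeg", ".png", ".gif", ".doc", ".pdf", ".txt", ".mp3"}
# autorun.inf keys that run a program on insertion or as the default "Open" action.
AUTORUN_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def explorer_display_name(filename):
    """Name Explorer shows with the default 'Hide extensions for known file types':
    the final extension is dropped when it is a registered type (.exe is one)."""
    root, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | LURE_EXTS:
        return root
    return filename


def is_double_extension_lure(filename):
    """True for names like video.swf.exe: the real extension is executable while the
    name Explorer displays (video.swf) ends in a media/document extension."""
    _, real_ext = os.path.splitext(filename)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = os.path.splitext(explorer_display_name(filename))
    return shown_ext.lower() in LURE_EXTS


def parse_autorun(text):
    """Tolerant autorun.inf parser: lowercase key -> value from the [autorun] section.
    Blank lines, ';' comments and junk lines without '=' are skipped."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(entries):
    """Programs autorun.inf would start, de-duplicated and in key order."""
    targets = [entries[k] for k in AUTORUN_LAUNCH_KEYS if k in entries]
    return list(dict.fromkeys(targets))


def triage(listing, autorun_text=None):
    """listing maps file name -> hidden-attribute flag (a real scanner would read the
    attribute from the file system; here it is supplied so the example runs offline).
    Returns a list of human-readable findings."""
    findings = []
    if autorun_text is not None:
        for target in autorun_launch_targets(parse_autorun(autorun_text)):
            note = " (hidden file)" if listing.get(target, False) else ""
            findings.append("autorun.inf launches %s%s" % (target, note))
    for name in listing:
        if is_double_extension_lure(name):
            findings.append("%s is shown as '%s' but is executable"
                            % (name, explorer_display_name(name)))
    return findings


# Constructed sample resembling the flash drive in the post.
SAMPLE_AUTORUN = """[autorun]
; constructed contents, assumed for the example
open=intrsrv.exe
shell\\open\\command=intrsrv.exe
icon=Blondochka.swf.exe
"""
SAMPLE_LISTING = {
    "autorun.inf": True,
    "intrsrv.exe": True,
    "Blondochka.swf.exe": False,
    "holiday.jpg": False,
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING, SAMPLE_AUTORUN):
        print("!", finding)
```

Run against the constructed listing it reports two findings: the hidden intrsrv.exe launched by autorun.inf, and Blondochka.swf.exe being displayed as Blondochka.swf. Keeping the extension sets explicit is deliberate; extend them for your environment rather than trusting the display name Explorer gives you.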
Under the guise of the "blonde", of course, was a Trojan. The free avast! that was enabled, with fresh signature databases, calmly let it run. Online checks by Kaspersky Anti-Virus, Doctor Web and McAfee assured me that everything was in order. (upd. ESET NOD32 gets a separate hello.)
Only Comodo Firewall in its enhanced analysis mode suspected that something was wrong and suggested that there could be malicious code on the flash drive. After the "beast" was blocked, it turned out that access to the local network was now shut tight; only the Internet remained. And thanks for that.
I sent letters to the technical support of the antivirus vendors mentioned above. At first both companies were silent. The next day I wrote to Doctor Web again. Almost immediately a letter arrived saying the request was being processed. Then another 25 (!) letters arrived confirming that the request was being processed, each time with a new number assigned to the request.
In the evening the trojan got its own name, Trojan.Click1.25237, and was added to a fresh update.
Moral:
1. A free antivirus without a firewall is a useless toy.
2. A user who does not know how to behave with "blondes" is more dangerous than a virus.
3. Do not self-medicate (but if your level of knowledge allows it, go right ahead).
4. If the antivirus does not see the virus, that does not mean the computer is "pristine clean".
5. Found a new "virus"? Send it in for the signature database.
Here is a list of places where you can (and should!) send a virus or trojan caught "in the wild" (just pack it into an archive with the password "virus"):
1. Doctor Web
https://vms.drweb.com/sendvirus/
2. Kaspersky
http://support.kaspersky.ru/virlab/helpdesk.html
3. ClamAV
http://www.clamav.net/lang/en/sendvirus/
4. Comodo
antivirus@comodo.com
malwaresubmit@avlab.comodo.com
5. Avast!
virus@avast.com
6. ...
7. ...
Utilities and analyzers:
1. AVZ
http://www.z-oleg.com/secur/avz/download.php
2. Anubis
http://anubis.iseclab.org/

P.S. Photos of the computer screen from the Society of the Blind, which was locked by another Winlocker.SMS, I will post later.
upd. I fed the "beast" to VirusTotal; it is very fresh:
www.virustotal.com/analisis/04e233d396e65f8e853a166ce6fc1d16283f22416a3745068e5caa2e703893d2-1279272442
upd 2. Added ClamAV and Comodo (e-mail) to our list.
upd 3. Added Avast!