Virus: Caught something nasty

Browsing a website I saw something I haven't seen for years: runaway popups and quirky behaviour.
It was a “specialist” website, one dealing with the dirty side of Rover SD1s, and the payload came through clicksor, which seems to feature in their banner ads.

The infected PC was an odd mix of Vista/Firefox/AVG Free, odd because I hate Vista but haven't wiped it already.

AVG tried to catch it but it's in there and hiding well from AVG: nothing on a full scan, but it did spot Trojan Hider.MPT before saying the file was not found.
Stinger cannot find it either :confused:

I should just wipe it and start again but it interests me.
Opening Natwest banking brings up a different but convincing screen asking for all the login details in one, the whole PIN number and the like.
Yeahh righto

All the while it's port scanning for web servers on 172 addresses.

Any anti-virus sites resolve to 127.0.0.1 so don't work very well. I'm not sure how though; it hasn't modified drivers/etc/hosts and the DNS server is correct.
nslookup from the command prompt works if you specify a nameserver, but standard name resolution has been compromised in some way.

Makes me very glad I have a reasonable firewall between this and the important PCs.

I think I’ll be building a linux firewall of some sort and capturing all its traffic for a bit.

We’re off to Thailand shortly to visit the wife’s family and I can guarantee I’ll have to spend some time dis-infecting the PC my step-daughters use… :frowning:

The last time it took me about 6 hours to sort it out… it had a rather stubborn virus on it that took a while to get rid of!!!

Malwarebytes found the last nasty I encountered on a friend's machine.

As to the other problem, going old-school, is there a file somewhere in the registry that's resolving the DNS settings? The virus might have created it. Scan the registry for 127.0.0.1.

Ahh yes, Malwarebytes.
It's been so long since anything like this happened I have forgotten most of the tools and cures.

I’m not sure if I should kill it or feed it for a while and see what it grows into

If the hosts file is still there, post that up and then we can go geeky and play with the fake servers :lol:

Sounds like it's now part of a botnet. Has it tried IRC yet?

The hosts file is empty.
I tried adding McAfee to the hosts file so I could download Stinger but it still didn't resolve.

Same with the AVG forums, which was a Google hit for something I was searching for in relation to the symptoms.

That's why I want to tinker with it; if somehow DNS is redirected through interception in the TCP stack I will be impressed.
All the config looks correct :chin:

I suppose Natwest might be interested in it if this is a targeted banking attack.

Here's one for you to try.

Cold boot your PC
Have a coffee
open a DOS/cmd window (simple tools time)
run netstat -a

Can you explain every one of those connections…?

Still feel well defended?

What happens in safe mode? Same issues?

It’s been a good while since I last had a chase like this to remove the nasties… Sometimes I miss it…

Sounds like time to play with HijackThis. Still my favourite little virus finder; using hijackthis.de for a bit of interpreting was my normal way to make a few pounds chasing nasties.

Well, I found bits of it scattered about.
Safely booted from Trinity Rescue Kit.

There is a JavaScript uploader of some sort, loadorrndname.php.

The file itself is a mix of binary and some sort of encoded text where the text for some sort of menu seems to live.
Using strings and then od to look in a bit more detail shows this sort of thing:

0227100   C   3   A   3   L   3   C   3   _   3   P   3   O   3   P   3
0227120   U   3   P   3  \0   3 020   3   S   3   h   3   o   3   w   3
0227140       3   R   3   e   3   s   3   u   3   l   3   t   3   s   3
0227160       3   A   3   s   3  \0   3  \0   3 317 272   H   3   e   3
0227200   x   3  \0   3  \0   3 320 272   D   3   e   3   c   3   i   3
0227220   m   3   a   3   l   3  \0   3 200   3 321 272   M   3   a   3
0227240   t   3   c   3   h   3       3   T   3   o   3   o   3   l   3

With a squint you can read alternate bytes as CALC_POPUP and Show Results As Hex, etc.

Anybody got a clue how this decodes?

Out of 42 anti-virus products, currently only 9 detect it :eek:
https://www.virustotal.com/file/452750109af8ee5b0cf1e6426399e01fcfe8a192caaa7d24f6ae1ff3d3d6ccef/analysis/

There’s more after the Calc_popup:
Show Results As Hex Decimal Match Tool
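Automating the squint described above, as an added example that is not part of the thread: it rebuilds the bytes from the quoted od -c lines (embedded as constructed sample input), pulls the printable runs out of every second byte, and tallies the bytes sitting in between. It recovers the visible menu text and shows that the interleaved byte is almost always 0x33 where plain UTF-16LE would have 0x00; it does not claim to know the actual encoding.

```python
from collections import Counter
# Constructed sample: the od -c lines quoted in the thread (raw string keeps the \0 tokens intact)
OD_DUMP = r"""
0227100   C   3   A   3   L   3   C   3   _   3   P   3   O   3   P   3
0227120   U   3   P   3  \0   3 020   3   S   3   h   3   o   3   w   3
0227140       3   R   3   e   3   s   3   u   3   l   3   t   3   s   3
0227160       3   A   3   s   3  \0   3  \0   3 317 272   H   3   e   3
0227200   x   3  \0   3  \0   3 320 272   D   3   e   3   c   3   i   3
0227220   m   3   a   3   l   3  \0   3 200   3 321 272   M   3   a   3
0227240   t   3   c   3   h   3       3   T   3   o   3   o   3   l   3
"""
# Escape tokens od -c prints for common non-printable bytes
ESCAPES = {r"\0": 0, r"\a": 7, r"\b": 8, r"\t": 9, r"\n": 10, r"\v": 11, r"\f": 12, r"\r": 13}

def field_to_byte(tok: str) -> int:
    """One od -c cell: a single char, an escape token, three octal digits, or blank (a space byte)."""
    tok = tok.strip()
    if tok == "": return 0x20
    if tok in ESCAPES: return ESCAPES[tok]
    if len(tok) == 3 and tok.isdigit(): return int(tok, 8)
    if len(tok) == 1: return ord(tok)
    raise ValueError(f"unrecognised od -c cell {tok!r}")

def parse_od_c(dump: str) -> bytes:
    """Rebuild raw bytes: each line is a 7-digit octal offset then up to 16 four-char cells."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip() or line.startswith("*"):  # blank line or od's '*' repeat marker
            continue
        body = line[7:]
        for i in range(0, len(body) - len(body) % 4, 4):
            out.append(field_to_byte(body[i + 1:i + 4]))  # cell = separator space + 3 chars
    return bytes(out)

def squint(data: bytes, offset: int = 0, stride: int = 2, min_len: int = 3) -> list:
    """Automate 'reading alternate bytes': printable ASCII runs among every stride-th byte."""
    runs, cur = [], []
    for b in list(data[offset::stride]) + [0]:  # trailing 0 flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                runs.append("".join(cur))
            cur = []
    return runs

def interleave_histogram(data: bytes, offset: int = 1, stride: int = 2) -> Counter:
    """Count the bytes sitting between the readable ones (0x33 here; UTF-16LE would give 0x00)."""
    return Counter(data[offset::stride])
```

Running `squint(parse_od_c(OD_DUMP))` gives the five menu strings the thread read by eye, and `interleave_histogram` shows 0x33 in 53 of the 56 odd positions, with 0xBA at the three spots next to the unreadable byte pairs.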

In case you’re still looking at the system, here are a couple of ideas…

In addition to the hosts file there may also be a “hosts.ics” or a “lmhosts” file in the “drivers\etc” directory (that the virus would have created). These files have different purposes, but the same ability to redirect.

…Also (from lurking in the Malwarebytes forum), redirects can be coming from your router (if it wasn't password protected). A simple router reset is the accepted solution for this.