Page 1 of 1 [ 11 posts ] 

Fogman
Veteran
Veteran

User avatar

Joined: 19 Jun 2005
Age: 59
Gender: Male
Posts: 3,986
Location: Frå Nord Dakota til Vermont

09 Oct 2008, 9:31 am

There is relatively new piece of Malware entitled 'XP Anti Spyware 2009' that is able to autoinstall via 'driveby' with the Opera web browser. It may also be able to autoinstall via Firefox as well if you are running an XP system. Whether or not this will happen with WinVista is unknown. If you encounter this program, a simple uninstall via it's uninstall selection in the Windows start menu will possibly get this app off of your system.

It also downloads and installs brastk with the command of 'brastk.exe' as a startup item, so if people encounter this piece of malware, they will want to run an MSCONFIG and deselect this item from their startup menu, and reboot accordingly. You may also want to further update the definitions of your malware removal tools to further immunise yourself against this.

I am currently on my Linux computer posting this as I'm running diagnostics on my windows system to ensure that this malware is removed.


_________________
When There's No There to get to, I'm so There!


Fnord
Veteran
Veteran

User avatar

Joined: 6 May 2008
Gender: Male
Posts: 60,951
Location:      

09 Oct 2008, 9:50 am

From http://www.spywareremove.com/removeXPAn ... e2009.html

Quote:
XP Antispyware 2009 Description
XP Antispyware 2009, or XPAntispyware2009, is a rogue security program that was found to be installed from a Trojan horse infection or rogue website. Once XP Antispyware 2009 infiltrates your system it may start to annoy you repeatedly with popups or system alert messages used as scare tactics. XP Antispyware 2009 scares you into purchasing a full version of the XP Antispyware 2009 program.

XP Antispyware 2009 does not live up any expectations as it is not able to remove parasites or viruses. XP Antispyware 2009 was also found to be sponsored on XP Antispyware 2009.com which is a site that you should never visit. XP Antispyware 2009 should not be purchased under any conditions. If you have XP Antispyware 2009 on your system then it is recommended that you utilize a reputable spyware scan program in order to locate and remove XP Antispyware 2009 and its files.

The site also features a detailed method of removal.


_________________
The mere fact that science may not yet adequately explain an object, event, or experience does not mean the immediate explanation should automatically default to a conspiratorial, extraterrestrial, paranormal, or supernatural cause.


Fogman
Veteran
Veteran

User avatar

Joined: 19 Jun 2005
Age: 59
Gender: Male
Posts: 3,986
Location: Frå Nord Dakota til Vermont

09 Oct 2008, 10:00 am

Thanks, I'm using this, and brastk.exe ( a trojan downloader) is gone from that system via Windows defender, but I still had to manually delete a duplicate of the file from c:\\windows\system32.

Furthermore, when the stealth download occured, my system closed all windows and did an auto - reboot which made me suspicious that something bad was happening to my system. --Suspicions verified, and the problem is now solved.

FWIW, the stealth/driveby download occured when I accessed a site for music lyrics. Gone are the days when things like this only occured with IE.


_________________
When There's No There to get to, I'm so There!


Orwell
Veteran
Veteran

User avatar

Joined: 8 Aug 2007
Age: 36
Gender: Male
Posts: 12,518
Location: Room 101

09 Oct 2008, 11:05 am

Gotta love my *nix systems.

Image

Alt text: We actually stand around the antivirus displays with the Mac users just waiting for someone to ask.

Link: http://xkcd.com/272/


_________________
WAR IS PEACE
FREEDOM IS SLAVERY
IGNORANCE IS STRENGTH


lau
Veteran
Veteran

User avatar

Joined: 17 Jun 2006
Age: 77
Gender: Male
Posts: 9,798
Location: Somerset UK

09 Oct 2008, 1:21 pm

A shear coincidence, but I happened to want to test if my ISP was filtering my email today.

It turns out that they will not permit me to send an email with an attached "virus". I have the strong feeling that they may be violating their terms of service with me.

This website is where I obtained the virus. It is the standard EICAR test virus. However, I would strongly recommend that you DO NOT use this site if you have any qualms about it.

http://www.rexswain.com/eicar.html

The site supplies the raw EICAR file, then that file inside a "zip" file, and then again zipped two levels down.

I run Linux, so had no qualms about downloading all three. I then threw them all though ClamAV, which detected the virus in all three cases.


_________________
"Striking up conversations with strangers is an autistic person's version of extreme sports." Kamran Nazeer


richie
Supporting Member
Supporting Member

User avatar

Joined: 9 Jan 2007
Age: 67
Gender: Male
Posts: 30,142
Location: Lake Whoop-Dee-Doo, Pennsylvania

09 Oct 2008, 2:21 pm

Fogman wrote:
There is relatively new piece of Malware entitled 'XP Anti Spyware 2009' that is able to autoinstall via 'driveby' with the Opera web browser. It may also be able to autoinstall via Firefox as well if you are running an XP system. Whether or not this will happen with WinVista is unknown. If you encounter this program, a simple uninstall via it's uninstall selection in the Windows start menu will possibly get this app off of your system.

It also downloads and installs brastk with the command of 'brastk.exe' as a startup item, so if people encounter this piece of malware, they will want to run an MSCONFIG and deselect this item from their startup menu, and reboot accordingly. You may also want to further update the definitions of your malware removal tools to further immunise yourself against this.

I am currently on my Linux computer posting this as I'm running diagnostics on my windows system to ensure that this malware is removed.

About a week ago I reported to google a a similar web forgery that put bogus security software and auto installed.....fortunately
the Avast anti crap-ware that I am running got rid of it pretty quickly...upon detection I thought some fire alarm or something had
gone off as it made quite a racket in alerting me..


_________________
Life! Liberty!...and Perseveration!!.....
Weiner's Law of Libraries: There are no answers, only cross references.....
My Blog: http://richiesroom.wordpress.com/


KenithSobel
Yellow-bellied Woodpecker
Yellow-bellied Woodpecker

User avatar

Joined: 20 May 2008
Age: 40
Gender: Male
Posts: 52
Location: Las Vegas NV

10 Oct 2008, 8:59 am

:evil: XP Anti Spyware 2009 got it last week,

never let your friend use IE on your computer ! !!



lau
Veteran
Veteran

User avatar

Joined: 17 Jun 2006
Age: 77
Gender: Male
Posts: 9,798
Location: Somerset UK

10 Oct 2008, 11:05 am

PS. Just to be safe, the site I gave earlier does (or at least did) have the "correct" EICAR test file, as I thought I would just verify:
http://www.eicar.org/anti_virus_test_file.htm

http://en.wikipedia.org/wiki/Eicar_test_virus

As it says on the EICAR site, the essential part of the test file is the first 68 characters, all printable with no lower case letters. In fact, it is just:

Code:
X5O!P%@AP[4\PZX54
(P^)7CC)7}$EICAR-
STANDARD-ANTIVIRU
S-TEST-FILE!$H+H*

where I have deliberately broken it into four blocks of seventeen characters each, just in case any software is stupid enough to register it as a virus inside this message!

The version on the site I gave earlier is (was) 70 bytes long, which is exactly the above string, but with a carriage return and a line feed appended. The file can in fact have any layout characters added, up to a maximum length of 128 bytes.

============

I found it rather interesting that, when I attempted to email the "virus" to a friend, I got a "bounce" message, helpfully telling me that I had attempted to email an attached virus. I did not regard that as too disturbing.

I have just attempted to email the doubly-zipped version to myself, and that has also given me a bounce message saying that my ISP refuses to let me send it. Also not too disturbing - as to be honest, it does stop people who have been compromised by a virus from sending out more copies of that virus (although, the chances are that they received the virus from an email in the first place, so why didn't the ISP block it before it arrived... ho hum... nothing is perfect.)

My ISP was even smart enough to detect the EICAR test inside a bzip2'ed file.

They were also stupid enough to detect is as a virus when it was merely a text string in the body of an email - hence my care to break up the string above, just in case it set off idiotic alarms.

They did let me send it to myself once I had split it into two 34-character lines.

==============

However... my friend up in Scotland is also not permitted (by his ISP) to send viruses... but receives no indication that his emails have not been sent on. I.e. if the virus check were to come up with a false positive on one of his emails, it would just get deleted, and he will have no idea that his email has been thrown away. Not at all good.


_________________
"Striking up conversations with strangers is an autistic person's version of extreme sports." Kamran Nazeer


chever
Veteran
Veteran

User avatar

Joined: 21 Aug 2008
Age: 38
Gender: Male
Posts: 1,291
Location: Earth

10 Oct 2008, 12:16 pm

lau wrote:
My ISP was even smart enough to detect the EICAR test inside a bzip2'ed file.


Really? Cool. I'd be even more impressed if they detected it in an LZMA'd attachment.


_________________
"You can take me, but you cannot take my bunghole! For I have no bunghole! I am the Great Cornholio!"


lau
Veteran
Veteran

User avatar

Joined: 17 Jun 2006
Age: 77
Gender: Male
Posts: 9,798
Location: Somerset UK

10 Oct 2008, 2:27 pm

chever wrote:
lau wrote:
My ISP was even smart enough to detect the EICAR test inside a bzip2'ed file.


Really? Cool. I'd be even more impressed if they detected it in an LZMA'd attachment.

So... there's your answer... if you want to send someone a copy of a virus as an attachment, don't forget to lzma it.

My ISP didn't care in the slightest about delivering eicar.com inside my eicar.lzma file.


_________________
"Striking up conversations with strangers is an autistic person's version of extreme sports." Kamran Nazeer


atxa
Velociraptor
Velociraptor

User avatar

Joined: 3 Jun 2006
Age: 54
Gender: Male
Posts: 464
Location: Can

10 Oct 2008, 7:39 pm

To avoid that kind of crap, you should use Firefox or IE within "DropMyRights" or within a non-admin account.