There is a new plague of viruses, trojans, and exploits hammering web users... and no one easy solution.
Be advised, I will add the most useful information I have found so far in the first reply, which I am doing for the sake of simple formatting ease.
In my comments that follow is the first block of information; in the reply is the second, more detailed one:
Further info:
A user reply (source: http://forums.net-integration.net/index.php?s=592e606fbc24738bf10ca59d0ae2cf05&showtopic=16917&st=15 )
Clint1
Posted: Jul 9 2004, 03:04 AM
V_sPeC:
(Some words have to be misspelled so they'd get posted to that list).
This is a bit long, but worth it. ;-) I sent this email below
to Panda, PCcillin, and a few other AV software places that
had email addresses. It's rather horrifying to see that
EVERY AV software program and anti-spyware program
is missing a LOT of vir-uses/worms/Tr0jans. I thought
the list would like to know which is working better than
others, and how all canNOT rely on ONE program, but
MUST run online scans of your HD on a regular basis
at all of these online scanners (links at bottom) whose
AV programs you don't already use.
Some of you will remember my recent run-in with one or more
website attacks that placed 7 executables on my PC. I ONLY
FOUND them AFTER doing a HD search for files created on that
day!! I recognized ALL of the files found in the results,
except for 7. Not a single anti-malware or anti-spyware
program found them! Not SpyBot, AdAware, SpywareGuard,
SpywareBlaster, SpySweeper, BPS, HijackThis, CWShredder, etc.,
etc, NONE of them. I also mentioned that even with these
programs running in the background (the ones that CAN run in
the background which is several of them), they did not stop the
installation of these files on my HD. Also, PCcillin, Norton
(Symantec), and to this day some of the newer scanners I found
DID NOT and ARE NOT seeing these malware files. To add,
remember my "notpad" and "notepad" issue? As I expected, it
TOO was a Tr0jan downloader vir-us and was identified by only
TWO places.
(Orig. sent to Panda, then TrendMircro after that).
Hello, your online scanner missed some infected files I had
saved, that ARE infected. I think you may be interested in
adding them to your database and vir-us def's.
To make a long story short, in a recent severe hijack
"attempt", I got 7 executables downloaded to my HD. I
had all of these running in the background: SpywareGuard,
SpywareBlaster, SpySweeper, new version of SpyBot 1.3
(that has the "TeaTimer" additional security module running
in the background), Sygate firewall, a hardware firewall from
my router, XP's firewall, and PCcillin. ALL of these passed
not only the executables, but there was also some malware
registry keys added. I WAS warned by ALL of these
programs that a hijack or "attack" was being attempted, and
of malware attempting to be downloaded and I of course said
NO to them all, and denied firewall requests. Yet, this still
happened!
I cleaned the registry tags, and I thought it would be a good
idea to search my HD for all files created or modified during
this attack. It's a good thing I did that. I found 7 of
unknown origin that I KNEW were suspect. They were:
"m.exe" (was "vir-us:Trj/Zerolin.A" identified by Panda, Panda
deleted it, so I couldn't go back to Kaspersky's site to get it
scanned by them).
"setup.exe" (was "Tr0janDownloader.Win32.Small.gl" identified
by Kaspersky, "vir-us:Trj/Downloader.EC" identified by Panda,
and "TR0J_SMALL.GL" identified by PCcillin).
"dlltemp.exe" (was Tr0jan.Win32.Startpage.hk identified by
Kaspersky).
"dllhelp.exe" (was Tr0jan.Win32.Startpage.hk identified by
Kaspersky).
"IEengine.exe" (was Tr0jan.Win32.StartPage.he identified by
Kaspersky)
"dpe.dll" (NOTHING identified this).
"msxmidi.exe" (NOTHING identified this).
"e.exe" (NOTHING identified this).
A search for all of these executable names on Google found that
EVERY ONE of them was indeed a Tr0jan of some kind, or malware,
worm, etc. What I can't understand, is how so many 'laymen' PC
users KNEW of these files, yet so many antivir-us software
products at the time did NOT, and are STILL not aware of them!
I ran the TWO online vir-us scanners at Symantec's website, the
one at TrendMicro, and they found nothing, they missed ALL of
these files. PCcillin said their pattern file 895 is supposed
to cover TROJ_SMALL.GL and that was the pattern file I was
running at the time and it did NOT! It showed clean on all of
these files. As soon as they had pattern file 896 I installed
it, and only it identified "setup.exe" as TROJ_SMALL.GL, but
still did not identify the rest. They said that pattern file
897 (just installed) covers Zerolin.A, but it does NOT, they
are still passing m.exe which is the Zerolin.A! Since then
they have released pattern 899, and it too is still not
recognizing any of these other Tr0jans. Since then, 901
STILL does not identify any of these others.
I went to every AV site I could find (Panda, Norton, Trend,
McAfee, Fsecure, Kaspersky, NOD, etc.), and very FEW of
them had any info in their databases on these malware files*!
At most, each site would only have info on ONE of these
malware files. Even at your site and Kaspersky that ARE
identifying some of the files, there is no info on them!
*Doing a search on Google for Zerolin.A DOES have a hit for
Symantec, but it is NOT found at their website's search!
http://www.symantec.com/region/se/corporat...stan200402.html
This makes no sense that they would have this in their
database of KNOWN "baddies", yet cannot detect it!
At the time this attack occurred, I did not know you [Panda] or
Kaspersky had an online scanner. I went there today and
you can see the results above. So, I think you may want to
add those tagged by Kaspersky (#2, 3 and 4) into your
database, and as for the last 3 no one identified, can I
send those to you as well so you can investigate them and find
out exactly what they are? I'm sure you'd also want to put
their def's in your database as well. I can zip and email you
these files, or zip and upload them to my website. Since
they are malware, I cannot upload them to my server in their
present condition, they must be zipped, and I also cannot send
.exe files for obvious reasons, they also have to be zipped to
be emailed.
Here's an update. I found some more online scanners, and just
as I expected, dllhelp.exe and dlltemp.exe WERE identified as
Win32.Startpage.DT by Computer Associates' AV scanner.
"BitDefender" and RAV Antivir-us also found a file I forgot
about in a DIFFERENT online attack. This was when I got
warnings that Notepad.exe was trying to be accessed. I again
denied it, but it still got on my HD. The file "Notepad.exe"
was REPLACED by "notpad.exe" (that's without the "e"), and a
file called "NOTEPAD.EXE" (all caps) was in its place. It had
a different icon (generic blue & white MSDOS type executable
icon), and it was 3k in size where Notepad.exe, the real file,
is 64.5k in size. I of course suspected this and knew it was a
bad file. I put it in another folder until I could find something
that identified it. BitDefender's & RAV's online scanner were
the ONLY AV software that correctly saw this file, and
identified it as "Tr0jan.Downloader.Small.JC". Additionally,
RAV was the only one that saw some GFI email test
emails I had saved to test OE. These are BENIGN, but they
mimic exploits and other vir-us behavior. These were
"HTML/IFrame_Exploit". Panda saw only ONE of these files
(and deleted it like I mentioned), but RAV saw all of the other
emails. So, these are some additional files you should also
add to your vir-us def's and online scanner.
----END OF EMAIL TO PANDA & TREND
So, here's a list of several free online scanners I found.
Some are only vir-us/worm/Tr0jan scanners, some are only
"exploits" scanners, and some are both. Note that you need
to turn off any PopUp blocker at most of these sites, and
some you have to disable your running AV software. I highly
recommend (if you haven't, and you SHOULD if you haven't)
install the new version of SpyBot v1.3 that has this new
"TeaTimer resident" IE protection. This is something new on
this latest version that runs in the System Tray IN ADDITION
TO SpyBot's "Immunize" area that also provides real time
protection (but the Immunize area does not have to be running
in the background). The reason I recommend it is because
most of these sites will place a registry tag in your registry
that's NOT needed. TeaTimer saw this and asked me if
I wanted to deny it, and I did, and they still ran correctly.
Also, some of these places ask for an email address/info
about you, and for all but one of those that do ask, it is not necessary;
you can give a made-up address. The one place that does
require a valid one I don't recall, but you'll know it on the next
page where it states "link will be emailed to you". Some of
these will not run if you block their cookie, so keep that in mind.
Some of these sites also scan email, and they found several
emails in my inbox with an "HTML Frame exploit" type of
malware. (These were NOT the GFI test emails I spoke of
above that I placed in a folder, but valid emails in my Inbox).
1. http://info.ahnlab.com/english/ (TWO areas at lower left)
2. http://www.auditmypc.com/
3. http://www.bitdefender.com/scan/Msie/index.php (May be IE only, and you have to accept a cookie to run it).
4. http://www.commandondemand.com/eval/index.cfm
5. http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
6. http://www.dslreports.com/scan (Many tools there)
7. http://www.freedom.net/viruscenter/onlineviruscheck.html
8. http://www.emailsecuritytest.com/ (Best place for checking Outlook and OE security).
9. http://grc.com/default.htm (One of the best places on the net for checking and fixing vulnerabilities).
10. http://www.kaspersky.com/scanforvirus (Appears to be able to only scan one file at a time, so it's good for checking individual suspicious files).
11. http://www.pandasoftware.com/activescan/co...n_principal.htm
12. http://www.pcflank.com/ (Another great place like GRC, yet it didn't find any of my bad files).
13. http://www.pcpitstop.com/antivirus/default.asp (Many other tools there @left margin).
14. http://www.pestscan.com/Scan.asp
15. http://browsercheck.qualys.com/ (A great place for checking AND fixing browser vulnerabilities).
16. http://www.ravantivirus.com/scan/indexn.php (Individual file scan)
17. http://www.ravantivirus.com/scan/indexie.php (Full scan)
18. http://www.dials.ru/english/www_av/ (Individual files)
19. http://stealthtests.lockdowncorp.com/ (Mainly just an FYI site, they do have valid good scans, but they try to "scare" you into buying their product, so keep that in mind).
20. http://scan.sygate.com/
21. http://security.symantec.com/ssc/home.asp
22. http://security.norton.com/sscv6/default.asp
23. http://housecall.trendmicro.com/
24. http://www.Tr0janscan.com/ (Still down)
Again, EACH of these scanning sites that scan for malware, have
their good, and bad points. One may only find ONE bad file,
yet it will be a file that none of the other sites will see! You
may be surprised what they will turn up. Careful with what you
let them delete. Since I was aware of all files these places found
(except for two emails in my inbox), I did not let them do anything
to these files since I saved them for testing purposes. If you are
not sure about what to delete if they find anything, then you should
post it. Like I mentioned before; anti-spyware programs for example
can and will tag VALID NEEDED things *as* SpyWare, and can mess
up a computer.
-Clint
END
(Since this email, TrendMicro replied and asked me for the files and they are going to add them to the virus def's. As of pattern file 931, they still have not! This below is another related post I posted BEFORE that email above to the same list) :
I think many will find this interesting, and helpful if this
ever happens to you. This is what happened to me during a
visit to a website. It's a bit long, but necessary for all the
details.
I had ALL of the following RUNNING IN THE BACKGROUND:
SpywareGuard, SpywareBlaster, SpySweeper, SpyBot (the newest
version of SpyBot v1.3 that has a new feature that can run in
the system tray for added protection), my hardware firewall,
and of course my software firewall and AV software. All of a
sudden I got this onslaught of "attacks" where SpywareGuard,
Sygate (firewall), SpySweeper, PCcillin (Trend Micro AV),
SpywareBlaster, and that new version of SpyBot, ALL gave alerts
that my search settings were being changed and my home page
being changed, and about a worm by PCcillin. The Sygate
warning was about some file trying to be accessed, but there
were so many dozens of alert windows popping up I didn't have
time to read it! There must have been 50 or 60 alerts in a
matter of 2-3 minutes and I could not exit out of them! I of
course kept denying all of them, and telling the anti-spyware
programs to deny the changes, and with every denial came
another popup warning. No harm was done except for rendering
my address bars unusable*.
When I closed all browser windows and ran the anti-spyware
programs; SpyBot only found 2 or 3 things and they were
registry keys regarding browser hijackers. AdAware found
THIRTEEN pieces of malware. Most were the criminal parasite
@!#$! at "Cool WWW Search" and some cr-p from e-finder, but
some were p-0-rn links that were ADDED TO MY FAVORITES
FOLDER WITHOUT my knowledge!! SpySweeper found
nothing (but it did find something several hours earlier that
both AdAware and SpyBot missed, fairly harmless). Then I
let the programs (all were running at the same time) remove
the malware, but not before I copied all the registry keys and
made a backup of the entire registry, plus I always opt for the
programs to where applicable save backups of what was
removed/changed.
*I thought all was well, but when I typed a URL in my address
bar under the Quick Launch toolbar (I wanted to find out about
e-finder.cc), I got these errors I've never before seen!
*******tests/1.gif
/tests/2.gif
/tests/3.gif
Every time I typed or pasted an address in the address bar and
hit [enter] this is what was happening! Obviously from this I
surmised that some associations somewhere regarding outside
search functions was screwed up. I realized that the address
bar WOULD work IF and only if the http:// was added first! It
was then I realized it was a URL prefix issue that had gotten
corrupted. I searched the registry for anything regarding
prefixes and found a couple of keys. I then remembered two
tags that SpyBot "fixed", or so I thought. I went to check
them again and what SpyBot did was REMOVE them completely,
instead of fixing them:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
(something missing here)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"= (something missing here)
Below the first key above (in the right pane of the registry I
should say) should be http:// and that "www" area in the
second key should have http:// after that equal sign, which
would show in the right pane. I wanted to see if some piece of
software would fix this all on its own, and in some searches
regarding these 7 mysterious files that showed up**, I found
"HijackThis", another anti-spyware program. It saw those
keys and it did indeed FIX them without me having to re-enter
the correct data again. So, that's another great program to
use, it's free to download and I suggest you guys try it! It
really works.
http://www.spychecker.com/program/hijackthis.html .
What SpyBot tagged on those keys was "!www" and "http!"
or something like that. Instead of removing the ! marks (if
that's what it was tagging), or maybe it just added the ! marks
for emphasis and in that case instead of removing the bogus
parts, it removed the whole area at the right pane in the
registry. So, it's a good idea to always make notes and
backups of EXACTLY what malware SpyBot or any other
anti-spyware program is changing or removing.
**Now, regarding these new files mysteriously added to my
HD....remember that these SEVEN FILES were added to my
HD EVEN WITH ALL of these anti-spyware programs running,
and TWO firewalls!!! When I realized I had the address bar
problem, I thought I'd better check for any newly added files
on my HD, so I opened the Windows folder and System32
folder and arranged icons by date, so the newest files would
be in one spot at the end of the folder. In the Windows
folder, I found these files: dllhelp.exe, dlltemp.exe, e.exe,
m.exe, dpe.dll, and msxmidi.exe (of which some sites are
saying it's a vir/us). All except the dll file were the
default blue and white icons for "applications" or executables.
Right clicking each of them and checking properties gave no
information as to what they were, nor what app used or opened
them. But they ALL were "created on:" the same day within an
hour of each, some created at the EXACT same minute and second
during these attacks I mentioned. So during some searches on
each of these files, I found out all of them are indeed spyware
of some kind (except for e.exe, couldn't find anything on it),
and I also found that something called "IEengine.exe" may be in
my IE folder, and it WAS, and it was also created at the same
time as these other 6 files. NONE of these files did ANY of
the anti-spyware programs find! If I would not have
investigated the matter further by checking for any new files
added to my HD, these 7 files would still be on my PC. I had
no references anywhere to "mypoiskovik", not even in the
registry. Even though some of these files are associated with
that bug, it does not appear to be the actual Mypoiskovik bug.
As for the file called msxmidi.exe, I don't understand why
people are saying "my Norton AV identified it as a vir/us". I
ran the vir/us scan at Norton's website, and it didn't see it
and that's what people were using to identify it as a vir/us!
(What is strange is Norton DID find 3 "vir/uses" on my PC,
but I put them there. They were "exploits" and not vir/uses.
What's great about this is they were only TEXT FILES and
NAV still identified them! That's pretty good. What these
files are, is I have some codes in Notepads that I execute
on every new Windows install to make sure they can't run.
They are harmless, but they COULD be very bad if designed
to run a bad code. What I made will only execute the Windows
calculator when you click the .html file. You put the code in
a Notepad file, then rename the extension to .htm or .html,
and click the file and see if the calculator is launched. It's
a similar thing here on one of the following pages:
http://browsercheck.qualys.com/ I think XP by default
is protected against that).
Ok, so I then went to XP's Native search and searched for all
files created on this day, and was sure to go to "folder
options" first and check/uncheck boxes to show hidden files and
show "protected operating system files" as well. I went
through the entire results list and didn't find any more files
created on this day of which I did not know the origin. So,
apparently it was "only" these 7 files that were added.
It's OBVIOUS that having every anti-malware program you can
find and even having them running in the background is NOT
enough to protect you, and additionally, running the programs
to find malware is STILL not enough to protect you! They can,
and DO make changes that (like SpyBot did) can mess up your PC
if you don't make notes of the changes, and in the case of all
of them miss these 7 executable files.
I could have run XP's restore function, or ran the undo/restore
feature of SpyBot, or run my backup of XP's "Files and Settings
Transfer Wizard" ("settings only") of which any of these would
have probably fixed the URL prefix issue, and I would have done
that if I would not have been able to find out the cause. But,
I wanted to find out the cause, and none of these would have
identified nor removed the 7 executables.
From this I think it's safe to say that when you get infected
with any kind of malware, it's a good idea to try what I did.
Search for any files that were recently created and if you are
not familiar with them (if they are not obvious like your AV
software updates or the like), and you have to use the
"advanced" search options of Windows to do this. Then put
these file(s) names you may find in any search engine to find
out about them. And, to always be sure you don't totally
delete anything that the anti-malware programs find, to only
quarantine them and to make notes of exactly what they are
doing. Also, if anyone ever has this address bars issue that I
had, check those registry keys.
======END
A side note.....when I mention things like "all of these are running in the background", I only execute all of the programs when I go to a crack/hack type website for added protection. And, AGAIN, I've had bad crap dumped on my PC when going to legit BUSINESS websites! This is usually from their #@$% ad banners by hitbox, doubleclick, humanclick, etc. I guess it's best to have all of these running all the time, but I don't like to have a lot of things running in the BG, it sucks too much RAM and resources. However, apparently these days you must have all of them running always for maximum protection. I still only have TeaTimer running in the BG, but I may change that approach soon to include all that can be running.
It's also worth repeating again, that not one of these anti-malware programs will find everything! One may find nothing, another may find 1 or 2, and still another may find a dozen or more malware files! This is during the exact same time, say day, running one right after the other. I don't close out the programs, I keep them open so they won't delete anything, and so I can then check the other programs to see if they find the same things. THEY NEVER DO. Then I'll let each program (at my discretion) delete/fix the bad files or tags.
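The manual triage Clint describes (sort the Windows and System32 folders by creation date, pick out the strangers, notice that several were written in the same second, spot the renamed "notpad.exe" and the 3 KB impostor "NOTEPAD.EXE") can be scripted. The block below is an added example written for this page, not code from the thread or from any of the products it mentions. It is Python rather than the Explorer search the post used; the baseline dictionary, the sample folder and the epoch time are constructed for the demo, and the only figure taken from the post is the 64.5 KB (66048 byte) size of the genuine notepad.exe. On Windows `st_ctime` is the creation time the post's search keys on; on other platforms the code falls back to `st_birthtime` or, failing that, the modification time, which is also what the self-contained sample uses.

```python
import os
import sys
import tempfile
from collections import defaultdict

# Constructed baseline for the demo: names the owner expects in the scanned
# folder, with an expected size where one is worth checking. 66048 bytes is
# the 64.5 KB the post gives for the real notepad.exe.
KNOWN = {"notepad.exe": 66048, "msvcrt.dll": None, "win.ini": None}

def creation_time(path):
    """Best-effort creation timestamp. On Windows st_ctime is creation time;
    elsewhere it is inode change time, so prefer st_birthtime, else mtime."""
    st = os.stat(path)
    if sys.platform.startswith("win"):
        return st.st_ctime
    return getattr(st, "st_birthtime", st.st_mtime)

def list_files(root, clock=creation_time):
    """(timestamp, size, name, path) for every file under root. os.walk does
    not skip hidden or system files, which the post had to switch on by hand
    in Explorer's folder options before its search listed everything."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                out.append((clock(path), os.path.getsize(path), name, path))
            except OSError:
                continue  # vanished or unreadable: skip, do not abort the sweep
    return sorted(out)

def within_one_edit(a, b):
    """True if a and b differ by at most one inserted, deleted or replaced
    character, e.g. "notpad.exe" versus "notepad.exe"."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1

def triage(root, start, end, known=KNOWN, clock=creation_time):
    """Four checks from the post in one sweep:
    unknown       - files created in [start, end] whose name is not baseline
    clusters      - unknown files sharing one creation second (one dropper)
    lookalikes    - any file one edit away from a baseline name (notpad.exe)
    size_mismatch - baseline names whose size is wrong (the 3 KB NOTEPAD.EXE)"""
    unknown, by_second, lookalikes, size_mismatch = [], defaultdict(list), [], []
    for ts, size, name, _path in list_files(root, clock):
        low = name.lower()
        if low in known:
            expected = known[low]
            if expected is not None and size != expected:
                size_mismatch.append((name, size, expected))
        else:
            for k in known:
                if within_one_edit(low, k):
                    lookalikes.append((name, k))
            if start <= ts <= end:
                unknown.append(name)
                by_second[int(ts)].append(name)
    clusters = {s: sorted(n) for s, n in by_second.items() if len(n) > 1}
    return {"unknown": sorted(unknown), "clusters": clusters,
            "lookalikes": lookalikes, "size_mismatch": size_mismatch}

def build_sample_tree(base_ts):
    """Constructed sample folder reproducing the state the post describes.
    Timestamps are set with os.utime, so scan it with clock=mtime."""
    root = tempfile.mkdtemp(prefix="triage_")
    def put(name, size, ts):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(b"\0" * size)
        os.utime(p, (ts, ts))
    old = base_ts - 90 * 86400
    put("msvcrt.dll", 4096, old)
    put("win.ini", 512, old)
    put("notpad.exe", 66048, old)          # the real editor, renamed by the malware
    put("NOTEPAD.EXE", 3072, base_ts + 5)  # the 3 KB impostor in its place
    for name in ("dllhelp.exe", "dlltemp.exe", "m.exe"):
        put(name, 20480, base_ts + 10)      # three dropped in the same second
    put("e.exe", 8192, base_ts + 70)
    put("dpe.dll", 12288, base_ts + 800)
    put("msxmidi.exe", 16384, base_ts + 2500)
    return root

def mtime(path):
    return os.stat(path).st_mtime

if __name__ == "__main__":
    base = 1089000000  # constructed epoch time standing in for the "attack day"
    root = build_sample_tree(base)
    for key, val in triage(root, base, base + 86400, clock=mtime).items():
        print(key, val)
```

Against a real machine you would point `triage` at the Windows folder with a baseline built from a known-clean install and a window covering the incident; the output is a shortlist to research and quarantine, not a verdict, which is the same stance the post takes about what each scanner reports.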
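The address-bar breakage in the second post came down to two registry keys, `URL\DefaultPrefix` and `URL\Prefixes`, whose expected contents the post spells out (DefaultPrefix holding `http://`, and Prefixes mapping ftp, gopher, home, mosaic and www to their schemes). The following added example, written for this page and not taken from the thread, SpyBot or HijackThis, parses a regedit `.reg` export of those keys and reports every deviation from that expected state, so a backup taken before letting a cleaner "fix" things can be checked afterwards. The two exports embedded below are constructed: one mirrors the broken state the post found (no DefaultPrefix data, empty `www`), the other the stock state. It assumes the export has already been decoded to text (regedit writes UTF-16) and only decodes string values.

```python
import re

# Expected state as the post describes it for Windows XP.
EXPECTED_DEFAULT_PREFIX = "http://"
EXPECTED_PREFIXES = {"ftp": "ftp://", "gopher": "gopher://", "home": "http://",
                     "mosaic": "http://", "www": "http://"}
URL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def parse_reg(text):
    """Parse a regedit export into {key path: {value name: data}}.
    "@" stands for the key's (Default) value. String data is unquoted and
    unescaped; any other type (dword:, hex:) is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def check_url_prefixes(reg):
    """One finding per deviation from the expected state; an empty list means
    bare host names typed in the address bar will still get http:// added."""
    findings = []
    dp = reg.get(URL_KEY + r"\DefaultPrefix", {})
    if dp.get("@") != EXPECTED_DEFAULT_PREFIX:
        findings.append("DefaultPrefix (Default) is %r, expected %r"
                        % (dp.get("@"), EXPECTED_DEFAULT_PREFIX))
    px = reg.get(URL_KEY + r"\Prefixes", {})
    for name, want in EXPECTED_PREFIXES.items():
        if px.get(name) != want:
            findings.append("Prefixes\\%s is %r, expected %r" % (name, px.get(name), want))
    for name in sorted(set(px) - set(EXPECTED_PREFIXES)):
        # Anything beyond the stock five is not normal and deserves a look.
        findings.append("Prefixes\\%s = %r is not a stock entry" % (name, px[name]))
    return findings

# Constructed export mirroring the post: DefaultPrefix lost its (Default)
# data and "www" is empty, which is why only URLs typed with http:// worked.
BROKEN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"=""
"""

# Constructed export of the stock state the post says the keys should hold.
HEALTHY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_EXPORT), ("healthy", HEALTHY_EXPORT)):
        print(label, check_url_prefixes(parse_reg(text)) or "OK")
```

Running the checker on an export taken before and after a cleanup tool runs shows exactly what it changed under these keys, which is the note-taking the post recommends after SpyBot removed the values instead of repairing them.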