Fogman (Econo-class Iconoclast)
Joined: Jun 20, 2005 Age: 41 Posts: 2054 Location: SC, USA
Posted: Thu Oct 09, 2008 10:31 am Post subject: Attn. Windows Users : Malware Alert
There is a relatively new piece of malware entitled 'XP Anti Spyware 2009' that is able to autoinstall via 'driveby' with the Opera web browser. It may also be able to autoinstall via Firefox as well if you are running an XP system. Whether or not this will happen with WinVista is unknown. If you encounter this program, a simple uninstall via its uninstall selection in the Windows start menu will possibly get this app off of your system.
It also downloads and installs brastk with the command of 'brastk.exe' as a startup item, so if people encounter this piece of malware, they will want to run MSCONFIG and deselect this item from their startup menu, and reboot accordingly. You may also want to further update the definitions of your malware removal tools to further immunise yourself against this.
I am currently on my Linux computer posting this as I'm running diagnostics on my Windows system to ensure that this malware is removed.
_________________
"Blessed are the Distinctly Alien, for they shall inherit the Earth." -- Genesis P. Orridge

Fnord (Metasyntactic Variable)
Joined: May 07, 2008 Posts: 3658 Location: Pantopia
Posted: Thu Oct 09, 2008 10:50 am
From http://www.spywareremove.com/removeXPAntispyware2009.html

Quote:
    XP Antispyware 2009 Description
    XP Antispyware 2009, or XPAntispyware2009, is a rogue security program that was found to be installed from a Trojan horse infection or rogue website. Once XP Antispyware 2009 infiltrates your system it may start to annoy you repeatedly with popups or system alert messages used as scare tactics. XP Antispyware 2009 scares you into purchasing a full version of the XP Antispyware 2009 program.
    XP Antispyware 2009 does not live up to any expectations as it is not able to remove parasites or viruses. XP Antispyware 2009 was also found to be sponsored on XP Antispyware 2009.com which is a site that you should never visit. XP Antispyware 2009 should not be purchased under any conditions. If you have XP Antispyware 2009 on your system then it is recommended that you utilize a reputable spyware scan program in order to locate and remove XP Antispyware 2009 and its files.

The site also features a detailed method of removal.
_________________
The leaders of the American automobile industry have been amazingly consistent in their management philosophy, in that they have never missed an opportunity to miss an opportunity.

Fogman (Econo-class Iconoclast)
Joined: Jun 20, 2005 Age: 41 Posts: 2054 Location: SC, USA
Posted: Thu Oct 09, 2008 11:00 am
Thanks, I'm using this, and brastk.exe (a trojan downloader) is gone from that system via Windows Defender, but I still had to manually delete a duplicate of the file from c:\windows\system32.
Furthermore, when the stealth download occurred, my system closed all windows and did an auto-reboot, which made me suspicious that something bad was happening to my system. Suspicions verified, and the problem is now solved.
FWIW, the stealth/driveby download occurred when I accessed a site for music lyrics. Gone are the days when things like this only occurred with IE.
_________________
"Blessed are the Distinctly Alien, for they shall inherit the Earth." -- Genesis P. Orridge

Orwell (Outer Party Member)
Joined: Aug 09, 2007 Age: 19 Posts: 4243 Location: Room 101
Posted: Thu Oct 09, 2008 12:05 pm
Gotta love my *nix systems.
Alt text: We actually stand around the antivirus displays with the Mac users just waiting for someone to ask.
Link: http://xkcd.com/272/
_________________
WAR IS PEACE
FREEDOM IS SLAVERY
IGNORANCE IS STRENGTH

lau (Quinquaginta Novem! Male Gee-knee-us + silly bits.)
Joined: Jun 18, 2006 Age: 59 Posts: 7448 Location: Somerset UK
Posted: Thu Oct 09, 2008 2:21 pm
A sheer coincidence, but I happened to want to test if my ISP was filtering my email today.
It turns out that they will not permit me to send an email with an attached "virus". I have the strong feeling that they may be violating their terms of service with me.
This website is where I obtained the virus. It is the standard EICAR test virus. However, I would strongly recommend that you DO NOT use this site if you have any qualms about it.
http://www.rexswain.com/eicar.html
The site supplies the raw EICAR file, then that file inside a "zip" file, and then again zipped two levels down.
I run Linux, so had no qualms about downloading all three. I then threw them all through ClamAV, which detected the virus in all three cases.
_________________
Phases of a project: (1) Exultation. (2) Disenchantment. (3) Confusion. (4) Search for the Guilty. (5) Punishment for the Innocent. (6) Distinction for the Uninvolved.

richie (Ye Olde Bookwyrme)
Joined: Jan 10, 2007 Age: 50 Posts: 12016 Location: Lake Whoop-Dee-Doo, Pennsylvania
Posted: Thu Oct 09, 2008 3:21 pm Post subject: Re: Attn. Windows Users : Malware Alert
Fogman wrote:
    There is a relatively new piece of malware entitled 'XP Anti Spyware 2009' that is able to autoinstall via 'driveby' with the Opera web browser. It may also be able to autoinstall via Firefox as well if you are running an XP system. Whether or not this will happen with WinVista is unknown. If you encounter this program, a simple uninstall via its uninstall selection in the Windows start menu will possibly get this app off of your system.
    It also downloads and installs brastk with the command of 'brastk.exe' as a startup item, so if people encounter this piece of malware, they will want to run MSCONFIG and deselect this item from their startup menu, and reboot accordingly. You may also want to further update the definitions of your malware removal tools to further immunise yourself against this.
    I am currently on my Linux computer posting this as I'm running diagnostics on my Windows system to ensure that this malware is removed.

About a week ago I reported to Google a similar web forgery that put bogus security software and auto installed..... fortunately the Avast anti crap-ware that I am running got rid of it pretty quickly... upon detection I thought some fire alarm or something had gone off as it made quite a racket in alerting me..
_________________
Life! Liberty!...and Perseveration!!.....

KenithSobel (Tufted Titmouse)
Joined: May 21, 2008 Age: 22 Posts: 49 Location: Las Vegas NV
Posted: Fri Oct 10, 2008 9:59 am
XP Anti Spyware 2009 got it last week,
never let your friend use IE on your computer !!!
_________________
Kenith Sobel,
Network Security Engineer

lau (Quinquaginta Novem! Male Gee-knee-us + silly bits.)
Joined: Jun 18, 2006 Age: 59 Posts: 7448 Location: Somerset UK
Posted: Fri Oct 10, 2008 12:05 pm
PS. Just to be safe, the site I gave earlier does (or at least did) have the "correct" EICAR test file, as I thought I would just verify:
http://www.eicar.org/anti_virus_test_file.htm
http://en.wikipedia.org/wiki/Eicar_test_virus
As it says on the EICAR site, the essential part of the test file is the first 68 characters, all printable with no lower case letters. In fact, it is just:

Code:
    X5O!P%@AP[4\PZX54
    (P^)7CC)7}$EICAR-
    STANDARD-ANTIVIRU
    S-TEST-FILE!$H+H*

where I have deliberately broken it into four blocks of seventeen characters each, just in case any software is stupid enough to register it as a virus inside this message!
The version on the site I gave earlier is (was) 70 bytes long, which is exactly the above string, but with a carriage return and a line feed appended. The file can in fact have any layout characters added, up to a maximum length of 128 bytes.
============
I found it rather interesting that, when I attempted to email the "virus" to a friend, I got a "bounce" message, helpfully telling me that I had attempted to email an attached virus. I did not regard that as too disturbing.
I have just attempted to email the doubly-zipped version to myself, and that has also given me a bounce message saying that my ISP refuses to let me send it. Also not too disturbing, as to be honest, it does stop people who have been compromised by a virus from sending out more copies of that virus (although, the chances are that they received the virus from an email in the first place, so why didn't the ISP block it before it arrived... ho hum... nothing is perfect.)
My ISP was even smart enough to detect the EICAR test inside a bzip2'ed file.
They were also stupid enough to detect it as a virus when it was merely a text string in the body of an email, hence my care to break up the string above, just in case it set off idiotic alarms.
They did let me send it to myself once I had split it into two 34-character lines.
============
However... my friend up in Scotland is also not permitted (by his ISP) to send viruses... but receives no indication that his emails have not been sent on. I.e. if the virus check were to come up with a false positive on one of his emails, it would just get deleted, and he will have no idea that his email has been thrown away. Not at all good.
_________________
Phases of a project: (1) Exultation. (2) Disenchantment. (3) Confusion. (4) Search for the Guilty. (5) Punishment for the Innocent. (6) Distinction for the Uninvolved.

chever ('Mud')
Joined: Aug 22, 2008 Age: 20 Posts: 1668 Location: Earth
Posted: Fri Oct 10, 2008 1:16 pm
lau wrote:
    My ISP was even smart enough to detect the EICAR test inside a bzip2'ed file.

Really? Cool. I'd be even more impressed if they detected it in an LZMA'd attachment.
_________________
"You can take me, but you cannot take my bunghole! For I have no bunghole! I am the Great Cornholio!"

lau (Quinquaginta Novem! Male Gee-knee-us + silly bits.)
Joined: Jun 18, 2006 Age: 59 Posts: 7448 Location: Somerset UK
Posted: Fri Oct 10, 2008 3:27 pm
chever wrote:
    lau wrote:
        My ISP was even smart enough to detect the EICAR test inside a bzip2'ed file.
    Really? Cool. I'd be even more impressed if they detected it in an LZMA'd attachment.

So... there's your answer... if you want to send someone a copy of a virus as an attachment, don't forget to lzma it.
My ISP didn't care in the slightest about delivering eicar.com inside my eicar.lzma file.
_________________
Phases of a project: (1) Exultation. (2) Disenchantment. (3) Confusion. (4) Search for the Guilty. (5) Punishment for the Innocent. (6) Distinction for the Uninvolved.

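The behaviour lau reports above, written up as an added Python example that is not code from anyone in this thread: the EICAR file rule (the 68-character string, optional trailing whitespace, 128 bytes at most) and a small recursive attachment scanner, once with an unpacker set modelled on what his ISP evidently opened (zip, bzip2) and once with lzma/xz added, which is the layer that let eicar.lzma through. All sample attachments are constructed inside the block with the standard library; the container set is an assumption drawn from his posts, not a description of any real ISP's filter.

```python
import bz2, io, lzma, zipfile

# EICAR string assembled at runtime from the four 17-character blocks quoted above,
# so that this source file does not itself contain the 68-byte signature.
EICAR = b"".join([b"X5O!P%@AP[4\\PZX54", b"(P^)7CC)7}$EICAR-",
                  b"STANDARD-ANTIVIRU", b"S-TEST-FILE!$H+H*"])

def is_eicar_file(data):
    # EICAR rule: the 68 bytes, optionally followed by whitespace, 128 bytes at most.
    return (len(data) <= 128 and data.startswith(EICAR)
            and data[len(EICAR):].strip(b" \t\r\n") == b"")

# Unpackers return the payloads one layer down, or None if not that container type.
def unpack_zip(data):
    if data[:4] != b"PK\x03\x04":
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zf.read(name) for name in zf.namelist()]
def unpack_bz2(data):
    return [bz2.decompress(data)] if data[:3] == b"BZh" else None
def unpack_lzma(data):
    try:  # FORMAT_AUTO accepts both .xz and legacy .lzma streams
        return [lzma.decompress(data)]
    except lzma.LZMAError:
        return None
ISP_LIKE = (unpack_zip, unpack_bz2)    # the layers lau's ISP evidently looked into
HARDENED = ISP_LIKE + (unpack_lzma,)   # plus the one it missed

def scan(data, unpackers=HARDENED, depth=4):
    if is_eicar_file(data):
        return True
    for unpack in unpackers if depth > 0 else ():  # depth cap bounds nested archives
        inner = unpack(data)
        if inner is not None:
            return any(scan(i, unpackers, depth - 1) for i in inner)
    return False

def zipped(payload, name="eicar.com"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: raw, 70-byte CRLF version, zip-in-zip, bzip2, legacy .lzma, clean.
SAMPLES = {"raw": EICAR, "crlf": EICAR + b"\r\n",
           "zip2": zipped(zipped(EICAR), "eicar.zip"), "bz2": bz2.compress(EICAR),
           "lzma": lzma.compress(EICAR, format=lzma.FORMAT_ALONE),
           "clean": b"Nothing to see here, just a plain text mail body.\r\n"}

def report(unpackers):
    return {name: scan(blob, unpackers) for name, blob in SAMPLES.items()}
```

The silent-drop problem lau raises for his friend's ISP is separate from detection coverage: whichever unpacker set is used, a gateway should still bounce rather than discard.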
atxa (Velociraptor)
Joined: Jun 04, 2006 Posts: 443
Posted: Fri Oct 10, 2008 8:39 pm
To avoid that kind of crap, you should use Firefox or IE within "DropMyRights" or within a non-admin account.