A virus out of nowhere
16 March 2011, 11:43
This story happened to me last night.

Near midnight I was wandering the expanses and depths of the Internet looking for the lyrics of a beautiful Ukrainian song. I typed the query into Yandex and opened a few of the search results in tabs. The hard drive rattled a little, and then several Kaspersky Anti-Virus windows popped up in a row, notifying me that «xBXJ.exe» and a few files like it had been placed in the "Weak restrictions" group. Right after that a black console window flashed for a split second, the kind that usually appears when a console program runs.

A split second later I was diving (no, not into the depths of the Internet) under the desk in a vain attempt to yank the patch cord out of the computer's network card in time.

System configuration:
Win XP with all patches and updates, Windows firewall disabled.
Kaspersky Internet Security 2009 with updates as of March 24, 2010, enabled.
Opera 10.51 (the latest version at the moment)

First, from the second computer (a laptop), I changed the passwords on my mailboxes and ICQ. Then I looked at the Kaspersky logs:

25.03.2010 23:53:24 xBXJ.exe Activity Filtering placed in a group of weak constraints is of high value heuristically calculated risk rating
25.03.2010 23:53:44 joSB.exe Activity Filtering placed in a group of weak constraints is of high value heuristically calculated risk rating
25.03.2010 23:53:46 MjyD.exe Activity Filtering placed in a group of weak constraints is of high value heuristically calculated risk rating
25.03.2010 23:53:53 del.bat Activity Filtering placed in a group of weak constraints is of high value heuristically calculated risk rating

Frankly, I was surprised that with the default settings, and with a high risk rating, Kaspersky silently let the files execute.
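The sort of check one could run over such log lines, as an added example that is not part of the original post and not Kaspersky's own tooling: it parses the four "Activity Filtering" entries (re-typed here as a constructed sample, with one constructed benign line added so the filter has something to ignore), treats short mixed-case names of the xBXJ.exe kind as generated, and raises an alert when several of them land in the weak-restrictions group within a minute, or when a batch file follows them into that group the way del.bat did. The name heuristic and the 60-second window are my assumptions, not anything the product does.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the four Kaspersky "Activity Filtering" lines
# quoted in the post, plus one constructed benign line that should not be flagged.
SAMPLE_LOG = """\
25.03.2010 23:53:24 xBXJ.exe Activity Filtering placed in a group of weak constraints is of high value heuristically calculated risk rating
25.03.2010 23:53:44 joSB.exe Activity Filtering placed in a group of weak constraints is of high value heuristically calculated risk rating
25.03.2010 23:53:46 MjyD.exe Activity Filtering placed in a group of weak constraints is of high value heuristically calculated risk rating
25.03.2010 23:53:53 del.bat Activity Filtering placed in a group of weak constraints is of high value heuristically calculated risk rating
26.03.2010 09:10:02 setup.exe Activity Filtering placed in a group of trusted applications
"""

LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
RUNNABLE = (".exe", ".bat", ".cmd", ".scr", ".com")


def parse_line(line):
    """Split one log line into timestamp, file name and message; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
    return {"ts": ts, "name": m.group(2), "msg": m.group(3)}


def looks_generated(name):
    """Assumed heuristic for names like xBXJ.exe: a short all-letter stem with mixed case."""
    stem = name.rsplit(".", 1)[0]
    if not (3 <= len(stem) <= 6) or not stem.isalpha():
        return False
    return any(c.isupper() for c in stem) and any(c.islower() for c in stem)


def is_weakly_restricted(entry):
    """True for entries placed in the weak-constraints group with a high risk rating."""
    return "weak constraints" in entry["msg"] and "high" in entry["msg"]


def analyze(log_text, window=timedelta(seconds=60), min_count=2):
    """Return generated-name executables, cleanup scripts, and bursts inside the window."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    weak = [e for e in entries
            if is_weakly_restricted(e) and e["name"].lower().endswith(RUNNABLE)]
    generated = [e for e in weak if looks_generated(e["name"])]
    # A batch file dropped into the same low-restriction group is the del.bat pattern
    # from the post: something cleaning up after itself.
    cleanup = [e["name"] for e in weak if e["name"].lower().endswith((".bat", ".cmd"))]
    bursts, i = [], 0
    while i < len(generated):
        j = i
        while j + 1 < len(generated) and generated[j + 1]["ts"] - generated[i]["ts"] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append([e["name"] for e in generated[i:j + 1]])
        i = j + 1
    return {"generated": [e["name"] for e in generated],
            "cleanup_scripts": cleanup, "bursts": bursts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for burst in result["bursts"]:
        print("ALERT: burst of generated-name executables allowed to run:", burst)
    if result["cleanup_scripts"]:
        print("ALERT: cleanup script in low-restriction group:", result["cleanup_scripts"])
```

On the sample this reports one burst (xBXJ.exe, joSB.exe, MjyD.exe, 22 seconds apart) and del.bat as a cleanup script, while setup.exe passes; the point is that the grouping decision the product already logs is enough to alert on, without waiting for a signature update.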

Then I talked with people on the Internet and tried searching for the file names on Google and Yandex, but the names are clearly generated, apparently so that searches return nothing. It was two o'clock in the morning; I went to bed.
When I woke up and turned on the PC (the network cable still not plugged into its back), I saw a remarkable picture: a porn banner program on the screen that could not be closed or minimized, and that blocked attempts to open the Task Manager.

And a new file had appeared: C:\Program Files\plugin.exe

The message from the fraudsters looked like this:

Send an SMS to number 8353: 1275131
Enter the resulting code: [______] (remove banner)

If you have problems, you can always contact:
icq 558812836
email: lex-doroti@mail.ru

OK, the picture is clear and understandable to everybody, I think. I go to freedrweb.com/cure-it and download the free scanning utility, which, however, finds nothing suspicious (which is odd, because it usually helps in such cases). Note how I did this: I downloaded the program to the laptop, copied it to a flash drive, flipped the flash drive's write-protect switch to read-only, and only then plugged it into the infected computer.

Next I proceed as follows: I look up on the Internet who owns the short number "8353"; the provider is the "second alternative provider" (through which fraudsters most often operate). I went to its website and called the listed number. The girl at the call center switched me to first-line technical support (extension 555). Then I was switched to second-line technical support (direct phone 663-71-14), where I got busy tones. I called a second time, and a third, and a fourteenth. Finally, on about the fifteenth try, I reached someone, explained the situation, and read out the text the trojan wants sent by SMS (1275131) to number 8353. In response the employee read me the code that has to be entered into that very porn banner. Here is the code: 1968845971. I enter it, press the "remove banner" button, and the porn box disappears. At this point Kaspersky, the bastard, just as calmly lets del.bat run to wipe up the trail.

Working on mistakes, or "what I did wrong":

First, since I switched off the main computer after the virus was detected anyway, I should not have turned it back on; instead I should have connected its hard drive to the laptop via an adapter (I had one) for a full scan of all files for viruses, or booted from a Live CD for the same purpose.

Second, I should have downloaded and run CureIt _before_ shutting down/rebooting the computer. Then, perhaps, the porn window would not have appeared. Though this is unlikely, because running CureIt with the half-screen porn banner program already loaded found no trojans.

Third, I had the standard Windows firewall disabled. I figured that having KIS enabled was enough, but...

Fourth, a system vulnerability scan found the following outdated programs with "holes": Winamp, Adobe Reader, QuickTime. Vulnerabilities in these programs allow attackers to run malicious code.

Fifth, ... a question for the audience: what else did I do wrong? (Please don't advise changing OS, browser, antivirus, skin color, country of residence, etc. ;-)

What else I want to say: all these fraud schemes work only because of weak oversight by the mobile operators and content providers (in this case the "1st alternative" provider), because if they wanted to, they could set up procedures that make it hard enough for fraudsters to earn money that working with such programs would not be profitable. I think anyone can come up with such measures: deferring payouts, checking the SMS messages, and so on. As they say, if only those on whom it depends wanted to.

All in all, a relatively «happy» ending. What remains unclear is which site I caught the virus from and what I need to do to prevent a repeat. If anyone wants, I can send by private message links to the suspicious pages (pulled from the browser history) that I visited before the trojans were downloaded. They are all suspicious: each has lots of hidden iframes with varying nesting and weird JavaScript.
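An added example, not from the post and not from any of the sites it mentions, of how one could triage pages saved from the browser history for the hidden-iframe pattern the author describes. It uses only Python's standard-library HTML parser; the sample page, its example.* URLs, and the size and style thresholds are constructed assumptions of mine.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary iframe next to the patterns from the post
# (an iframe in a hidden container, a 0x0 display:none iframe in an off-screen
# container, and a script that writes an iframe via unescape). Not a real site.
SAMPLE_HTML = """\
<html><body>
<p>Lyrics page</p>
<iframe src="http://example.com/player" width="400" height="300"></iframe>
<div style="visibility:hidden"><iframe src="http://example.org/a.php" width="1" height="1"></iframe></div>
<div style="position:absolute;left:-9999px">
  <iframe src="http://example.net/b.php" width="0" height="0" style="display:none"></iframe>
</div>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//example.org/c.php%22%3E'));</script>
</body></html>
"""

# Assumed thresholds: display:none, visibility:hidden or a large negative offset count as hidden.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px", re.I)
VOID = {"br", "img", "meta", "link", "input", "hr", "area", "base", "col", "embed", "param", "source"}


def _px(value):
    """'1' or '0px' -> pixels as int; None for percentages or missing values."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def _style_hidden(attrs):
    return bool(HIDDEN_STYLE.search(attrs.get("style") or "")) or "hidden" in attrs


def _tiny(attrs):
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


class HiddenIframeFinder(HTMLParser):
    """Records iframes that are hidden, tiny, or nested under hidden ancestors,
    and scripts that assemble an iframe with document.write."""

    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hidden) for currently open elements
        self.findings = []
        self._script_text = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = _style_hidden(attrs)
        if tag == "iframe":
            reasons = []
            if hidden:
                reasons.append("hidden by own style")
            if _tiny(attrs):
                reasons.append("1px or smaller")
            depth = sum(1 for _, h in self.stack if h)
            if depth:
                reasons.append(f"inside {depth} hidden ancestor(s)")
            if reasons:
                self.findings.append({"kind": "iframe", "src": attrs.get("src"),
                                      "reasons": reasons, "nesting": len(self.stack)})
        if tag == "script":
            self._script_text = []
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            text = "".join(self._script_text)
            self._script_text = None
            if "document.write" in text and re.search(r"iframe|unescape\(", text, re.I):
                self.findings.append({"kind": "script", "src": None,
                                      "reasons": ["document.write builds an iframe"],
                                      "nesting": len(self.stack)})
        for i in range(len(self.stack) - 1, -1, -1):   # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_iframes(html):
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["kind"], f["src"], "depth", f["nesting"], "->", "; ".join(f["reasons"]))
```

Run it over each saved page with `find_hidden_iframes(open(path, encoding="utf-8", errors="replace").read())`; the ordinary 400x300 player iframe produces nothing, while the two hidden iframes and the writing script are reported with the nesting depth at which they sit, which is the "different nesting" the author noticed by eye.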

That's it.

UPD. KIS now catches this nasty. I.e., with the March 25 updates it did not catch it, but with the March 26 updates it already does.
Views: 485 | Added by: w1zard | Rating: 0.0/0