[Tfug] OT: If you sometimes fix people's Windoze virii problems...

Jim March 1.jim.march at gmail.com
Sat Apr 3 06:15:31 MST 2010


Ran into a very nasty little bug yesterday.  Guy caught it in his
WinXP virtual machine I'd set up for him, so he was mostly functional
of course (in Karmic).

This was the classic "ransomware" class of "WOW YOU'VE GOT VIRUSES OUT
THE YANG! - pay us" scam fake "antivirus".  Two big kickers: it was
spread via ads from the WALL STREET JOURNAL of all places (ad
aggregator bought themselves a nasty?) and the kicker: it remained
active even in Windows XP "safe mode".

Normally the way to nail these is to start with a known non-infected
Windows setup like my own VM copy of XP, load Malwarebytes free
edition into it, run it and update it there, copy the Malwarebytes
installer app plus the "rules.ref" updated virus profile data over to
the bad one, bring the infected system up in safe mode, install
Malwarebytes, update rules.ref manually (copy the file to wherever MWB
puts it), run Malwarebytes in safe mode, all good.

This sucker tried to block all that - IN safe mode.  Sunuvabeech.

The good news is, if you download the MWB free edition, it's now
shipping with the latest updated rules.ref file - at least it did
yesterday.  So the cure was:

* Bring the infected system up in safe mode.

* Rename the Malwarebytes installer file to something else.

* Run the installer...at the end of the installation, do the
Malwarebytes "startup" - that's the ONLY way you can start MWB with
the virus active.  In other words, even if you already had
Malwarebytes, running it at the end of a fresh installation is the
only way to run Malwarebytes.

* The virus would still actually start up but fail to block execution
of Malwarebytes.

* Do a scan, tell it to delete/quarantine what it can, but DON'T let
MWB do the reboot.  Kill power to the virtual machine (or real system)
rather than "send a shutdown signal" or equivalent.  The idea is, the
virus is now active in RAM...don't let it rapid-undo what MWB fixes.

* On restart do safe mode yet again.  Do a second scan with MWB - it
will find and this time properly delete more infected stuff but the
virus won't be brought into memory - enough of it was killed on the
previous scan to block that, probably MWB had done changes to the
registry the last time.  So this run it can nail all the problems.

Done.

This new trend of "virus still functional even with MWB in safe mode"
is a shock, I'd not seen that before.

Jim
