Virus out of the blue

This story happened to me last night.

It was approaching midnight and I was trawling the Internet for the lyrics of one beautiful Ukrainian song. I typed a query into Yandex and opened several of the results in tabs. The hard drive rattled a little, and then several Kaspersky Anti-Virus windows popped up one after another, notifying me that a certain "xBXJ.exe" and several similar files had been placed in the "Weak restrictions" group. Right after that a black window flashed for a split second, the kind that appears when a console program starts.

A split second after that I was already diving (no, not into the depths of the Internet) under the table in a futile attempt to yank the patch cord out of the computer's network card in time.

System configuration:
- Windows XP with all patches and updates; the Windows firewall is disabled.
- Kaspersky Internet Security 2009, enabled, with updates from March 24, 2010.
- Opera 10.51 (the latest version at the time).

To start, I changed the passwords on my mailboxes and ICQ from the second computer (a laptop). Then I looked at the Kaspersky logs:

03/25/2010 23:53:24 xBXJ.exe Activity filtering Placed in the group Weak restrictions Has a high value for the heuristically calculated danger rating
03/25/2010 23:53:44 joSB.exe Activity filtering Placed in the group Weak restrictions Has a high value for the heuristically calculated danger rating
03/25/2010 23:53:46 MjyD.exe Activity filtering Placed in the group Weak restrictions Has a high value for the heuristically calculated danger rating
03/25/2010 23:53:46 del.bat Activity filtering Placed in the group Weak restrictions Has a high value for the heuristically calculated danger rating

Honestly, I was surprised that with default settings, and despite the high danger rating, Kaspersky silently let the files run.
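The point worth taking from these four log lines is the pattern, not the individual verdicts: several randomly named executables, each heuristically rated dangerous, all allowed to run within a few seconds, followed by a batch file. Below is an added example (mine, not part of the original post and not Kaspersky code) that parses entries in the format quoted above, normalises the 12-hour and 24-hour timestamps, and reports such bursts; the sample log is constructed from the post's entries plus one made-up benign record, and the "Trusted" group name and the random-name heuristic are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the KIS 2009 "Activity filtering" entries quoted
# in the post; the last line is a made-up benign control record for contrast.
SAMPLE_LOG = """\
03/25/2010 11:53:24 PM xBXJ.exe Activity filtering Placed in the group Weak restrictions Has a high value for the heuristically calculated danger rating
03/25/2010 23:53:44 joSB.exe Activity filtering Placed in the group Weak restrictions Has a high value for the heuristically calculated danger rating
03/25/2010 23:53:46 MjyD.exe Activity filtering Placed in the group Weak restrictions Has a high value for the heuristically calculated danger rating
03/25/2010 23:53:46 del.bat Activity filtering Placed in the group Weak restrictions Has a high value for the heuristically calculated danger rating
03/25/2010 23:58:10 setup.exe Activity filtering Placed in the group Trusted Digitally signed
"""

# "Weak restrictions" is the group name as the post renders it; "Trusted" is assumed.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2})(?: (?P<ampm>AM|PM))? "
    r"(?P<file>\S+) Activity filtering Placed in the group "
    r"(?P<group>Weak restrictions|Trusted) (?P<reason>.*)$")
# Crude heuristic (assumption): a 4-letter mixed-case stem like xBXJ or joSB is generated.
RANDOM_STEM_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{4}$")

def parse_line(line):
    """Return a dict for one log line, normalising 12-hour and 24-hour times."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = " ".join(x for x in (m["date"], m["time"], m["ampm"]) if x)
    fmt = "%m/%d/%Y %I:%M:%S %p" if m["ampm"] else "%m/%d/%Y %H:%M:%S"
    return {"ts": datetime.strptime(raw, fmt), "file": m["file"], "group": m["group"],
            "heuristic_high": "heuristically calculated" in m["reason"]}

def find_bursts(log_text, window_s=60, min_files=2):
    """Cluster heuristically flagged files that were still allowed to run (placed in
    'Weak restrictions') and started within window_s seconds of the cluster's first file."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e["group"] == "Weak restrictions" and e["heuristic_high"]]
    events.sort(key=lambda e: e["ts"])  # stable: ties keep log order
    bursts, cur = [], []
    for e in events:
        if cur and e["ts"] - cur[0]["ts"] > timedelta(seconds=window_s):
            if len(cur) >= min_files:
                bursts.append(cur)
            cur = []
        cur.append(e)
    if len(cur) >= min_files:
        bursts.append(cur)
    return [{"start": b[0]["ts"], "files": [e["file"] for e in b],
             "random_names": sum(bool(RANDOM_STEM_RE.match(e["file"].rsplit(".", 1)[0])) for e in b),
             "cleanup_script": any(e["file"].lower().endswith((".bat", ".cmd")) for e in b)}
            for b in bursts]

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG):
        print(burst)
```

On the constructed sample this yields one burst of four files within 22 seconds, three of them with generated-looking names and one batch file, which is exactly the shape of what the post's log shows.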

Then I asked around online and tried searching for the file names on Google, but the names are clearly generated, which is apparently why the search turned up nothing. By two in the morning I went to bed.
When I woke up and switched the computer on (without plugging the network cable back in), I was greeted by a wonderful picture: in the centre of the screen sat a porn banner that could not be closed or minimised and that blocked any attempt to open Task Manager.

And a new file had appeared: C:\Program Files\plugin.exe

The scammer's message looked like this:

Send an SMS with the text 1275131 to number 8353
Enter the received code: [______] (delete banner)
If you encounter problems, you can always contact us at: icq 558812836, email: lex-doroti@mail.ru

OK, the picture is clear, I think, to everyone. I go to freedrweb.com/cure-it and download the free scanning utility. It, however, finds nothing suspicious (which is strange, because it usually helps in such cases). Note how I went about it: I downloaded the program on the laptop, copied it to a USB flash drive, flipped the drive's switch to read-only, and only then plugged it into the infected computer.

Then I did the following: I looked up online who owns the short number "8353"; the provider is "1st Alternative Provider" (through which scammers most often work). I go to their site and call the listed number. The call-centre operator switches me to the first technical support line (extension 555). From there they switch me to the second technical support line (direct phone 663-71-14), where I get a busy tone. I call a second time, a third, a fourteenth. Finally, on the fifteenth attempt, I get through, explain the situation, and read out the text that the trojan demands be sent via SMS (1275131) to the number 8353. In response, the employee reads me the code that must be entered into that same porn banner. The code is 1968845971. I enter it, click the "Delete banner" button, and the porn window disappears. At the same moment, Kaspersky just as calmly allows del.bat to run, which wipes the trojan's traces.

Work on errors, or "what I did wrong":

Firstly, having turned off the main computer after the virus was detected, I should have removed the hard drive without booting from it, connected it to the laptop through the adapter (which I had), and scanned all of its files for viruses; or booted from a Live CD for the same purpose.

Secondly, I should have downloaded and run Cure-IT before shutting down or rebooting the computer. Then, perhaps, the porn window would never have appeared. Though this is unlikely, because running the Cure-IT utility with the porn banner already loaded on half the screen did not reveal any trojans either.

Thirdly, the standard Windows firewall was disabled on my machine. I thought that having KIS enabled would be enough, but...

Fourthly, when I scanned the system for vulnerabilities I found the following outdated programs with "holes": Winamp, Adobe Reader, QuickTime. Vulnerabilities in these programs allowed attackers to run malicious code.

Fifthly, ... a question for the audience: what else did I do wrong? (Please don't advise changing the operating system, browser, antivirus, skin colour, country of residence, etc. ;-)

What else I want to say: all such fraud schemes work only because of weak control on the part of the PPSOs and service providers (in this case, 1st Alternative Provider), because if they wished, they could set up payment schemes that make it so hard for fraudsters to collect the money that working with such programs becomes unprofitable. I think anyone can come up with such measures: deferred payment, a confirmation SMS, and so on. As they say, if only those on whom it depends had the desire.

In general, a relatively "happy" ending. The remaining question is that it is unclear on which site I picked up the virus, and what I need to do to prevent a repeat of the situation. I can send links to the suspicious pages (pulled from the browser history) that I visited before the trojans were downloaded, by private message. The pages are all suspicious: each has a bunch of hidden iframes at various nesting depths and incomprehensible JavaScript.

So it goes.

UPD: KIS now catches this nasty thing; that is, it was not caught with the March 25 updates, but it is with the March 26 updates.
