Tuesday, July 24, 2007

Beyond Crappy to Shitty

Yesterday I encountered software that goes well beyond "crappy" to the truly shitty level. It's a trojan-style virus named Virtumonde.

I'm still not 100% sure how it weaseled into my system -- especially considering I keep this WinXP box patched and updated and run an anti-virus program (Avast) and WinPatrol (which checks for system modifications). Nonetheless, yesterday while I was browsing the Web in Firefox, Avast suddenly started firing off warnings of a trojan trying to install itself. I instructed Avast to block/delete it. There were 5 or 6 such warnings and I now suspect that Avast wasn't able to kill one of them.

Oh, and I should mention that I wasn't browsing for porn or looking at otherwise suspicious Websites. Rather, I was just looking up PHP tutorials. And I subsequently went back to those sites -- using Firefox's history -- and didn't have a repeat attack. So, the source of the attack remains a mystery.

At that point, WinPatrol kicked in -- setting off alarms that an add-on, a Browser Helper Object (BHO), was trying to be installed in MS Internet Explorer. Mind you, IE was not even open at this point as I was browsing with Firefox. These BHOs had no names, but the files associated with them were

opnmnkh.dll
ddcca.dll

Both these files had been placed in \WINDOWS\system32 right at the time of the Avast trojan warnings.

First, I tried to disable them within IE. No luck. Then I tried simply deleting them, but Windows would not let me because they were being used by a system process (and I couldn't terminate that process). Then I tried removing them with WinPatrol. No luck. Then I installed a second anti-virus/spyware app, Windows Defender. Defender identified the Trojan as Virtumonde, but it was unable to remove the files. It did describe the trojan and offer some advice about it:
Description:
This program displays advertisements and may be difficult to remove.

Advice:
Remove this software immediately.
Sigh. No shit, Sherlock.

I moved to the next level of combat: Hijack This and KillBox. Hijack This provided some additional diagnostic information, pulled from the registry:

O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\opnmnkh.dll
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: opnmnkh - C:\WINDOWS\SYSTEM32\opnmnkh.dll

This told me that the BHOs were being loaded during the system boot, via Winlogon Notify; and Hijack This informed me that (1) this was very early in the boot process and thus hard to kill and (2) that this was a common route for trojans to install themselves. Helpful info, but then Hijack This couldn't do anything about these registry entries. For some reason I can't understand, they cannot be deleted. Next I turned to KillBox, which is supposed to be able to terminate processes and delete files associated with them. It didn't work.
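As an added example (not from the post and not part of HijackThis), here is a small Python parser for O2/O20 lines like the three above. It groups each DLL's autostart entries, maps them to the registry keys those HijackThis sections report on, and flags the patterns seen in this infection: a BHO with no name, a Winlogon Notify subkey that is not one of the stock Windows XP entries, and a single DLL registered in more than one autostart location. The sample log, the placeholder CLSID for the benign BHO, and the allowlist of default Notify subkeys are constructed assumptions; the allowlist in particular should be replaced with a baseline taken from a known-clean machine.

```python
import re
from collections import defaultdict

# Constructed sample HijackThis-style log: the three entries quoted in the post,
# one stock XP Winlogon Notify entry, and one named BHO with a placeholder CLSID
# (not a real product's identifier).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\opnmnkh.dll
O20 - Winlogon Notify: ddcca - C:\WINDOWS\system32\ddcca.dll
O20 - Winlogon Notify: opnmnkh - C:\WINDOWS\SYSTEM32\opnmnkh.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")

# Registry locations the O2 and O20 sections correspond to.
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Winlogon Notify subkeys present on a stock Windows XP install. Assumption:
# a starting point only; build your own allowlist from a known-clean baseline.
DEFAULT_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def parse_line(line):
    """Return (kind, registry_key, label, dll_path) for an O2/O20 line, else None."""
    m = BHO_RE.match(line)
    if m:
        key = BHO_KEY + "\\{" + m["clsid"].upper() + "}"
        return ("bho", key, m["name"], m["path"])
    m = NOTIFY_RE.match(line)
    if m:
        key = NOTIFY_KEY + "\\" + m["subkey"]
        return ("winlogon_notify", key, m["subkey"], m["path"])
    return None


def analyze(log_text):
    """Group autostart entries by DLL (case-insensitive path) and attach flags."""
    by_dll = defaultdict(lambda: {"entries": [], "flags": set()})
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        kind, key, label, path = parsed
        # system32 and SYSTEM32 are the same file on Windows, so fold case.
        rec = by_dll[path.lower()]
        rec["entries"].append({"kind": kind, "registry_key": key, "label": label})
        if kind == "bho" and label == "(no name)":
            rec["flags"].add("nameless-bho")
        if kind == "winlogon_notify" and label.lower() not in DEFAULT_NOTIFY_SUBKEYS:
            rec["flags"].add("unknown-winlogon-notify")
    for rec in by_dll.values():
        kinds = {e["kind"] for e in rec["entries"]}
        if len(kinds) > 1:
            rec["flags"].add("multiple-autostart-points")
    return by_dll


def suspicious(log_text):
    """Return the flagged DLL paths, sorted, for quick triage."""
    return sorted(path for path, rec in analyze(log_text).items() if rec["flags"])


if __name__ == "__main__":
    for path, rec in analyze(SAMPLE_LOG).items():
        if rec["flags"]:
            print(path, sorted(rec["flags"]))
            for entry in rec["entries"]:
                print("   ", entry["registry_key"])
```

Run against the sample, the script reports both opnmnkh.dll and ddcca.dll with the registry key each was loaded from, and leaves the crypt32chain entry and the named BHO alone. The Notify-key check is what the post's experience suggests is worth automating: a Winlogon Notify DLL is loaded before the user's desktop exists, so any subkey that is not in your baseline deserves a look even when no BHO is involved.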

And during this time, ddcca.dll was renamed to jkkll.dll and gebyy.dll -- obviously, randomly generated file names. But opnmnkh.dll remained the same and seemed to be the main culprit.

Finally, after five hours of struggling with this and screwing up my entire day, I turned to SystemRescueCd, described by Wikipedia as
a distribution of the GNU/Linux operating system on a bootable CD-ROM disc, useful for repairing unbootable computer systems and retrieving data after a system crash.
Yes, indeedy! I'd used this once before to rescue files from a computer that wouldn't boot into Windows. This time, I booted from the CD and, from the command line, renamed the offending files to

gebyy.fuckoff
opnmnkh.fuckoff

Rebooted my system and, finally, I stopped getting alerts about a virus/trojan infection. Once the files were deleted, I could go back to Hijack This and remove the registry keys.

My system now seems back to normal, but, of course, I'm wondering if I fully removed that crappy (shitty) trojan.

Man, it's enough to make me spend more time on my Mac, which is not such a big, juicy target for crap like this.

P.S. And I give a big thanks to WinPatrol for preventing those BHOs from loading! I'm off to pay for their "Plus" version right now!

P.P.S. I did try two apps that are designed specifically to remove Virtumonde, but the ones I looked at did not succeed. I suspect this trojan has been mutating and is thus resistant to the automatic removals. The most helpful information about this trojan, for me, was on Audit My PC.
