Just saw a new one


RyanMeray
12-09-2008, 03:49 AM
So I just did a removal today on a client's system, and they got lucky because they immediately noticed there was a problem and shut the system down.

I fired it up and removed it pretty easily, since it didn't have a chance to get its hooks too deep into the registry.

The infection date was actually the 5th, but he kept the notebook turned off since then. So we're dealing with a virus at LEAST 3 to 4 days old.

So I submit it to Virustotal.

4 out of 38.

No wonder we're so fucked.

Anyways, the infection was called "Perfect Defender 2009." Firefox hasn't added the following URLs to its blocklist yet, so browse at your own risk.

www.defender-review.com
www.defender2009.com

Romaniac
12-09-2008, 05:14 AM
Thanks for the heads up!

RyanMeray
12-09-2008, 02:32 PM
The guy who got infected was both lucky and smart; he shut the system down before it was able to do much. There were only two startup links created: one to a hidden file the program had stored in the %userdata%\Application Data\Google directory, the other stored in Program Files\Perfect Defender 2009.

The app didn't have a chance to throw out any Winlogon hooks or anything like that, so I was able to boot into safe mode, zip up all the bad looking files in both directories, and then I ran Malwarebytes quick scan to verify it was clean.

How the heck is a small little group like Malwarebytes beating the pants off 34 out of 38 virus companies, I'll never know. But I'm really starting to love these guys. They remind me of Spybot back when it could actually detect and get rid of the nasty stuff.

jaydude23
12-09-2008, 02:42 PM
Thanks for the heads up.

RyanMeray
12-09-2008, 05:40 PM
It really depends on how you're invoicing. I've found that 9/10 malware infections can usually be removed with a couple scans and maybe 1 hour of manual registry editing, sometimes throwing a repair install in at the end if it broke Windows networking components more than Winsockfix can deal with.

If I look at the system onsite, take it offsite, run the scans, and then do the manual fixes, I'm looking at maybe 1 hour onsite to cover the pickup/dropoff, and 2 to 3 hours of actual work offsite.

So since I bill hourly, this 'average' scenario costs the client between $130 and $170.

Now, this is a bit higher than a lot of the 'flat-rate' places around here, but those flat-rate places won't fix the problem for $100 if it's not the super-simple type, they'll say, "This is horrible, can't be fixed, you have to reinstall Windows, and that's a higher fee!"

Since it takes 3 to 4 hours offsite to back up the user's data, reformat, put the data back in place, and reinstall basic apps and security software, there's no price incentive for my clients NOT to go with the removal vs. reformat. And they get the added bonus of not having to dig up licenses and software, reinstall their apps, etc.

My biggest problem is it's getting harder and harder to insulate my existing clients from these threats. I think I've said this before, but the only people I WANT to do spyware removal for is new clients. For existing clients, I want to keep them protected and sell them products and services that make their lives better, not keep putting bandaids on their constant infections.

TimeCode
12-09-2008, 08:43 PM
My biggest problem is it's getting harder and harder to insulate my existing clients from these threats. I think I've said this before, but the only people I WANT to do spyware removal for is new clients. For existing clients, I want to keep them protected and sell them products and services that make their lives better, not keep putting bandaids on their constant infections.
Now that is a great attitude and I hope we all feel similarly.

Unfortunately, as you said, it is getting harder to protect people from the emerging threats. I truly wish there was a way of keeping PCs virus free. Of course, we could disconnect them from the internet, remove their floppy drives and put superglue in the USB ports (Don't laugh, I really have heard of that last part) but then we are stuck with PCs that are no more than glorified typewriters. We could have stayed at Windows 3.1 forever... :rolleyes:

usacvlr
12-09-2008, 11:21 PM
If people would just use SeaMonkey (I don't like Firefox) and not open email attachments with executable extensions, life would be simpler. Another thing: say you get an email with a Word doc attached and you're using SeaMonkey's mail or Thunderbird; you should right-click on the attachment filename and choose Save As so that you can see the actual file name. A trick that has been used is that the file name will say whatever.doc in the attachment dropdown list, but if you look at the entire filename by using Save As, it will actually be the following.
whatever.doc .pif

Almost all viruses use dumb tricks to work. People who get infected by browsing tend to do so because they have the option turned on to 'always do this with this type of file' in IE, so the next time they click on a link or whatever that is fraudulent, it automatically downloads and opens the virus. There are genuine ActiveX exploits, meaning those that you can get by 'just visiting the site', but those are avoided by using Mozilla, i.e. Firefox/SeaMonkey. Likewise, if some guy is browsing a porn site and he gets a prompt to download or accept anything, he should say no.

The most commonly used extensions by viruses tend to be the following. Although there are many other executable extensions, these are the 6 most used.

.exe
.bat
.pif
.scr
.vbs
.com

At home I have never been infected with a virus in all my years of using a PC. NEVER. And I don't run antivirus software because I hate the resource usage and the annoyance factor. People would dare me to install an AV suite and do a scan, so I would, and they always came up clean. I never get infected because I just use common sense and follow a few simple rules. The only time I've encountered PC viruses on my own system was in a work environment where IE was the standard, which I would not have used otherwise.
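The "whatever.doc .pif" trick and the six-extension list above lend themselves to a simple mail-gateway or helpdesk check. The following is an added example, not code from the thread: it recovers the extension Windows would actually dispatch on, compares it with the one a truncated attachment list would show, and flags padded or doubled extensions. The extra extensions beyond the six named in the post, and the sample filenames, are my own constructed assumptions.

```python
# Added example (not from the thread): flag attachment names that hide an
# executable extension behind a document-looking one, as in "whatever.doc .pif".

# The six extensions the post lists as most used by malware, plus a few more
# that Windows also runs directly (assumption: the additions are mine).
EXECUTABLE_EXTS = {".exe", ".bat", ".pif", ".scr", ".vbs", ".com",
                   ".cmd", ".js", ".jse", ".vbe", ".wsf", ".hta", ".lnk"}

# Extensions a user would reasonably take for a harmless document or picture.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg", ".png"}


def real_extension(name: str) -> str:
    """Extension Windows actually dispatches on: text after the last dot,
    lower-cased, ignoring any trailing whitespace."""
    stripped = name.rstrip()
    dot = stripped.rfind(".")
    return stripped[dot:].lower() if dot != -1 else ""


def displayed_extension(name: str) -> str:
    """First extension a truncated attachment list would show, i.e. the one
    before any run of padding spaces."""
    import re
    m = re.search(r"\.[A-Za-z0-9]+", name)
    return m.group(0).lower() if m else ""


def classify_attachment(name: str) -> str:
    """Return 'ok', 'executable' (plainly named) or 'disguised'."""
    actual = real_extension(name)
    if actual not in EXECUTABLE_EXTS:
        return "ok"
    stripped = name.rstrip()
    body = stripped[: stripped.rfind(".")]      # everything before the real ext
    padded = body != body.rstrip()              # whitespace right before the real ext
    if padded or displayed_extension(name) in DOCUMENT_EXTS:
        return "disguised"
    return "executable"


def scan_attachments(names):
    """Classify a batch of filenames; returns {name: verdict}."""
    return {n: classify_attachment(n) for n in names}


if __name__ == "__main__":
    # Constructed sample attachment names for the demo.
    sample = ["whatever.doc .pif", "invoice.pdf.exe", "setup.exe",
              "minutes.doc", "photo.jpg                .scr"]
    for n, v in scan_attachments(sample).items():
        print(f"{v:11} {n!r}")
```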

seedubya
01-14-2009, 04:37 PM
Has anyone heard of the "Vote a Spammer" add-on for vBulletin? If we had it here I'd vote the previous poster a spammer. He does this just to get another link back. Pisses me right off.

Please consider banning him.

RyanMeray
01-14-2009, 06:43 PM
On my favorite forums, we usually just shout out "REPORTED!" anytime anyone does that sorta thing.

TimeCode
01-16-2009, 01:17 AM
On my favorite forums, we usually just shout out "REPORTED!" anytime anyone does that sorta thing.
Someone posting with links to iYogi has already been reported and had an entire thread removed here. Bryce, could we start offering merits and demerits?