PDA

View Full Version : AntiVirus2009 Morph


JohnG
12-12-2008, 04:38 PM
Had a customer yesterday who was infected with AV2009. I cleaned it, no problem, but while doing some manual forensic investigating I noticed a strange string in a cookie. So out of natural curiosity I left it alone and restarted the machine. Lo and behold, upon reboot AV had morphed and then began installing AV360! It is exactly the same infection patterns as AV2009 only a different interface. I was still able to remove it, but with one snag...smitfraud had no effect on it, combofix was the answer. Just a heads up if you see this particular infection and more info here. (http://blog.threatfire.com/)

RyanMeray
12-12-2008, 05:22 PM
I'd been meaning to add that blog to my reader, so thanks for the heads up on AV360 and for the reminder!

NYJimbo
12-12-2008, 09:04 PM
I noticed a strange string in a cookie. So out of natural curiosity I left it alone and restarted the machine. Lo and behold, upon reboot AV had morphed and then began installing AV360!


Are you saying that some string in a cookie somehow started to reload a virus simply on reboot?. Can you tell how the cookie was called, it could not have loaded itself. Cookies do not just activate, they need the browser to do anything. I could see an existing virus calling the cookie for "phone home" information but the cookie itself doing the damage seems bizarre.

JohnG
12-13-2008, 08:00 AM
Lol, very good NYJimbo...without going into too much detail, it had a string written into a cookie from the customers email site(customer receives a lot of spam, joke sites etc.)...if you are familiar with messenger progs, its simple to have a "hook" which when accessed, more or less details what type of behavior should occur when accessed. I found it interesting because it didn't need the browser to access a particular email or site, it activated when the browser had been launched, or in this case in prefetch, though nothing of the infection actually resided in the memory.