
Google Hijacker that kills Regedit, Cmd, and BAT files


RyanMeray
03-31-2009, 04:29 AM
"Have you seen me yet?"

Just dealt with this puppy today. Malwarebytes couldn't get it, Avira couldn't get it, so I had to track it down. Thankfully, I'm not the alpha case, so I got some help from a post on bleeping computer. (http://www.bleepingcomputer.com/forums/topic211718.html)

The file that was buried in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 scored a 0/40 on VirusTotal.

http://www.virustotal.com/analisis/f330dacbcf6ad27bdc71b5704f517eb6

http://www.ctechsinc.com/images/ywol040.gif

I have a feeling we'll be seeing a lot more of these soon, if the PATHETIC detection of anti-malware software is any hint. I wonder if Threatfire would've stopped it?

l337
03-31-2009, 04:34 AM
Submit files like that to ESET and other sites; it'll help them build their protection software :P

RyanMeray
03-31-2009, 04:38 AM
Submit files like that to ESET and other sites; it'll help them build their protection software :P

I was under the impression that VirusTotal sends the stuff out to all the security companies? I figured that was why they let them use their scanning engines, for access to a fresher set of unfound malware?

arrow_runner
03-31-2009, 01:00 PM
I think I did see that (or something very similar) late last week. It also closed CMD and regedit on me. It was causing Outlook 2007 to crash whenever the calendar was accessed.

I found it by skimming through Process Monitor and seeing a lot of processes referencing a file with a strange name. I don't recall exactly where in the registry I did find it, but the key name was aux2, same as the one in the bleeping computer post.

EDIT: Avast! picked the file up as malware, but Trend (what was installed on the laptop), completely missed it.
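
The Drivers32 key that both posts point at is a legitimate place for multimedia driver mappings (wave, midi, mixer, aux, msacm.*, vidc.*, plus numbered duplicates such as wave1 or aux1 for extra devices), and every process that loads winmm.dll will pull in the module named there, which is why Process Monitor showed so many processes touching the file. The following is an added example, not code from the thread or the bleepingcomputer post, that audits that key on a suspect host. It assumes an elevated PowerShell prompt, that on 64-bit Windows the Wow6432Node copy is worth checking too, and that on a modern Windows build legitimate entries are Microsoft-signed DRV/DLL files in the system directory; on older builds many system files are catalog-signed rather than embedded-signed, so treat a signature status other than Valid as a lead rather than a verdict. Note that a value name like aux2 is not by itself abnormal (the numbered suffix is how additional devices register), so the checks key on where the module lives, whether it is on disk, and whether it is signed.

```powershell
# Added example: enumerate Drivers32 values and flag entries that look like
# persistence rather than a real multimedia driver. Names/patterns below are
# assumptions based on what Drivers32 normally contains, not from the thread.

# Value names legitimately found in Drivers32, with an optional numeric suffix.
$KnownNamePattern = '^(wave|midi|mixer|aux|wavemapper|midimapper|msvideo|msacm\.[\w-]+|vidc\.[\w-]+)\d*$'

function Get-Drivers32Audit {
    # Each target: the registry key and the directory a bare file name resolves against.
    $targets = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
           Dir = Join-Path $env:SystemRoot 'System32' },
        @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
           Dir = Join-Path $env:SystemRoot 'SysWOW64' }
    )

    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t.Key)) { continue }
        $regKey = Get-Item -LiteralPath $t.Key

        foreach ($name in $regKey.GetValueNames()) {
            if ($name -eq '') { continue }                 # skip the (Default) value
            $raw = [string]$regKey.GetValue($name)
            $rooted = [System.IO.Path]::IsPathRooted($raw)
            # Bare names (e.g. msacm32.drv) are loaded from the system directory.
            $path = if ($rooted) { $raw } else { Join-Path $t.Dir $raw }

            $flags = @()
            if ($name -notmatch $KnownNamePattern) { $flags += 'odd-name' }
            if ($rooted)                           { $flags += 'explicit-path' }

            if (-not (Test-Path -LiteralPath $path)) {
                # A mapping to a file that is not there is either stale or hidden from us.
                $flags += 'missing-on-disk'
            } else {
                $resolvedDir = Split-Path -Parent (Resolve-Path -LiteralPath $path).Path
                if ($resolvedDir -ne $t.Dir) { $flags += 'outside-system-dir' }
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
            }

            [pscustomobject]@{
                Key        = $t.Key
                Name       = $name
                Module     = $raw
                Resolved   = $path
                Suspicious = ($flags.Count -gt 0)
                Flags      = ($flags -join ',')
            }
        }
    }
}

# Suspicious rows first. On a clean box expect only known names mapped to signed
# modules inside the system directory; anything else deserves a manual look and,
# if it turns out to be malware, a submission to VirusTotal and the vendors.
Get-Drivers32Audit | Sort-Object Suspicious -Descending | Format-Table Name, Module, Flags -AutoSize
```

The audit only reads the registry and file metadata, so it is safe to run on the infected machine even when regedit and cmd are being killed, provided the malware is not also terminating powershell.exe; if it is, run it from a boot CD or an offline hive load instead.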

RyanMeray
03-31-2009, 02:18 PM
Yep, that's the culprit. Aux2 on the infected system as well.

It just shocks me that the file was 0/40 because they had been infected since FRIDAY.

0/40 for a FOUR DAY OLD INFECTION.

That's ridiculous. These AV companies are f***ing sleeping.

arrow_runner
03-31-2009, 02:27 PM
Well, like I said, Avast! picked it up, so maybe VirusTotal's engines didn't have their definitions up to date?

I'm not trying to argue that virus companies aren't far, far behind, but I'd like for this post to be a +1 for Avast! (even though I'm now trying out Avira).

Note: My Avast! definitions were probably from Thursday and the virus was found on Friday.

RyanMeray
03-31-2009, 02:31 PM
They might've come out with a new strain between your infection and mine. Did you submit yours to VirusTotal?

arrow_runner
03-31-2009, 02:37 PM
It's absolutely possible that yours and mine were different variations, so perhaps my previous statement should be taken with a grain of salt, but as I mentioned, Trend, which was installed and up to date, completely missed it.

And no, I did not submit mine to VirusTotal. I pretty much knew from the activity I saw in Process Monitor that it was malicious, and Avast! reaffirmed that belief.