Thursday, December 25, 2008

Christmas On The Net

“I was sad about not having any shoes, until I met a man who had no feet.” Considering how many shoes I own, that maxim doesn’t really apply to me. But this one does: “I was sad about having to spend Christmas Eve disinstalling an annoying malware program from my computer, until I checked my blog stats and discovered there are people who spent their Christmas day doing Google searches for things like ‘octopus Japanese porn’ and ‘you porn tentacle.’ Even worse, instead of finding pictures of hot squid-on-chick action, these poor lonely souls were directed to one of my old blog posts instead.”

Anyway, I hope you had a Merry Christmas. Unless you’re the jackass who wrote that malware program, in which case I hope your tentacle shrivels up and falls off.

18 Comments:

Anonymous Anonymous said...

disinstalling an annoying malware program from my computer

Hm. Given the above I'd hazard a guess that you didn't click on the link I posted to the comments section of your last blog post. 'Salright - it was only a Youtube video I found over on TWC's site.

So other than software sickness what else did you get for Christmas? Anything cool?

8:33 PM  
Anonymous Anonymous said...

Zlob or Virtumonde? I spent Xmas eve at the office clearing out a guy's computer that had it, came home, and had to clean out one of the home computers that had it. This was unfortunately after my 14 yr old daughter got slammed with a bunch of pop up porn ads.

I would love to have lunch with that person that wrote it. They need to amend deadly force laws to allow use thereof on people like that.

2:31 AM  
Anonymous Anonymous said...

Moose: It started with RemAdm, then repeated findings of Virtumonde, Smitfraud, and a fake explorer.exe.
They crippled AdAware and ate up so much CPU that Spybot kept failing.
Gambled on ComboFix, a registry hunter-killer. Downloaded it and let it run. Worked like a charm.

The man who authored or distributed the malware spent Christmas whacking his knob as the totals for his latest cyber-surge flooded in. As he scratched his scrotum with fingers still greasy from two-day-old pizza, he imagined hordes of lingerie-clad vixens squealing his web-alias name and expressing how aroused they were by his prowess at this singularly unproductive art.
Rank, watery essence dribbled from him, mingling with the Mountain Dew that saturated his carpet, and he passed out.

He will never be loved.

7:26 AM  
Anonymous Anonymous said...

The man who authored or distributed the malware

Jeff, any particular reason to assume that it was a man instead of a woman? My opinion is these are usually just attempts at extortion, fraud, and theft.

10:25 AM  
Blogger Jennifer Abel said...

DAMMIT. Jeff, I think your "blame it on Hotmail" theory might be correct after all; when I sent off my column this morning (and of course used Hotmail to do it), damned if another one of those damned pop-ups didn't appear. This time I hit "alt-F4" rather than try clicking out of the box, and the ad went away rather than multiply itself, but the same pop-up appeared when I checked Hotmail again just now. Again I hit Alt-F4, and again the pop-up went away rather than spawn offspring, but ... grrrrr. Goddamned loser sociopath malware writers.

10:47 AM  
Anonymous Anonymous said...

Jeff-You must have gotten an older version. Combofix works amazingly well, I sent the guy $50 after the first time I went through the aggravation. The latest affliction that attacked my machine wouldn't let Combofix run until I renamed it, some random character strokes with ".exe" on the end. Once it started running, cleared it out. File that one for if you get the next iteration.

I don't know if it's a he or a she, but shooting is too quick an end for them. Something more along the lines of a small butane torch is more appropriate.

I used CCleaner also, in all cases, just to bat cleanup and run through the registry. Cleans out all the temp files and the like. Our contract IT guy was ready to remove the drive and use a USB shell before I came up with this combo, so it works pretty well when nothing else does.

11:34 AM  
Anonymous Anonymous said...

PS-Given the spyware findings, sounds more like Zlob than Virtumonde, though I think they share the same underlying structure (Vundo too).

11:36 AM  
Anonymous Anonymous said...

I don't know if it's a he or a she,

Perhaps it's a they.

11:54 AM  
Blogger Jennifer Abel said...

Damn. Jeff, I ran the Combofix program again, it did its thing and re-booted my computer, and as soon as I tried going online again ... another pop-up ad in an Explorer window. Another alt-F4.

Damn. I think a re-install or something might be necessary. As long as I can save all my Word documents and .pdf files first.

And I'm not going anywhere NEAR my Hotmail program today.

12:09 PM  
Anonymous Anonymous said...

Damn. I think a re-install or something might be necessary. As long as I can save all my Word documents and .pdf files first.

That's what I had to do a few months ago. Fortunately it was on one of my other computers. It was a nice little something called "antispy xp 2008" and I think I picked it up on a Microsoft forum page where I was looking for the solution to something.

Y'all are probably much more savvy about all this than I, but you might try moving the files you wish to save one at a time to a flash drive and then to another computer, scanning each with updated antivirus and antispy software on the other machine. Reformatting the hard drive is one nearly foolproof way to get rid of such things. Real pain in the ass, though. Sorry for your troubles.

12:49 PM  
Anonymous Anonymous said...

Jennifer-Get CCleaner, run that immediately after ComboFix. The beastie lives in the temp directories, in addition to the System32 directory. Using CCleaner will clear those out.

I'll email you the setup program for it.

3:26 PM  
Anonymous Anonymous said...

This is probably what you have, note the latest revision date:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99

4:14 PM  
Blogger Anne O'Neimaus said...

If you're going to reformat your drive anyway, why not rebuild the system with a built-in "Safety Net™"?

VM-Ware Server is free. I think MicroSoft's Virtual PC is free, too.

Put all your "normal" stuff in, as usual, but don't set up an InterNet connection. Install a virtual machine, with minimal stuff (the O/S and your favorite browser, perhaps Zone-Alarm and Ad-Aware or the like). Your virtual C: boot-drive file should be just big enough to hold & run your system (I prefer 700M - fits on a CD).

Set this virtual machine to use/share/whatever a USB drive (or separate partition) as its main data-drive (D:), but don't give it access to your "real" C: or any other writeable drives & partitions (letting it see the CD/DVD drive is OK).

Make a copy of this VM boot-drive, and write-protect the original. Always work from a copy. With Microsoft Virtual-PC, you can actually specify a "differential" drive, that contains only the changes from a read-only reference drive. At any rate, also specify that your working VM drive should not retain changes (everything goes away when you turn off the VM).

Set up your InterNet connection on the Virtual Machine, and do all browsing, etc., from there. It will make a "virtual console" window, that looks just like your normal O/S desktop. You can just minimize that window when you're editing and doing other stuff, then restore the window to do Web stuff.

The shared drive (the Virtual Machine's D:) is how you pass files back and forth between the two environments. Nothing should ever be accessed from that drive without a thorough malware check. Some anti-virus/etc. programs can be configured so that certain drives or directories get "special attention" (more frequent automatic scanning, etc.).

Now, whenever your "Safety Net™" gets corrupted, you have several relatively-painless recovery options. First, just turning off the Virtual Machine, then restarting it, should reset any changes made to your working environment (boot-drive, browser configuration, etc.). If that doesn't work for some reason, just scrub the working-copy, and make a new one from your read-only original. Of course, all files in the shared drive have to be considered extremely suspect at this point, and subjected to some serious anti-malware treatment (like reformatting the drive).

2:59 AM  
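Two comments above make the same defensive point from different angles: Moose notes that the infection lived in the temp directories under a fake explorer.exe, and Anne's setup says nothing on the VM's shared drive should be touched without a malware check. The script below is an added example, not code from the post or from any commenter, that does the cheap part of that check by content rather than by name: it walks a directory, identifies Windows executables by their "MZ" header regardless of extension, and flags a PE hiding under a document extension, a PE carrying a core system-binary name outside a system directory, and (in strict mode, for the shared drive) any executable at all. Only explorer.exe is named in the thread; the other impersonated names, the directory layout and the sample files are constructed for the example.

```python
"""Content-based sweep for disguised Windows executables.

Added example, not code from the blog post or its commenters. Runs on any
host with Python 3.8+; the directory names and sample files are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Extensions under which PE content is expected. PE bytes under any other
# extension (an "invoice.pdf" that starts with "MZ") count as disguised.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".sys", ".com", ".cpl"}

# Core system binaries that droppers impersonate when writing into Temp.
# Only explorer.exe is named in the thread; the rest are assumed additions.
IMPERSONATED_NAMES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}

# Constructed stand-in for an executable: the two-byte DOS signature followed
# by the stub text every real PE image carries. Not a runnable program.
MZ_STUB = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."


@dataclass
class Finding:
    path: str      # path relative to the swept root, forward slashes
    reason: str    # why it was flagged
    sha256: str    # content hash for cross-checking on another machine


def is_pe(path: Path) -> bool:
    """True if the file begins with the 'MZ' DOS header all PE images carry."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path: Path) -> str:
    """Hash in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, strict=False):
    """Return a list of Finding for PE files under root.

    strict=False suits a Temp-directory triage: flag PE content under a data
    extension and PE files named like a core system binary (none belongs
    under Temp or a user profile).
    strict=True suits the VM's shared data drive: it is meant to carry
    documents, so every executable on it is flagged.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):           # sorted for deterministic output
            path = Path(dirpath) / name
            if not is_pe(path):
                continue                     # data files are out of scope here
            ext = path.suffix.lower()
            if ext not in EXECUTABLE_EXTS:
                reason = f"PE content under non-executable extension {ext or '(none)'}"
            elif name.lower() in IMPERSONATED_NAMES:
                reason = "system binary name outside a system directory"
            elif strict:
                reason = "executable present on the shared data drive"
            else:
                continue                     # ordinary executable, not flagged
            findings.append(Finding(path.relative_to(root).as_posix(), reason, sha256_of(path)))
    return findings


def build_sample_tree(base) -> Path:
    """Write a constructed Temp-like tree: an impersonating binary, a PE
    disguised as a PDF, an ordinary installer, and two genuine data files."""
    temp = Path(base) / "Temp"
    temp.mkdir(parents=True, exist_ok=True)
    (temp / "explorer.exe").write_bytes(MZ_STUB)
    (temp / "invoice.pdf").write_bytes(MZ_STUB)
    (temp / "setup.exe").write_bytes(MZ_STUB)
    (temp / "report.pdf").write_bytes(b"%PDF-1.4\n% a real PDF header\n")
    (temp / "notes.txt").write_text("shopping list\n")
    return Path(base)


def demo():
    """Build the sample tree and sweep it in both modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return {"temp_sweep": sweep(root), "shared_drive_gate": sweep(root, strict=True)}


if __name__ == "__main__":
    for mode, findings in demo().items():
        print(f"== {mode}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.path}: {f.reason} (sha256 {f.sha256[:16]}...)")
```

The header check is deliberately shallow: it catches the renaming tricks the thread describes, not packed or obfuscated payloads, so it complements rather than replaces the scanners the commenters used. The hash in each finding is what you carry to the clean machine to compare against vendor write-ups such as the Symantec one linked above.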
Anonymous Anonymous said...

malwarebytes.org has a decent program also.

7:34 AM  
Blogger I Kahn O'Clast said...

Did I read that you are using Explorer? I have not used that vile browser in years (been on Firefox) and I don't know if that's all that I've needed (I also have the Panda Platinum stuff installed) but I have not had a malware or popup issue since switching.

6:56 AM  
Blogger Jennifer Abel said...

No, I use Firefox, though the damned malware ads were appearing in Explorer windows.

Moose, I got your e-mail, though Hotmail chose NOW of all times to be worried about viruses; the attachment was blocked "for my protection," and I couldn't even forward it to someone else. So we ended up downloading that and a few more programs, and Jeff eventually got my machine cleaned up. And stopped another viral attack in its tracks.

9:26 AM  
Anonymous Anonymous said...

Moose, I got your e-mail, though Hotmail chose NOW of all times to be worried about viruses

I was kinda worried about that. I'm glad you got it cleaned up, I had two more attacks in the office as an encore, but I'm getting quicker with dealing with them.

1:08 AM  
Blogger Jennifer Abel said...

Huh. Two more? Same here.

8:18 AM  
