Wilders Security Forums  

Go Back   Wilders Security Forums > Other Security Topics > malware problems & news
#1
March 25th, 2008, 09:19 AM
HURST (Very Frequent Poster; Join Date: Jul 2007; Posts: 1,420)
WTF??

I got infected last night via a USB drive. I inserted it, copied a .doc and a .xls to my computer and removed it. I didn't open the files. I have Autorun disabled. Next thing I know, my laptop is slow, as in SLOW. So I downloaded CureIt and it found the following:

c:\windows\system32\amvo.exe
c:\windows\system32\amvo0.dll
c:\nlblkhq.com
d:\nlblkhq.com
z:\nlblkhq.com

All identified as Win32.besso by CureIt.

BTW, my friend, who owned the usb drive, was also infected, but the file was named help.exe, also win32.besso.

After deleting the files, I wasn't able to open any of the disks anymore; when double-clicking or when trying to explore, it launched the list for choosing a program to open. So, time to go back in time with System Restore, and it was solved. One last check with CureIt, one check with AVP tool and one check with SAS. All clean. Time for me to go to sleep.

But my question is: how could this happen if I didn't execute anything and Autorun is disabled? Maybe there was another culprit I'm not aware of or can't remember? I blame the USB drive because both my friend and I were infected, I didn't install or download anything yesterday and I do all my browsing sandboxed.
Would an app like AntiExecutable have helped in this case?
Is it possible to open USB-drives sandboxed? Are there any problem if I do so?


PS: NOD32 has let me down a bit too often lately... maybe time to move on...
__________________
I SandboxIE

Last edited by HURST : March 25th, 2008 at 01:59 PM.
#2
March 25th, 2008, 01:15 PM
Cerxes (Frequent Poster; Join Date: Sep 2005; Location: Northern Europe; Posts: 581)
Re: WTF??

Do you have your hidden files and folders displayed? Choose to show them otherwise.

Regarding this trojan, you could have stopped it from doing its thing by:

1. Using a HIPS that monitors the processes in your system.

2. Running in a restricted account and thereby having write/change permissions disabled for root, Windows, Program Files and HKLM.

It was presumably loaded into the explorer.exe process.

/C.

Last edited by Cerxes : March 25th, 2008 at 01:32 PM.
#3
March 25th, 2008, 02:03 PM
HURST (Very Frequent Poster; Join Date: Jul 2007; Posts: 1,420)
Re: WTF??

Quote:
1. Using a HIPS that monitors the processes in your system.

Yeah, probably a HIPS is the best way, but I don't feel I'm ready to safely use a HIPS. I know that eventually I'm going to click the wrong option and/or I'm going to get bored of the pop-ups... Almost 6 months now and I still can't decide on trying a HIPS.
__________________
I SandboxIE
#4
March 25th, 2008, 02:41 PM
lucas1985 (Global Moderator; Join Date: Nov 2006; Location: France, May 1968; Posts: 4,047)
Re: WTF??

Quote:
Originally Posted by HURST
how could this happen if I didn't executed anything and Autorun is disabled?

See here for a possible explanation:
Code:
[autorun]
open=kwjkpww.exe
shell\open=Open
shell\open\Command=kwjkpww.exe
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=kwjkpww.exe
Quote:
Holding down the Shift Key will prevent the execution of the first line of the file, but the shell commands will be written to the Registry effectively overriding the 'Open' and 'Explore' actions on the right-click context menu, and the double-clicking of the drive icon to open the drive to view the contents. Any of those actions will launch the executable.
Using TweakUI the right way
Quote:
Originally Posted by HURST
Would an app like AntiExecutable have helped in this case?
Sure. Or a HIPS. Or a behav. blocker. Or LUA + SRP.
Quote:
Originally Posted by HURST
Is it possible to open USB-drives sandboxed? Are there any problem if I do so?
I don't know about Sandboxie, but in GeSWall you can make custom rules to treat removable drives as always untrusted.
__________________
"Pouvoir à l'Imagination. Power to the imagination. La imaginación al poder".

"Perfect is the enemy of good enough". Voltaire.
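To make the autorun.inf mechanism quoted above concrete, here is an added example (it is not from the thread or from any of the posters): a small Python scanner that parses an autorun.inf and separates the AutoRun launch keys (open=, shellexecute=, the ones that disabling AutoRun or holding Shift suppresses) from the shell\<verb>\Command entries that define what the drive's right-click "Open"/"Explore" verbs and a double-click on the drive icon execute. The sample autorun.inf is constructed from the entry quoted in the post; the drive root path used in the demo is an assumed, nonexistent path, and the "shell\<verb>\Default=1" handling follows the form seen in the quoted sample rather than the documented shell=<verb> key, which is handled too.

```python
"""Scan a drive root for autorun.inf and report every way it can start a
program: the AutoRun 'open'/'shellexecute' keys, the shell verb commands behind
the right-click 'Open'/'Explore' entries, and the default verb that a
double-click on the drive icon runs. Added example, not from the thread."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the autorun.inf quoted in the thread, one key per line.
SAMPLE_AUTORUN = r"""[autorun]
open=kwjkpww.exe
shell\open=Open
shell\open\Command=kwjkpww.exe
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=kwjkpww.exe
"""

# 'open' / 'shellexecute' are the AutoRun launch keys that disabling AutoRun
# (or holding Shift) suppresses. 'shell\<verb>\command' is not an AutoRun key:
# it defines what the verb on the drive's context menu executes.
LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")
VERB_DEFAULT = re.compile(r"^shell\\([^\\]+)\\default$")

@dataclass
class Findings:
    autoplay_launch: List[Tuple[str, str]] = field(default_factory=list)
    verb_commands: Dict[str, str] = field(default_factory=dict)
    default_verb: Optional[str] = None
    missing_targets: List[str] = field(default_factory=list)

def parse_autorun(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI parser: keys lower-cased, duplicates kept, ';' comments skipped."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def command_target(command: str) -> str:
    """Program part of a command line: 'x.exe /s' -> 'x.exe', '"a b.exe" c' -> 'a b.exe'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def launch_targets(f: Findings) -> Set[str]:
    cmds = [v for _, v in f.autoplay_launch] + list(f.verb_commands.values())
    return {command_target(c) for c in cmds if command_target(c)}

def analyze_autorun(text: str, drive_root: Optional[str] = None) -> Findings:
    """Classify the [autorun] entries. With drive_root, also list referenced
    programs that are no longer on the drive (the state after an AV tool has
    deleted the malware but left autorun.inf and the cached verbs behind)."""
    f = Findings()
    for key, value in parse_autorun(text).get("autorun", []):
        if key in LAUNCH_KEYS:
            f.autoplay_launch.append((key, value))
        elif key == "shell":                      # documented default-verb key
            f.default_verb = value.lower()
        elif (m := VERB_COMMAND.match(key)):
            f.verb_commands[m.group(1).lower()] = value
        elif (m := VERB_DEFAULT.match(key)) and value == "1":
            f.default_verb = m.group(1).lower()   # form used in the quoted sample
    if drive_root is not None:
        for target in sorted(launch_targets(f)):
            if not os.path.exists(os.path.join(drive_root, target)):
                f.missing_targets.append(target)
    return f

def is_suspicious(f: Findings) -> bool:
    """Anything that runs a program from the drive deserves a look; an
    autorun.inf that only sets icon= and label= does not."""
    return bool(f.autoplay_launch or f.verb_commands)

def scan_drive(root: str) -> Optional[Findings]:
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        return analyze_autorun(fh.read(), drive_root=root)

if __name__ == "__main__":
    # Demo on the constructed sample; the drive root is an assumed, nonexistent path.
    f = analyze_autorun(SAMPLE_AUTORUN, drive_root="/mnt/usb-demo")
    print("suspicious:", is_suspicious(f))
    print("AutoRun launch keys:", f.autoplay_launch)
    print("context-menu verbs:", f.verb_commands, "default:", f.default_verb)
    print("programs referenced but not on the drive:", f.missing_targets)
```

Point scan_drive() at the root of a mounted removable drive to check a real stick. The missing_targets list is the case described in the first post: once the executable has been deleted but the verb commands still point at it, "Open" and "Explore" on the drive have nothing to run, which is why Explorer falls back to the "choose a program" dialog until the stale entries are cleared.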
#5
March 25th, 2008, 05:04 PM
HURST (Very Frequent Poster; Join Date: Jul 2007; Posts: 1,420)
Re: WTF??

Thanks lucas... that was an interesting read...
After this, I'm trying ThreatFire... let's see how it goes....
__________________
I SandboxIE
#6
March 25th, 2008, 09:26 PM
farmerlee (Very Frequent Poster; Join Date: Jul 2006; Posts: 2,581)
Re: WTF??

Anti-Executable may have helped. I've noticed that if I insert a flash drive containing exe files and go to view the contents, I get pop-ups from AE telling me those exe's have been blocked.
__________________
Pryon G930V2
Windows 7 Home Premium 64 bit
Norton 360 v6
Sandboxie
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums