Nasty new parasite discovered (f/SI Newsletter)

"An Israeli programmer who hangs out in SpywareInfo's chat room has been tearing apart a new parasite recently. I don't know very many details about it but this is a very nasty little bugger.

There are two files loaded into memory and a third element involved which I don't want to discuss publicly. It is nearly impossible to force these files out of memory. If you remove any one or two elements, one of the other two will reload them into memory. While you can see these files running with a process manager, somehow they hide their files and parent directory from the operating system, making it difficult to find them on the hard drive.

If the infected computer is using the FAT32 file system, you can use a DOS window to enter the directory and find the files. Unfortunately, you cannot remove the parent directory (c:windowssystem32f0r0r) and the files are reinstalled as soon as the computer reboots.

The parasite might be capable of installing a backdoor server that could enable a remote attacker to use it to launch a SYN attack or to send spam. It also might operate as an IRC proxy, allowing someone to use it to hide their IP address while connecting to an IRC server. It also might include an RPC scanner to sniff for insecure and unpatched Windows machines.

This is a very clever piece of programming that someone spent a significant amount of time working on. It is nearly impossible to detect and nearly impossible to remove. How it installs is a mystery, for the moment. Possibly it infects unpatched Windows machines through one of the RPC flaws discovered recently in Microsoft Windows.

You can tell if your machine is infected if you can change to c:windowssystem32f0r0r in a DOS or CMD window with this command: cd c:windowssystem32f0r0r (that's a zero, not an "o"). If your hard drive is FAT32, you can boot into MS-DOS and delete the directory from outside of Windows and that should remove the infection (no guarantees here). To my knowledge, no antivirus or antispyware products detects this parasite.

If anything new is discovered, I'll let you know."

 

Damn, that thing sounds ugly. How does it spread? Has it been installed onto any websites? (That's how I managed to get the Enterprise trojan.)