Worm that wipes out your data!

Discussion in 'malware problems & news' started by Jonnas_tan, Jan 25, 2010.

Thread Status:
Not open for further replies.
  1. Jonnas_tan

    Jonnas_tan Registered Member

    Joined:
    Aug 5, 2009
    Posts:
    14
    Check this out! The worm is disguised as an IQ test. Very unique.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    That's why apps should always first be executed in a virtual environment. I've read that besides Sandboxie, KAV/KIS and the new Avast 5 offer this feature. Of course, running it in a true virtual machine like VMware is probably a bit safer.

    But I think it's really disappointing that M$ (with billions in the bank) still hasn't built a virtualization feature (for security) into Windows. We really need to have container-based virtualization, something like iCore Virtual Accounts, for example. Actually, I think it's a damn shame. :rolleyes:
     
  3. Jav

    Jav Guest

    Yeah, but Microsoft already did a great job.
    You can easily prevent this worm by just using either LUA or a 64-bit OS.
    So Microsoft already defended users from this threat; it's just users who don't want to follow the recommendations.

    1. As you can see, the 64-bit OS digitally-signed driver requirement blocks it.

    2. And the worm needs to write into the HKEY_LOCAL_MACHINE registry hive and the Program Files folder. Both of them are denied under LUA.

    EDIT: By the way, the OP named the thread incorrectly.
    The worm doesn't wipe out your data.
     
    Last edited by a moderator: Jan 25, 2010
  4. alinb

    alinb Registered Member

    Joined:
    Sep 8, 2009
    Posts:
    4
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Over the years they thought about it many times: OS, server, application and IE sandboxing, and of course there is App-V, VPC and IE8.

    A recent interview called "Inside Windows 7: The Mark Russinovich Interview" by Paul Thurrott talks a little about this:
    The rest of the article gives some insight into 7 and may be worth a read.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    This is part of the Win Vista/7 "Patch Guard" feature, I guess? I must admit it is a good idea to secure the kernel; a lot of attacks will be stopped by this alone, but it also means that some security tools won't be able to deliver the same protection as on XP. :cautious:

    Keep in mind, without admin rights you cannot install certain tools. And if you did give it admin rights, it would probably still be able to overwrite the Master Boot Record and do other stuff.

    It's not the same; I'm talking about process virtualization, not heuristics. Btw, I've read that the sandbox in Avast 5 sucks big time.

    Thanks for the info, nice to know that they are at least thinking about it; perhaps we can expect it in Windows 8? But seriously, they really need to add this feature ASAP. I mean, they've got the money and brainpower, I assume, and this really can become a big selling point: they can promote container-based virtualization as THE new big security solution. Now that would be cool. :thumb:
     
  7. wat0114

    wat0114 Guest

    Of course we must not overlook Bitdefender's age-old advice, conveyed by all these antimalware vendors as the perfect tonic:

    :D
     
  8. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    This worm still seems to be making the rounds. I got a junk email today asking me to take an IQ test; I have a strong feeling it was this worm. I see no reason for an IQ testing company to use a shortened URL unless they are hiding something.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you post the contents of the email message w/o the URL?

    thanks,

    rich
     
  10. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    All I remember is that it said "are you smarter than this person? Click on this shortened URL to find out." What made me suspicious was that I received it on my webs.com account; the user I got it from was a new user and had a name that was trying to look like an official webs.com staff member, but nowhere on the profile did it say staff, it just said new member that had just joined.
     
  11. 0peratorX

    0peratorX Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    16
    I think that the "thing" on my machine is related to this.

    I have already had to rebuild the MFT on one of my drives. And the fact that my wife's computer acted as if the ghost I put on it was infected (couldn't be? - burned to disk ~2 yrs ago...) resulted in me raw-writing the drive randomly as part of the way I put it out.

    Also, my MBR has changed since the last time I saved it...

    So, I hope it doesn't reboot. :blink:

    I'm doing the best I can to get the rest of these files moved somewhere else...

    (ext3 sounds about right)
     
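The posts above mention a worm that overwrites the Master Boot Record once a date trigger fires, and 0peratorX notes that the MBR "has changed since the last time I saved it". The block below is an added example, not code from the thread or from any of the products named in it: it saves a baseline copy of the 512-byte sector 0 and later diffs the boot code, partition table and 0x55AA signature against it, which is the check a practitioner would script after reading this thread. The two sample sectors (CLEAN_MBR, WIPED_MBR) are constructed inline for illustration; read_first_sector() is the only function that touches a real disk, and it is not called unless you call it yourself.

```python
"""Baseline-and-compare check for the Master Boot Record (added example).

A boot-sector wiper overwrites sector 0 of the disk: the 446 bytes of boot
code, the 64-byte partition table, or both. Saving a copy of the MBR while
the machine is known-clean and diffing it later is a cheap way to notice.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
TABLE_OFFSET = 446
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"
# One 16-byte partition entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def build_mbr(boot_code: bytes, partitions, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    body = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return body + table + signature


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash, the non-empty partition entries and signature validity."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:  # empty slot
            continue
        partitions.append({"slot": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """List what changed between the saved baseline and the sector read now."""
    findings = []
    old, new = parse_mbr(baseline), parse_mbr(current)
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline[TABLE_OFFSET:SIGNATURE_OFFSET] != current[TABLE_OFFSET:SIGNATURE_OFFSET]:
        findings.append("partition table changed")
    if old["valid_signature"] and not new["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    return findings


def read_first_sector(device: str) -> bytes:
    """Read sector 0 of a raw device; needs admin/root rights.

    Device paths are assumptions for the reader's own system, e.g.
    r"\\.\PhysicalDrive0" on Windows (elevated) or "/dev/sda" on Linux (root).
    """
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed samples: a clean MBR with one bootable NTFS partition (type 0x07),
# and the same sector after a wiper zeroed the boot code, table and signature.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
WIPED_MBR = build_mbr(b"", [], signature=b"\x00\x00")

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("changes:", compare_mbr(CLEAN_MBR, WIPED_MBR))
```

In practice you would store `read_first_sector(...)` to a file while the machine is clean and run `compare_mbr` against a fresh read from a trusted boot medium, since a wiper that has already fired may also have damaged the OS you would otherwise run the check from. A hash of the boot code alone is not enough: a partition table rewritten to point at nothing leaves the boot code untouched but still makes the volume unreachable, which is why the table is diffed separately.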
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried it on a Win7 VM (executed as Admin). It did not manage to destroy the MBR, as I can't trigger its MBR-destroying action; it's something related to a specific date and time.
     
  13. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Try setting your PC clock 10+ days into the future and then rebooting.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm.... Ok, will try that later.

    Thanks
     