WTF??

Discussion in 'malware problems & news' started by HURST, Mar 25, 2008.

Thread Status:
Not open for further replies.
  1. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I got infected last night via a USB drive. I inserted it, copied a .doc and a .xls to my computer and removed it. I didn't open the files. I have Autorun disabled. Next thing I know, my laptop is slow, as in SLOW. So I downloaded CureIt and it found the following:

    c:\windows\system32\amvo.exe
    c:\windows\system32\amvo0.dll
    c:\nlblkhq.com
    d:\nlblkhq.com
    z:\nlblkhq.com

    All identified as Win32.besso by CureIt.

    BTW, my friend, who owned the usb drive, was also infected, but the file was named help.exe, also win32.besso.

    After deleting the files, I wasn't able to open any of the disks anymore: when double-clicking or when trying to explore, it launched the list for choosing a program to open. So, time to go back in time with System Restore and it was solved. One last check with CureIt, one check with AVP tool and one check with SAS. All clean. Time for me to go to sleep.

    But my question is: how could this happen if I didn't execute anything and Autorun is disabled? Maybe there was another culprit I'm not aware of or can't remember? I blame the usb drive because both my friend and I were infected, I didn't install or download anything yesterday and I do all my browsing sandboxed.
    Would an app like AntiExecutable have helped in this case?
    Is it possible to open USB-drives sandboxed? Are there any problem if I do so?


    PS: NOD32 has let me down a bit too often lately... maybe time to move on...
     
    Last edited: Mar 25, 2008
  2. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Do you have your hidden files and folders displayed? Choose to show them otherwise.

    Regarding this trojan, you could have stopped it from doing its thing by:

    1. Using a HIPS that monitors the processes in your system.

    2. Running in a restricted account and thereby having write/change permissions disabled for root, windows, programfiles and HKLM.

    It was presumably loaded into the explorer.exe process.

    /C.
     
    Last edited: Mar 25, 2008
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yeah, probably a HIPS is the best way, but I don't feel I'm ready to safely use a HIPS. I know that eventually I'm going to click the wrong option and/or I'm going to get bored of the pop-ups... Almost 6 months now and I still can't make up my mind about trying a HIPS.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    See here for a possible explanation:
    Code:
    [autorun]
    open=kwjkpww.exe
    shell\open=Open
    shell\open\Command=kwjkpww.exe
    shell\open\Default=1
    shell\explore=Explore
    shell\explore\Command=kwjkpww.exe
    
    Using TweakUI the right way
    Sure. Or a HIPS. Or a behav. blocker. Or LUA + SRP.
    I don't know about Sandboxie, but in GeSWall you can make custom rules to treat removable drives as always untrusted.
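    Added example (my own code, not from lucas1985 or the linked article): a small Python checker that parses an autorun.inf like the one quoted above and flags the entries Explorer will run. The open= line is what AutoRun launches, but the shell\open\Command and shell\explore\Command lines replace what double-click and right-click "Explore" do, so they still fire with AutoRun disabled; if their target has been deleted, Windows falls back to the "Open With" dialog. The SAMPLE text and the present_files argument are constructed for the demo.

```python
import re
from pathlib import PureWindowsPath

# Keys whose value Explorer treats as a program: 'open'/'shellexecute' fire via
# AutoRun; shell\<verb>\command overrides the drive's double-click/Explore action.
RUN_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$")

def parse_autorun(text):
    """Return (key, value) pairs of the [autorun] section, keys lowercased."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries

def suspicious_entries(text, present_files=()):
    """List (key, target, reason) for every entry that would launch a program.
    present_files: file names in the drive root, passed in so this runs offline
    (on a live drive you would use os.listdir on the drive root instead)."""
    present = {f.lower() for f in present_files}
    findings = []
    for key, value in parse_autorun(text):
        if not RUN_KEYS.match(key) or not value:
            continue
        # First token is the program; honour a quoted path containing spaces.
        program = value.split('"')[1] if value.startswith('"') else value.split()[0]
        target = PureWindowsPath(program).name.lower()
        reason = ("launched by AutoRun" if key in ("open", "shellexecute")
                  else "launched by double-click/Explore even with AutoRun off")
        if target not in present:
            reason += "; target missing, so the drive shows the 'Open With' dialog"
        findings.append((key, target, reason))
    return findings

# Constructed sample, modelled on the autorun.inf quoted in the thread.
SAMPLE = r"""[autorun]
open=kwjkpww.exe
shell\open=Open
shell\open\Command=kwjkpww.exe
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=kwjkpww.exe
"""
```

Running `suspicious_entries(SAMPLE)` flags the three launch entries and reports the target as missing; passing the drive's actual file list makes the "missing" note disappear for files that are still present.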
     
  5. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Thanks lucas... that was an interesting read...
    After this, I'm trying ThreatFire... let's see how it goes....
     
  6. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Anti-executable may have helped. I've noticed that if I insert a flashdrive containing exe files and go to view the contents I get pop-ups from AE telling me those exe's have been blocked.
     