All right, so I'm just looking at some forums and apparently an ad from "adxgate.net" loaded, which uses some kind of exploit for IE6 that apparently downloads and installs "yazzlebundle.exe" and lots of other nasty stuff..... NOD32 just popped up showing I had an infection, but it was too late. It had installed, and infected winlogon.exe, and somehow "mljhfgf.dll" is involved.... this is very nasty and I still can't find a way to get rid of it. Anyone have an idea???
For starters,
http://housecall.trendmicro.com/
Removing a trojan can be complicated, but isn't necessarily so. If you're not very familiar with how Windows is built, and how trojans bury themselves, you'll have a hard time with any instructions given.
Best thing you can do is protect the backups you made, make an additional backup of any and all data you need to save, and reformat your drive(s).
This time, reinstall your OS, turn on Automatic Updates for Windows, allow it to download, install, and reboot automatically at say 3:00 a.m. This way you will at least be protected from forgetting to patch known vulnerabilities.
After you've patched your machine, create a non-privileged user which doesn't have install permissions. Always browse the internet from this low privilege account. No matter what page you visit, it'll never have permission to install anything locally.
Live and learn.
Quote from: Grok on April 18, 2007, 07:45 PM
For starters,
http://housecall.trendmicro.com/
Removing a trojan can be complicated, but isn't necessarily so. If you're not very familiar with how Windows is built, and how trojans bury themselves, you'll have a hard time with any instructions given.
Best thing you can do is protect the backups you made, make an additional backup of any and all data you need to save, and reformat your drive(s).
This time, reinstall your OS, turn on Automatic Updates for Windows, allow it to download, install, and reboot automatically at say 3:00 a.m. This way you will at least be protected from forgetting to patch known vulnerabilities.
After you've patched your machine, create a non-privileged user which doesn't have install permissions. Always browse the internet from this low privilege account. No matter what page you visit, it'll never have permission to install anything locally.
Live and learn.
Switching to a low permission account every time one needs to browse the internet seems like a hassle. Also, low privileged accounts are still able to run executable files, and it would just replace and restart an essential Windows process being run as a system task, then would have system privileges (correct me if I'm wrong about that at all). What I should (really) do is just update my insecure Internet Explorer 6.
However, I am quite concerned about just how it was able to force my browser to download then run it, before my three (NOD32, AVG, Kaspersky) anti-virus programs were able to do anything?
By the way, I don't really think what I got was a "trojan", but instead just adware. And I was able to just log into safe mode and delete those two dlls. Nothing seems to be happening now, and I haven't seen any foreign addresses/programs when I netstat -abn to check.
I found this funny. Can we move it to the Fun forum?
Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?
I second that...
Use something other than IE. Firefox, Opera, etc. If you can, use Lynx! Text-based browsing is the most secure there is.
Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?
And I found THAT funny. Please do!
Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?
lol I love you.
Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?
<3
http://usa.kaspersky.com/products_services/internet-security.php
Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?
You're so cute. Hey, why don't you go BROWSE a random internet site and all of a sudden have 30 notifications of an infected file being installed on your computer.
Back on topic:
Does anyone know how to Un-pack a PE32 file with UPX packers? I would love to reverse engineer this, and see if I missed cleaning up anything...
Quote from: brew on April 18, 2007, 07:03 PM
All right, so I'm just looking at some forums and apparently an ad from "adxgate.net" loaded, which uses some kind of exploit for IE6 that apparently downloads and installs "yazzlebundle.exe" and lots of other nasty stuff..... NOD32 just popped up showing I had an infection, but it was too late. It had installed, and infected winlogon.exe, and somehow "mljhfgf.dll" is involved.... this is very nasty and I still can't find a way to get rid of it. Anyone have an idea???
Quote from: brew on April 19, 2007, 02:27 PM
Back on topic:
Does anyone know how to Un-pack a PE32 file with UPX packers?
On topic?
Quote from: brew on April 19, 2007, 02:27 PM
You're so cute. Hey, why don't you go BROWSE a random internet site and all of a sudden have 30 notifications of an infected file being installed on your computer.
Actually, I'm pretty sure he's happy NOT going to some random site and getting spyware.
Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?
Same, I think he's probably trojanned too
In general the way that I remove virii from people's computers is to set the Execute - Deny permission on the file, then restart. Then you go about your business of fixing all the shit it's done to your computer.
Do you think something like "Yazzle" is advanced enough to replace essential system files? (i.e. winlogon, explorer, smss) It injected some dll into winlogon, and attempted to create two registry keys every 1.5 seconds. Stopped when I killed that thread though... and if anything else is infected I always keep backups of them on my external hard drive (I use my own hexed version of explorer.exe & winlogon.exe)
If it was serious, it would have prevented me from going into safe mode (right?) I guess I can call this silly attempt "owned" even though it did exploit IE6, and execute.
No way to know for sure without reverse engineering the particular piece of malware in question. The standard assumption is to assume that everything the malware had access to has been compromised and cannot be trusted. Making assumptions about benign-ness of any given malware is dangerous; if something compromised a process with admin/system privileges, you need to blow away the box and start from scratch (or backups, if you can with certainty trace the starting point of the compromise, though this is typically difficult to be entirely certain about as well).
The funniest part is it happened to brew. heh heh heh.
Quote from: Skywing on April 20, 2007, 02:54 PM
No way to know for sure without reverse engineering the particular piece of malware in question.
Exactly why I am interested in reverse engineering this malware.
7 posts ago...
Quote
Does anyone know how to Un-pack a PE32 file with UPX packers? I would love to reverse engineer this, and see if I missed cleaning up anything...
Unpacking the "quarantined" files is what I should focus on first. Then I would be able to disassemble and reverse engineer it.
First you should make sure UPX was the original packer. :P
I'm 100% confident it was UPX packed.
Then get UPX (upx.sf.net) and unpack it?
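Following up on rabbit's "make sure UPX was the original packer" and Newby's "get UPX and unpack it": the PowerShell below is an added example written for this thread, not code posted by anyone in it and not part of UPX. It parses the PE headers of a quarantined sample directly (DOS header, COFF header, section table) and reports the two things a stock UPX build leaves behind, UPX0/UPX1-style section names and the "UPX!" marker in the header area, so you know before running upx -d whether the stock unpacker has a chance. The sample file name is a placeholder.

```powershell
# Added example (not from the thread): check a PE file for the traces a stock
# UPX build leaves behind before trying "upx -d" on it.
function Test-UpxPacked {
    param([Parameter(Mandatory = $true)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic, e_lfanew (offset of the PE signature) at 0x3C
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) {
        throw "Not a PE file (no MZ header): $Path"
    }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    if ($peOff -lt 0 -or ($peOff + 24) -gt $b.Length -or
        $b[$peOff] -ne 0x50 -or $b[$peOff + 1] -ne 0x45) {
        throw "Missing PE signature: $Path"
    }

    # COFF file header follows the 4-byte "PE\0\0" signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16, header is 20 bytes
    $numSections = [BitConverter]::ToUInt16($b, $peOff + 4 + 2)
    $optHdrSize  = [BitConverter]::ToUInt16($b, $peOff + 4 + 16)
    $sectTable   = $peOff + 4 + 20 + $optHdrSize

    # Each IMAGE_SECTION_HEADER is 40 bytes and starts with an 8-byte name
    $names = @()
    for ($i = 0; $i -lt $numSections; $i++) {
        $off = $sectTable + ($i * 40)
        if (($off + 8) -gt $b.Length) { break }
        $names += [System.Text.Encoding]::ASCII.GetString($b, $off, 8).TrimEnd([char]0)
    }

    # Stock UPX writes a "UPX!" marker block into the header area; look in the
    # first 4 KiB of the file for it
    $head = [System.Text.Encoding]::ASCII.GetString($b, 0, [Math]::Min(4096, $b.Length))
    $hasMarker   = $head.Contains('UPX!')
    $hasSections = @($names | Where-Object { $_ -match '^UPX\d$' }).Count -gt 0

    [pscustomobject]@{
        Path        = $Path
        Sections    = ($names -join ', ')
        UpxSections = $hasSections
        UpxMarker   = $hasMarker
        LikelyUpx   = ($hasSections -and $hasMarker)
    }
}

# Usage (placeholder file name for the quarantined sample):
Test-UpxPacked -Path '.\quarantined-sample.exe' | Format-List
# If LikelyUpx is True, the stock tool can normally unpack it:
#   upx -d -o unpacked-sample.exe quarantined-sample.exe
```

Both signs are heuristics in each direction: section names can be renamed and the marker stripped after packing (a common trick precisely so that upx -d refuses to work), and a file can carry the strings without being packed. Either result means you still treat the sample as hostile and only open it in a throwaway VM.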
Quote from: Newby on April 20, 2007, 08:54 PM
Then get UPX (upx.sf.net) and unpack it?
That's too logical.
Quote from: rabbit on April 20, 2007, 10:44 PM
Quote from: Newby on April 20, 2007, 08:54 PM
Then get UPX (upx.sf.net) and unpack it?
That's too logical.
Shit, I forgot we were dealing with brew.
Quote from: MyndFyre[vL] on April 20, 2007, 12:43 PM
...virii...
Sorry to throw this even more off-topic, but....... the proper pluralization of virus is viruses, not virii: http://en.wikipedia.org/wiki/Plural_of_virus#Use_of_the_form_virii
That article is somewhat inaccurate:
Quote
The form viri might also be incorrect in Latin. The ending -i is normally used for masculine nouns, not neuter ones such as virus, although there are exceptions such as humus -"soil" which is feminine and vulgus -"crowd" which is neuter; moreover, viri (albeit with a short i in the first syllable) is the plural of vir, and means "men."
Uh... if virus was neuter, wouldn't it have the ending -um? Therefore it'd be virum. And the plural form of 2nd declension nom neuter nouns is "o", therefore the correct plural of "virum" would be "viro".
Although the Romans apparently screwed up the ending of "virus", which is actually neuter, one may still note the nom. singular ending is "i", making the entire word "viri", which is translated as "toxins". "viri", as the article claims, would be the plural of "man", however this isn't so. "vir" is a word which does not exist in the Latin language. Instead, the correct word for "man" is "vīr" (note the macron over the i) and thus, the plural of "man" is "vīri". (It is also notable that the gen. singular form ending of m/f second declension nouns is also -ī)
You're retarded. Stop trying to play smart.
Quote from: brew on April 18, 2007, 08:09 PM
Quote from: Grok on April 18, 2007, 07:45 PM
After you've patched your machine, create a non-privileged user which doesn't have install permissions. Always browse the internet from this low privilege account. No matter what page you visit, it'll never have permission to install anything locally.
Switching to a low permission account every time one needs to browse the internet seems like a hassle. Also, low privileged accounts are still able to run executable files, and it would just replace and restart an essential Windows process being run as a system task, then would have system privileges (correct me if I'm wrong about that at all).
So do not switch when you want to browse. Instead, run as an unprivileged user except in those rare cases where you need privilege (for example, installing a software update). This is better anyway, since then you are running unprivileged when interacting with your e-mail program, chat servers, etc.
Low privileged accounts can run executables, but if you are using XPPro, you could use a Software Restriction Policy to deny the ability to execute anything in the most likely places malware will land. You could also set a Deny Execute as Myndfyre suggested, but that would be part of a DACL that sufficiently advanced malware could change before it tries to execute a helper process.
An invader can only replace a system process if that process runs one or more files that are modifiable by the invader. If you are running as an unprivileged user, there should not be any such processes that you can modify. Since the invader will be running as you (barring use of a privilege escalation exploit), it should be similarly curbed.
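To make Kp's Software Restriction Policy suggestion concrete, here is an added PowerShell example; it is not something anyone in the thread posted. It writes SRP path rules straight into the registry, which is the same data the Local Security Policy editor on XP Pro writes (the key layout under Safer\CodeIdentifiers is as I understand it from the SRP documentation; that it also takes effect on XP Home, which lacks the editor, is an assumption). The default level stays Unrestricted and only the directories a drive-by download lands in (the user's Temp and Temporary Internet Files folders, exactly the places a browser exploit writes its payload before launching it) get a Disallowed rule. The rule description text is mine.

```powershell
# Added example (not from the thread): Software Restriction Policy path rules
# that deny execution from the user-writable directories a browser exploit
# drops files into. Run from an administrator account; affects new processes
# (log off and on again if in doubt).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# 0x40000 = Unrestricted default level, 0 = Disallowed; 1 = enforce for all
# software (DLLs excluded); PolicyScope 0 = apply to all users, admins included
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1       -Type DWord
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0       -Type DWord
# File types SRP treats as executable (the stock default list)
Set-ItemProperty -Path $base -Name 'ExecutableTypes' -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
    'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
    'PIF','REG','SCR','SHS','URL','VB','WSC')

# Rules for level 0 (Disallowed) live under CodeIdentifiers\0\Paths\{GUID}.
# Environment variables are expanded per user, so one rule covers everyone.
$disallowed = Join-Path $base '0\Paths'
$dropZones = @(
    '%USERPROFILE%\Local Settings\Temp',
    '%USERPROFILE%\Local Settings\Temporary Internet Files'
)
foreach ($p in $dropZones) {
    $key = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $p -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0  -Type DWord
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::Now.ToFileTime()) -Type QWord
    Set-ItemProperty -Path $key -Name 'Description'  -Type String `
        -Value 'Added rule: no execution from user-writable temp directory'
}

# Show what is now configured
Get-ChildItem -Path $disallowed | ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Select-Object ItemData, SaferFlags, Description
```

Path rules like these only cover the directories you list, so a dropper that writes somewhere else (or a user who copies the file to the desktop and double-clicks it) is not stopped; the stronger configuration is DefaultLevel 0 with Unrestricted rules for %SystemRoot% and %ProgramFiles%, which is the "deny by default" Kp is really describing. Either way SRP is evaluated by the OS at process creation rather than by an ACL the malware can rewrite, which is the advantage over the Deny Execute approach.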
Could low privileged accounts inject dlls into system processes? I'm using XP Home Edition 2600.
And by the way, thank you for the intelligent post.
Quote
You're retarded. Stop trying to play smart.
Immature. Please quit trolling.
That wasn't a troll, it was a direct response to your "I know Latin" rant (which you're wrong about, there was no macron in the Latin lingual system).
Rabbit, I took a few years of Latin in high school, and it is vīr, not vir.
I also took 4 years of Latin. The macron is used in teaching Latin because it helps forming sounds, but ancient Latin didn't have a macron, or even a lower case, actually. Anyway, my point is, it's vir, a regular 3rd declension masculine noun, and virus, a regular 2nd declension masculine noun.
There is no macron in Latin, it's a little thing added to help with the sounds (long vs short letters)
Quote from: rabbit on April 21, 2007, 04:20 PM
I also took 4 years of Latin. The macron is used in teaching Latin because it helps forming sounds, but ancient Latin didn't have a macron, or even a lower case, actually. Anyway, my point is, it's vir, a regular 3rd declension masculine noun, and virus, a regular 2nd declension masculine noun.
Rabbit, you're an idiot. We call it a macron-- they didn't call it anything. It's just a "long vowel". And if you look at ancient Roman ruins you would see, they DO use macrons in their text. One more thing-- vir is NOT a 3rd declension noun, it's 2nd. Go look anywhere, puh-lease. Stop trying to outsmart me, especially in Latin. I am a three time ACL/NJCL National Latin Exam Summa cum laude winner (gold medal). So really, sum possum dicere Latinum perfectum. Et tu?
EDIT*** Also, you're wrong. Virus is neuter.
Quote from: brew on April 21, 2007, 03:20 PM
Could low privileged accounts inject dlls into system processes? I'm using XP Home Edition 2600.
2600? That's pretty far off into the future. Internal leak?
Quote from: Newby on April 21, 2007, 04:30 PM
Quote from: brew on April 21, 2007, 03:20 PM
Could low privileged accounts inject dlls into system processes? I'm using XP Home Edition 2600.
2600? That's pretty far off into the future. Internal leak?
...5.1.2600.
... Did you seriously call Windows XP by its build number? Moron.
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.
Quote from: brew on April 21, 2007, 03:20 PM
Could low privileged accounts inject dlls into system processes? I'm using XP Home Edition 2600.
There would not be much point in having the concept of privilege if low privileged users could tamper with highly privileged processes. That said, I have read that XPHome skips security checks, so it might allow the behavior you are worried about. I know that XPPro does not allow it. Hopefully, someone will report whether XPHome enforces the relevant checks.
Quote from: RεalityRipplε on April 21, 2007, 07:56 PM
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.
A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights. It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.
Quote from: Kp on April 21, 2007, 08:10 PM
Quote from: RεalityRipplε on April 21, 2007, 07:56 PM
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.
A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights. It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.
In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) .
Quote from: Warrior on April 21, 2007, 07:45 PM
... Did you seriously call Windows XP by its build number? Moron.
Why wouldn't he, if he's discussing a trojan for a specific build of Windows?
By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being witty but it ultimately failed.
Quote from: Joe[x86] on April 22, 2007
Quote from: Warrior on April 21, 2007, 07:45 PM
... Did you seriously call Windows XP by its build number? Moron.
Why wouldn't he, if he's discussing a trojan for a specific build of Windows?
By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being witty but it ultimately failed.
The trojan was specific to his build of Windows? This is incredible. Now they're writing trojans for specific operating systems written hundreds of years in the future. What will malware writers do next? Write trojans for people's clothing?
I also don't get the "try at being witty" comment.
Quote from: Joe[x86] on April 22, 2007
Quote from: Warrior on April 21, 2007, 07:45 PM
... Did you seriously call Windows XP by its build number? Moron.
Why wouldn't he, if he's discussing a trojan for a specific build of Windows?
By the way, if you read anything other than the 2600, you'd realize that he said he's using Windows XP Home Edition. Nice try at being witty but it ultimately failed.
Because unless you're using a Beta version of XP, the RTM build number is 2600. It can be assumed that 99.9% of the Computers running XP are running build 2600. It's really retarded to call it anything else. It's Windows XP and nothing fundamentally changes build to build if (and only if) there so happens to be a build revision in the near future.
Quote from: RεalityRipplε on April 21, 2007, 09:10 PM
Quote from: Kp on April 21, 2007, 08:10 PM
Quote from: RεalityRipplε on April 21, 2007, 07:56 PM
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.
A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights. It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.
In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) .
Doing that would require an insecure DACL on the files and/or directories used by the target process. Although possible, it would be rather silly to see a process where someone managed to get the process DACL right, but left the file DACLs insecure.
Quote from: Kp on April 22, 2007, 02:32 PM
Quote from: RεalityRipplε on April 21, 2007, 09:10 PM
Quote from: Kp on April 21, 2007, 08:10 PM
Quote from: RεalityRipplε on April 21, 2007, 07:56 PM
You can inject code into things no matter what. Modular coding is basically injecting a DLL into a running EXE and calling a function out of it.
A properly secured DACL on the injectee will grant the would-be injector either no rights or read-only rights. It is possible that there would be a privileged process with an insecure DACL, but I think all the services in a base install are OK.
In which case you overwrite the original file (rename the original to something else, create a copy) and disable the DACL protection, use the SetEntriesInAcl and SetSecurityInfo APIs, and then inject the DLL :) .
Doing that would require an insecure DACL on the files and/or directories used by the target process. Although possible, it would be rather silly to see a process where someone managed to get the process DACL right, but left the file DACLs insecure.
I've never found a program I can't make a copy of and edit.
Quote from: brew on April 20, 2007, 08:01 PM
Quote from: Skywing on April 20, 2007, 02:54 PM
No way to know for sure without reverse engineering the particular piece of malware in question.
Exactly why I am interested in reverse engineering this malware.
You're probably not interested in reverse engineering it. If you don't, and nobody else has (with verification that the code on your box is identical), then you should wipe the system clean.
Quote from: RεalityRipplε on April 22, 2007, 03:00 PM
I've never found a program I can't make a copy of and edit.
That doesn't really get you anything. You'll have no way to place the modified version of the binary where it will be run, assuming file ACLs are set properly and the lack of a security hole allowing an unprivileged user to convince a privileged process to load a binary from an untrusted location.
If you run the modified version of the binary yourself, it will be executing with the privileges of your (unprivileged) account and thus will not be able to perform things outside the sandbox of that user account.
I use the following method for my media player's self-update system. It renames itself from LLMP.exe to LLMP.old. It then downloads the new LLMP.exe to the same location. It runs the new EXE and closes itself. The new copy deletes the old one now that it's no longer running. Doesn't the same ability apply to any program you can make?
Only if the user account from which you are doing that operation has write access to the file/directory.
If you placed your program in a location under, say, %ProgramFiles% (with the default ACL) and attempted that process while running it as a limited user, it will fail.
* Note: If you are using filesystem virtualization for Vista, the virtualization minifilter may make a shadow copy under your %userprofile% tree, with redirection in place to make it appear as the operation succeeded, despite the fact that the original in %ProgramFiles% is unchanged. If you accessed the program from a different user account, it would see the original in %ProgramFiles% and not the "modified" one.
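Skywing's point (and Kp's earlier one about file DACLs) boils down to a question you can actually audit: is there anything under %ProgramFiles% or %SystemRoot% that a limited user can write to, delete, or re-permission? The PowerShell below is an added example written for this thread, not code from anyone in it. It walks those two trees and reports every file or directory whose DACL grants such rights to a broad low-privilege principal (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE). On a default install the output should be empty; any hit is a location where the rename-and-replace trick RεalityRipplε describes would work from a limited account and the ACL should be tightened.

```powershell
# Added example (not from the thread): find files and directories under the
# trusted program locations whose DACL lets a broad low-privilege group modify
# them. A limited user needs exactly that to stage a replacement binary.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)
# Rights that let a principal change the object or its permissions. Modify and
# FullControl are supersets of these bits, so they are caught as well.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

function Find-LooseAcl {
    param([string[]]$Roots = @($env:ProgramFiles, $env:SystemRoot))
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                # Compare SIDs, not names, so localized group names do not matter
                try {
                    $sid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # orphaned/unresolvable identity
                if ($broadSids -contains $sid -and
                    (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

Find-LooseAcl | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: the scan of %SystemRoot% takes a while, and a hit on a directory matters as much as one on a file, because write access to the directory is enough to drop a same-named DLL next to a program (Skywing's "load a binary from an untrusted location"). On Vista and later, run the audit from an elevated prompt so that the virtualization Skywing mentions does not hide the real state of %ProgramFiles% from you.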
@Newby, Warrior: Quit trying to be asses. Simple as that.
EDIT -
BreW, if you upload it I'll take a swing at reverse engineering it and seeing what's up.
I deleted it. (lost interest) But thanks anyways.