My laptop was hijacked by bad guys - but I’m still alive and well
Andy Pedisich July 1 2009 10:23:33 AM
Let's cut to the chase. Yes, I have anti-viral software. McAfee.
Yes, it was up to date as of yesterday afternoon around noon.
Yesterday at 3:50 PM I was finishing up a project and decided to take a break and catch up on the news. I was curious about what South Carolina Gov. Mark Sanford saw in his Argentine girlfriend and decided to do an image search on Google, which immediately brought up a handful of thumbnails. Nothing racy, mind you. All were news-type sites. I clicked to read the accompanying text and received a message from McAfee indicating that the site was trying to download a file called install[1].exe to a temp folder in my Windows XP profile, but that it was identified as a trojan and was blocked. I thought I was done. I wasn't. Here's what happened. Behind my back a couple of items were added to the registry.
It made an unsuccessful attempt to change my hosts file. But it did not ask about either of the previous changes.
At the time, I did not know about the successful changes, only about the blocked one. I still had a warm fuzzy going on. I exited the browser and about two minutes later saw this hovering over the systray exactly where McAfee would put it.
Which was followed by this smack dab in the middle of the screen. Same color and style as McAfee, but I didn't fall for it.
Since I do not have Antivirus System Pro on my system, I knew right away that I was screwed, and was very careful to take screenshots and lots of notes. I disconnected from the Internet on my laptop and did the research on my desktop. I found I had picked up the FakeAlert virus. Apparently it was a new strain. Research later in the day proved this correct. The original strain showed up in early May, then there were lots of other versions of this vermin. The variant I caught was brand new, released on June 30th, and not yet documented, released just in time for me not to have the signatures.
One telltale sign - the addition of C:\windows\sysguard.exe to my system.
Then my IE browser started to activate on its own. Mind you, FireFox is my default browser, but the code activated IE.
This varied between the above, V1agra.com, and Adu1t.com and came up about every two minutes. Disconnected from the Internet I saw nothing. Connected to the Internet... well my mom would have blushed and activated Antivirus System Pro, which is a well known piece of crap.
A scan of my system using McAfee with the latest DAT files I could get revealed NOTHING!
After two full hours of scanning and screwing around, I decided that I had indeed caught a recent variation and threw in the towel. I engaged McAfee's service to remove the damn thing.
My sister's system got one of these things and in the end she had hundreds of crawly bits, necessitating a full blow-away and rebuild of her OS. Since I hadn't clicked Yes to anything I felt I was in the early stages.
McAfee's service cost $89.90. The guy connected remotely and knew what he was looking for. He identified 4 files that made up the infection and a couple of registry entries. It required safe mode and turning off the system restore function to clear everything out. He cleared a lot of other crap from my system, which now has more disk space and is appreciably faster than before.
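The post names three things that changed on the box: a new C:\windows\sysguard.exe, an attempted edit to the hosts file, and a couple of registry entries (the screenshots with the exact value names did not survive, so they are not known here). The following is an added triage script, not from Andy's post or from McAfee, that checks a Windows host for those same indicators from an elevated PowerShell prompt. It assumes the file path given in the post and the standard hosts-file location; because the registry value names are not on the page, it lists every Run/RunOnce autostart value for review instead of matching a specific name. It reports only and removes nothing.

```powershell
# Added triage script (not from the original post). Checks for the indicators
# described in the post: C:\windows\sysguard.exe, non-default hosts-file lines,
# and autostart registry values. Report-only; run from an elevated prompt.

$findings = @()

# 1. The telltale file named in the post (path assumed from the post).
$sysguard = Join-Path $env:SystemRoot 'sysguard.exe'
if (Test-Path $sysguard) {
    $item = Get-Item $sysguard
    $findings += "Suspicious file present: $sysguard ($($item.Length) bytes, modified $($item.LastWriteTime))"
}

# 2. Hosts file: the post mentions an attempted change. Flag every active
#    (non-blank, non-comment) line that is not a plain loopback entry.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = Get-Content $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
foreach ($line in $hostsLines) {
    if ($line -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') {
        $findings += "Non-default hosts entry: $line"
    }
}

# 3. Autostart registry values. The post says entries were added "behind my
#    back" but does not name them, so every Run/RunOnce value is listed for
#    review; values pointing at the Windows root or a temp folder get a marker.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata properties
        $value = [string]$p.Value
        $flag = if ($value -match '(?i)sysguard|\\temp\\|\\windows\\[^\\]+\.exe') { ' <-- review' } else { '' }
        $findings += "Autostart: $key\$($p.Name) = $value$flag"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Save it as a .ps1 and run it before and after cleanup; a clean host should print "No indicators found." apart from the autostart lines you already recognise. As the post notes, a signature scan with current DAT files found nothing, which is why a file, hosts and autostart check by hand is worth having alongside the scanner.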
I know what you're thinking. Why should I pay for a service when it should have caught it? For one, I just wanted to have my laptop back. Secondly, I wanted to watch and see what's involved in removing a piece of crap like this.
All in all, it was a close one that cost me some dough and a couple of hours. Part of the healing process was deleting all history, so I don't even know where it came from. I suspect that some site was compromised.
I put this out here for your entertainment and your edification. An attack like this has never occurred before in my 25 years in IT. Amazing, isn't it?
- Andy