
Someone has been naughty


Spiff59

This morning, I'm off searching far and wide for a specific application...

And I'm starting to jump into sites with Chinese and Arabic fonts, and sites with .pl and .ru suffixes.

I know I'm tempting fate. I do have my "panic button" next to the clock that switches me to a basic startup profile (via msconfig), launches rkill.exe, and disables the internet.

Half the time I'm able to clean the garbage off without a reboot. Some of the ransomware infects faster than my guards go up, but my default user account is not an administrator, and coming back in as Administrator has worked with all of the fake FBI crap.  Worst case scenario, I just pull the drive and hang it off another PC as the D: drive and give it a cleaning.

Anyway, I was loading some site, there's a freeze, then boom, Firefox windows start popping up like crazy. I killed the whole browser group, disabled my Local Area Connection and started looking around. Looking at running processes, "winvnc86.exe" has red flags all over it, as I've become very familiar with what belongs in the process list. I killed winvnc86 and, things seeming safe, enabled my connection, started updating combofix and malwarebytes to their latest versions and then googled the winvnc86 filename. I clicked on the first few relevant sites to open in separate tabs and then my pc slowed, I got redirected, popups started again.

I locked up and ran the cleaning programs.  The popups were due to a couple executables stuck in my "user/local settings/temp" folder, and my 14KB svchost.exe had blossomed to 300KB.

It's the other virus that caught my eye, a fairly new variant I guess. It's the one with the winvnc86.exe process, and it had downloaded 3 files to my system32 folder and was getting me set up to mine for bitcoin or litecoin. What I found interesting was that the driver/installer for it all, that had been parked in my "startup" folder, was a bound AutoIt 3.3.8.1 executable, 571KB in size, called initsrv.exe.

Its actions are well-described here: http://www.tgsoft.it/english/news_archivio_eng.asp?id=562

I found it a weird mix of both shock and amusement that something malicious, with such an origin, would ever find its way to my desktop.


Edited by Spiff59

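A triage check for the situation in the post above, added here as an example (it is not code from any poster in this thread): list every executable sitting in a Startup folder and flag the ones built with AutoIt by looking for the `AU3!EA06` marker that compiled AutoIt 3.3.x scripts carry. The marker only says how a file was built, since legitimate AutoIt tools carry it too; the function names and the sample files are constructed for the demonstration.

```python
import os
import struct
import tempfile

AUTOIT_MARKER = b"AU3!EA06"  # magic preceding the script in AutoIt 3.3.x compiled EXEs

def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def triage_folder(folder: str) -> list:
    """Return (file name, finding) for every PE file in folder, whatever its extension."""
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if not is_pe(data):
            continue  # shortcuts (.lnk) and documents are not executables
        if AUTOIT_MARKER in data:
            findings.append((name, "compiled AutoIt script"))
        else:
            findings.append((name, "other executable"))
    return findings

def fake_pe(payload: bytes) -> bytes:
    """Constructed minimal PE-like header (not a runnable program) plus payload."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return header + b"PE\x00\x00" + payload

def demo() -> list:
    """Build a constructed Startup folder in a temp directory and triage it."""
    samples = {
        "initsrv.exe": fake_pe(b"\x00" * 64 + AUTOIT_MARKER + b"\x00" * 64),
        "updater.exe": fake_pe(b"\x00" * 128),
        "Notes.lnk": b"L\x00\x00\x00" + b"\x00" * 72,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return triage_folder(tmp)

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

On a real machine, point `triage_folder` at the per-user and all-users Startup folders; any executable there that you did not put there yourself deserves a closer look, AutoIt-built or not.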
lordofthestrings

If you're surfing websites that add functionality to your computer (like spyware), I suggest creating a virtual bubble to capture all software changes and removing that bubble when no longer needed. The 2 best options for this are Microsoft's App-V (formerly known as SoftGrid) or Altiris SVS (http://download.cnet.com/Software-Virtualization-Solution-SVS/3000-2651_4-10516806.html), and it's simple to use: create a new layer, browse the world wide web, install all the crap that you don't need, close the layer and remove it from the application, and all installed spyware/viruses are removed from your computer. Check it out :)

 

Kind regards,

Dimitri


Spiff59

Thank you. I truly will look into those. I had some sort of sandbox software set up years ago and it was a pain-in-the-rear.   I recall extra drive partitions, multi-boot .ini files, and a lot of rebooting during use.  Hopefully the more modern ones don't have such requirements. 

Is there any sort of data stored in this executable that would be helpful in identifying the author? Any secret bits of info tucked in here or there? An embedded IP, MAC address, hard drive serial number, etc.? I guess if a dev told me, it wouldn't be secret anymore ;) Neither PE Explorer nor WinHex found any "Kilroy was here" strings left by the author.

nitekram

Very interesting...I will also be looking at these!


All by me:

"Sometimes you have to go back to where you started, to get to where you want to go." 

"Everybody catches up with everyone, eventually" 

"As you teach others, you are really teaching yourself."

From my dad

"Do not worry about yesterday, as the only thing that you can control is tomorrow."
