2012 Malware Variants

By younghv (Type: General), posted 2011-07-05 at 10:35:47
Awards: Community Pick, Experts Exchange Approved
Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title.

Examples:
XP Antispyware 2012
XP Antivirus 2012
XP Security 2012  
XP Home Security 2012
XP Internet Security 2012  

Vista Antispyware 2012
Vista Antivirus 2012
Vista Security 2012
Vista Home Security 2012
Vista Internet Security 2012

Win 7 Antispyware 2012
Win 7 Antivirus 2012
Win 7 Security 2012
Win 7 Home Security 2012
Win 7 Internet Security 2012  

Proper repair of this malware is a 3-step process, using automated tools that are readily downloadable from the Internet.
1. Fix the registry.
2. Kill the rogue processes spawned by the malware.
3. Run the scanner to find/repair/delete the infection.

Links to the tools are:
1. FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
2. RogueKiller (http://www.sur-la-toile.com/RogueKiller/)
3. Malwarebytes (http://www.malwarebytes.org/) and TDSSKILLER (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)

Your first step is to fix the Windows registry to make sure that the applications (.exe files) you select to run will work properly. If you don't fix this first, the infection will launch itself instead of the tool/scanner you are trying to run.

Next you have to stop the rogue processes that have taken control of your system. A related EE Article is here: http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

The third step is to run a reliable scanner application. My scanner tool of choice is “Malwarebytes” (MBAM). The free version linked above is available to anyone wanting to scan/repair their personal computer(s) – although I recommend the PRO version as a terrific layer of protection on top of your normal AV program. A PRO version is available for enterprise/network deployment, with significant discounts for multiple licenses.

After downloading and installing MBAM, click on the “Update” tab and make sure you have the latest definition files. These are updated several times a day, so you should always run the ‘update’ immediately prior to starting the scan. It is normally sufficient to just run the "Quick Scan" to clear away the malware, but I always run the “Full Scan” (as a precaution) before returning the computer to a customer.

Many malware variants are also carrying the "TDSS" payload which we need to check for as a matter of course. TDSSKILLER does a good job of this and is fairly simple to use.

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue.
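An added example, not part of the original article: a read-only PowerShell check for the hijacked .exe association that step 1 (FixNCR.reg) repairs. The stock values assumed here ("exefile" for the .exe class and "%1" %* for the open command) and the per-user override keys under HKCU\Software\Classes are assumptions drawn from a clean Windows XP/Vista/7 system, not from the article; the script reports and changes nothing, so it can be run before and after applying the .reg file.

```powershell
# Added example, not part of the original article: audit the .exe file
# association the rogue hijacks so that every program you launch starts the
# infection. Read-only: it reports, it does not repair anything.
# Assumed stock values on a clean XP/Vista/7 system:
#   HKCR\.exe                        (Default) = exefile
#   HKCR\exefile\shell\open\command  (Default) = "%1" %*
# Per-user keys under HKCU\Software\Classes take precedence over HKCR, so
# they are checked too; on a clean box they are normally absent.

$expectedOpen = '"%1" %*'

function Get-DefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # PowerShell exposes the unnamed registry value as the '(default)' property
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

function Test-ExeAssociation {
    $checks = @(
        @{ Check = 'HKCR .exe class';       Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Expect = 'exefile' },
        @{ Check = 'HKCR exefile open';     Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expect = $expectedOpen },
        @{ Check = 'HKCU .exe override';    Path = 'HKCU:\Software\Classes\.exe';                             Expect = $null },
        @{ Check = 'HKCU exefile override'; Path = 'HKCU:\Software\Classes\exefile\shell\open\command';       Expect = $null }
    )
    foreach ($c in $checks) {
        $actual = Get-DefaultValue $c.Path
        if ($null -eq $c.Expect) {
            # Any per-user override of the .exe class deserves a look: it wins over HKCR
            $status = if ($actual) { 'SUSPECT: per-user override present' } else { 'ok (absent)' }
        } elseif ($actual -eq $c.Expect) {
            $status = 'ok'
        } else {
            $status = 'SUSPECT: unexpected value'
        }
        New-Object PSObject -Property @{ Check = $c.Check; Value = $actual; Status = $status }
    }
}

Test-ExeAssociation | Format-Table Check, Value, Status -AutoSize
```

If the open command points at a file under %appdata% or %temp% instead of "%1" %*, that is the hijack the article describes: every .exe you double-click runs that file first. Apply the .reg fix before trying to launch RogueKiller or Malwarebytes, then run the check again to confirm the values are back to stock.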

RogueKiller, Malwarebytes, and TDSSKILLER will all generate log files upon completion. If you are working with the EE Experts in a question, be sure to attach these log files to your question for them to review.

I am tempted to say that repairing this malware variant is as easy as “1, 2, 3”, but have been in the business way too long to make that kind of claim.

Although it is true that about 80% of the infected computers I repair ARE fixed with these 3 steps, there are times when I have to run additional scanners – and even post an Experts-Exchange question of my own and get some additional help.

For additional reading on malware repair, please see these other articles:

MALWARE - "An Ounce of Prevention..."
Basic Malware Troubleshooting
Rogue-Killer-What-a-great-name
Stop-the-Bleeding-First-Aid-for-Malware
Latest-Malware-Threat-Windows-Stability-Center


***Edit on 12/30/2011***

Please review the detailed comments from Russell_Venable down below (comment ID 34001).

Depending on the variant of this malware you are trying to repair, the work may be much more extensive than what is detailed in this article.

Comments

Expert Comment

by: rpggamergirl on 2011-07-06 at 02:57:22 (ID: 29518)

Voted Yes! :)

Expert Comment

by: demazter on 2011-07-06 at 04:17:52 (ID: 29520)

Looks like an excellent well thought out article to me.

Should be well received by all.

Well done younghv

Author Comment

by: younghv on 2011-07-06 at 04:41:13 (ID: 29522)

rpg & demazter -
Thank you for the comments and votes.
I appreciate them (and you).

Expert Comment

by: mbizup on 2011-07-07 at 13:42:12 (ID: 29564)

Voted 'Yes!'

I love checklists... they're just so easy to follow.

That 1,2,3 process really sticks with you.

Author Comment

by: younghv on 2011-07-07 at 14:06:53 (ID: 29566)

mbizup -
Thank you.

In my world, we call that Infantry Simple - and it works.
Semper Fi!

Author Comment

by: younghv on 2011-07-10 at 11:39:51 (ID: 29631)

I love this line:
"no matter how expert you may be, well-designed check lists can improve outcomes"

How appropriate!

Expert Comment

by: modus_operandi on 2011-07-10 at 11:42:42 (ID: 29632)

The Checklist Manifesto is a terrific book.  For that matter, so are Gawande's other ones, such as Complications and Better.  Heck, I'd probably read "The Collected Shopping Lists of Atul Gawande" if he ever got around to publishing it :)

Expert Comment

by: willcomp on 2011-12-05 at 08:46:33 (ID: 33541)

Vic, first time I've seen this one. Good job!

Author Comment

by: younghv on 2011-12-05 at 08:54:39 (ID: 33542)

Hey Dalton -
Thanks for the comment and the vote.

Stand by for my annual "Best Components for a New Custom Computer" question. I'm running out of time to beat the tax man this year.

Vic

Expert Comment

by: 9660kel on 2011-12-12 at 05:03:29 (ID: 33622)

Nice overview, any standout EE questions to read regarding this little slice of heaven?

Expert Comment

by: Russell_Venable on 2011-12-15 at 21:12:55 (ID: 33720)

First time I have seen this article. It's pretty good. +1 Youngv, keep it up.

Author Comment

by: younghv on 2011-12-18 at 05:03:43 (ID: 33770)

RV - thanks. I'm still monitoring your help on the zeroaccess problems.
Semper Fi!

Expert Comment

by: pony10us on 2011-12-22 at 08:30:00 (ID: 33854)

@younghv:  Great job.  While I have been able to keep this out of my work environment so far (I am a state bank network manager) using proper tools, I still encounter this on many friends and family computers. Having this checklist is a great way to "remember" to do all the steps.

Thank you for the article.

Expert Comment

by: aikimark on 2011-12-27 at 15:08:53 (ID: 33921)

I encountered this SOB for the first time Christmas Day (2011) on my mother's neighbor's system.  I was able to run programs with right mouse click and the start or run as admin menu items.  I had to start the Task Manager from the Ctrl+Alt+Del dialog.

After killing the virus processes in Task Mgr, I was able to get to the Lavasoft and MalwareBytes sites.  The neighbor had an old version of AVG and I suspect its virus definitions hadn't been updated in a while.

Due to the 2012 virus, the neighbor was still having trouble double-clicking on desktop program icons.  The shell thought it needed to associate a program with EXE files.  I found a .REG file posted by a Microsoft MVP that corrected this problem.

I took my time leaving after the second fix and he hasn't reported any more problems.

I wish I'd read this article before this weekend.  I would have been better prepared.

Author Comment

by: younghv on 2011-12-28 at 03:47:27 (ID: 33936)

pony10us - Thank you. I appreciate the comments.

aikimark - Step #1 (FixNCR.reg) was written by an MS MVP also.
;)

Next year buy all your friends and family the Premium version of Malwarebytes - about 20 bucks a pop for a 10 pack of lifetime licenses - and you can spend the holiday drinking eggnog instead of fixing confusers.

This is an old Article, but the concepts still apply. Please share the link:
MALWARE - "An Ounce of Prevention..."

Expert Comment

by: aikimark on 2011-12-28 at 04:43:09 (ID: 33937)

Nice idea.

The AVG caught this once it had been upgraded.  I use them as complementary AV protection.

Author Comment

by: younghv on 2011-12-28 at 05:07:50 (ID: 33938)

AVG has had more than a few "False Positives" - and worse - problems over the past year or so, plus they are a "Suite" type of program. I long ago swore off the 'everything plus the kitchen sink' type of programs due to the interference with the basic Windows OS.

Other than MSE, I don't recommend any of the free AV programs.

Expert Comment

by: pony10us on 2011-12-28 at 08:17:55 (ID: 33943)

younghv:

I had similar experiences with Avast having a lot of false positives. What do you think about PrevX? I tried using it for a while and it did a lot to protect my system; however, it also has some issues that I didn't care for.

As long as Malwarebytes is kept up to date it does a great job. I run it at least once or twice a week just as a preventive measure. I also have Spybot running all the time and keep it updated as well. This keeps my home system pretty clean.

What AV program do you recommend? (I know that is a personal preference question.) I have had issues with both Norton and McAfee in the past.

Author Comment

by: younghv on 2011-12-28 at 08:33:00 (ID: 33945)

pony10us -

For home and small network enterprises, I still stand by the recommendations in MALWARE - "An Ounce of Prevention..."

Back when I was managing some fairly large enterprises, McAfee ePO was my weapon of choice - but that was many eons ago. I changed away from Norton/Symantec when it let the "Melissa" virus pass through and never considered using it again.

Expert Comment

by: pony10us on 2011-12-28 at 08:39:31 (ID: 33946)

Thank you, I am looking at that article now.

Expert Comment

by: rpggamergirl on 2011-12-30 at 02:16:31 (ID: 33999)

These rogues can be easily removed with the tools mentioned here, but sometimes the damage done also needs to be fixed.
Some of the variants also delete services in the registry: the Base Filtering Engine (BFE), the Windows Firewall (mpssvc), and may also delete Security Center (mscsvc), so you need to check these services and make sure they are running, especially the Base Filtering Engine (BFE), since some services are dependent on that service.
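An added example, not part of rpggamergirl's comment or the article: a read-only PowerShell check for the services named above, including the services that depend on BFE. The service names BFE, MpsSvc and wscsvc are assumptions based on what a clean Windows Vista/7 system registers (Security Center is registered as wscsvc; the comment writes it as mscsvc); the script reports and suggests, it does not start or recreate anything.

```powershell
# Added example, not part of the original post: check that the services the
# rogue is reported to delete still exist, are set to start automatically and
# are running, and show what depends on BFE. Assumed service names:
#   BFE    = Base Filtering Engine
#   MpsSvc = Windows Firewall
#   wscsvc = Security Center (written as mscsvc in the post above)
# Read-only: it reports, it does not start or recreate anything.

$required = 'BFE', 'MpsSvc', 'wscsvc'

function Test-RequiredService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Deleted service: its key under HKLM\SYSTEM\CurrentControlSet\Services is gone
        return New-Object PSObject -Property @{ Service = $Name; Present = $false; StartMode = $null; Status = 'MISSING' }
    }
    # Start mode (Auto/Manual/Disabled) lives on the WMI object, not on Get-Service output in PowerShell 2
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    New-Object PSObject -Property @{ Service = $Name; Present = $true; StartMode = $wmi.StartMode; Status = [string]$svc.Status }
}

$report = foreach ($name in $required) { Test-RequiredService $name }
$report | Format-Table Service, Present, StartMode, Status -AutoSize

# Services that require BFE: if BFE is missing or stopped, these fail with it
$bfe = Get-Service -Name BFE -ErrorAction SilentlyContinue
if ($bfe) {
    'Services depending on BFE:'
    $bfe.DependentServices | Format-Table Name, Status -AutoSize
}

foreach ($r in $report) {
    if (-not $r.Present) {
        Write-Warning "$($r.Service) is missing; its service registration must be restored from a clean copy of the same Windows version"
    } elseif ($r.Status -ne 'Running') {
        Write-Warning "$($r.Service) is $($r.Status) (start mode $($r.StartMode)); try: Start-Service $($r.Service)"
    }
}
```

A service that is present but stopped or disabled can simply be set back to Automatic and started; one that is reported MISSING has had its registry entries deleted, which is the case rpggamergirl describes, and those entries have to be restored from a clean system of the same Windows version before the dependent services will start again.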

Author Comment

by: younghv on 2011-12-30 at 03:04:32 (ID: 34000)

rpggamergirl:
Thank you for the information.

I just saw your comments in http://www.experts-exchange.com/Q_27513892.html and will continue to monitor that question.

I haven't seen that problem yet in any of the computers I've worked on. Is there anything else (other than the instructions you posted) that needs to be added here?

Expert Comment

by: Russell_Venable on 2011-12-30 at 09:37:56 (ID: 34001)

Just a warning. I've had a few test samples that actually deleted Windows Firewall and/or Security Center. BFE changes are also noted. Other items to add here are:

User profile areas
* %appdata%\<random chars>.<3 letter> rot13 encrypted file
* %appdata%\<random chars> folder and/or files
* %userprofile%\Start Menu\<variant antivirus name>

Windows directory
* %windir%\<random chars>.dat / <random chars>.dll
* %systemroot%\<random chars>.dat / <random chars>.dll

Files dropped in temp
* %temp%\<random chars>.<3 letter>
* %temp%\<around 26 random chars>.exe

Also noticed removal of startmenu items and moving into %temp% or flat out removal. Earlier versions just changed file attributes. Seen a few experts here giving advice on using system cleaners.... Big no no.... Might want to include that in this article too.

Rootkit agents are definitely attaching to TDI group drivers like Afd.sys and patching the LSP chain, redirecting network traffic through the rootkit's TDI driver for filtering. To restore network connectivity on some of these boxes affected after removal of this malware, you will need to find your main network adapter, check for tampering with Device Manager, uninstall damaged devices (make sure you have the driver backup installation or a new updated driver from the manufacturer; reinstall can go wrong!), redownload the driver (unless already done), remove the NIC, install the new network adapter driver, and replace drivers in the driver group listed as "group: TDI" using sc.exe ("sc qc <driver>"). You can use the dll cache located in the Windows system32 folder to copy the backup driver and write over the existing TDI drivers in the drivers folder, or expand drivers from the install CD using the Recovery Console. You also need to check the dependencies on the TDI drivers (DHCP, TCPIP, etc.) to make sure they're running properly. The service query will tell you this information. Once the TDI driver is replaced and the network driver is reinstalled with a new one, either do a network diagnostic check or "netsh winsock reset catalog". Before doing this, make sure you note what LSPs are already in the chain: "netsh winsock show catalog > c:\lsp.txt". Previous LSP providers will be damaged by the Winsock catalog reset, so please double check LSP settings before continuing so you know what software needs to be reinstalled.

Software you can use to check LSP:
* Ad-Aware SE has an LSP plugin called LSPExplorer.
* Powertool ARK
* Xuetr ARK, known as "XT".
* Wsyscheck ARK
* There are a few more slipping my mind for the moment.

Causes of infection are exploits specifically targeting this software: Java, Adobe, media players (including 3rd party codec plugins), and Flash. User education or removal of these software platforms helps remove target vectors; combining both is good if possible. Finding URL history is privacy intrusive to the user (possibly embarrassing), but it also allows you to find out what sites are being used as a drive-by and lets you collect information for blacklisting these domains.

There is always more to add. They never stop "Inventing".
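An added example, not part of Russell_Venable's comment or the article: a PowerShell triage listing of the drop locations he describes, of start-menu entries matching the "2012" variant names in the article, and an export of the Winsock catalog taken before any reset so the LSP providers that need reinstalling are on record. The 7-day recency window, the desktop output paths and the name-shape columns are my assumptions; every hit is a lead to review against the RogueKiller and Malwarebytes logs, not a verdict.

```powershell
# Added example, not part of the original post: list recent files in the
# drop locations described above, find start-menu entries carrying the
# "2012" variant names, and save the Winsock catalog before any
# "netsh winsock reset". Read-only apart from two text files on the desktop.
# Assumptions: files changed in the last 7 days are the ones worth looking
# at; the name-shape hints (3-letter extension, ~26-char .exe names) are the
# post's observations, so NameLen is shown for review, not used as a verdict.

$outDir = Join-Path $env:USERPROFILE 'Desktop'
$cutoff = (Get-Date).AddDays(-7)

# Top-level files only: the post describes direct drops, and %appdata% also
# holds many legitimate subfolders that would swamp the listing
$locations = @(
    @{ Path = $env:APPDATA; Filter = '*' },
    @{ Path = $env:TEMP;    Filter = '*' },
    @{ Path = $env:WINDIR;  Filter = '*.dat' },
    @{ Path = $env:WINDIR;  Filter = '*.dll' }
)

function Get-RecentDrops {
    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
        Get-ChildItem -LiteralPath $loc.Path -Filter $loc.Filter -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
            ForEach-Object {
                $isPe = @('.exe', '.dll') -contains $_.Extension.ToLower()
                # Unsigned or tampered PE files in these folders are the first things to look at
                $sig = if ($isPe) { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } else { 'n/a' }
                New-Object PSObject -Property @{
                    File      = $_.FullName
                    NameLen   = $_.BaseName.Length
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Modified  = $_.LastWriteTime
                    Signature = [string]$sig
                }
            }
    }
}

function Get-RogueStartMenuEntries {
    # XP keeps the user's start menu under the profile, Vista/7 under %APPDATA%
    $menus = @("$env:USERPROFILE\Start Menu", "$env:APPDATA\Microsoft\Windows\Start Menu")
    foreach ($menu in $menus) {
        if (-not (Test-Path -LiteralPath $menu)) { continue }
        Get-ChildItem -LiteralPath $menu -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '2012' } |
            Select-Object FullName, LastWriteTime
    }
}

$dropFile = Join-Path $outDir 'recent-drops.txt'
Get-RecentDrops | Sort-Object Modified -Descending |
    Format-Table File, NameLen, SizeKB, Modified, Signature -AutoSize |
    Out-File $dropFile -Width 200
"Recent drop listing saved to $dropFile"

'Start-menu entries matching the 2012 variant names:'
Get-RogueStartMenuEntries | Format-Table -AutoSize

# Record the current LSP chain first: a later "netsh winsock reset" removes
# third-party providers, and this list tells you which software to reinstall
$lspFile = Join-Path $outDir 'lsp.txt'
netsh winsock show catalog | Out-File $lspFile
"Winsock catalog saved to $lspFile"
```

Run it from an account that can read %windir% and keep the two text files with the scanner logs; the lsp.txt export is what you compare against after a Winsock reset to see which legitimate LSP providers (AV or firewall components, for example) were dropped from the chain and need reinstalling.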

Author Comment

by: younghv on 2011-12-30 at 11:22:39 (ID: 34002)

Russell - Thank you for the detailed comments. I am going to put a pointer to them up at the end of the article.

With the level of "Inventing" going on, we (EE) are in serious need of some higher level articles discussing the techniques needed for a full repair. The various automated tools just aren't up to getting the job done.

Thanks,
Vic

Expert Comment

by: Russell_Venable on 2011-12-30 at 12:18:43 (ID: 34004)

Aye, we will continue the other discussion as soon as Tygzy is back.

Expert Comment

by: pony10us on 2011-12-30 at 12:47:35 (ID: 34005)

I think I might have to take early retirement and go ride my Harley. I'm getting too old to keep up with all of this "inventing". After almost 34 years working with computers and still something new every day. :)

Thanks guys for all the hard work with the articles. They really do help.

Author Comment

by: younghv on 2011-12-30 at 13:50:05 (ID: 34006)

"...and go ride my Harley."

'Bout time for a re-make of "Easy Rider" - I'll be Billy.

Expert Comment

by: rrjmin0 on 2012-01-06 at 13:15:03 (ID: 34236)

Kudos to younghv, for dedicating time and effort into investigating and analyzing malicious code. Congratulations on being the Author of the Year!

Author Comment

by: younghv on 2012-01-07 at 04:09:25 (ID: 34258)

rrjmin0 -
Thank you for saying that.

In all honesty, it was more than a little embarrassing. My articles reflect the efforts of a whole bunch of good guys who create the tools that help us fight malware - not my own work. I'm a pretty good mechanic, but they are the engineers.

The articles are popular because malware is ubiquitous and we have so many EE Members looking for help on the topic.

For really technical advice, follow the posts of rpggamergirl and Russell_Venable

Thank you again. I do appreciate the compliment.

Expert Comment

by: Russell_Venable on 2012-01-07 at 08:26:03 (ID: 34268)

You have done pretty well yourself, Youngv! Good motivation along with good intentions go a long way. The contributions you make are invaluable. Never forget this.

Expert Comment

by: rrjmin0 on 2012-01-08 at 16:07:39 (ID: 34315)

Oops, sorry mate, I didn't mean to embarrass you, and I'm well aware of the efforts of Russell Venable and rpggamergirl's excellent contributions.
I've been out of the industry for a couple of years and it's refreshing to come back to well documented information that is relevant to these current issues. I was impressed as it has helped me to get back up to speed in a relatively short time.

Author Comment

by: younghv on 2012-01-08 at 16:14:47 (ID: 34316)

rrjmin0 - Your comments were very flattering - as were Russell's. I guess I just need to enjoy it. As an aside, I just found out that I (or my grandsons) will be getting a new EE T-Shirt...which is always a cool thing.

The whole EE Articles concept has been a great idea. I will sometimes wander through some of the non-malware Zones and it is amazing to see the variety of 'right here, right now' usable advice that is posted.

Thank you for the comments.
