New Malware Simulates Hard Drive Failure

An anonymous reader writes "A nasty strain of malware goes beyond mere sensational alerts, it makes it seem the user's hard drive is failing. It moves files from All Users and the current Windows user's profile into a temporary location, making it appear as though problems with the hard drive are causing files to disappear. It also disables a user's ability to change wallpaper images and sets registry keys to hide certain icons — giving the impression that programs are going missing as well. Of course, it's all done in an attempt to get people to buy the software that will fix it."

Hey buddy!

[MrEricSir]

Nice computer you got there. Would be a shame if anything were to happen to it. My buddy Vinny here, he sells "protection" against these kinds of problems. You pay every week, and there ain't gonna be no problems, capiche?

Re:

[R3d M3rcury]

This reminds me of a funny trick to play on somebody from back in my mainframe days...

Create a directory with the same name as the home directory inside the user's home directory. Set a login script to place the user into that directory.

So they try to get to their files and there's nothing there. Everything looks normal. Usually, someone with half-a-clue can figure it out pretty quickly, but it does provide that brief moment of terror that gets the blood pumping in the morning.

Re:

[Anonymous Coward]

that reminds me of a trick I used to play back in my mainframe days too. I'd just delete everything a user had in their directory. Man you should have seen the look on their faces. I'll never forget the feeling over power I experienced either....

Re:

[geminidomino]

Here, you dropped this:

<clickety-click>

You Bastard.

Re:

[MstrFool]

There was a prank going around the Gateway 2000 tech centers that I found quite amusing. Do a screen-shot of the desk top, set it as the background, then move the icons to a folder. I found it really showed the clued from the clueless. Quite a few techs called for some one to fix their system. And no, i wasn't the one doing it, though I was the one to fix it many times.

Re:

[dragonturtle69]

Did that once, and once only. The butt of the joke hard booted thinking that his PC was non-responsive, fraking up his HKLU (silly registry, why?). "Last Known Working" was my friend that day....

Re:

[snemarch]

HKLU - the unholy bastard child of local machine and current user; making-of flesh movie coming to a theater near YOU!

Re:

[Oligonicella]

I never understood nor looked on with anything other than raw hate, fucking around with another person's work or personal machine. You're deciding for your personal, shallow jollies that someone else's property and time have no value other than to amuse you. Do that to mine and there will be definite and unavoidable physical violence. I will even get fired to do it.

Re:

[Aeternitas827]

Did this on HS with an admin account I found perusing the Active Directory. Except, instead of moving the icons, I used a VBScript-created error box that looked real bad, and wouldn't go away when clicked on (it was there in the screencap).

The freshmen and teachers panicked for a few minutes, and a day or two later, that admin account was gone. But not the other two, named Test2 and Test3.

Re:

[SheeEttin]

Yeah, that one's timeless. There's also a variant in which you set the desktop to a broken-LCD image (i.e. corruption, garbage) and hide the icons and taskbar.
Of course, the fact that the cursor still works would be a giveaway. (Unless you change that too--but that's a bit too much.)

Re:

[Isaac Remuant]

Be careful with this if you are not 100 % sure you'll be around to uncover the prank if it gets out of hand.

I played this once on a half computer tech, half sound tech and things went pretty bad. I hid and locked the taskbar and all the icons (on XP) and stored them in some other folder for easy recovery. But I didn't go to work the following day due to personal reasons. It turns out, this guy and an engineer went nuts over the problem and ended up going back to a recovery point.

I neglected to tell him t

Re:

[tlhIngan]

The best way to do this prank is to not move ALL the icons away. Leave a few of them there so they work. It'll puzzle the hell out of them as they can't seem to figure out why some icons work (consistently, too) but others just refuse.

You'll also find out who notices that the icons highlights.

Re:

[Fjandr]

I had a friend who wrote a small BASIC script that simulated a FORMAT prompt, which would proceed regardless of what the user selected. It then returned a prompt with an empty disk, complete with a bunch of basic, apparently functional commands.

That was amusing when it was run on a couple of the lab computers.

Re:Hey buddy!

[ozmanjusri]

what do you mean "Windows"?

"Windows" is a computer operating system used by many people, most often without the owner's permission.

Re:

[Aeternitas827]

God bless sudo.

Re:

[arth1]

Yes, cause it seriously needs it.

Using sudo to do the job of chmod, chown and setfacl is like using "kill -9" as your standard way of stopping processes, or like changing the DPI to get larger text. It gets the job done, much the same way as using a sledgehammer to swat flies; you risk doing a lot of damage and there are better suited tools available.

Re:

[Aeternitas827]

You're right, those are all examples of overkill.

However, it is about the only way to get the woman in your life--mom or significant other--to make you a goddam sandwich.

Re:

[superdave80]

But he's not racist, since Italian is not a race. So he CAN define the semantics of his demonization. See, it all works out!

Re:Hey buddy!

[PCM2]

Actually I think the word you both are looking for is "straw man."

Re:

[geminidomino]

Well he did say (or rather, misspelled) "capisce," which is an Italian word...

The Game of Catchup

[MightyMartian]

Had this one get on one the computers I administer. Managed to poison the profile and for a brief while I thought the files had been deleted. Of course, I got the inevitable "isn't your AV and anti-malware software up to date", to which I responded "As much as can be, the user is relied upon not to be a simpering moron who clicks on every possible link."

Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

Re:

[Moryath]

This is also why end-users shouldn't have install rights. Period.

Re:

[The Dawn Of Time]

"it's like a computer, only useless."

Re:

[Moryath]

Nothing, really.

Especially in the days when a simple Remote Help session to take screen control and approve/deny the program is all that's needed.

If you're going to have end-users running with install rights, you're going to have orders of magnitude more infections. Partly because they are going to reflexively "click yes" on every single thing they see, partly because you're going to have a defined population of users who are the kind of morons who install every "ooh look it's free" widget from Bonzi Buddy

Re:

[MightyMartian]

As I said, the user could not install the malware on the system, but they had execution rights to their own folders, so it poisoned their profile. I was going to implement a GPO-based SEP, only to find out it's trivial to bypass.

Re:

[19thNervousBreakdown]

Anything I want to use less than two weeks from now.

Re:

[h4rr4r]

My IT dept is happy to do such a thing. You just have to sign a little form that lets you know under that setup no troubleshooting nor assistance can be given and the only support in case of issues is to reimage the machine. In reality support is given, but not to the degree a regular user gets and if you lose data TFB.

Re:The Game of Catchup

[mrnobo1024]

That's all well and good in a corporate environment, but do you really expect every home user to have his own personal IT department?

Re:The Game of Catchup

[Bacon Bits]

My relatives certainly seem to think they do.

Re:

[Ihmhi]

Here's what works for me. "If I were a plumber, I sure as hell wouldn't unplug your toilet for free. That's my livelihood, and the only person who gets a blank check in my business is my mom."

Re:

[Moryath]

No, but why should they be running as superuser just to open their email client?

Re:

[snemarch]

No, but why should they be running as superuser just to open their email client?

Beats me, that's why I have them run Vista (SP1 or later) or Win7.

The people who are going to ignore warnings and click yes on the UAC prompts wouldn't be any safer off on other operating systems, they'd happily type in their user credentials and get their fresh copy of Mac Defender or whatever.

Re:The Game of Catchup

[gad_zuki!]

>Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

Really? Care to point to some statistics showing me big holes in IE9 that are actively used by malware?

Not much out there. Oh, there's no shortage of Java, Flash, and Adobe Reader holes, and according to stats lifted from crimepacks those are the ones used.

I just looked at that stats on my website. 90% of those users have Java installed. How many of those are the latest version? Maybe 50% Most of the flash installs are not the latest version. Who knows what version of Reader they have.

Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash. Joe User has no idea what he's doing with a computer. Blaming MS isn't really helping him.

Re:

[whoever57]

Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash

I do blame MS. Not for vulnerabilities in Flash, Java and other plugins, but for not providing an API that would allow third party programs to plug into Windows update to automatically download (which could be from the vendor's site) and install the update.

How many different updaters does a system need? Then, there are updaters that simply don't work unless you are logged in with admin

Re:

[snemarch]

If Microsoft opened up Windows Update for 3rd-party applications, how many do you reckon would actually use it?

Yup, it would be sweet to have one central updating facility, and it's one of the few *u*x things I miss in Windows; I just don't see it ever going to work in the Windows ecosystem (an Appstore for phone/tablet might, but that wouldn't cover desktops and legacy software).

Re:

[snemarch]

They aren't full-auto, though, and check for updates relatively seldom. And when Joe User sees a "please shutdown your browser to install update" right in the middle of his browsing session, he's going to click "nah, postpone" and forget all about it. Until next time the prompt pops up... in the middle of his browsing session. The Flash updater is notoriously lame, not offering a "retry" button.

Re:The Game of Catchup

[MobileTatsu-NJG]

This is why the only solution is a GNU/Linux solution..

I'd love to see your MRI scan while you tell people this.

Re:

[PsychoSlashDot]

This is why the only solution is a GNU/Linux solution. You tell people two simple things. Click the update button when the updates happen and don't download ANYTHING. If you want a program click the Ubuntu Software center and search for it. Everything else is going to potentially infect you.

That's cute, but if users were inclined to obey exactly those instructions, Windows would be fine.

Re:The Game of Catchup

[Attila Dimedici]

Except that Windows does not have anything like the Ubuntu Software center, or whatever the repository is called in other distributions.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Attila Dimedici]

That is certainly a possibility. However, the repository model does certainly provide for much greater security, especially when it contains such a large range of free software as most current Linux distributions. Considering that the Apple IOS app store model is the same sort of distribution model it seems likely that it scales.

Re:

[Attila Dimedici]

If you think that is the same, you have not worked with Linux.

Re:

[Attila Dimedici]

No, MS Update is nothing like the Ubuntu Software center (or the software repositories on other distros). You cannot get software from Windows Update.
You apparently misunderstand my point. I am not saying that Ubuntu (or Linux in any form) is the end all and be all. My point is that the original poster had a point. The Linux model of software repositories of safe, free software for just about every conceivable purpose means that if I want software to do something that isn't important enough to spend money

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[inflex]

Agreed. Even if the ABI over time supports less and less of the available functionality at least it's -something- that's stable. The fact that linux does have as many drivers as it does is testament to the persistence of the masochists out there. I appreciate what Linus is trying to avoid but at the same time we're getting to the point where the kernel needs to offer an olive branch to people who have more to do in their lives than just update their driver code every time the kernel twists and turns.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:The Game of Catchup

[h4rr4r]

Which drivers?
Name some specifics you troll.

Also 1 in 14 downloads on windows is malware, that is sure going to be breaking machines more than every 6 months.

Windows will be usable when it has lsof, can replace in use files, and in general starts acting like a multi-user OS.

Re:The Game of Catchup

[jimicus]

The problem you describe isn't exclusive to the Linux kernel by any means. I have seen more-or-less the same sequence appear in all sorts of places - OpenLDAP's done it with multimaster replication (and still is doing it with server-side sorts), FreeBSD has done it with journalled filesystems, The Gimp is doing it with CMYK support and I don't doubt there are other pieces of software doing the same thing.

The sequence of events generally goes something like this:

1. A specific F/OSS product is missing a particular feature. It may or may not be particularly important, but it's missing for whatever reason.
2. That feature starts to appear in other software. Maybe commercial software, maybe other free software. In any case, it starts to appear. The person(s) behind the product being discussed don't think it's particularly important and make the conscious decision to ignore it.
3. It becomes apparent that the feature in question is actually quite useful. But it still doesn't get implemented because that would mean the person who made the original decision not to would have to admit they were wrong - something that many people find very difficult. Anyone questioning this is told "submit a patch" - but it's far more likely they'll just use something else, something that does meet their needs.
4. It becomes apparent that the feature in question is not useful, it's essential. Still it doesn't get implemented - if anything, the person who decided not to implement it will become ever more vocal in their criticism of the feature. I have actually seen people put together stonking great essays on how the feature is unnecessary - maybe even harmful - to back up this view. It's far too late, of course - by this time it's crystal clear to any impartial observer that the original decision was poor, and anyone still defending it is deluded.
5. A patch to implement the feature is accepted and the feature is announced with much fanfare at the next major release. No mention of the previous view is made.

(WTF slashdot? No ordered lists?)

Re:

[CrankyFool]

Actually, you've got some good ideas, but once they're implemented, you no longer need GNU/Linux.

My life's been far better since I rebuilt my parents' computer with Windows 7 and then made it so they were not admins/power users, so they couldn't install anything.

Re:

[jimicus]

Windows actually has most of the features necessary to make it a lot more secure. The problem is that very few people use them (hell, many people don't even know they exist) because of the inconvenience such features would incur. To make life easier, Microsoft even released a tool for XP and Vista called SteadyState.

Windows 7 has most of the same features baked in but I reckon it's a step back because SteadyState provided a nice, unified, idiotproof GUI for setting the system up in this fashion that didn'

Re:

[RobbieThe1st]

Except that it won't: The user'd have to:
1. Click on the fake link.
2. Accept the file download(FF at least asks you to save or cancel with any download)
3. Right-click the saved file, click properties, and check the 'make excecutable' button.
4. Double click on the application, and then enter your password.

I think that'd take some doing to convince the user to do all that, especially when the user's used to clicking on the Main Menu -> System -> Update or w/e.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[RobbieThe1st]

Ah, but there's a few problems with that:
1. No universal package. So, you can guess deb and be right for that 50 percent(at best) of the Linux using population, but still... You've halved the number of potentially infectable systems.
2. Some distributions don't have such a GUI method; Debian for example. Which limits your malware's influence even further.
3. Gdebi, at least, comes up with a big red warning if you try to install an unverified package, which should provide /some/ security.

4. Any multi-user syst

Re:

[RobbieThe1st]

I might add to this that in the case of lusers who can't and won't learn, we have the solution also: A Chromebook. Impossible to screw up, and it runs Linux also.

Re:

[LurkerXXX]

Bah, I'm at a major research hospital. The inept IT department has us all on IE6.

Re:

[snemarch]

People are quick to slam IE, but in fact most malware goes in through Flash, Java or Acrobat Reader. Internet Explorer certainly isn't perfect, but security-wise it's come a long way; IE8 or IE9 combined with Vista/Win7 on proper UAC'ed accounts is actually pretty decent these days, and the sandboxing helps a fair amount against exploits for the aforementioned three pieces of crapware.

That said, I run FireFox even though it's technically less secure - I prefer the higher HTML standards compliance and addons

False alert

[lucm]

A little while ago I was sure I had this malware on my computer. However the actual problem was worse: I had a Seagate hard drive.

There is an upside with Seagate products: they taught me the importance of using RAID and/or backups.

Re:False alert

[LurkerXXX]

AND BACKUPS! *AND BACKUPS*!!!

RAID is *NOT* a substitution for backups. Delete a file on the RAID and it's gone. Someone takes the machine, and it's gone.

Backup your computer to offline media, and make sure to keep a (hopefully encrypted) copy of it at some remote location (like a family members house, work, wherever)

RAID IS NOT A SUBSTITUTION FOR BACKUPS!

Re:

[adolf]

Seconded, and furthered:

RAID would do nothing to protect against the thing described in TFA.

RAID only protects against hardware failure, and even then only if the failure is actually detected instead of just silently munging data.

This is not to say that RAID is not useful: It can be a performance boost in some applications. It can provide a clever way to combine many smaller disks into one larger volume, which can also be useful in some instances. To be sure, some of the things RAID does do can be very c

Re:

[WuphonsReach]

Do you check that all your files are there before taking a backup? Probably not. Even if you have a very complex strategy of nested backup with grandfather and his whole family, odds are that once you notice that the said file is gone, it is also gone on your backup.

rdiff-backup

The backup directory has a pristine copy of the current data, with the outdated content stored as incrementals going back as far as you want. (We do 13 months.)

Any sort of delta/snapshot style backup strategy handles this jus

Re:

[lucm]

> The backup directory has a pristine copy of the current data, with the outdated content stored as incrementals going back as far as you want. (We do 13 months.)

Which is awesome. Having 13 months of deltas that are absolute garbage if you lose the backup directory means that every time you run your backup you play russian roulette with your deltas (and with 12.96 months of backup history). You might feel like you have a bullet-proof system but actually my aunt who runs NTBackup every once in a while is

When web apps...

[3vi1]

When web apps pop up a realistic looking XP or Win7 windows claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

Re:

[rtaylor]

True, but there is nothing here that couldn't be done just as easily on OSX and Linux.

Remove users files in standard Gnome/KDE places and futz with the .bashrc or .profile file to make the login wonky.

Re:

[3vi1]

>> True, but there is nothing here that couldn't be done just as easily on OSX and Linux.

And tell us how you would do that? How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

People that were conditioned to Windows might fall for it, but people that 'learned' Linux would know it's BS.

How would you convince someone to give you the admin ID when they didn't launch an installer or app that needs a

Re:

[Pentium100]

How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

There are a lot of people who are used to Windows, so if they switch, especially after hearing that Linux has no viruses/malware they might feel safe clicking on anything.
Also, in my experience not all programs and drivers are in the default repositories, for example, drivers for Canon multifunction devices (the scanner part) are available as a .deb file from canon web site, but not on any Debian Linux repository. Which means that I (or someone else) actually have to sometimes download and run a file to ins

Re:

[miknix]

Next step.. Modify the malware to prompt the user to install Linux?

Re:

[somersault]

Good reason to change the default theme in Windows too.

Re:

[adolf]

While I believe your advice is well-intentioned, it's really no good.

This only works if the malware isn't using existing Windows widgets for its displays.

If I were I Windows programmer (I'm not) and I were writing malware (good heavens!), I'd use the native toolkit for all of my dealings...just like most other software does. It's easier, that way.

And then: Changing themes, for properly-implemented malware, would also change the look of that ill program to match.

Re:

[adolf]

If that's "most" of them, as you say, then I've never had to cure "most" infections because they never happened to begin with.

TFA is about a program, running on the local computer, which proclaims quite persuasively to be part of Windows. Changing themes will do fuck-all to help folks see the difference.

Re:

[amliebsch]

Most infections START that way. Pop up a browser window with fake widgets and a virus scanner, animate the scrollbar and scare the user with a fake virus alert. The user doesn't realize this is just a browser window and everything in it is faked. Then the scared user clicks the "Clean now" button, voluntarily runs the software, and it's game over. NOW the software can do whatever it wants.

Re:

[Archangel Michael]

Why is this even allowed (widget impersonation) is beyond me. The reason being, clicking the big X in the upper right should do one thing only, close a window, not install Super Deluxe Antivirus 2011, Doomsday Edition.

And wasn't anti-popup technology supposed to fix this?

Re:

[WuphonsReach]

Why is this even allowed (widget impersonation) is beyond me. The reason being, clicking the big X in the upper right should do one thing only, close a window, not install Super Deluxe Antivirus 2011, Doomsday Edition.

And wasn't anti-popup technology supposed to fix this?

a) Web browsers serve text and images. They do not (yet) monitor what the content of those images look like. It's very easy to create a web page that looks a lot like an operating system warning, you just have to keep it within the b

Re:

[pz]

When web apps pop up a realistic looking XP or Win7 windows claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

Good reason to not have the default color scheme on your windows box. Makes it easy to spot the fake popups.

Re:

[vlueboy]

Thanks for the Java reminder --I got a this new PC the other day and had meant to ensure the OEM had NOT bundled it. I had a recent Java-initiated spyware on the Vista laptop earlier in the week.

I'd forgotten to dump the Java runtime since I used to play with the SDK. Because enterprise Java has grown ever complex and acronym-ridden, I simply stopped minding it about 2 years ago and forgot to remove its inconvenient attack vector even though I've been hit through it more than once.

On the color schemes, I us

Re:

[SheeEttin]

Or, seeing the XP-styled attempts on Windows 7... that's nice too.

Re:

[Black Parrot]

Actually, the summary reads like an April Fool's joke about Windows95.

I saw this today

[CmdrPorno]

It certainly takes it a step further than "your system is infected." Ironically, the system actually does appear to have a bad hard drive (bad blocks marked by CHKDSK). Customer had paid someone else to replace the hard disk a little over a month ago and showed me the receipt, but the hard disk in the machine was the same capacity as the OEM disk and had a date code indicating that it was likely not a new drive, but the one that was factory installed.

They're just going to replace the machine since the "in

Ah

[jav1231]

Windows...move along.

Ugh

[ModernGeek]

I'm so confused. Why do the antivirus / anti-malware packages out there not detect and delete these stupid things?

I know that the stupid XP Antivirus even sets a key in the registry that marks .EXE files as "safe file"

I assume that means that IE will then open and execute any .EXE that heads it's way.

It seems that removing these infections involves the tedious process of booting the hard drive from another machine, and manually picking it all clean.

Only then, does the registry have to be picked thr

Re:

[NJRoadfan]

Malwarebytes has been picking up the changed registry keys on recent definitions updates. The major AV packages from Symantec and McAfee aren't effective against any of the most common malware attacks. Its quite sad to read their support forums where people conplain they paid big $$$ for an endpoint protection client site license from the big vendors and the malware still goes undetected. One GOOD thing is 64-bit versions of Windows are immune from most of the nasty stuff for the time being (32-bit dlls can

Re:

[WuphonsReach]

I'm so confused. Why do the antivirus / anti-malware packages out there not detect and delete these stupid things?

Because anti-virus and anti-malware tools are reactive.

There will always be a lead time between when the malware hits the wild and when anti-virus and anti-malware vendors update their signature databases. That time period can range from hours to months.

(Yet another reason to browse in a way that only whitelisted sites are allowed to do fancy things. It may be a PITA, but it drives down

Legal action?

[morikahnx]

If the company in question is linked to the trojan, can we take legal action taken against them? It looks like an open and shut case.

Ridiculously stupid

[Arancaytar]

There was a virus a while back that used an extortion scheme that was similar: Encrypt the data, wipe the original, then outright sell the key. That one's kind of scary. A simple disinfection wouldn't undo the damage, and since it wouldn't depend on permanent infection it might affect any platform. This one is less upfront about it, but won't fool anyone who has any clue about computers or hard drives.

On the other hand, maybe a lot of users are too clueless to be affected. "Help, there are all these error m

Administrative Access?

[theamarand]

Operating systems are still running user applications as an administrative user? I sign into my systems as a regular user, and I execute applications as a regular user. Administrative privileges should be for approved installation and removal of applications. On the other hand, It's silly to think that in this day and age, malicious behavior isn't automatically detected by the operating system and squashed - and I don't mean by an anti-virus or anti-malware application that one needs to purchase. Operating

How the fuck!

[FlyingGuy]

How can this still be happening!

I run FF 4.x on a OpenSuse 11.x box and on a windows XP box. I have actually experimented, both FF installs are default. On the Linux box the same stupid screen comes up, "scanning your hard drive you have 99 million viruses clock OK to get rid of them.".

FF on the Linux box you click ok and FF prompts you that such and such a site wants to do some shit with some executable file, tell it no, close the tab and you are ok.

FF on the XP box you click ok and you are off to the r

Re:

[WuphonsReach]

Can someone explain why the ability for for Drive By's can happen AT ALL an how come the code that allows this sort of shit to happen has not been ripped out with extreme prejudice after the very first occurrence of this behavior?

Because you're letting random websites run code (Javascript, Flash, PDF, Java) on your computer. And even though that code is sandboxed (by Flash or Java or JavaScript or Adobe PDF Reader) there are flaws in those sandboxes that allow for arbitrary execution of code. Which the

What a scam!

[CrazyJim1]

If your hardrive is failing, software won't fix it. This could be as funny as creating a virus to say your computer's flux capacitor is overheating and you'll need to buy a replacement through exmechanicgoneonlinescammer.com

Re:

[MightyMartian]

Well, in my case, the most it could do is fuck with the files that the user had permissions to fuck with. The system itself, other than the profile, was fine. I was thinking about putting in some software execution policies, only to find out that they're pretty well useless.

Re:Sounds Like System/Windows Recovery

[adolf]

I just cleaned this off of a computer two days ago.

It set some registry entries values meant for maximum fuckery, marked every file on the disk that it could access as being hidden (thus even "dir" from a command line would result in "File not found,") and nuked the contents of the start menu, and did some other mean stuff.

Malwarebytes removed it but left the registry broken (which is arguably correct behavior). I changed the registry entries by hand, and I restored the start menu from an earlier copy.

After that, things were happy...except for a lingering, and possibly unrelated, issue with links from Google being redirected to spam. This turned out to be an infected Windows DLL, which "sfc /scannow" couldn't/didn't bother to fix. I was just about to give up on the machine for a happy time of nuke/reinstall, and another half-dozen hours of putting the machine back how it was... but then I tried combofix and the redirect problem went away, too.

All said: While I am a little richer having fixed these problems, money is poor compensation for this sort of pain.

I welcome the day when an affordable online service* can do incremental backups that can be used for a simple, bare-metal restore. Bandwidth isn't the issue anymore, and spinning storage is cheap; where is it?

*: Yes, online. If it's offline, that means that folks will have to think about it on a regular basis, and it won't be done.

Re:

[amliebsch]

If this is Win7, it doesn't have to be online. Just attach an external USB disk and tell it to back up there. It will automatically do an image+incrementals, auto-delete the oldest images when the disk is getting full, and can be bare-metal restored booting from the Windows DVD. It's actually pretty sweet.

Also: if the registry is hosed, system restore should be able to help you out.

Re:

[adolf]

If the malware takes control of the PC (which it does, in the context of the FA), then having a single, locally-attached backup disk isn't necessarily a good answer: It can destroy/disrupt the backup just as easily as it can anything else on that PC.

A well-thought-out rotation of backup media would help, but that's no good because it involves humans who simply won't do it.

This wouldn't be a problem, so much, with good online storage: Even Dropbox does a good job of keeping old copies of your data intact f

Re:

[Mashiki]

That one, and the new TSS variants floating around are...painful. Nuking the machine from orbit and restoring from a clean backup is almost easier than removing them. The last machine I cleaned from one of the new TSS variants took nearly 5 hours. The infection point was some bloody facebook page.

The stupid it burns sometimes.

Re:

[pspahn]

Oblig. Friendface [youtube.com]

Re:

[kvvbassboy]

It's been a long time since there was malware in my computer. How exactly do these things get inside, in the first place?

Once they get installed into a computer, do they spread throughout the local network?

Re:

[somersault]

In our world, that word doesn't mean what you think it means. You should say "malware" and not "bugs". Bugs are mistakes in the design or creation or a computer program.

Malware can finds its way into your system via bugs, but viruses and other types of malware are not bugs.

Re:

[Mashiki]

Well normal windows behavior means that under a LUA, you can't do squat. I mean, you are using LUA's right? So, how often do you see hive collapses? I can count them on one hand, over the last 10 years. However malware behaving like this has been off-on again for the last 5ish years.

Re:My end users say it was coming from MSNBC.com

[Mashiki]

And sites complain when people block ads. This is of course why anyone with a brain blocks ads.

Re:

[Archangel Michael]

If Malware is coming from Ads on websites, the someone ought to so the websites for the infections they are causing. Maybe if we hold the intermediaries accountable for the crap people are seeing while visiting their sites then we can slow it down.

Re:

[FlyingGuy]

Wouldn't a simpler way be, every time IT touches a machine is to get a backup of the registry ( a clean one ) or better yet simply have a default registry on hand. Pop the install CD, go into repair mode and restore the registry to your company defaults.

Another way would be to perhaps take the infected registry and then compare it to the infected registry and you will find every trace of the damn thing, yes?

Re:

[Aeternitas827]

I think the point that's being made is that people need to be a little more educated on shit like this (or, alternately, that people aren't paying attention to or are too dumb to comprehend the reliable information out there).

I think most of us understand that this is meant to prey on those who are a little less wise with their systems. Any good scam targets the idiots, because a successful scam generally depends on the target not seeing that 1 and 1 aren't making 2 any longer.