When Malware Attacks Malware
PetManimal writes "Researchers say that the Storm Trojan/Peacomm worm has been tweaked to spread via IM programs and attack rival malware. Symantec sounded the alarm, and says that the exploit launches in AOL, Google Talk, and Yahoo Messenger windows that are already open, making it appear to be a legitimate message from a known user. The worm has modified the code from last year's Nuwar worm, and when activated, enables a DDoS attack against any site, including antispam services and servers supporting rival malware: 'Systems hijacked by Peacomm have also conducted DDoS attacks against at least five domains used by the creators of the noted Warezov (or Stration) worm. After a busy September and October, Warezov was credited by some analysts as the genesis of 2006's massive fourth-quarter spike in spam volume.'"
Re:It begins (Score:2, Informative)
The stuff in yogurt is Lactobacillus acidophilus [wikipedia.org].
The stuff you DON'T want in your (upper) GI is Escherichia coli [wikipedia.org].
Re:If they'd just fix each other... (Score:5, Informative)
I recently had to fix a machine that was declared 100% clean by Spybot, HijackThis, Windows Defender, etc. - and still kept throwing up random porn popups*. Turns out it was a Virtumundo variant... the checker (forget the name) recommended by the HijackThis people could see it, but wanted money to remove it - eventually found an app that does it by doing some clever stuff and forces a bluescreen to stop it reinstalling itself (which it does in real time... you *can't* delete it manually). That's now in my machine-fixing arsenal for the next time I see it.
Makes me wonder how many of the 'my machine is clean, therefore it must be Blizzard being hacked' posts on the WoW forums have variants of similar crapware on there... and they've fallen into the trap of believing the scanners despite the overwhelming evidence to the contrary.
* And that was a machine without IE on it and fully patched... the thing apparently got in via a trojanned version of Acrobat Reader.
Re:If they'd just fix each other... (Score:5, Informative)
net stop wuauserv
Start -> Run -> gpedit.msc -> Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Re-prompt for restart with scheduled installations. They hid it well, but it's there.
Windows Registry Editor Version 5.00

; Same two settings as the gpedit policy above, as a .reg file you can import.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"RebootRelaunchTimeoutEnabled"=dword:00000000
"NoAutoRebootWithLoggedOnUsers"=dword:00000001

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set the NoDevMgrUpdate value to 0.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
Set these to "not configured":
* Windows Firewall: Protect all network connections
* Windows Firewall: Do not allow exceptions
* Windows Firewall: Define program exceptions
* Windows Firewall: Allow local program exceptions
* Windows Firewall: Allow remote administration exception
* Windows Firewall: Allow file and printer sharing exception
* Windows Firewall: Allow ICMP exceptions
* Windows Firewall: Allow Remote Desktop exception
* Windows Firewall: Allow UPnP framework exception
* Windows Firewall: Prohibit notifications
* Windows Firewall: Allow logging
* Windows Firewall: Prohibit unicast response to multicast or broadcast requests
* Windows Firewall: Define port exceptions
* Windows Firewall: Allow local port exceptions
http://sourceforge.net/docman/display_doc.php?docid=28367&group_id=105508 [sourceforge.net]
Preparation
Start by installing the latest version of ClamWin, and download the latest virus definitions. See the ClamWin manual for full details on how to do this. Note that, if you are going to create a CD, you will not be able to update the virus definitions without creating a new CD, since a CD is read-only.
Copy Folders
Create a working folder in a convenient location to hold the files that are to be copied onto CD/USB, eg C:\ClamWin-CD.
In the working folder, create a folder named ClamWin.
Copy the contents of the ClamWin program folder into C:\ClamWin-CD\ClamWin. By default, the ClamWin program folder is installed to C:\Program Files\ClamWin.
Create folders named log, db and quara.
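The registry and group-policy changes listed in this comment are easier to apply and, more importantly, to audit from a script than by clicking through gpedit. The following is an added example, not code from the original post: it writes the two WindowsUpdate\AU DWORDs from the .reg fragment above, and lists (or, on request, removes) every value under the WindowsFirewall policy key, since "not configured" in gpedit simply means the value is absent from that key. It assumes an elevated PowerShell session on a Windows build with the HKLM: registry provider; the function names are my own.

```powershell
# Added example (not from the original post): audit and apply the Windows Update
# and Windows Firewall policy settings discussed above. Assumes an elevated
# PowerShell session; the HKLM: provider is present on every supported Windows.
# Run the mutating functions with -WhatIf first; nothing is written until you drop it.

$AuKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$FirewallKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Set-AutoUpdateRebootPolicy {
    # Writes the two DWORDs from the post so a scheduled install does not
    # reboot a machine that someone is logged on to.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path $AuKey)) {
        if ($PSCmdlet.ShouldProcess($AuKey, 'Create policy key')) {
            New-Item -Path $AuKey -Force | Out-Null
        }
    }
    $values = @{
        RebootRelaunchTimeoutEnabled  = 0
        NoAutoRebootWithLoggedOnUsers = 1
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$AuKey\$name", "Set DWORD to $($values[$name])")) {
            Set-ItemProperty -Path $AuKey -Name $name -Value $values[$name] -Type DWord
        }
    }
}

function Get-FirewallPolicyOverrides {
    # Lists every value set under the WindowsFirewall policy key and its
    # profile subkeys (DomainProfile, StandardProfile, ...). Anything listed
    # here is a policy overriding the local firewall setting; an empty result
    # means every policy in the gpedit list is "not configured".
    if (-not (Test-Path $FirewallKey)) { return @() }
    $keys = @(Get-Item $FirewallKey) + @(Get-ChildItem $FirewallKey -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.PSPath -replace '^.*::', ''      # strip the provider prefix
                Name  = if ($name -eq '') { '(default)' } else { $name }
                Value = $key.GetValue($name)
            }
        }
    }
}

function Clear-FirewallPolicyOverrides {
    # Deletes the listed values, returning each policy to "not configured".
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($override in Get-FirewallPolicyOverrides) {
        $target = "$($override.Key)\$($override.Name)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove policy value')) {
            Remove-ItemProperty -Path "Registry::$($override.Key)" -Name $override.Name
        }
    }
}

# Usage: audit first, then apply for real by dropping -WhatIf.
Set-AutoUpdateRebootPolicy -WhatIf
Get-FirewallPolicyOverrides | Format-Table -AutoSize
Clear-FirewallPolicyOverrides -WhatIf
```

The audit function is the part worth keeping around after a cleanup: malware that has to survive on a machine with the XP firewall enabled sometimes adds its own program or port exceptions under these policy keys, where the Control Panel UI will not show them, so an unexpected entry in the list is a lead, not just a housekeeping item.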
Re:If they'd just fix each other... (Score:3, Informative)
What, install by force a package without a realtime scanner 'cause the user can't be bothered, and then think they'll bother doing manual scans? Methinks you've suffered an oversight...
I've taken to suggesting AVG to all of my friends and family. Free, autoupdates, realtime scanner, scheduled daily full scan. Routinely outperforms both Norton and McAfee in lab catch tests. Otherwise, I'm all for your list.
Re:If they'd just fix each other... (Score:3, Informative)
Spybot regularly updates both signatures and detection methods. No, it's not perfect, but I've yet to meet the perfect scanner. I find that a combined dose of Spybot, AdAware, and a good AV program does a very good job of keeping Windows systems clean.
Re:If they'd just fix each other... (Score:3, Informative)
I'll give you this advice for free: rename HijackThis. You'll see your Virtumundo in the O2 and O20 entries. In fact, that's good advice any time you want to see what's on a system. Rename it to a random name; most malware looks for a specific executable name and hides itself.
Also, you can remove Vundo manually without a BSOD; you just have to know a few tricks, and it's not trivial. There are free tools out there that will do this automatically once you know what the load points are.
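The O2 and O20 sections this comment refers to are the HijackThis names for Browser Helper Objects and for the AppInit_DLLs / Winlogon Notify load points. The following is an added example, not code from the original post or from HijackThis: it walks those three registry locations, resolves each entry to the DLL that actually gets loaded, and reports whether the file exists and carries a valid Authenticode signature, which is the quickest way to separate a vendor component from a Vundo DLL with a random name. It assumes an elevated PowerShell session; the function names are my own.

```powershell
# Added example (not from the original post): enumerate the load points that
# HijackThis reports as O2 (Browser Helper Objects) and O20 (AppInit_DLLs and
# Winlogon Notify), resolve each to a DLL path, and note whether the file
# exists and carries a valid Authenticode signature. Assumes an elevated
# PowerShell session with the HKLM: registry provider.

function Resolve-ClsidDll {
    # Maps a COM CLSID to the DLL registered as its in-process server.
    param([string]$Clsid)
    $path = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path $path) { (Get-ItemProperty $path).'(default)' }
}

function New-LoadPoint {
    # Builds one report row; bare file names are resolved against System32,
    # which is where the loader finds AppInit and Notify DLLs given without a path.
    param([string]$Kind, [string]$Source, [string]$Dll)
    $expanded = if ($Dll) { [Environment]::ExpandEnvironmentVariables($Dll.Trim()) } else { '' }
    if ($expanded -and -not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path $env:SystemRoot "System32\$expanded"
    }
    $exists = [bool]($expanded -and (Test-Path -LiteralPath $expanded))
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $expanded).Status } else { 'n/a' }
    [pscustomobject]@{ Kind = $Kind; Source = $Source; Dll = $expanded; Exists = $exists; Signature = $sig }
}

function Get-HijackThisLoadPoints {
    # O2: every BHO CLSID registered for Internet Explorer.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($bho in Get-ChildItem $bhoKey) {
            New-LoadPoint -Kind 'O2' -Source $bho.PSChildName -Dll (Resolve-ClsidDll $bho.PSChildName)
        }
    }
    # O20: AppInit_DLLs is a space- or comma-separated list loaded into every
    # process that links user32.dll.
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
            New-LoadPoint -Kind 'O20' -Source 'AppInit_DLLs' -Dll $dll
        }
    }
    # O20: Winlogon Notify packages, loaded by winlogon.exe before anyone logs on.
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notifyKey) {
        foreach ($pkg in Get-ChildItem $notifyKey) {
            $dllName = (Get-ItemProperty $pkg.PSPath).DLLName
            New-LoadPoint -Kind 'O20' -Source "Notify\$($pkg.PSChildName)" -Dll $dllName
        }
    }
}

# Usage: unsigned or missing DLLs are the ones to look at first.
Get-HijackThisLoadPoints | Sort-Object Signature | Format-Table -AutoSize
```

Two caveats when reading the output: on 64-bit Windows the 32-bit BHO and AppInit keys live under the WOW6432Node branch as well, so add those paths if you are hunting a 32-bit IE component; and the Winlogon Notify key is an XP-era load point that later Windows versions no longer honour, so its absence there is normal rather than a sign the machine is clean.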