A malware puzzle

I’ve been beating my head against an interesting infection. You’ve probably all had experience with the MyDoom worm, the one that modified the hosts file?

The effect of this one is similar, though through a different mechanism. The infection prevents contact with Microsoft.com or any antivirus or antimalware site that I’ve tried so far. It doesn’t touch the hosts file and removing same doesn’t help. Flushing the DNS cache doesn’t help. Neither does changing DNS servers. Nothing seems to detect or fix the malware.

The point of general interest is that many security applications insist on phoning home before they do anything else. Many of the antivirus downloads are just installers. They will try to download the rest of the application from their home web sites before they do anything else, and if they can’t make contact, they stop dead.

AVG and Avast! are both guilty of this. Malwarebytes’ Anti-Malware can’t update itself, and the “manual” downloaded data update uses a database in a different and incompatible format. You need the program update, not just the data update. MBAM gives a really lousy error message:

732(12007,0)

Hey, how helpful is THAT? And their forum treats this as the user’s fault, fiddling with a couple of useless settings that aren’t going to do anything.

I have access to a separate computer so have worked around this, but tye typical user, who probably does not, is just out of luck.

It’s a good attack, if that word can be applied. Most of the non-pirated antivirus software that isn’t purchased on physical disk, is going to be vulnerable. The software that IS on disk is vulnerable to the extent that it doesn’t include an update late enough to deal with this thing.

The security software can’t update itself, many can’t even install themselves, since all access to the home site is blocked. This needs to be a new consideration when evaluating security software, because it’s a huge vulnerability for most people. Every suite or application that you can get from (e.g.) download.com, but which relies on contacting a blocked server back home to complete the installation is now useless.

I could also use any ideas anyone might have about digging it out. MBAM, SuperAntiSpyware, NOD32, windows Defender. UnHackMe including Partizan rootkit, SpywareDoctor, SpywareHunter, AdAware, Spybot S&D, and reinstalling Windows (XP SP3) have all failed to cure this problem. Firefox and IE are both affected equally.

I can ping and nslookup the sites that are blocked. For www.avg.com I resolve to an address of 77.67.44.203 which is the same IP I get on the working machine. Trying to browse to that address gives me, “Firefox can’t find the server at www.avg.com”.

I can get to a stripped version (no graphics) of the site by adding a hosts record manually.

If anybody’s heard of this or has some ideas I’d like to hear from you. Meanwhile, think about what security software you’ve been recommending to others, and whether it’s vulnerable like this.

hey, thats a rather nasty infection you got there.

usually SAS and Mbam cure any infections on my PC, but lately ive tried MSE, and its been brilliant.

but i fear this would not help as you have to update once downloaded and in your case its not possible.

what is the exact virus detail? when you scan does it pick up on the virus, but cant remove it?

MSE refuses to install, with a numeric error code that (apparently) no-one at MS understands either. i’m going round with them on it currently, but so far the thing it’s looking really weak.

Kaspersky reported a curslib.dll infection, which it did cure, but this is only part of the problem. It also reported a really huge virut infection – hundreds of files including most of the OS, all of which it wanted to delete. It did at least find the infection, where ESET was still saying everything was fine. I tried the Russian entry, DrWeb (because their site wasn’t blocked). It neatly extracted and cured almost all of the virut infections. A few it couldn’t cure and had to quarantine/delete, but I could live with that. It’s not a smooth product, and has some rough edges but it certainly works well.

Virut has the charming quality of staying memory-resident and hiding, so a reboot isn’t sufficient. You need to fully power-off after a cleanup. It also spreads like crazy and will quickly infest a memory stick with innocent-seeming files – you simply know didn’t put them there.

At any rate, I’ve solved those two issues, but still haven’t figured the connectivity issue. I worked around it by putting manual entries in the hosts file, but that doesn’t work very well. On a few sites it lets me download tools like the Kaspersky cleaner – but I still can’t get an update.

Windows Defender sat and watched all of this happen, btw. So did Malwarebytes. (MAMB is firmly in the “gotta reformat, nothing else to do about Virut” camp.) I’m discommending both of them.

Webroot Spysweeper seems to have a much better detector for malware, so I am commending it though I am still uncertain about their antivirus product.

The big surprise to me in all of this, is how completely let-down I feel by Malwarebytes. Add their really annoying new site-block popup, and I have no use for the product at all anymore.

okey dokey, im sure you have tried this but if you reboot into safe mode with networking and then “try” connect, does this work?

have you done the scans in Safe mode, mbam works best in normal mode, but SAS i think has more scanning potential in safe mode.

have you tried autoruns? and delete the infected .dll files from the startup, it helped me a couple times.

I’ve been in and out of safe mode so often they’re trying to give me a medal. Alas, yes, I’ve tried this with MBAM, SAS, Spybot, Eset, AdAware.

They’ve found a few problems and fixed them, but nothing saw or touched the real problems. Autoruns is helpful only if you have some idea of what’s infected, otherwise safe mode pretty much obviates this.

I do have it mostly in hand now, still trying to get rid of the last traces of Virut. I can get to Microsoft and the antivirus sites. I’m still liking DrWeb in spite of a couple of incredibly obnoxious flaws.

You could always try a live CD, http://en.wikipedia.org/wiki/Knoppix

Also, have you tried ClamWin?

@ Dark_Shroud: Is it possible to disinfect Windows files from a booted Linux OS?

I have a couple of flavors of LiveCD, but it’s a bigger problem to find an effective antivirus that runs under Linux too. I hadn’t heard of ClamWin, but my understanding is that I have to agree to have it install an ASK search bar.

@ Dark_Shroud: Is it possible to disinfect Windows files from a booted Linux OS?

From what I’ve been told it is supposed to be possible.

I have a couple of flavors of LiveCD, but it’s a bigger problem to find an effective antivirus that runs under Linux too. I hadn’t heard of ClamWin, but my understanding is that I have to agree to have it install an ASK search bar.

You can install it without the toolbar, I just did a few days ago checking out the new version. Just check the boxes No, there is one for the toolbar and one for your search engine.

But are there Anti-malware applications which are written/compiled for *nix and are able to scan/disinfect Windows executables from a booted *nix OS?

I mean, it would have to be written specifically for this purpose (run on Linux and disinfect Windows files) or to be a hybrid app, rihgt?

Or is it supposed to run under an emulator like Wine?

I am having the exact same problem. Took me hours to find this post. Have you found a fix for it yet?? Just wondering

The free DrWeb CureIt took care of most of the issues, but it is not a program-plus-updates, it’s a wholistic thing. You must download the entire package, very recently in order to “update”.

Second, don’t plan on doing anything else at all with the computer. Be patient, roll with it. It’s inexcusably slow, and not terribly intuitive. WHenever you start it up, or re-start it, it’s going to do what it calls a preliminary scan just to check its environment. Go get a cup of coffee. At Starbucks. Sip it slowly.

By the time you get back, this preliminary scan should be over and you can set it up to start a complete scan. Take your time with setting this up, and think about the choices it offers == because if you realize that one of them was wrong, you need to stop it and start over, you’re going to get another quick preliminary scan.

Only its effectiveness excuses this.

You want to set it to do as much as possible during the scan, simply because it does take so bloody long. You don’t want to have to go over it AGAIN. When you choose what to do in each case, may your guideline not to have to have DrWeb scan again. Delete, move to quarantine &c NOW, not later.

If anything is left in a log to examine later, HANDLE THE ENTIRE LOG NOW. Do not clean up part of it and then rescan to see what you have left, because a rescan will again take hours.

I created a hosts file on another machine, which has entries for the current resolutions of microsoft.com &c., and the major anti-malware sites, which allowed me to reach them and look for answers, but that was mostly for background information, not because their products worked.

So basically, SpySweeper and DR.Web, plus rebooting every time you get a chunk of your disk cleared. Remember this is Virut, and if it gets into memory it will start infecting executables again. Good luck!