Posted by Klaatu01 on November 28, 2007, 9:32 am
I pulled a laptop in with what appears to be the "Polynomial.Code"
exploit identified by Prevx and found the system was infected on
November 14th or 15th, and a couple of the things I did to remediate
this "issue" were:
Moving multiple "suspect" .EXE files from the following directory:
C:\Documents and Settings\%username%\Local Settings\Temp
camg-77798.exe
218253.exe - Created 11/15 @ 7:20 PM
260584.exe - Created 11/15 @ 7:13 PM
171977.exe - Created 11/15 @ 6:47 PM
laofpmpo.exe
fxatuuqs.exe
ngihrzmh.exe
to a quarantine location, then attempted to rename the files to ".OLD" and
also mark all file Properties as "Deny"; this was in order to show the
client what actions were accomplished.
The other seemingly obvious signs this system had been compromised
were "C:\Program Files" subdirectories of:
\Lhutrpyu
\Toirtrwg
\Wnmdungf
The following additional directories appeared to have contamination as
well:
C:\Program Files\Microsoft.NET - by "qukebil77798.exe"
C:\WINDOWS - by "mrofina27.exe $"
C:\WINDOWS\system32 - by "kernelwind32.exe"
C:\WINDOWS\system32 - by "newmaxxsv234.exe"
C:\WINDOWS\Temp - by "startdev.exe" - http://www.startdev.com/index.htm
Finally I booted the system using Winternals' ERD Commander 2005 and
removed known (or obvious)
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN entries including:
qukebil
qukebil77798.exe
ctfmona
ctfomona.exe
mrofina27
mrofina27.exe
However, the system remains contaminated and when I attempted to use
the "System Restore" utility from the local "Administrator" account, I
got:
"System Restore points will not protect your computer. Please reboot
your computer and try using System Restore again."
I could almost hear someone saying, "Mmwuhaaahaaahaaa" creepily in the
background when this popped up.
A poorly worded (suspect) pop-up that seems to indicate removing this
malware or virus from the system will be more complicated than is worth
the effort. I have placed this job on stand-by until I get
confirmation from the client no files are needed from the system.
I remain of the opinion that a NEXT GENERATION system integrity
checker and built-in 'Registry Defender' would be SO VERY HELPFUL in
preventing unauthorized programs from making entries in msconfig's
"Startup" group and things such as that! Beyond using a "firewall" to
prevent unwanted programs from getting into the system, there should
be a fully integrated (and easily demonstrated) method preventing ANY
executable (.EXE) file from being copied from removable media or
downloaded through Internet Explorer.
If we can put a man on the moon, we should be able to (at least) block
most types of system hijacking methods! It is not rocket science
people!
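The manual steps in the post (list the Run key autostart entries, find recently created .exe files in the user's Temp folder, move them to a quarantine folder, rename them to ".OLD" and put a Deny ACL on them) can be turned into a repeatable, report-first script. The PowerShell below is an added example and is not code from the original post or from Prevx or Winternals; it assumes a modern PowerShell (3.0 or later, and 4.0 for Get-FileHash), a quarantine folder of C:\Quarantine, and a filename heuristic derived only from the names listed in the post (eight random lowercase letters, an all-digit name, or a "camg-" prefix). By default it only reports; nothing is moved unless -Quarantine is given.

```powershell
# Added example (not from the original post). Inventory autostart entries and
# suspect Temp .exe files, and optionally quarantine them the way the post
# describes: move, rename to .OLD, deny access. Report-only unless -Quarantine.
param(
    [string]$QuarantineDir = 'C:\Quarantine',   # assumed location
    [int]$LookbackDays = 30,                     # assumed window
    [switch]$Quarantine
)

# 1. Autostart entries the client should review (both per-machine and per-user Run keys).
function Get-RunEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* provider properties that Get-ItemProperty adds.
            if ($p.Name -match '^PS') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Recently created .exe files in the user's Temp folder, flagged when the
#    name matches the patterns seen in the post (heuristic, not a signature).
function Get-SuspectTempExe {
    param([int]$Days)
    $since   = (Get-Date).AddDays(-$Days)
    $pattern = '^(?:[a-z]{8}|\d+|camg-\d+)\.exe$'
    Get-ChildItem -Path $env:TEMP -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $since } |
        ForEach-Object {
            [pscustomobject]@{
                Path        = $_.FullName
                Created     = $_.CreationTime
                NameMatches = ($_.Name -match $pattern)
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 3. Quarantine: move, append .OLD so it is no longer an executable name,
#    then deny Everyone full control so it cannot be run by accident.
function Move-ToQuarantine {
    param([string]$Path, [string]$Dir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $dest = Join-Path $Dir ((Split-Path $Path -Leaf) + '.OLD')
    Move-Item -Path $Path -Destination $dest
    $acl  = Get-Acl -Path $dest
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'FullControl', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dest -AclObject $acl
    return $dest
}

Write-Host '== Run key entries =='
Get-RunEntry | Format-Table -AutoSize

Write-Host "== .exe files in $env:TEMP created in the last $LookbackDays days =="
$suspects = Get-SuspectTempExe -Days $LookbackDays
$suspects | Format-Table -AutoSize

if ($Quarantine) {
    foreach ($s in $suspects | Where-Object { $_.NameMatches }) {
        $moved = Move-ToQuarantine -Path $s.Path -Dir $QuarantineDir
        Write-Host "Quarantined $($s.Path) -> $moved (SHA256 $($s.Sha256))"
    }
}
```

Run it first without -Quarantine to get the inventory and hashes (the hashes are what you would later look up against a vendor's detection name such as the one Prevx assigned), review the Run key list against what the client recognises, and only then re-run with -Quarantine. Like the post's manual steps, this is containment rather than cleaning: the script does not touch the Run key entries themselves, and a machine that still shows signs of compromise after quarantine is a candidate for rebuild, not further hand-cleaning.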