Mopquill
Active member
I'm no stranger to system security, and I know my way around both Windows 95 - 7, and CentOS/Debian Linux (I prefer Debian). I've got ESET Nod32 on my computer, a secure firewall on my router, and I use EMET to keep would-be-vulnerable programs in check. I hadn't gotten a virus on my own computer in around six or seven years.
The night before last, NameCheap posted an interesting status about fancy CSS3 that can create functional widgets and things without the need for JavaScript. JavaScript can be great when done right, but it slows load and execution times, so, the less, when it can be helped, the better. I click their link, and the first thing I see is a slideshow. I click the source for that, and then click to view the live demo, and suddenly, Firefox, Chrome, and Opera were all closed. Yes, I was using all three. Confused, I try to open Task Manager with Ctrl + Shift + Esc. Nothing happens. I hit it a few more times, and then I try Ctrl + Alt + Delete. "Start Task Manager" was *missing* from my options. I tried starting it via run and cmd, nothing. I go to it directly and double-click it to get "Task Manager has been disabled by your system administrator." I try making sure it's enabled in the group policy manager, taking ownership, nada. I can't use it.
Anyhow, I open up Process Explorer, which I have for occasions such as this, or when an svchost.exe is acting oddly, and I find a gibberish exe running. For some reason, ESET didn't even notice this thing get in, and it somehow got in my temp folder, as a bunch of .tmp files, which then assembled themselves into an EXE. Somehow, the temp files themselves didn't show up as viruses, just the completed EXE, and even then, ESET didn't stop it or quarantine it. Confused, I kill it myself with Process Explorer, use Unlocker to close its open handles, and then have ESET manually quarantine it. I upload a sample to VirusTotal to have it look, and only three of the things there even knew it was a virus (two of them McAfee, which normally sucks, and the other was Panda). I still couldn't use Task Manager, so I downloaded and ran the latest ComboFix, and as soon as it was running, I could open Task Manager again, and it found and cleaned some files from my system. I ran a system-wide scan with ESET that then removed a bunch of infected files from all over my computer (it took, like, 20 hours), and had VirusTotal rescan my sample. Then, 7 recognized it as a virus, still not ESET. I sent the sample (double rar-ed and passworded so Gmail would let me send it) to ESET's sample reception thing, and I got this reply:
Dear Mopsy,
Thank you for your submission.
The detection for this threat will be included in our next signature update.
mdfewq206085.exe - Win32/TrojanDownloader.Prodatect.BL trojan
mdfewq206085.rar - unknown
Regards,
ESET Malware Response Team
Anyhow, it should be taken care of soon, but, this thing got past Firefox *and* ESET, which, don't get me wrong, is a fantastic anti-virus. Not a single thing has gotten past it before, and it's generally quite good about false positives. I *suspect* it used some exploit in Internet Download Manager, but I don't have any solid proof, only an error message I got from the second visit. I accidentally restored my tabs and opened the same page. I'm an idiot. XD I knew what it was going to do this time, though, and I was able to kill it before it was finished doing what it was doing, and ran ComboFix to remove the traces. It still got in, though.
The VirusTotal link is here, and as of this posting, someone other than me has updated it, and 12 antiviruses now recognize it as a virus. I can re-upload my sample to have them update it later on, if anyone is interested and no one else has.
Anyhow, the URI I visited, that I believe to be the source of the virus (possibly a rogue advertiser) is posted below, but I urge none of you to visit it unless you have a reliable sandbox set up. This virus isn't particularly devastating, but it is quite intrusive at present, but maybe that was just me with IDM? I'm not eager to test it at the moment. Anyhow, I just figured I'd warn everyone that there's something going around. I hope none of you catch it. =]
DANGEROUS, POTENTIALLY INFECTED
http://www.gonzoblog.nl/2012/05/10-fresh-and-useful-pure-css3-tutorials-no-javascript/
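A quick triage script for the two symptoms in the post above (Task Manager reporting "disabled by your system administrator", and a gibberish-named EXE assembled from .tmp files in the temp folder). This is an added example, not the poster's or ESET's code: it reads the standard Windows DisableTaskMgr policy value, lists recently written executables under %TEMP%, and hashes them so they can be looked up on VirusTotal; the 48-hour window and the file extensions are assumptions.

```powershell
# Added triage helper (not from the original post). The policy value below is the
# standard Windows location behind "Task Manager has been disabled by your system
# administrator"; the temp-file pattern and time window are assumptions.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Report DisableTaskMgr under both the user and machine policy hives (1 = disabled).
function Get-TaskMgrPolicy {
    foreach ($key in $policyKeys) {
        if (Test-Path $key) {
            $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableTaskMgr
            if ($null -ne $val) {
                [pscustomobject]@{ Key = $key; DisableTaskMgr = $val }
            }
        }
    }
}

# Clear the value again once the dropper itself has been removed (what ComboFix
# did for the poster); only needed if Get-TaskMgrPolicy reported a 1.
function Clear-TaskMgrPolicy {
    foreach ($key in $policyKeys) {
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
        }
    }
}

# List exe/tmp/dll files written to %TEMP% recently, with SHA256 for a VirusTotal lookup.
function Get-RecentTempExecutables {
    param([int]$Hours = 48)   # assumed window; widen if the infection is older
    $cutoff = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path $env:TEMP -Recurse -File -Include *.exe, *.tmp, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Size    = $_.Length
                Written = $_.LastWriteTime
                SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

Write-Host '== DisableTaskMgr policy values (1 = disabled) =='
Get-TaskMgrPolicy | Format-Table -AutoSize

Write-Host '== Recently written exe/tmp/dll files under %TEMP% =='
Get-RecentTempExecutables | Sort-Object Written -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the affected machine; the SHA256 column lets you search VirusTotal by hash without uploading the file again.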