Replicating Trojan on misdirect/WMF-related?

Thread: Replicating Trojan on misdirect/WMF-related?

  1. #1
    Junior Member
    Join Date
    Jan 2006
    Posts
    12

    Replicating Trojan on misdirect/WMF-related?

    OK, I'm a bit sketchy on a bit of the details. I was getting ready for work early in the AM Wednesday morning doing some morning surfing from the news. I was misdirected to another site and I believe I suffered from the WMF exploit. I have Windows Home XP SP2 fully updated. I am running Symantec anti-virus professional with live update, it is also fully updated. I run AdAware and Adwatch v1.05, again fully up to date.

    Symantec caught the Trojan, and said that it could not quarantine, but did deny access. After shutting my browser, I opened Symantec and found two files in c:\documentsandsettings\myuserfolder\temp. I right clicked on one of them and chose "Delete". So far so good. Except it did not delete just one file. The counter for files deleted quickly climbed into the thousands. I quickly stopped the process and rebooted in safe mode. I ran a scan and found nothing in safe mode. I checked the log files and found that every file was in fact deleted. I ran an Adaware scan again in safe mode and found nothing. Stupidly, I ran CCleaner but allowed it to wipe the logs so I can't give you more info on the Trojan--however, as I remember it did not specify the type of Trojan; only that it was a trojan. The infected files were a series of alphanumeric characters, but I don't recall the extension--it was very early and I was rushed.

    Anybody see this behavior before? I'm puzzled, please advise.

    ... and damn! I should have downloaded the latest patch.
    SP

  3. #3
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    If your XP is fully patched?

    Are you also running Office and Outlook? If so, you should update those as well. There is a wmf-related patch for Outlook.

    I'd also update your Symantec, from safe-mode with networking, just to make sure you aren't being blocked and have the current stuff.

    Then scan.

  5. #5
    Junior Member
    Join Date
    Jan 2006
    Posts
    12
    Actually just checked that out: I was fully patched including the WMF patches. All seems fine, however that was really weird what happened. Any similar experiences out there? All scans are clean--which I find somewhat relieving, but that was really strange behavior.
    SP

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Just because scans tell you that you are clean doesn't mean you are. They rely upon signatures.... That means that the malicious code you _might_ have on your system has to be recognizable by the scanning system. If there is no signature then there is no detection. If there has been some kind of rootkit installed you probably won't be able to detect it for yourself either.

    Take a look around here and see what you can do for yourself. If there seems to be nothing you can and you are convinced that there is an issue then think about a reformat and re-install...

    PS: don't forget to backup your _data_ files first...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmm,

    Symantec caught the Trojan, and said that it could not quarantine,
    I have seen that sort of behaviour with Javascript trojans. Some AVs cannot delete from archived files.

    Try downloading, updating and running these in safe mode

    http://www.ewido.net/en/
    http://www.emsisoft.com.en/software/free/

    The last one (A-Squared) is a specialist dialler and trojan killer

    I would then be tempted to run an online AV scan such as "Housecall" from PC-Cillin or the Panda one.

