Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
Yep, as mentioned before so-called extortion or ransom-ware type infections do not act like a virus, they do not damage or replace any system files so they literally slip pass any AV scanner. Not even Enterprise level TrendMicro or Symantec catches them.
<snip>
From a little research I have done, there are mainly 2 types of ransom wares I encountered:
1) Type A: Single executable .....
2) Type B: Once active, the ransom-ware simply changes file associations to most file types .....
Anyhow, I wrote a batch script that seemed to have had success with both types with no derogatory effects. .....
If anyone is interested (it should be ready soon), I will create a thread at the other forum where I am a Mod so I can upload it and turn it into a sticky and share the link to it.
If anyone encountered another type please provide detailed info so I might do some research on that type as well.
That's really great work. Based on your research, would you agree that there is no practical way to block the Fake AV from getting in?
Yep, as mentioned before so-called extortion or ransom-ware type infections do not act like a virus, they do not damage or replace any system files so they literally slip pass any AV scanner. Not even Enterprise level TrendMicro or Symantec catches them.
I'm routinely running into various malware payloads being delivered by a rootkit, and ZeroAccess and Aleuron both replace system files and get real nasty. In fact, it seems like almost every infection I've handled over the past five months that wasn't MyWeb has been one trojan or another bundled with ZeroAccess or TDSS4.
I think these companies need to significantly increase their rootkit prevention abilities. They keep slipping past everything without any problems what-so-ever.
Quote:
1) Type A: Single executable that when active, intercepts all system calls to open any of the executable file types it monitors (.exe, .com, .bat, etc.) and immediately shuts it down and runs itself and pretends the file/program that was being launched was infected. This infection does create and modify some of the registry keys. Executable is active from the moment system loads. Booting in Safe Mode and cleaning up all temp file directories along with the common location the executable typically copies itself to "%userprofile%\Local Settings\Application Data". In normal mode, the only way to take control is to forcefully terminate the executable but since the user cannot even run any programs Windows based or 3rd party, it becomes a catch-22.
I don't think I've had to handle one that infected a COM extension. As a result, RKILL has been fantastic in helping clean these up, and they often don't run in safe-mode anyway, so it's easy enough to remove them without it.
Quote:
2) Type B: Once active, the ransom-ware simply changes file associations to most file types, then the executable itself is no longer running in the background. You actually will not notice this executable unless you try to open one of the file types it associates itself with. Even for an experienced user or IT pro, taking control and accessing registry or running an executable to fix this would be quite challenging to say the least. For a novice home user, I can only imagine the frustration.
This fella only makes changes to Windows registry. it has no startup entry points since it waits for an associated file type to be launched.
Are you referring to the ones that change the .exe class in the registry? I've had tremendous luck fixing these with these reg scripts.
Quote:
Both types also have residue in the Temp locations which need to be emptied out. When they are active, cleaning up the system is pretty much impossible.
As a note, I've been getting a lot of computers with "SystemFix" and "2012 Security Pro" (among other names), where it hides all of your files, deletes your start menu, etc. This particular brand of mal-ware creates a temp directory in %temp% called "smtmp." It houses all of your start-menu and taskbar shortcuts, which is great, because otherwise you would delete them when you wipe the temp.
Quote:
Anyhow, I wrote a batch script that seemed to have had success with both types with no derogatory effects. I tested it both under a standard user profile and the Admin profile on a virtual machine, it worked. I have to fine tune it a bit more and also make it Win 7 compatible. Of course, it is impossible to predict how it would do with every system but I believe it would be worth a shot.
For type A, script looks for the common location for all executables where normally there should be none. It lists the executable it finds. User is prompted to enter the full file name (khq.exe), the included process killer kills the executable and then deletes it along with all common temp file locations and internet cache. User at this point has full control of the system. Further scans and cleaning might be useful.
For type B, cleans up all common temp file locations which should take care of the malicious executable but it also prompts for registry patching to correct file associations. Afterwards, user have full system control but further scans to clean and correct leftovers might be necessary.
If anyone is interested (it should be ready soon), I will create a thread at the other forum where I am a Mod so I can upload it and turn it into a sticky and share the link to it.
If anyone encountered another type please provide detailed info so I might do some research on that type as well.
I'd love to see it! Might even be able to field test it.
That's really great work. Based on your research, would you agree that there is no practical way to block the Fake AV from getting in?
Thanks. As I mentioned in the DM, I am in the process of updating one of my stickies on the other site where I will provide more detailed info but in a nutshell, yes there is a practical way to block those and all other known (aka reported) bad domains. The keyword being "known" and because of that there is no 100% protection or guarantee as you already knew I am sure.
Anyhow, as mentioned by me and others, best method is a secure browser with must-have security add-ons, like Firefox with the following ones:
- NoScript
- WOT (Web of Trust) or BrowserDefender (both work with FF and IE)
- Flashblock
- Adblock Plus
The top 2 are definite must-haves for Firefox users and either WOT or BrowserDefender for IE users imho.
Additionally, for all users Spybot Search and Destroy's SD Helper feature is a really good thing to have on.
First the "Advanced Mode" needs to be turned on then it can be seen under Tools > Resident section:
It simply created a new CLSID (apartment thread) in the registry which functions as a typical BHO (Browser Helper Object):
Also Spybot S&D's Immunize feature or SpywareBlaster is very effective protection against known bad sites and malicious ActiveX content. It is even possible to have both. Both of them modifies Hosts file along with adding known bad domains to "Zones" section in the registry.
And that said, it brings me to my final recommendation which is patching Hosts file for the most practical and effective prevention of even opening the known bad sites. A co-worker created a script which connects to MDL and gets the most updated list of bad domains and adds them to the Hosts file after it makes a backup copy of it for un-doing the changes for any reason. I will also share this script (.zip file) for anyone interested to download and use.
I'm routinely running into various malware payloads being delivered by a rootkit, and ZeroAccess and Aleuron both replace system files and get real nasty. In fact, it seems like almost every infection I've handled over the past five months that wasn't MyWeb has been one trojan or another bundled with ZeroAccess or TDSS4.
I think these companies need to significantly increase their rootkit prevention abilities. They keep slipping past everything without any problems what-so-ever.
Well, I used to enjoy spending hours researching this to help people on this other site I used to help out as a moderator/admin but I got burned and the site traffic went to Hell thanks to Google filtering. Anyhow, I don't mess around with it any more so I really am not following the current threats. I am not aware of the above ones you mentioned. I mainly researched the Fake AV type but if I have time, I might mess around with the Trojan installing sites to see if I encounter anything alike.
Quote:
I don't think I've had to handle one that infected a COM extension. As a result, RKILL has been fantastic in helping clean these up, and they often don't run in safe-mode anyway, so it's easy enough to remove them without it.
The simplicity yet effectiveness of the ransom-ware is quite amazing to be honest and it was challenging a bit like a puzzle, it intrigued and got me all pumped up but like you mentioned, I quickly realized in Safe Mode it was dead in the water. Especially, the Type B left .bat and .com extensions alone which you found too. That was a big mistake, I was able to run my script even without booting in the Safe Mode and kill it.
Quote:
Are you referring to the ones that change the .exe class in the registry? I've had tremendous luck fixing these with these reg scripts.
Yes, I believe the registry patches I used in my script were downloaded from there. I am in the process of comparing them to Windows 7 to see if they are different or not. If they are identical, then the script should be ready even sooner.
Quote:
As a note, I've been getting a lot of computers with "SystemFix" and "2012 Security Pro" (among other names), where it hides all of your files, deletes your start menu, etc. This particular brand of mal-ware creates a temp directory in %temp% called "smtmp." It houses all of your start-menu and taskbar shortcuts, which is great, because otherwise you would delete them when you wipe the temp.
I'd love to see it! Might even be able to field test it.
Wow, what does it exactly dump in the %temp%\smtmp directory? That is the Temp folder for the currently logged in user. If it dumps all user data there then that sucks because most everyone will first empty out their %temp% folder. Even my script does that but then again so would all other Temp/Junk file cleaners such as ATF-Cleaner, CCleaner and FCleaner that people commonly use.
If it includes important user data and you are certain about the folder name "smtmp" then I will include that in my script so if it sees a folder with that name in the %temp% location, it will not empty out the %temp% folder but rule of thumb with using specialized malware cleanup scripts is that you use the related script if it is applicable. These type of scripts are not "fix all-cure all" where you can run them on PC with a different kind of active infection.
Back in my spyware fighting days, my #1 rule was always identifying the baddie before taking any action. Observe, obtain information, take detailed notes, etc. That is why I never liked using automated scanners regardless of how reputable they might be because time-to-time I would see people ending up re-imaging their system due to the collateral damage caused by one or more of the scanners.
So, I think, instead of telling people to run this or that to automagically clean the infection, we should instead start telling people to download and run HijackThis or RunScanner type programs to have those programs create logs which then they could attach to their next post so we could get a much better idea and give more accurate, effective instructions on how to eradicate the issue.
Is it your expectation that the registry entry fixes for Windows 7 are also valid for Vista?
I strongly believe so since I used mainly variables for file deletion and also since the XP registry files very same with 7 for the most part, I believe the script will work for Vista as well but I'd still like to hear about your and other users' feedback. The script will create a backup copy of all file types it will be patching just in case. The modified registry files would also shed more light on the infection by providing detailed info about it, file names, locations, etc.
Here is the link to the post where the script and related info is. The download link is at the very bottom.
Let me know what you think and how it fares dealing with related infections. I would also appreciate the feedback on how it does on Vista.
Thanks.
CleanFAV?
Please register to post and access all features of our very popular forum. It is free and quick. Over $68,000 in prizes has already been given out to active posters on our forum. Additional giveaways are planned.
Detailed information about all U.S. cities, counties, and zip codes on our site: City-data.com.
Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
