Does anyone recognize these three infections? Google doesn't


  1. Posts : 118
    Windows 7 Home Premium - always up to date
       #1


    c:\users\rusty\appdata\local\ojimocin.dll

    c:\users\rusty\appdata\local\ehevurijanoxoz.dll

    c:\users\rusty\appdata\local\ayimeqaguvi.dll

    The last one got caught by NIS when I booted this morning. The other two got caught together a week ago. After the first incident I did full scans with Malwarebytes and Super Antispyware. Only one non threatening tracking cookie was picked up by Super. Norton has run full scans since the first incident and come up clean too.

    The usual 54 services are listed in Process explorer.


  2. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #2

    Hi,

    What size are these files? If less than 20MB, upload them here for a more comprehensive scan:

    VirusTotal - Free Online Virus, Malware and URL Scanner

    This is another newer one just come online too:

    http://www.metascan-online.com/index.cgi

    Regards,
    Golden
    Last edited by Golden; 27 Aug 2011 at 07:59. Reason: add 2nd scanning option


  3. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #3

    My best guess is a polymorphic virus. These can be very difficult to identify and stubborn to eradicate. I would try using a live Linux disk (or USB) such as Puppy Linux then install one of many AV programs and run it against your hard disk.

    Regards,
    GEWB


  4. Posts : 5,056
    Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
       #4

    I agree with Golden on what you should do. Having said that, appdata\local is one of the folders where applications store their local-machine-only settings. Appdata\Roaming is used by default by most apps; Local only stores settings that are volatile or easily regenerated, AFAIK. So theoretically it should be safe to delete anything under Appdata\local. You can try backing up these dlls to external media, then deleting them from the hard disk and waiting for a disaster to happen. If it does, you can restore the files.


  5. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #5

    I did a search here for the .dll's:

    ThreatExpert - Automated Threat Analysis

    but didn't find anything. It would be useful to know what family NIS flagged them as....might help us narrow it down a bit more.

    Can you elaborate on where you suspect you might have picked these up from?

    Regards,
    Golden


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #6

    GEWB said:
    My best guess is a polymorphic virus. These can be very difficult to identify and stubborn to eradicate. I would try using a live Linux disk (or USB) such as Puppy Linux then install one of many AV programs and run it against your hard disk.

    Regards,
    GEWB
    Good guess! Definitely bad malware.


  7. Posts : 118
    Windows 7 Home Premium - always up to date
    Thread Starter
       #7

    Thanks everybody. I'll investigate it more this evening. If I get too worried about it I have a two-week-old Acronis image of the whole system ready to go. That's probably the most sure-fire fix. If I format my drive before I run the backup, is there anything else I can do to make sure the bugs are vaporized? I remember back in the old days, I used to power down in the middle of a format to make sure they weren't hiding in RAM waiting to jump back on after the format was done. Any reason to do that these days?

    I'm very vigilant against this kind of thing, but I moderate a forum and sometimes I have to click links I wouldn't otherwise follow. Right after I opened one is when the first of these showed up. Since then the other two have been caught. I'll post back if I turn up any useful information.


  8. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #8

    Sounds like it could be Conficker, variant C, D or E (associated with the Waledac family of malware and its Storm botnet). "E" was discovered the beginning of this month whereas "C" and "D" have been around for a while.

    Also note that a new tool to rewrite viruses as polymorphic (and running in memory) has been in the wild for several months. This has made it fairly easy to recycle older code into new threats very quickly.


    Symantec published this in their July analysis:
    This month’s analysis reveals a significant increase in activity related to what may be described as an aggressive and rapidly changing form of generic polymorphic malware. With one in 280.9 emails identified as malicious in July, the rise accounted for 23.7 percent of all email-borne malware intercepted in July; more than double the same figure six months ago, indicating a much more aggressive strategy on the part of the cyber criminals responsible.

    The report shows that the malware is frequently contained inside an executable within the attached ZIP archive file, and often disguised as a PDF file or an office document, for example. “This new aggressive approach to distributing generic polymorphic malware on such a scale should be concerning for many businesses, particularly for those who rely solely on more traditional security countermeasures, which this type of malware is designed to evade. One example of this technique involves changing the startup code in almost every version of the malware; subtly changing the structure of the code and making it harder for emulators built-in to many anti-virus products to identify the code as malicious.”

    “Polymorphic malware is a way for malware writers to write their malware so that each particular malware is different from the last. So, although the malicious code does the same thing – infect your computer – each program that the malware writer is producing is acting in a slightly different way”, explained Lee, senior software engineer at Symantec.cloud.
    For example, when variant C is executed, the worm copies itself as a randomly named DLL to:

    [System]\randomname (preferred location) or

    [Program Files]\Internet Explorer\randomname or
    [Program Files]\Movie Maker\randomname (50% chance of each), or

    [Application Data]\randomname, or

    [Temp]\randomname

    (Sounds familiar, doesn't it?)

    Some GENERAL notes about current polymorphics:

    > Can be memory resident (which is why I use a Live Linux disk for removal)
    > New threats are created very quickly (i.e., zero-day exploits)
    > P2P systems and email attachments are popular attack vectors

    Regards,
    GEWB
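    A defender-side check for the drop pattern described in this post, combined with the VirusTotal step from post #2: this is an added example, not code from the thread. It walks the drop locations listed above (plus the poster's AppData\Local), flags DLLs whose names look machine-generated, hashes them and notes whether they fit the 20MB upload limit. The name heuristic is an assumption, and the sample tree is constructed with dummy bytes so the script runs offline.

```python
import hashlib, os, re, tempfile

# Drop locations from the Conficker C write-up quoted above, plus the poster's AppData\Local.
# Paths are relative to a root so the demo can run against a constructed sample tree.
SUSPECT_DIRS = ["Windows/System32", "Program Files/Internet Explorer",
                "Program Files/Movie Maker", "Users/rusty/AppData/Local",
                "Users/rusty/AppData/Local/Temp"]
MAX_UPLOAD = 20 * 1024 * 1024          # VirusTotal size limit mentioned in post #2
NAME_RE = re.compile(r"^([a-z]{8,20})\.dll$")

def looks_random(filename):
    """Heuristic (assumption): lowercase letters only, 8-20 long, vowel ratio 0.3-0.7.
    Matches syllable-style names such as ojimocin.dll, not kernel32.dll or msvcrt.dll."""
    m = NAME_RE.match(filename)
    if not m:
        return False
    stem = m.group(1)
    return 0.3 <= sum(c in "aeiou" for c in stem) / len(stem) <= 0.7

def hunt(root):
    """Return (dir, name, size, sha256, fits_upload) for every random-looking DLL."""
    hits = []
    for rel in SUSPECT_DIRS:
        d = os.path.join(root, *rel.split("/"))
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if os.path.isfile(p) and looks_random(name):
                size = os.path.getsize(p)
                with open(p, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()  # hash to look up on VirusTotal
                hits.append((rel, name, size, digest, size < MAX_UPLOAD))
    return hits

def build_sample_tree():
    """Constructed sample tree: the three names from the post holding dummy bytes (not
    malware), beside benign-looking decoys that must not be flagged."""
    files = {"Users/rusty/AppData/Local/ojimocin.dll": b"dummy A",
             "Users/rusty/AppData/Local/ehevurijanoxoz.dll": b"dummy B",
             "Users/rusty/AppData/Local/ayimeqaguvi.dll": b"dummy C",
             "Windows/System32/kernel32.dll": b"decoy",
             "Windows/System32/msvcrt.dll": b"decoy"}
    root = tempfile.mkdtemp()
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root
```

Treat a hit as a lead to hash-check or upload, not as proof of infection: legitimate DLLs with long all-letter names will also match, so compare against the vendor's signature or a known-good install before deleting anything.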


  9. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #9

    RknRusty said:
    I'm very vigilant against this kind of thing, but I moderate a forum and sometimes I have to click links I wouldn't otherwise follow. Right after I opened one is when the first of these showed up.
    Can you use a live bootable OS to moderate your forum or is a Microsoft OS required? Just a thought...

    Regards,
    GEWB


  10. Posts : 118
    Windows 7 Home Premium - always up to date
    Thread Starter
       #10

    That's a good idea. I can use Ubuntu on a flash drive. It has Mozilla which will work fine. Never thought of it, thanks for the tip.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd