DHL tracking number emails contain malware (Troj/Bckdr-QSL)
DHL tracking number emails contain malware | Graham Cluley's blog (http://www.sophos.com/blogs/gc/g/2009/03/23/dhl/) said:
My sister got hit with this via email in a 0-day attack - she was infected as of 8 AM on Monday, 23 March. Symantec did not find anything, at first, until she had already run the executable inside the ZIP file, and it started downloading known viruses. This is a pretty generic Trojan that downloads other trojans and backdoors and viruses to the system and begins a systematic onslaught on the machine, starting with adding proxy settings to IE redirecting it to a local 'server' running on port 7171, and going from there.
The bad news is that when it hoses IE, it also hoses MBAM's ability to update - but fortunately, Sophos has already added it to their definition collection (called IDEs) and you can follow the instructions at Sophos - Removing Trojans including the downloading of the IDEs from Sophos - Download latest virus identity (IDE) files to get rid of most of the infections. Once this is done you can then reset IE to default settings (or, as I walked her through, manually check all your settings (a painstaking 1 hour 25 minute process - We checked *everything* and I had her change some settings that would make her IE a little bit safer)) and then you can update MBAM and run a full scan to find the rest of the little buggers and clean yer system.
Her explorer.exe may still be hosed, we'll see - all of this is performed in Safe Mode.
Just to give you an idea - she first called me at 9:56 PM yesterday - and it is now 3:10 AM....
EDIT: Added the following:
Also, Sophos found 1 item corrupt (word doc), 1 was PW protected (a legitimate PW protected Excel spreadsheet - she's a mortgage officer), and a third that it was unable to remove (Major malware) - and it removed 3 viruses.
Then, MBAM comes back and finds *all* of these:
Code:
Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3

3/24/2009 3:53:10 AM
mbam-log-2009-03-24 (03-53-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207109
Time elapsed: 49 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500798ec-60e8-4654-9014-20698652f9db} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a11ff88f-09dd-46e3-a75c-e608d9a30186} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Spyware.StolenData) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\ConTest.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Spyware.StolenData) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfc42locac.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
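The two indicators the post describes, a Winlogon Userinit value with an extra executable appended (the Hijack.UserInit line in the log) and IE forced through a proxy on a local port (7171), can be checked offline with a few lines. This is an added example, not code from the post, Sophos or Malwarebytes; the registry value strings and proxy strings are constructed to mirror the log, and a real check would read them from the Winlogon and Internet Settings keys.

```python
"""Added example: offline checks for a Userinit hijack and a loopback IE proxy.
Sample values are constructed from the MBAM log in the post, not read live."""
from typing import List, Optional

EXPECTED_USERINIT = "userinit.exe"


def userinit_extras(value: str) -> List[str]:
    """Return every entry in a Winlogon Userinit value other than the stock
    userinit.exe. The value is a comma-separated list of programs Winlogon
    runs at logon, so an appended path (sdra64.exe in the post) runs each time
    the user logs on. A trailing comma is normal and is ignored."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        basename = entry.replace("/", "\\").split("\\")[-1].lower()
        if basename != EXPECTED_USERINIT:
            extras.append(entry)
    return extras


def local_proxy(proxy_enable: int, proxy_server: str) -> Optional[str]:
    """Return the proxy target if IE is configured to send traffic through a
    loopback address (the post describes a local 'server' on port 7171);
    None when the proxy is disabled or points elsewhere. Handles both the
    plain "host:port" form and the per-protocol "http=host:port;..." form."""
    if not proxy_enable:
        return None
    for part in proxy_server.split(";"):
        target = part.split("=", 1)[-1].strip()
        host = target.rsplit(":", 1)[0].lower()
        if host in ("127.0.0.1", "localhost", "::1"):
            return target
    return None


# Constructed sample values mirroring the post's log
BAD_USERINIT = r"C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
GOOD_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

if __name__ == "__main__":
    print("Userinit extras:", userinit_extras(BAD_USERINIT))
    print("Userinit extras:", userinit_extras(GOOD_USERINIT))
    print("Local proxy:", local_proxy(1, "127.0.0.1:7171"))
    print("Local proxy:", local_proxy(1, "proxy.corp.example:8080"))
```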