Stolen.data

mjf

Malwarebytes has just detected and quarantined "stolen.data" on my computer. A Trojan I believe.
Location: c:\programdata\carbon

NIS2011 with current update missed it.

Has anyone experience with this or advice?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Own build
OS
Windows 7x64 Home Premium SP1
CPU
Intel i7 2600k
Motherboard
ASUS P8Z68 Deluxe
Memory
G.Skill Ripjaws (DDR3-1600) 2x4GB
Graphics Card(s)
Nvidia GeForce GTS 450; Intel HD Graphics 3000(GT2+)
Monitor(s) Displays
Dell Ultrasharp IPS panel U2311H, Samsung SyncMaster P2350
Screen Resolution
1920x1080
Hard Drives
Samsung 850 Pro SSD 256GB, Samsung SSD 840 120GB, Seagates 1TB Barracuda ST31000528AS x2
PSU
Seasonic M12II 520W
Case
Lian Li Lancool PC-K60
Cooling
Case: 1x120mm, 3x140mm CPU: Hyper 212+
Keyboard
Logitech MK520 (wireless)
Mouse
Logitech MK520
Internet Speed
6-7 Mbps
Antivirus
Norton Security Premium, Malwarebytes on 2 (MSE on 3rd PC)
Browser
FireFox
Other Info
Audio: Logitech Z523 2.1
Hmm, I haven't suggested this in a while

SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Apparently it only really fell out of favor because it didn't have Win 7 support until some time after its release. It does now though.

As for this specific malware
"nosirrah" (Malwarebytes forum administrator) said:
Without a file path there is no way to give much info.

Stolen.Data are static paths to files where known spyware stores stolen credentials.

I think that sums it up best.
 

My Computer

Computer Manufacturer/Model Number
Insane hobo technologies. ;-)
OS
Windows 7 x64
CPU
Intel i7 2600k
Motherboard
Asrock z68 extreme 4 gen 3
Memory
G.skill Ripjaw 16gigs @ 1866
Graphics Card(s)
Nvidia gtx580 (evga)
Sound Card
Integrated HD audio + hdmi
Monitor(s) Displays
24" ASUS widescreen + 42" insignia
Screen Resolution
1080p (1920x1080)
Hard Drives
128 Samsung 830
256 Samsung 840
3 x 1tb storage drive (various)
1 western digital 1tb (eSATA)
1 Seagate 1tb (eSATA)
PSU
1 kilowatt SLI/Crossfire rated Silverstone modular
Case
NZXT Phantom + additional 220 fan
Cooling
Zalmann
Keyboard
Microsoft wireless 3000 (v2)
Mouse
MS - wireless 5000 (bluetrack)
Internet Speed
depends on if you ask me or my provider.
Other Info
The above information is provided as is, and the author assumes no responsibility for issues it may cause with your sanity or fanboyism.

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
Hi, mjf.

Based on the information in the link provided by Golden, if this is indeed a password-stealing trojan, I strongly recommend that you go to a clean computer and change your passwords. Keep a close eye on any banking and credit card accounts.

It would be a good idea to do an online scan by another vendor. Please go here to run an on-line scan from ESET.

  • Note: It is easiest if you use Internet Explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer.)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish -- it may take quite a while.
 

My Computer

OS
Windows 7 & Windows Vista Ultimate
Good luck with that mjf.

I have ESET online scanner on all my pe3 media. (Smart installer is only a couple of MB.)

Never needed to use it myself - but friends have used it with great success.
 

My Computers

System One System Two

  • Computer type
    PC/Desktop
    OS
    7 X64
    CPU
    i5 8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    2x8gb 3200mhz
    Hard Drives
    various
    PSU
    pure power 11 400w cm
    Case
    Coolermaster
    Cooling
    cryorig m9i
  • Computer type
    PC/Desktop
    OS
    7x64
    CPU
    g5400
    Motherboard
    ga b365m ds3h
    Memory
    8gb ddr4 2400
    PSU
    xfx pro 450w
Thanks for the replies (I need to learn more!!)

I ran the ESET online scan after quarantining the malware with Malwarebytes. After 4+ hours it detected no threats. Fortunately I don't store or use transaction passwords or account numbers on my computer.

I've changed other passwords. Is there anything else to be done?

---------------------------------------
Interestingly, it appears only the most recent Malwarebytes update detected this threat. Yet by going back to a 2 month old image the threat was present and both Malwarebytes and NIS2011 have been kept current between then and now.
 

Definitions are updated regularly, mjf, but until the vendor becomes aware of the threat it cannot be submitted. We can speculate about what changed that resulted in the addition, but that won't provide answers. :)

I suggest creating a fresh restore point and then clearing all the old, infected points using Disk Cleanup. For Windows Vista and Windows 7:

  • Click Start, type Disk Cleanup in the search box.
  • Right-click Disk Cleanup and select "Run as Administrator" and accept the UAC elevation prompt.
  • Select the drive where Windows is installed (if you have more than one drive) and click "OK".
  • When the scan completes, check/uncheck desired boxes.
  • Next, please click the More Options tab at the top.
  • Click the "Clean up..." button under the "System Restore and Shadow Copies" section at the bottom.
  • Click Delete in response to the question "Are you sure you want to delete all but the most recent restore point?", click OK and answer Yes again.
  • The disk clean up utility will remove the selected items. When it completes, please restart the computer to properly record the changes made to the hard disk.
 

Since you guys use ESET regularly, you did actually agree to these...

2. Forwarding of infiltrations and information to the Provider.
The Information may contain data (including personal data*) about the End User and/or other users of the computer on which the Software is installed, information about the computer and operating system, suspicious files from the computer on which the Software is installed and files affected by the Infiltration and any information about such files.
*-Emphasis mine...

22. Governing Law.
The End User and the Provider agree that conflict provisions of the governing law and United Nations Convention on Contracts for the International Sale of Goods shall not apply. You expressly agree that exclusive jurisdiction for any claim or dispute with the Provider or relating in any way to Your use of the Software resides in District Court Bratislava I., Slovakia and you further agree and expressly consent to the exercise of the personal jurisdiction in the District Court Bratislava I. in connection with any such dispute or claim.
Based on these, the scan results with personal data will end up in former Yugoslavia that has jurisdiction for any of the conflicts that may arise.

While the service provided might be good, there are plenty of other malware detection tools that can run locally instead of over the Internet; there's no need for possibly disclosing personal data with Internet based tools...
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom built at Home
OS
Windows 7 64-bit, Windows 8.1 64-bit, OSX El Capitan, Windows 10 (VMware)
CPU
Intel i5-3350P 3.1 GHz
Motherboard
Gigabyte GA-Z77X-UP5 TH
Memory
16 GBs GSkill Sniper
Graphics Card(s)
Radeon HD 7850
Sound Card
VIA HD Audio
Monitor(s) Displays
Dell U2410 24"
Screen Resolution
1920x1200
Hard Drives
1 x Intel 520 240 GBs
1 x Seagate 1TBs SATA 2.0,
1 x Seagate 1TBs eSATA 2.0
PSU
Thermaltake 850W
Case
Antec P183
Cooling
Noctua NH-D14 Heatsink 2 x 120mm fans, 4 x 120mm case fans
Keyboard
Dell Multimedia keyboard
Mouse
Logitech Trackball
Internet Speed
28.5 Mb/s
I would also run a scan with HitMan Pro. It doesn't need to be installed on your machine, and is a great multi vendor scanner. Home - SurfRight
 

My Computer

OS
Windows 7 Home Premium x64 SP1
Since you guys use ESET regularly, you did actually agree to these...

2. Forwarding of infiltrations and information to the Provider.
The Information may contain data (including personal data*) about the End User and/or other users of the computer on which the Software is installed, information about the computer and operating system, suspicious files from the computer on which the Software is installed and files affected by the Infiltration and any information about such files.
*-Emphasis mine...

22. Governing Law.
The End User and the Provider agree that conflict provisions of the governing law and United Nations Convention on Contracts for the International Sale of Goods shall not apply. You expressly agree that exclusive jurisdiction for any claim or dispute with the Provider or relating in any way to Your use of the Software resides in District Court Bratislava I., Slovakia and you further agree and expressly consent to the exercise of the personal jurisdiction in the District Court Bratislava I. in connection with any such dispute or claim.
Based on these, the scan results with personal data will end up in former Yugoslavia that has jurisdiction for any of the conflicts that may arise.

While the service provided might be good, there are plenty of other malware detection tools that can run locally instead of over the Internet; there's no need for possibly disclosing personal data with Internet based tools...

You are basing your comments on very outdated information. See ESET Online Scanner End User License and Service Agreement.
 

You are basing your comments on very outdated information. See ESET Online Scanner End User License and Service Agreement.
Alright, quote from the referenced page:

2. Scope of the Software.
The Software contains a function, which serves to collect samples of new computer viruses or other similar harmful computer programs (the “Infiltration”) and the subsequent dispatch thereof to the Licensor. This includes, for example, information about the computer and/or platform on which the Software is installed (the “Information”). The Information may contain data (including personal data) about the Licensee and/or other users of the computer on which the Software is installed, information about the computer and operating system, suspicious files from the computer on which the Software is installed, and files affected by the Infiltration and any information about such files.
And while the jurisdiction has been changed to San Diego, CA, did you notice this?

14. Notices.
All notices intended for the Licensor must be delivered to Attn: Chief Legal Officer, ESET, spol. s.r.o., Svoradova 1, 811 03 Bratislava, Slovak Republic.
Would you be surprised, if:

  1. The letter needs to be in some sort of Slavic language :cry:
  2. The Slovak court still would be the only venue
And by the way, my initial reading of the term of agreement came from this link (IE only) today. Other browsers need to download smart installer...
 

Ok, your eyes are better than mine. :) The information about the jurisdiction was a hot topic at Wilders a year or so ago but ended up being heavily moderated.

The Information may contain data (including personal data) about the Licensee and/or other users of the computer on which the Software is installed,
As you see, I elected to bold different words. Including the words may contain is not saying the information will contain. In my opinion, it's a basic CYA statement. Computer names and IP addresses are frequently included in logs I review. Both could be construed personal data about the users of the computer.

As to the language, no, I would not expect that if I were to send a letter to the ESET Chief Legal Officer that it would need to be in Slovak or Hungarian. Why someone using the online scanner would need to send such a letter is another question.

Although I cannot imagine what legal proceedings you would anticipate based on using an antivirus vendor's on-line scanner. However, re-read "12. Dispute Resolution."
 

Neither does it say that it will not include personal data....

At least HitPro, while it is an Internet based service, does state clearly what it will transfer. Quote from the HitPro term of agreement...

4. Internet-based Services

SurfRight provides Internet-based Services with the Software. It may change or cancel them at any time.
a. Consent for Internet-Based Services: The Software feature described below connects to SurfRight or service provider computer systems over the Internet. In some cases, you will not receive a separate notice when they connect. By using this feature, you consent to the transmission of this information. SurfRight does not use the information to identify or contact you.
i. Computer Information: The following feature uses Internet protocols, which send to the appropriate systems computer information, such as your Internet protocol address, the type of operating system, browser and name and version of the security software you are using on the device where you installed the Software. SurfRight uses this information to make the Internet-based service available to you.
● Malicious Software Removal: When the Software checks your device for Malware, information to identify Malware could be sent to the SurfRight Services. No information included in these reports will be used to identify or contact you.
I prefer tools that do not call home, such as the Sysinternals Suite, MalwareBytes, etc., and perform their function on the local PC. No, I am not posting term of agreement language for these... :shock:
 