Infection with tenga.a virus


Multibooter

About 3 weeks ago my laptop got the worst virus infection ever, with the tenga.a virus (http://forum.kaspersky.com/lofiversion/index.php/t7172.html and http://www.f-secure.com/v-descs/tenga_a.shtml). It was much worse than the infection I had 14 years ago with One-Half, which slowly but steadily encrypted cylinders of my HDD.

The tenga.a infection has shattered my mistaken belief that Win98 is not vulnerable to infection anymore, in 2010. Tenga.a came out around 2005 (http://www.viruslist.com/en/weblog/167434325/Classical_viruses_ITW_never_say_die).

Tenga.a infects most .exe files it can find. It has infected all FAT32-based Win98/2k/XP operating systems on my multi-booting laptop. Only one operating system/partition, an NTFS-WinXP rarely accessed, was not infected. The most serious damage was the infection of one 192GB partition of an external 1TB USB HDD, which contained about 100GB of software downloads + installable programs, many not backed up because it was a work disk.

I became aware of the tenga.a infection maybe after 5 hours, when I noticed that the disk access light kept showing activity, even when I was doing nothing on the laptop. But then it was too late, the infection had spread across operating systems/partitions, also to the attached USB HDD.

I still have no idea how I got the virus, with maybe a thousand .exe files infected. Maybe it was my bad habit of double-clicking even on suspicious files in a special test Windows, and then restoring a clean test Windows. Double-clicking on an infected file may have initiated the infection of a .exe on another partition, of another operating system, and started in this way an infection across operating systems.

Getting the laptop clean again was relatively easy; I had to restore all partitions/operating systems/directories from backup onto a clean virgin HDD. The major problem was to recover the infected installation sources on the USB HDD; some of them may have been lost for good.

Here are some lessons I learnt from this infection:

1) Virus infection is still a real danger under Windows 98.

2) The only defense against viruses like Tenga.a, if using only occasional on-demand scanning, is a very good backup and recovery procedure.

3) Don't rely on USB HDDs as a backup storage medium for software, because of their vulnerability to virus infections.

4) Backing up installation sources onto write-once media (CD-R, DVD-R) is still an absolute must.

5) Installation sources should always be backed up also into an additional .rar or .iso file, which are not as easily infected as .exe files.

6) It is very important to document the actual download locations of software, in case it has to be downloaded again.

7) About 10% of my time with the computer is spent creating, archiving and deleting backups. This is time well spent and has saved my neck already a couple of times.

8) A spare blank HDD, of the same size as in the computer, also comes in very handy if a complete HDD has to be restored from backup.

9) Maybe I should look again into UDF-formatted HDDs, as supplementary backup devices which can be set to read-only and are therefore not vulnerable to virus infection.


I'm sorry to hear of your system's infection. And glad to see you were able to recover fast.

I agree with most of the preventive measures you've just spelled out.

I wish to add just two or three more measures to the list:

I) Full-disk dumb sector-by-sector current images of the current installation burnt to read-only optical media

(I use multi DVD+R DL images, and intend to move on to Blu-Ray soon), not older than two or three months, six in the worst case. Or that plus monthly dumb sector-by-sector current images of every partition, where feasible.

II) Up-to-date virus scanner on the XP partition, performing a daily scan of all the partitions (I use AVG 9).

and, if possible

III) A completely independent machine, with its installation backed up on optical media to use as a sandbox.

(I still don't have one, but that's my next move).


glad to see you were able to recover fast.
Getting all operating systems back to work as before took about 5 hours, from a 4-week-old backup. I am away from the US currently, so I will be able to know for sure whether I lost data on the 1 TB USB HDD when I am back in the US in June. I may have made a backup of the 192GB work partition there, before my trip, but I am not sure; I usually make backups before leaving/entering the US, there are horror stories about confiscated laptops etc.
I wish to add just two or three more measures to the list:

I) Full-disk dumb sector-by-sector current images of the current installation burnt to read-only optical media

(I use multi DVD+R DL images, and intend to move on to Blu-Ray soon), not older than two or three months, six in the worst case. Or that plus monthly dumb sector-by-sector current images of every partition, where feasible.

Yes, a forensic .gho image would be excellent, but storing it onto a USB HDD might be good enough, viruses probably don't infect .gho image files on re-writable media. The tenga.a virus did not infect .iso, .rar, only executable 32-bit .exe files. I have a good .gho image of my desktop in the US, but unfortunately not of my old Inspiron laptop, which got infected, so restoring the internal HDD took quite some time. Creating a .gho image of the recovered laptop is on the top of my list now.
II) Up-to-date virus scanner on the XP partition, performing a daily scan of all the partitions (I use AVG 9).
I have up-to-date Kaspersky AVP v6.0.2.621 under both Win98 and WinXP, but I only scan new downloads. The infection happened very quickly, maybe 5 hours before I noticed it and ran Kaspersky, so a daily scan might not have been timely enough. Also, it was a 5-year-old virus, so a current virus signature update was not needed to detect tenga.a. I just don't know how I got tenga.a, and I suspect that only a continuously running virus scanner could have prevented the infection.

Kaspersky is actually able to disinfect tenga-infected files. Unfortunately, the disinfected files are not identical to the original files. Some .exe files are completely destroyed by tenga, e.g. reduced from 2MB to 30kB, so the disinfected file is of no use. Other disinfected .exe files/archives differ from the original .exe, but extract the identical files as the original .exe.

III) A completely independent machine.
Yes. I had a 2nd identical Inspiron laptop with me, but only with a HDD which had older software on it, of about 2 years ago. I recovered the infected laptop with the help of this 2nd laptop: I partitioned a blank HDD in a USB enclosure connected to laptop #2, inserted the freshly partitioned HDD into laptop #1, installed DOS from a boot floppy, put the HDD back into the USB enclosure, extracted .rar partition backups (from the infected USB HDD, but the .rars were not infected!) onto the HDD, put the HDD back into laptop #1, and re-installed System Commander (from a CD burnt on laptop #2 from a .iso on the infected USB HDD!). Without the 2nd laptop, recovery of laptop #1 would have been much more difficult.

Guest wsxedcrfv

Here are some lessons I learnt from this infection:

1) Virus infection is still a real danger under Windows 98

You didn't say which OS was in use at the time of the infection, so unless you know that it was Win-98 then I don't think it's valid to say that win-98 is in "real danger" (practically speaking) from unassisted infection techniques.

You didn't say if you have an AV solution on the PC in question, nor what you used to identify the malware once you suspected something was wrong.

Did you make note of the time and date-stamp of the offending infector files? I would have submitted them to VirusTotal and posted the result URL here for us to see just which AV packages would have detected it.

If you made note of the time and date stamp of the offending files, then it would be a matter of simply searching the drive for any files created/modified around the same time to see what you were doing around the time of initial infection.

Just to add some additional information: Tenga spreads between systems by exploiting the RPC vulnerability described by MS03-026. Interestingly, Microsoft lists various NT-based OS's as being vulnerable, but only lists Windows ME as non-vulnerable. Microsoft says nothing about Windows 98 (even though this bulletin is dated July 2003).

So Windows 98 is not vulnerable to the worm-like method this virus uses to spread between systems. Either you intentionally ran the infector file by mistake, or your PC was running an NT-based OS that was not patched against MS03-026 (which would mean that you were infected via network connection, possibly from another machine on your own local lan, or from a non-firewalled WAN connection).

From what I read about Tenga, it only infects PE files (packed executable) and adds 3kb of additional code to the files. It should be relatively easy to remove those 3kb and restore the files to their pre-infection state. I've also read where it renames all .doc files to .scr.

Edited by wsxedcrfv

I'm sorry to hear that you got hit but I am relieved to hear that you've realized that 98 is still vulnerable and not immune to attack. A good backup system for both system and data should be part of any system protection against both infection and hardware failure. That said, neither is any help against malware that steals passwords or logs keystrokes. The other problem with relying on backups is knowing when you're infected. Even on 98, malware is not always visible in process monitors. The only sure solution is default-deny and knowing every process that's allowed on your main system, and installing new software on a separate test system first. It's a bit of a hassle, but much less so than cleaning up after an infection.


You didn't say which OS was in use at the time of the infection, so unless you know that it was Win-98 then I don't think it's valid to say that win-98 is in "real danger" (practically speaking) from unassisted infection techniques.
I just don't know under which operating system I got infected. I am switching quite frequently between operating systems, but 90% of the time I am using Win98, 10% WinXP. I can definitely exclude that I got the tenga virus via a network under WinXP, since I am currently outside of the US and have changed IP settings, passwords, etc. only under Win98, not under WinXP; I currently have no network/internet access under WinXP. I have not installed any new software under WinXP since I made the last clean backup and in general don't test-install software under WinXP, only under a special test-Win98. So everything points in the direction of Win98 as the first infected operating system.

Also, a 2nd WinXP on an NTFS partition did not get infected at all, which is kind of a puzzle, maybe because I use this specific operating system selection only very rarely, or because the infection started under Win98 and tenga.a could not see the NTFS partition under Win98, or because I detected the infection early on, before the infected WinXP on the FAT32 partition could infect the not-yet infected WinXP on the NTFS partition.

This tenga.a seems to be an interesting little program. If you want to investigate whether or how Tenga.a infects under Win98, send me a PM, I have enough copies. :)

You didn't say if you have an AV solution on the PC in question, nor what you used to identify the malware once you suspected something was wrong.
I did have, and still have, Kaspersky AV v6 with a current signature on Win98. Tenga.a was specifically detected when I ran under Win98 an on-demand scan with Kaspersky of the whole computer (except for the WinXP on the NTFS partition, invisible under Win98).

Unfortunately I initially selected maybe the first 30 infected files to be deleted, instead of having them disinfected or skipping them, so the original culprit may have been deleted. After I became aware of the extent of the infection I selected disinfection, and after a while I just stopped. When I tried to reboot, none of my Win9x/Win2k/WinXP operating system selections worked anymore, too many critical .exe files had been deleted/disinfected; only the NTFS-based WinXP still worked.

I still have the infected internal HDD, now completely disinfected by Kaspersky, and the still-infected external USB HDD (1TB), where I did not let Kaspersky delete or disinfect files. It is very easy to know, without Kaspersky, which files on the external USB HDD are infected, by just looking at the modification date: all .exe files with a modification date between Feb-28 and Mar-3 on the USB HDD are infected with tenga.

Did you make note of the time and date-stamp of the offending infector files?
There must be more than a thousand infected .exe files on the infected internal HDD and on the infected USB HDD, so it's quite time consuming to find out which .exe file got infected first. What also complicates matters is that when Kaspersky AV identifies an instance of tenga.a, it changes the modification date of the infected .exe to the current date, even if I selected "skip".

It was very easy to identify with Beyond Compare which .exe files were infected, they all had modification dates between Feb-28 and Mar-3 (Mar-3 was the last time I ran Kaspersky on the infected internal HDD and the external USB HDD, Feb-28 was probably the date of infection). In order to repair the infected installation sources on the USB HDD I first made a copy of them, then replaced on the copy the infected .exe files, as identified with their modification date, with the corresponding .exes from other backups/rars/isos. For about 90% of the infected installation sources I had on the USB HDD also an untainted .rar file containing the whole good installation source rared up as a 2nd instance, so recreating a good installation source from the rars was not a problem. About 10% of the infected installation sources, where I had no 2nd .rar instance, I had to download again from the Internet. This was relatively fast with FlashGet because I usually document the exact download URL (not just the html download page) of downloaded files. Maybe 10 installation sources, however, did not exist anymore under their original download URL, including software purchased from Digital River, and were lost for good, unless I can find backups when I am back in the US.

BTW, I was very careful and did not get re-infected when I worked with the clean restored internal HDD on the attached infected USB HDD and on the infected internal HDD inserted into the right-bay HDD module of my laptop.

I would have submitted them to virus total and post the result URL here for us to see just which AV packages would have detected it.
Since tenga.a is an old virus, I would assume that all AV packages detect it.
Tenga spreads between systems by exploiting the RPC vulnerability described by MS03-026. Interestingly, Microsoft lists various NT-based OS's as being vulnerable, but only lists Windows ME as non-vulnerable. Microsoft says nothing about Windows 98 (even though this bulletin is dated July 2003).
When was Tenga detected for the first time? In 2003 or in 2005?
So Windows 98 is not vulnerable to the worm-like method this virus uses to spread between systems. Either you intentionally ran the infector file by mistake, or your PC was running an NT-based OS that was not patched against MS03-026 (which would mean that you were infected via network connection, possibly from another machine on your own local lan, or from a non-firewalled WAN connection).
I don't know. I usually only double-click on an unknown file after having checked it with Kaspersky, and only in a test-win98 which then gets wiped out + restored from a clean backup. I never use any MS patches, my gut feeling is that the cure is worse than the disease.

I remember having manually deleted a file dl.exe from \Win98\, possibly days before I noticed the tenga infection, because I hadn't seen it before in \Win98\. dl.exe is actually a part of tenga.a. Could it be that tenga.a contains a timer which starts to activate at the end of the month (Feb-28 = end of month), and that the actual infection occurred much earlier?

The infected laptop was connected via a peer-to-peer Win98 wireless network to another identical laptop running eMule under Win98. The eMule laptop was not infected, so the infection could not have come from the WLAN network or the eMule computer. I am using the Tiny Personal Firewall v2.0.14 on both laptops, and Tiny did not report any calling out from the infected laptop.

From what I read about Tenga, it only infects PE files (packed executable) and adds 3kb of additional code to the files. It should be relatively easy to remove those 3kb and restore the files to their pre-infection state. I've also read where it renames all .doc files to .scr.
I checked with Beyond Compare Hex Viewer, Tenga also makes minor changes in the initial part of the file. Kaspersky can disinfect a tenga-infected file, but the disinfected files always differed somewhere from the original uninfected files.

Usually the infected files were about 3kb bigger, with stuff mainly added at the end. Some infected .exe files, however, were really damaged (e.g. reduced from 2MB to 30kb), a few infected files were even a little smaller than the original uninfected file.

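The triage described in the post above (flag every .exe whose modification date falls in the Feb-28 to Mar-3 window, then check it against a copy from an untainted backup and replace it if the two differ) as an added Python example; this is not code from the thread or from any tool named in it. The directory layout, the fake PE stub, the 2010 timestamps and the 0x200-byte "initial part of the file" cut-off are constructed assumptions for the demo.

```python
"""Triage .exe files on a work disk against a clean backup tree (added example)."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed cut-off for "the initial part of the file": differences before this
# offset are reported separately from bytes appended at the end.
PE_HEADER_PROBE = 0x200


def find_suspect_exes(root: Path, start: datetime, end: datetime) -> list[Path]:
    """Return .exe files under root (as relative paths) whose mtime lies in [start, end]."""
    lo, hi = start.timestamp(), end.timestamp()
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() == ".exe" and lo <= p.stat().st_mtime <= hi:
            hits.append(p.relative_to(root))
    return sorted(hits)


def compare_with_clean(suspect: Path, clean: Path) -> dict:
    """Describe how the suspect file differs from its clean counterpart."""
    a, b = suspect.read_bytes(), clean.read_bytes()
    if a == b:
        return {"status": "identical", "size_delta": 0}
    common = min(len(a), len(b))
    first_diff = next((i for i in range(common) if a[i] != b[i]), common)
    return {
        "status": "modified",
        "size_delta": len(a) - len(b),
        "first_diff_offset": first_diff,
        # True only when the clean file survives intact as a prefix of the suspect
        "tail_only": first_diff == len(b) and len(a) > len(b),
        "header_changed": first_diff < PE_HEADER_PROBE,
    }


def triage(work_root: Path, clean_root: Path, start: datetime, end: datetime) -> dict:
    """Compare every in-window .exe on the work disk with the same path in the clean tree."""
    report = {}
    for rel in find_suspect_exes(work_root, start, end):
        clean = clean_root / rel
        if clean.is_file():
            report[rel.as_posix()] = compare_with_clean(work_root / rel, clean)
        else:
            report[rel.as_posix()] = {"status": "no_clean_copy"}
    return report


def build_demo_tree(base: Path, window_start: datetime) -> tuple[Path, Path]:
    """Construct a clean backup tree and a work tree holding one damaged copy."""
    clean, work = base / "clean", base / "work"
    stub = b"MZ" + bytes(0x3E) + b"PE\0\0" + bytes(range(256)) * 8  # constructed fake PE body
    for root in (clean, work):
        (root / "tool").mkdir(parents=True)
        (root / "tool" / "setup.exe").write_bytes(stub)   # unchanged in both trees
        (root / "tool" / "viewer.exe").write_bytes(stub)
    damaged = bytearray(stub)                 # work copy of viewer.exe:
    damaged[0x80:0x84] = b"\xDE\xAD\xBE\xEF"  # a few header bytes patched ...
    damaged += b"\x90" * 3072                 # ... and about 3 KB appended
    (work / "tool" / "viewer.exe").write_bytes(bytes(damaged))
    (work / "tool" / "orphan.exe").write_bytes(stub + b"\x90" * 3072)  # no backup copy exists
    (work / "tool" / "old.exe").write_bytes(stub)  # untouched since long before the window
    inside = window_start.timestamp() + 3600
    for name in ("setup.exe", "viewer.exe", "orphan.exe"):
        os.utime(work / "tool" / name, (inside, inside))
    before = window_start.timestamp() - 30 * 86400
    os.utime(work / "tool" / "old.exe", (before, before))
    return work, clean


def demo() -> dict:
    """Run the triage over the constructed trees with a 2010-02-28 .. 2010-03-03 window."""
    start = datetime(2010, 2, 28, tzinfo=timezone.utc)
    end = datetime(2010, 3, 3, 23, 59, 59, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        work, clean = build_demo_tree(Path(tmp), start)
        return triage(work, clean, start, end)


if __name__ == "__main__":
    for rel, info in demo().items():
        print(rel, info)
```

A file reported as "identical" can be kept; a "modified" one is replaced from the backup, and a "no_clean_copy" entry is the case the post describes as a fresh download from the documented URL.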

I am relieved to hear that you've realized that 98 is still vulnerable and not immune to attack.
Vulnerable to old viruses like Tenga, but Win98 has probably a very low vulnerability to new malware.

I am still puzzled on how I got this Tenga infection. It's quite unlikely that such an old virus still exists in the wild. The last WildList I have seen which mentions Tenga.a is of March 2007 (http://www.wildlist.org/WildList/200703.htm), with a stated date of Feb-2006.

I have been fiddling around during the past year with my old software archives, stuff from many years ago. Maybe I got the infection from old stuff in my archives, maybe some Jurassic-Park-type self-inflicted pain. Maybe I was not aware of the danger lurking in old software archives.

In any case this tenga infection shows that an old virus can still be a pain years later. I wonder whether Tenga runs under Vista/Win7. Because of its ability to infect USB HDDs and across operating systems it's still a very dangerous little program.

The only sure solution is default-deny and knowing every process that's allowed on your main system, and install new software on a separate test system first. It's a bit of a hassle, but much less so than cleaning up after an infection.
This will take a lot of time, and may be good on a system to which few new applications are added. My Win98 may eventually become such a system, but currently I am still installing a lot of new stuff under Win98.

I have budgeted about 5% of my time on the computer for virus-checking and virus-problems, so I view the Tenga infection just as an eventual use of previously budgeted time, and as an interesting intellectual exercise. The time lost getting the laptop back up again was not serious, in contrast to the time lost recovering data on the infected USB HDD.

I am not yet sure how my experience with Tenga will change my precautionary measures against future malware infections; maybe I'll just have to make more frequent backups of new, not-yet-processed downloads stored on my USB HDDs.

Edited by Multibooter

[far away offtopic]

Multibooter, since you have many SDHC cards, you might find interesting this SATA II SDHC RAID:

Sharkoon's Flexi-Drive S2S

[/far away offtopic]

@dencorso, [off topic]I had built myself a similar device a year and a half ago, as an "eMule download station", using a multi-card reader cum hub + 3 SDHC cards. I had used it for about 6 months, then rejected it, because eMule took about 10 minutes to start up and 10 minutes to shut down with it, my download list had between 1000-1500 files, my SDHC cards were just slow (fine during download, even at 200kB/s, but slow during startup and shut down of eMule). A 2nd HDD in the right-bay module of my laptop is much superior, also the regular internal HDD.[/off topic]

BTW, not that far away offtopic, since files damaged by tenga on the USB HDD were on such a device. In the back of my mind I have been pondering whether tenga may have been planted recently onto eMule, to destroy extracted downloads. Some people may have been loading eMule with malware, about 90% of the downloads are now infected, especially shareware stuff, maybe intentionally as a misguided defensive measure.


Guest wsxedcrfv

I'm sorry to hear that you got hit but I am relieved to hear that you've realized that 98 is still vulnerable and not immune to attack.

In this particular case, Windows 98 is/was immune to direct infection. Tenga leverages a fault in the RPC service to spread between systems. Win9x/me does not have any such service to exploit. There have been many RPC vulnerabilities discovered in the NT-based family of Windows over the past 10 years.

How exactly the original infector file got onto Multibooter's system is not clear, but there can be only two ways: (1) A desirable file was obtained by Multibooter from the internet (torrent, shareware, freeware, etc) and this file was already infected with Tenga. (2) Multibooter was running some NT-based OS on his system (win-2k or XP) - and the OS was not patched for this RPC exploit. The PC would have needed to be connected to the internet - but no web-browsing or any user-directed web-activity would have been required. The exploit would have penetrated the NT-OS and installed itself (perhaps in the autoexec, or the win.ini files of his win-98 system files). Multibooter claims that he doesn't use his XP-side for web-surfing, but he doesn't say if he disconnects the network cable from his PC while he's using XP.


Guest wsxedcrfv

I am still puzzled on how I got this Tenga infection. It's quite unlikely that such an old virus still exists in the wild.

If you had an Anti-virus application running during the acquisition and execution of this virus, then it should have been detected immediately during the initial acquisition / downloading of the infected file, or as the virus was active and writing itself to your existing .exe files.

Most antivirus programs (as far as I know) have the ability to intercept all instances of file-creation or file-opening events and automatically scan new files or files that are being opened by applications. This includes web-cached files, etc.

Is it possible that your system was booted into DOS, and you first ran the infected file from that OS - and not windows?

The initial infection event must have occurred soon after you acquired some new file or files or moved/copied some new file(s) to your PC - perhaps from external media (CD, floppy disk, etc) or from an internet download, or via lan connection to another local PC, or via RPC exploit while running XP. If you remember copying some files to your PC from an external source just prior to the infection starting, then you should perform an on-demand scan of that source.


If you had an Anti-virus application running during the acquisition and execution of this virus...
No, I only make occasional on-demand scans, I don't have a virus checker running all the time.
Is it possible that your system was booted into DOS, and you first ran the infected file from that OS - and not windows?
No, I had not booted into DOS around Feb-28.
The initial infection event must have occurred soon after you acquired some new file or files or moved/copied some new file(s) to your PC - perhaps from external media (CD, floppy disk, etc) or from an internet download, or via lan connection to another local PC, or via RPC exploit while running XP. If you remember copying some files to your PC from an external source just prior to the infection starting, then you should perform an on-demand scan of that source.
On Feb-28 I had moved downloaded files via WLAN under Win98 from the eMule laptop (it's a dedicated laptop running only eMule under Win98, WinXP is hardly ever used there) to the later infected laptop (Win98).

In this particular case, Windows 98 is/was immune to direct infection. Tenga leverages a fault in the RPC service to spread between systems. Win9x/me does not have any such service to exploit.
Win98 was not immune to infection. At Win98 startup 2 files infected with tenga were run via the Win98 registry. By infecting most .exe files, and thereby also by chance those which are run through the Win98 registry at startup, Tenga was active every time Win98 was loaded. I assume the same happened under WinXP and Win2k.
How exactly the original infector file got onto Multibooter's system is not clear, but there can be only two ways: (1) A desirable file was obtained by Multibooter from the internet (torrent, shareware, freeware, etc) and this file was already infected with Tenga.
Yes. It may also have come from my old software archive on CDs, DVD, HDDs on which I was working around that time. Maybe I had archived stuff years ago, at a time when Kaspersky didn't detect Tenga yet. Eventually I will find out. It may also have come out of some old infected email boxes, which I had tried to clean before archiving, around Feb-28, see my posting
(2) Multibooter was running some NT-based OS on his system (win-2k or XP) - and the OS was not patched for this RPC exploit. The PC would have needed to be connected to the internet - but no web-browsing or any user-directed web-activity would have been required. The exploit would have penetrated the NT-OS and installed itself (perhaps in the autoexec, or the win.ini files of his win-98 system files). Multibooter claims that he doesn't use his XP-side for web-surfing, but he doesn't say if he disconnects the network cable from his PC while he's using XP.
My WinXP is SP2, without any patches added. WinXP was definitely not connected to the Internet, nor was the infected laptop connected to the WLAN router via cable. I am currently away from the US, where most of my computer tools and resources are located, so I always eject the USB 2.0 WLAN card before running WinXP (my old laptop has no built-in WLAN card), to make sure that there is no Internet or network connection under WinXP which could infect WinXP.

The Tenga infection cannot have occurred earlier under WinXP in the US, where the laptop does have internet access under WinXP, because the system backup I made just before leaving was clean.

Edited by Multibooter

I've got two comments:

[ot]The Sharkoon's Flexi-Drive S2S is a true hardware RAID, so it's bound to be fast, if used with the right SDHC cards... I had those SanDisk Extreme III SDHC 16GiB, which are the so called 30 MB/s edition, and that under real world conditions really attain sequential reads of just over 20 MB/s... Under RAID0 that would be 6 times faster, bordering on the limits of the SATA I connection you'd have to use for 98SE to be able to recognize it. Then again, the MTBF would be about 500,000 h, i.e. 1/6 of that of the individual cards (>3,000,000 h, according to SanDisk).[/ot]

You should consider adding SP3 to your XP. I've been using it since about one month after release, and it's very stable and trouble-free.


Guest wsxedcrfv

You should consider adding SP3 to your XP. I've been using it since about one month after release, and it's very stable and trouble-free.

The fact that he's running XP-SP2 with no additional updates or patches isn't what I'd call smart. SP2 is dated to August 2004 - which predates this Tenga virus. So the system would be vulnerable to Tenga if it had a live (and non-nat'd) internet connection.

With regard to SP2, I've never understood what the difference is between an SP2 system that's been kept up-to date with all available patches vs an SP3 system in a similar update state. I'm under the impression that both systems would be equally patched or equally protected from all known exploits.

I still say that win-98 was "hit" by this Tenga only because the system is occasionally booted with a horribly-vulnerable version of XP. Any system that is single-booted only into Win-98 would not have been vulnerable to Tenga just by virtue of having a live internet connection. It would have taken user-assistance to execute Tenga on a Win-98 system, by way of running a file that was already infected.
