
Infection with tenga.a virus


Multibooter


The fact that he's running XP-SP2 with no additional updates or patches isn't what I'd call smart... I still say that win-98 was "hit" by this Tenga only because the system is occasionally booted with a horribly-vulnerable version of XP.
I beg to disagree. My feeling is that by updating with new patches I mainly update spyware and spyware-vulnerabilities to the newest state. My feeling is that not just a search engine, but many big corporations cooperate with the NSA. I view infections with NSA-induced spyware as dangerous, and infections with a virus like Tenga as an entertaining nuisance.

I am just choosing between the lesser of two evils, and am fully aware of the risks, which I try to reduce by very intensive backups, by using ex-Soviet malware detectors, by having the WLAN-card removed when using WinXP, by using WinXP as little as possible and by installing a minimum of closed-source US-software created after 11-Sept-2001.

So the system would be vulnerable to Tenga if it had a live (and non-nat'd) internet connection
The router always had NAT on. Tiny Personal Firewall v2.0.14 is always on under Win98 and WinXP and did not report any calling out.

I have checked the still-infected 1TB USB HDD, Tenga.a seems to be a very efficient little program: Tenga infected on one partition 5329 .exe files on the USB HDD on Feb-28 between 9:04 PM and 9:07 PM, i.e. about 1700 files per minute, with my old 700MHz laptop.

On the infected internal HDD, now disinfected, I have found on C:\ a file DL.exe with the modification date of Mar-1 9:18AM. It was not an exe file, just a renamed ASCII file with the following content:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://utenti.multimania.it/vx9/dl.exe">here</a>.</p>
</body></html>

The URL in my DL.exe differs from the URL listed in http://quickheal.co.in/alerts/archives/alerts-tenga-a.asp

[http://]utenti.lycos.it/[REMOVED]/dl.exe

[http://]utenti.lycos.it/[REMOVED]/CBACK.EXE

[http://]utenti.lycos.it/[REMOVED]/GAELICUM.EXE

When I tried to manually download dl.exe from multimania.it, I got a 404; multimania.it had the page title "Lycos Tripod".

I did not find cback.exe or gaelicum.exe on the formerly infected HDD. Maybe Tenga was unable to execute all its work on my laptop.

Here another observation: Just around the time the USB HDD was infected, I was in Win98 and then tried to boot into WinXP, but somehow couldn't, or WinXP didn't come up properly, I don't remember anymore. In any case, I modified boot.ini, and after the 2nd or 3rd attempt WinXP came up Ok again, no idea why. During my attempts to boot into WinXP I most likely had the infected USB HDD connected (but the old BIOS of my laptop does not see USB devices connected at boot time).

Most likely Tenga had started under Win98 and had then infected, under Win98, some critical system files on the FAT32 WinXP partition, so that WinXP had trouble starting up.

On my laptop the various operating systems have common access to standalone programs, i.e. there is a single instance of standalone programs, which are accessed under the various operating systems by creating a desktop shortcut there. For example, I am using uptime.exe. I run it under Win98 and under WinXP via a desktop shortcut to C:\MiscUtil\uptime.exe. So if C:\MiscUtil\uptime.exe is infected, the infection will spread to other operating systems whenever I click on the shortcut to Uptime under that operating system. The original idea was to avoid duplicate copies of standalone programs, but this may actually be an unsafe practice in a multibooting environment.

One of my interests in this topic is to explore "How to prevent cross-operating system infections in a multibooting environment". A virus which could encrypt modern HDDs, similar to ancient One-Half http://www.csie.ntu.edu.tw/~wcchen/asm98/asm/proj/b85506050/ORIGIN/ONEHAL~1.HTM , which I mentioned in the introduction to this topic, could be just as much of a nuisance as Tenga. BTW, it would be interesting to know whether ancient One-Half can infect modern 1TB HDDs.

It would have taken user-assistance to execute Tenga on a Win-98 system, by way of running a file that was already infected.
This is also what I suspect, that I must have double-clicked on an infected file. But this is absolutely against my practices, to which I strictly adhere: I ALWAYS check downloads or stuff from my archive with Kaspersky before running it, and Kaspersky does detect Tenga. It is still a puzzle how I got this virus, under which operating system Tenga started and how it spread from one operating system to the next.
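The DL.exe found on C:\ is not a program at all but the body of an HTTP 301 response: whatever fetched the download URL stored the redirect page under the .exe name instead of following the redirect, which is why the file is ASCII and why the 404 on the target came later. A small check that tells a genuine PE image apart from such a saved redirect/error page and pulls out the redirect target, added here as an example (not code from the thread or from any of the cited write-ups): the HTML sample is the DL.exe body quoted in the post, the PE sample is constructed, and the function names are my own.

```python
"""Classify a file that claims to be an .exe: real PE image, HTTP redirect
page saved by a naive downloader, some other HTML, or unknown.

Added example, not code from the thread.  DL_EXE_BODY is the 301 page the
poster found inside C:\\DL.exe; build_min_pe() constructs a minimal MZ/PE
header so the magic check has something real to match.
"""
import re
from html.parser import HTMLParser

# Sample 1: the redirect page stored as DL.exe (quoted from the post).
DL_EXE_BODY = b"""<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://utenti.multimania.it/vx9/dl.exe">here</a>.</p>
</body></html>
"""


def build_min_pe() -> bytes:
    """Sample 2 (constructed): 'MZ' at 0, e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every <a href> in the document."""

    def __init__(self):
        super().__init__()
        self.title_parts, self.hrefs, self._in_title = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def is_pe(data: bytes) -> bool:
    """Proper PE check: MZ magic plus a 'PE\\0\\0' signature at e_lfanew,
    not just the file extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(data: bytes):
    """Return (kind, redirect_target); kind is 'pe', 'http-redirect-page',
    'html' or 'unknown'.  redirect_target is set only for redirect pages."""
    if is_pe(data):
        return ("pe", None)
    head = data[:512].lstrip().lower()
    if not (head.startswith(b"<!doctype") or head.startswith(b"<html")):
        return ("unknown", None)
    p = _LinkCollector()
    p.feed(data.decode("latin-1"))  # latin-1 never fails on arbitrary bytes
    title = "".join(p.title_parts).strip()
    if re.match(r"^30[1278]\b", title) or "moved" in title.lower():
        return ("http-redirect-page", p.hrefs[0] if p.hrefs else None)
    return ("html", None)


if __name__ == "__main__":
    print(classify_download(DL_EXE_BODY))
    print(classify_download(build_min_pe()))
```

The useful part for an incident like this one is the extracted target: it gives the second-stage URL the downloader was actually pointed at, which is what you compare against the vendor write-ups (here it differs from the lycos.it URLs Quick Heal lists).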


I beg to disagree. My feeling is that by updating with new patches I mainly update spyware and spyware-vulnerabilities to the newest state. My feeling is that not just a search engine, but many big corporations cooperate with the NSA. I view infections with NSA-induced spyware as dangerous, and infections with a virus like Tenga as an entertaining nuisance.

Do I smell some good ol' conspiracy theory? :unsure:

There may be "good" and "bad" companies:

http://yro.slashdot.org/article.pl?sid=07/07/18/1434229

http://yro.slashdot.org/article.pl?sid=07/07/17/199223&tid=158

http://news.cnet.com/Will-security-firms-detect-police-spyware/2100-7348_3-6197020.html

http://news.cnet.com/Security-firms-on-police-spyware,-in-their-own-words/2100-7348_3-6196990.html

jaclaz


Do I smell some good ol' conspiracy theory? :unsure:
http://www.mondoraro.org/2010/03/03/google-irani-il-motore-di-ricerca-targato-regime/

Maybe the Iranian and Chinese governments are not only for censorship, but also want to stop Poodle's data gathering. Paranoid concerns with national sovereignty, seeing data-gathering arms of the NFA everywhere? :D

BTW, http://news.cnet.com/Security-firms-on-police-spyware is 404

Although I don't think it's likely, I have also been considering whether the Tenga infection was a targeted installation. ISPs seem to be able to access connected computers with relative ease, I assume a connected computer is just a client in the ISP's network. I am not sure how much Win98 protects against a snooping ISP.


Sure it is. :(

The makers of the Board software expressly made their parser for posted URLs in such a way as to break them at commas, in order to prevent users from reading pages like:

hxxp://news.cnet.com/Security-firms-on-police-spyware,-in-their-own-words/2100-7348_3-6196990.html

(or maybe it was FBI or NSA forcing CNET to use these malformed URLs? :unsure:)

Let's see if they got to TinyUrl too:

http://tinyurl.com/cnc3d3

Good :), they missed it. ;)

jaclaz


Maybe the Iranian and Chinese governments are not only for censorship, but also want to stop Poodle's data gathering.
Huh, what a typo :D , I surely didn't want to allude to Mao's "the imperialists and their running dogs" http://www.marxists.org/reference/archive/mao/works/red-book/ch05.htm. I just came by chance across this news from the bbc: "Google provided US intelligence agencies with a record of its search engine results, the state-run news agency Xinhua said." http://news.bbc.co.uk/2/hi/business/8581393.stm

"On Sunday, state media in China attacked Google for what they described as the company's "intricate ties" with the US government." http://news.bbc.co.uk/2/hi/asia-pacific/8582233.stm


...and how it spread from one operating system to the next.

This is the easiest part of the puzzle: tenga is a real, classic virus; it searches for all executables on the computer and copies itself into them. It infected files that were related to the other versions of Windows on the same machine; they were executables, so it infected them.

It's also no mystery why it didn't infect the NTFS partition: the initial mass spreading occurred when you were booted into Win98, and Win98 had no way to interact with the NTFS partition as a file system.

What could be a mystery is if you successfully booted into an infected WinNT environment, why the NTFS partition wasn't infected then. The virus may only search for executables to infect under certain circumstances which failed to occur.

---

As for how you were infected initially: you could have downloaded and run a program that wasn't detected as malicious by your anti-virus, which then downloaded a tenga-infected executable and ran it. Just a possibility, but I am inclined to think the wound was self-inflicted (as in, you ran a program that led to the infection), due to how tenga spreads (over a network) and how you handle WinXP (in regards to the internet).

---

As for the conspiracy theories, namely about ISPs, unless you have Windows configured poorly, they would have no more power to force files onto your computer than any random person on the internet.

You are welcome to conspiracy theories, though I think you're just shooting yourself in the foot. But that's what freedom's about: you can shoot yourself in the foot if you want to, and I can think that you shouldn't if I want to.

And, thank you for sharing your experience with us, it's always encouraging to hear when people's backup schemes DO prove worth it, and what you went through.

Queue

P.S. - I bleeping hate the new forum style, particularly when using it from IE6.


Note by dencorso: The contents of this post have been lost. The two snippets of text below are all we have left at the moment, from its original content.

[...]I am using Firefox v2.0.0.20 and Opera v9.64... If you turn off Java + JavaScript, msfn.org comes up really fast, without ads, though I am not sure whether you can post when they are off.[...]

[...]Are there any files created by Windows which contain lists of recently accessed files? It might be useful to delete such files, for preventing the spread of potential infections with other malware. I would doubt that Tenga can search the registry or index.dat.[...]


Are there any files created by Windows which contain lists of recently accessed files? It might be useful to delete such files, for preventing the spread of potential infections with other malware. I would doubt that Tenga can search the registry or index.dat.

You cannot say.

MRU is in Registry.

NTFS normally updates last accessed time in the filesystem.

Use this - in case you feel dangerously exposed ;):

http://www.nirsoft.net/utils/clean_after_me.html

jaclaz


Tenga spreads between systems by exploiting the RPC vulnerability described by MS03-026. Interestingly, Microsoft lists various NT-based OS's as being vulnerable, but only lists Windows ME as non-vulnerable. Microsoft says nothing about Windows 98 (even though this bulletin is dated July 2003). So Windows 98 is not vulnerable to the worm-like method this virus uses to spread between systems.
Here is Panda's opinion:

"Affected platforms: Windows XP/2000/NT/ME/98/95 [NOTE: WinME is specifically included here!]

First detected on: July 14, 2005"

"Tenga.A shows a very complex infection routine, which it uses in order to infect all the executable files on the computer, excepting NTOSKRNL.EXE. It is even capable of infecting files belonging to the operating system, as it disables the characteristic known as Windows File Protection.

Tenga.A spreads by attacking IP addresses, in which it tries to exploit the vulnerability RPC DCOM. Additionally, as Tenga.A infects files, it could also reach computers when the infected files are distributed through any of the typical means of transmission, which include, among others, floppy disks, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer file sharing programs (P2P), etc."

http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=82383&sind=0&sitepanda=particulares

Tenga.a seems indeed an interesting little program, but I haven't found info yet on how exactly it picks the files to be infected. Panda is wrong here because Tenga did not infect all the .exe files on my computer, only some of them.

P.S.: excellent info here on how Tenga infects files (the best I found so far):

http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A

Also, panda updated their info page about Tenga.a yesterday, so this virus seems to be still of current interest.


Tenga.a seems indeed an interesting little program, but I haven't found info yet on how exactly it picks the files to be infected. Panda is wrong here because Tenga did not infect all the .exe files on my computer, only some of them.

Maybe it had not enough time, it may well have a "list of priorities" and only infect a few files per session, for all we know. ;)

jaclaz


Here's some noteworthy info from the selfsame links Multibooter posted on the 1st post.

From the viruslist entry "Virus.Win32.Tenga.a":

Technical details

Tenga infects PE exe files. The virus can also act as a Network-Worm on machines with an unpatched DCOM RPC vulnerability. Microsoft Security Bulletin MS03-026 details the vulnerability. After launch, Tenga checks if the domain vx9.users.freebsd is available and attempts to download Trojan-Downloader.Win32.Small.bdc from hxxp://**nt*.lycos.it/v**/dl.exe. Tenga is a classic appending virus that increases the size of infected files by 3 KB.

From the f-secure docs on Tenga.A:

The virus uses CRC matching to search for the required APIs it needs to do its malicious tasks. It avoids infecting ntoskrnl.exe and marks each infected executable file with the character `V´ in the old DOS stub header. The marking of the infected files prevents re-infection attempts. Tenga.A also elevates its privileges and disables Windows File Protection.

IMO, by comparing an uninfected file with the same file after infection, using BeyondCompare Hex comparison without alignment, one ought to find the exact offset in the DOS stub where it places the ASCII "V", and if that's a constant offset, use it to quickly determine which files are infected.


Maybe it had not enough time, it may well have a "list of priorities" and only infect a few files per session, for all we know. ;)
My estimate somewhere above was that Tenga infects about 1.700 .exe files per minute. Panda writes: "Due to that technique, Tenga.A achieves a large number of infections in a very small time without users noticing".

http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A

I had noticed the infection by the unusual blinking of the disk activity light. If I remember right I even pulled the plug of the computer to stop this unusual disk activity, instead of shutting down. This also shows the advantage of a laptop over a desktop: a desktop is usually under the desk and one doesn't look at the disk activity light very often, while with a laptop the disk activity light is perfectly visible.

This blinking disk activity light may have contributed to Tenga not being able to complete its destructive path on my 1TB USB HDD. A less sophisticated user, with no good back up and with no 2nd computer, probably might just as well have thrown his infected computer against the wall. Tenga is really a mean little thing, eventually I re-use the infected internal HDD, but only after a complete wipe.

Also, as I noted somewhere above, huge .exe files don't seem to get infected by Tenga.


Tenga is really a mean little thing, eventually I re-use the infected internal HDD, but only after a complete wipe.

Since I know you have it, I strongly recommend GDISK (under DOS) for this task. It's not fast, but it is thorough.


comparing an uninfected file with the same file after infection...
Hi dencorso,

Once I knew that I had a Tenga infection, it was very easy to identify the thousands of infected .exe files, just by searching with Find for all .exe files with a very recent modification date, e.g. between Feb-28 and Mar-3. Unfortunately when Kaspersky finds a Tenga-infected file, Kaspersky sets the modification date of the infected file to the current date, even if I select to "Skip" the infected file. Any .exe file on the USB HDD with a modification date of Feb-28 and later is most likely Tenga-infected.

The difficulty with Tenga is not that it is hard to find, but that it can infect so many .exe files so fast. If a responsible member of this forum wants to analyze Tenga in a controlled environment, send me a PM. This virus with its 3,666 bytes does look interesting, I've been wading in dark waters for a long time, and this was the first time I got hit since Jan-2004, when I got Trojan.Win32.Spooner.c (sp.exe).

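Two posts above suggest complementary ways of spotting infected files: dencorso's idea of hex-comparing a clean and an infected copy to find where the `V´ marker lands in the DOS stub and then checking that offset everywhere, and Multibooter's quicker triage by modification date, which he notes becomes unreliable once Kaspersky has rewritten the mtime of files it merely skipped. The example below, added here and not code from the thread or from any vendor write-up, does both: it discovers the marker offset from a clean/infected pair rather than assuming one, reports the size growth (the thread gives 3,666 bytes), and then triages a file list with the marker as the strong signal and the mtime window as the weak one. Everything in it is constructed: a toy PE image, an "infected" copy that only reproduces the two artefacts described in the F-Secure and viruslist entries (a stub byte set to `V´ and a virus-sized blob appended; it is not the virus), the 0x4E demo offset, the dates, and the file paths.

```python
"""Find Tenga's per-file infection marker from a clean/infected pair, then use
it (not the modification date) to triage executables.

Added example, not the thread's code.  Everything here is constructed: a toy
PE image, an "infected" copy that only reproduces the two artefacts described
in the write-ups (a 'V' written into the DOS stub, ~3.6 KB appended), and the
file list fed to triage().  The marker offset is discovered, not assumed.
"""
from datetime import datetime

TENGA_APPEND_LEN = 3666  # size given for the virus body in the thread
MARKER = b"V"


def e_lfanew(data: bytes) -> int:
    """Offset of the PE signature; everything before it is the DOS header/stub."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    off = int.from_bytes(data[0x3C:0x40], "little")
    if data[off:off + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    return off


def build_toy_pe(stub_len: int = 0x80) -> bytes:
    """Constructed minimal image: MZ header, DOS stub, 'PE\\0\\0', padding."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40 + stub_len).to_bytes(4, "little")
    stub = b"This program cannot be run in DOS mode.\r\n$".ljust(stub_len, b"\x00")
    return bytes(hdr) + stub + b"PE\x00\x00" + b"\x00" * 0x100


def fake_infect(clean: bytes, marker_off: int) -> bytes:
    """Stand-in for an infected copy (NOT the virus): set the stub flag byte and
    append a virus-sized blob, the two artefacts the write-ups describe."""
    body = bytearray(clean)
    body[marker_off] = MARKER[0]
    return bytes(body) + b"\xcc" * TENGA_APPEND_LEN


def find_stub_marker(clean: bytes, infected: bytes):
    """Hex-compare the DOS stub region of a clean/infected pair (no alignment,
    as dencorso proposed).  Returns (differing stub offsets, growth in bytes)."""
    stub_end = min(e_lfanew(clean), len(infected))
    diffs = [i for i in range(stub_end) if clean[i] != infected[i]]
    return diffs, len(infected) - len(clean)


def marker_hit(data: bytes, marker_off: int) -> bool:
    """True if the file is a PE and carries the marker byte inside its DOS stub."""
    try:
        return marker_off < e_lfanew(data) and data[marker_off] == MARKER[0]
    except (ValueError, IndexError):
        return False


def triage(files, marker_off, window):
    """files: iterable of (path, mtime, data).  Returns {path: set(reasons)}.
    'mtime-in-window' is weak evidence (an AV scan can rewrite mtime, as the
    thread notes); 'stub-marker' is the strong one."""
    lo, hi = window
    hits = {}
    for path, mtime, data in files:
        reasons = set()
        if path.lower().endswith(".exe") and lo <= mtime <= hi:
            reasons.add("mtime-in-window")
        if marker_hit(data, marker_off):
            reasons.add("stub-marker")
        if reasons:
            hits[path] = reasons
    return hits


def demo():
    """Run the whole procedure on constructed data."""
    clean = build_toy_pe()
    infected = fake_infect(clean, 0x4E)  # 0x4E: arbitrary stub offset for the demo
    offsets, growth = find_stub_marker(clean, infected)
    marker_off = offsets[0]
    window = (datetime(2010, 2, 28), datetime(2010, 3, 3, 23, 59))  # constructed
    files = [
        ("C:\\MiscUtil\\uptime.exe", datetime(2010, 2, 28, 21, 5), infected),
        ("C:\\MiscUtil\\old.exe", datetime(2009, 11, 2, 8, 0), clean),
        ("C:\\Tools\\rescanned.exe", datetime(2010, 3, 2, 10, 0), clean),  # mtime bumped by AV
        ("C:\\readme.txt", datetime(2010, 3, 1, 9, 18), b"plain text"),
    ]
    return offsets, growth, triage(files, marker_off, window)


if __name__ == "__main__":
    print(demo())
```

On a real pair, find_stub_marker() may return more than one offset (the infector may touch other stub bytes); take the one holding 0x56 ('V') in the infected copy as the marker, and treat the growth figure as a second, independent check before trusting the offset across thousands of files.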

Use this - in case you feel dangerously exposed ;): http://www.nirsoft.net/utils/clean_after_me.html
Doesn't seem to be for Win98.

An interesting question may be: How does Tenga identify the next file to be infected? Panda states:

"It creates another thread to search for executable files to infect. It looks in all the system drives, excepting A:, which is usually the floppy drive." http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A

Tenga in any case also found the removable USB HDD and did its work there. The infection of the USB HDD took place most likely under WinXP, not under Win98, since I do file copying etc with the external 1TB USB HDD usually under WinXP, not under Win98. So most likely the infection had the following chronology:

infection of Win98 -> infection of WinXP -> infection of USB HDD attached under WinXP

It would be interesting to know whether Tenga could have infected an attached USB HDD directly under Win98. Also, whether the infection of the USB HDD would have occurred under Win98 with a manufacturer-provided USB 2.0 driver (I am using nusb 3.3 under Win98).

P.S.: Here is another story of somebody's Vista 64-bit getting hit by Tenga:

http://www.bleepingcomputer.com/forums/topic172167.html

This person wound up with 3871 infected .exe files

