
Infection with tenga.a virus


Multibooter


IMO, by comparing an uninfected file with the same file after infection, using BeyondCompare Hex comparison without alignment, one ought to find the exact offset in the DOS stub where it places the ASCII "V", and if that's a constant offset, use it to quickly determine which files are infected.

Try reading Stanit instead of Tenga.A ;):

http://www.avira.com/en/threats/section/fulldetails/id_vir/2661/w32_stanit.html

W32/Stanit is a windows file infector that searches the computer for PE executable files. The search routine scans the hard drive recursively for .exe files. It appends its code at the end of the infected files, modifying the entry point in the file header in order to execute itself.

In order to prevent multiple infections of the same file, an infection marker is added to the modified files: the 50th byte in each infected file is modified to value 56 - ascii value "V".

@Multibooter

Sure, I thought that the problem was ONLY when you run XP.

I am pretty sure there are similar tools for W9x/Me.

jaclaz

Edited by jaclaz


an infection marker is added to the modified files: the 50th byte in each infected file is modified to value 56 - ascii value "V".
In my infected files the 51st, not the 50th, byte is modified to 56hex. 10 other bytes near the beginning are also modified, e.g. bytes 265-267, but with varying values. Since the URL in DL.exe which I have ("hxxp://utenti.multimania.it/vx9/dl.exe") also differs from the URL stated on all anti-virus sites, I assume that I've got an updated version of Tenga.

Tenga-infected .exe files are severely compromised. A good file, for example, install_flash_player_9.exe, was reduced from 1.502.808 bytes to just 68.808 bytes. I have a 4.4 GB DVD full of good installation source (recovered and from clean backup), and on the infected USB HDD still their Tenga-infected counterparts, exactly 527 good exes and 527 infected ones.

I don't know why Avira rates the damage potential of Tenga as "medium", Tenga is a real vicious one, once infected you can wipe your HDD. Avira also states that Tenga does not occur in the wild, which I would doubt. The old stuff I have been fiddling around with was pre-2002, so no chance that it contained Tenga, which came out in 2005.

http://www.avira.com/en/threats/section/fulldetails/id_vir/2661/w32_stanit.html

Here another observation: In posting #16 I wrote that just before I noticed the infection I had trouble booting into WinXP. This may be related to what is mentioned by Panda:

"It [Tenga] disables Windows File Protection, in order to be able to infect files belonging to the operating system. It does this by using an undocumented API function and injecting itself in the process winlogon.exe." http://www.pandasecurity.com/homeusers/security-info/82383/information/Tenga.A

Edited by Multibooter

The fact that he's running XP-SP2 with no additional updates or patches isn't what I'd call smart. SP2 is dated to August 2004 - which predates this Tenga virus. So the system would be vulnerable to Tenga if it had a live (and non-nat'd) internet connection.
Here is a report (in French) of somebody who got infected with Tenga under WinXP SP3 http://forum.malekal.com/infection-par-win32-stanit-t13162.html In posting #30 I had a link to a person with a Tenga infection under Vista 64-bit. I am not sure whether MS band-aids are of much use.

The report of the infection under WinXP SP3 made me a little concerned, the computer there was re-infected a month later. I still have the infected 1TB USB HDD connected to my laptop, with five or ten thousand little Tengas just waiting to jump at my laptop...


Infection by just visiting a website?

On the German webpage http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig-2.html somebody registered as Dracon123 on 30-Jan-2010, posted a link to a web page probably containing the Tenga virus (posting #12) and then disappeared into thin air. 90 minutes later the following warning was published in posting #13 there: "Do not click the link above under any circumstances, the id*** really did put a link to an infected file in here. You're looking at formatting and reinstalling." and 1 hour later the site administrator removed the link (posting #14).

There may be a good possibility that one can get somehow infected with Tenga by just visiting a web page, even under Win98. The postings on the German page also state that a continuously running virus scanner doesn't help much because Tenga infects faster than Kaspersky can disinfect, also: "in the 20 years that PCs have been getting on my nerves, this Tenga.a is by far the most brutal troublemaker that has ever crossed my path."

Maybe the best defense is a forensic backup. With my clean backup I had no re-infection (yet), on the German website they report re-infections and that they can't get rid of the virus, after a while it comes back. Maybe I should turn Java and JavaScript off for a while.


Probably it's a misunderstanding between "offset 50" and 50th (which of course is the 51st ordinal if offset 0 is called the 1st byte).

The "10 bytes" at offset 26x are the re-mapping of the .exe to point to the Virus executable code, obviously they are different, in the exact same manner as the original .exe's were different in size.

http://www.avira.com/en/threats/section/fulldetails/id_vir/2661/w32_stanit.html

It appends its code at the end of the infected files, modifying the entry point in the file header in order to execute itself.

The resizing of files, like the install_flash_player_9.exe of your example, is atypical, but it may be due to the particular structure of self-extracting/installer files (i.e. they may have a .exe "stub" with the actual compressed archive of data appended to it, and the virus may only consider the executable filesize).

jaclaz


The resizing of files, like the install_flash_player_9.exe of your example, is atypical, but it may be due to the particular structure of self-extracting/installer files (i.e. they may have a .exe "stub" with the actual compressed archive of data appended to it, and the virus may only consider the executable filesize).
Yes, the severe truncation of installation source files is not the rule. I checked the recovered/repaired/re-downloaded stuff, which I burnt to a DVD, against the stuff on the Tenga-infected USB HDD: about 15% of the Tenga-infected .exe files are severely truncated, the infected installation source on the infected USB HDD is about 30% smaller (in MBs) than the source on the clean (recovered/repaired/re-downloaded) DVD.

The largest file cut down by Tenga on my infected 1TB USB HDD was ie60.exe (MS Internet Explorer v6.00.2600): on the clean DVD it has its original 80MB, but on the infected USB HDD it was cut down to 100kB. Two other large files (143MB and 316MB) were not infected by Tenga. Maybe 5-year-old Tenga cannot infect large .exes (> 128MB???), or the RAM on my old laptop (512MB) was not large enough.

Tenga-infected files disinfected by Kaspersky are still tainted, differ from their original, and still contain remnants of the attack by Tenga, although their dangerousness has been removed.


Infection by just visiting a website?

Well, the infection vector often isn't related to the malware in such a situation. To get infected simply by visiting a site, they'd be relying on exploiting a flaw in your browser or one of the plugins for your browser to run executable code, at which point they can infect you with whatever they want.

The argument that an anti-virus can't keep up with the infections is absurd; that's not how they work. An active scanner gets to scan an executable before it even runs a single byte of code. If a virus (or malware, as is far more common these days) bypasses an anti-virus, it's because the anti-virus failed to notice it was malicious when it was first run.

Queue


The argument that an anti-virus can't keep up with the infections is absurd; that's not how they work. An active scanner gets to scan an executable before it even runs a single byte of code. If a virus (or malware, as is far more common these days) bypasses an anti-virus, it's because the anti-virus failed to notice it was malicious when it was first run.

Quite true. That's why I think real-time scanners are a must, and will keep my AVG 7.5 going even after updating the definitions becomes impossible (which may happen anytime, now). And AVG 9 for XP SP3.


The argument that an anti-virus can't keep up with the infections is absurd; that's not how they work.
In theory I would agree with you. But here is a posting of a person who had the following experience with Tenga: "Even if an antivirus program is active, one can only watch as one file after the other gets infected (and disinfected)." Posting #7 http://www.trojaner-board.de/40187-virus-win32-tenga-sehr-hartnaeckig.html The people at that site did not use your objection, http://www.trojaner-board.de/ is a 10-year-old anti-malware site.

Possibly the cause of the infection is not properly identified by AV-software, only the output of the infection, the infected .exe files. "Sophos and Kaspersky also found nothing more than the infected *.exe files", posting #1. I was just reporting in posting #34 the experience of another person with Tenga, because it sounded interesting. In my posting #16 here I listed the content of DL.exe, which is part of Tenga and was NOT deleted, flagged or disinfected by Kaspersky, i.e. at least one component of Tenga was left by Kaspersky.

To have a definite answer, one would have to infect the system with Tenga, then activate the AV-software, and then see whether the experience described on the German site is repeated, i.e. whether the active AV-software is just running behind the infecting Tenga.

Edited by Multibooter

I think real-time scanners are a must, and will keep my AVG 7.5 going even after updating the definitions becomes impossible
I am a little paranoid when it comes to the security of my personal computer, but most likely I will not use real-time scanners on my own computer, there are arguments pro and con regarding real-time scanning.

On the computer of my young son, however, who uses only WinXP, I may set continuous virus checking when I am back in the US in June, depending on the size of the zoo on his computer. Before I went on my trip, I made a backup of a clean instance of his WinXP and showed him how to use the WinXP restore feature, WinXP restore is really an excellent virus recovery tool. In any case, I made a forensic .gho image of his HDD before I went on my trip, so restarting shouldn't be difficult, most likely he has installed a lot of stuff in the meantime, which he wasn't supposed to.

The damage by Tenga to my computer was not that serious because I make a LOT of backups. The Tenga infection is interesting to me because it was the first time in a long while that I got hit, and it took me less time to recover from Tenga than to write about it in this forum.

The Tenga infection, however, has caught me at the wrong time, while I am away from home for a while. I didn't take a backup of the 1TB USB HDD on my trip, although I had the same stuff backed up to another partition on this 1TB USB HDD. BTW, using partitions on the USB HDD seems to have limited the damage done by Tenga: apparently only 1 partition plus a small part of a 2nd partition (out of 4 partitions) on the USB HDD was infected by Tenga, but I am still checking, 1TB is a lot of stuff to be virus-checked with an old 700Mhz laptop.

Edited by Multibooter

Possibly the cause of the infection is not properly identified by AV-software, only the output of the infection, the infected .exe files.

That's one of two possibilities I've thought up; the other would be that the exploit code itself includes tenga's exe-modifying code and begins clobbering executables, but that would be extremely unusual. Exploit code is usually as compact as possible and meant to, usually, simply download and execute a file (where the bulk of the malicious code is).

Also, I found the cause of my woes with MSFN's new forum; their PNG transparency fix for IE6 sucks hard. I just blocked their javascript file containing said fix (it had .htc as an extension for some reason) and the site is nice and quick again.

Queue


Also, I found the cause of my woes with MSFN's new forum; their PNG transparency fix for IE6 sucks hard. I just blocked their javascript file containing said fix (it had .htc as an extension for some reason) and the site is nice and quick again.

How did you block it exactly, Queue? That should be described in detail, since it can help most users here.


How did you block it exactly, Queue? That should be described in detail, since it can help most users here.

Custom built Proxy Auto-Configuration file that I have set up to let me filter URLs based on whatever factors I want. I just set up any *.js or *.htc files from .msfn.org to be blocked. It's a handy way to filter based on URLs since if you set it up under IE, Opera will automatically use the same PAC file.

Queue

Edit - If you've never used a PAC file before, here's a basic one that would work for MSFN's javascript files.

First, in IE go to Tools, Internet Options, Security, Local intranet, Sites button, UNCHECK "Include all sites that bypass the proxy filter"

Save the following as proxy.pac (or any file name you want, extension doesn't matter), then in IE go to Tools, Internet Options, Connections, LAN Settings, check "Use automatic configuration script" and designate the file like:

file://c:/windows/proxy.pac


var normal = "DIRECT";
var blackhole = "PROXY 0.0.0.0:80";   // unreachable proxy: requests routed here go nowhere
var isActive = 1;

function FindProxyForURL(url, host)
{
    // Requesting http://proxy.pac/on or http://proxy.pac/off toggles the filter
    // without editing this file; the toggle request itself is swallowed.
    if (shExpMatch(host, "proxy.pac"))
    {
        if (shExpMatch(url, "*/on*"))
        {
            isActive = 1;
        }
        else if (shExpMatch(url, "*/off*"))
        {
            isActive = 0;
        }
        return blackhole;
    }
    if (!isActive)
    {
        return normal;
    }
    url = url.toLowerCase();
    host = host.toLowerCase();
    // Block list: .js/.htc files on msfn.org, and everything from intellitxt.com
    if (0
        || (dnsDomainIs(host, ".msfn.org") && (shExpMatch(url, "*.js") || shExpMatch(url, "*.htc")))
        || dnsDomainIs(host, ".intellitxt.com")
    ) {
        return blackhole;
    }
    else
    {
        return normal;
    }
}

Based loosely on the no-ads PAC file.

Edited by Queue

@dencorso: By mistake I just wiped out my posting #22 here, is it possible to restore it? (wiped out, not because I was running without JavaScript/Java, it was just a mistake). It looks like the posting is NOT cached by Google or Bing either!!!! The following quote was a quote from my posting #22

I am using Firefox v2.0.0.20 and Opera v9.64... If you turn off Java + JavaScript, msfn.org comes up really fast, without ads, though I am not sure whether you can post when they are off.
From my previous posting #22 here. I have made this current posting with Firefox v2.0.0.20 under Win98, with JavaScript and Java off. So the simplest way may be to turn off JavaScript and Java, which is also a safer way to use the internet. Again, msfn.org does seem to work currently with JavaScript and Java OFF.

Since some sites do require Java and JavaScript (e.g. for the posting of comments at www.nzz.ch), maybe a practical workaround would be to have the main browser set with JavaScript/Java OFF (e.g. Opera), and another browser (e.g. Firefox, or the other way around) set with JavaScript/Java ON, for sites which require JavaScript/Java, plus marking the desktop shortcut, e.g. "Java ON" or "Java OFF".

Edited by Multibooter

...maybe a practical workaround would be to have the main browser set with JavaScript/Java OFF (e.g. Opera), and another browser (e.g. Firefox, or the other way around) set with JavaScript/Java ON, for sites which require JavaScript/Java, plus marking the desktop shortcut, e.g. "Java ON" or "Java OFF"

Remember that Java and JavaScript are totally different things. 99.99% of the internet (probably more) works without Java, whereas JavaScript is present nearly everywhere, but most of the internet is designed to still function (although in a more limited capacity) without it.

I'd argue that the most practical way to handle it is to block JavaScript on a per-case basis (or block everywhere and allow on a per-case basis), and to just outright not have Java. I personally do the former because for me it's a convenience/performance measure, not a security measure. This can be done in any major browser that I can think of, so you could continue using your favorite.

Queue

Edited by Queue