
Infection with tenga.a virus


Multibooter


The only sure solution is default-deny and knowing every process that's allowed on your main system, and install new software on a separate test system first. It's a bit of a hassle, but much less so than cleaning up after an infection.
This will take a lot of time, and may be good on a system to which few new applications are added. My Win98 may eventually become such a system, but currently I am still installing a lot of new stuff under Win98.

What do you consider to be "installing a lot", a few per week, several each day? Do you keep all these apps or are you just testing them, looking for keepers? Full installs or "unzip and go" apps?

There is a fair amount of time involved the first time you set up such a policy. Once you've done it a few times, it goes quick. Unlike an NT system, there aren't that many system processes to make rules for. A 9X system is much easier to control. Even so, I'd bet it would take less time than cleaning up after tenga has. Adding new apps to an existing whitelist is no big deal. My FE unit has been protected by default-deny for years and has somewhere around 150 applications and utilities on it. True, default-deny is best suited for static systems and making sure that they stay that way, but it can also be used to intercept and alert to new/unknown processes and activities. If you do have large quantities of apps to try out, I'd suggest using a separate unit just for that purpose or a virtual system on a well protected host after scanning them at VirusTotal. Virtual PC 5.1 will do this on 98. It takes a little work, but you could make a virtual copy of your primary system for Virtual PC. The copied OS would need to change its drivers to work in Virtual PC, but with the exception of those drivers, you'd have a virtual copy of your system for trying new software on. This way, you could also check the new apps for conflicts with your existing system and software, not including the changed drivers. I don't install many apps on my 98 units. With "unzip and use" apps, I make a registry and core system backup first. With installed apps, I make a backup of the whole partition and disconnect the external drive first. So far, I haven't needed to use a system backup because of malware or infection, but I have used them to revert to a previous version of an app when the new version has undesired changes or other effects on my system.

98 might not be targeted nearly as much as NT systems, but if even one piece of malware causes permanent data loss, IMO, that's too many. It also depends on who you're referring to as targeting 98. The criminal element might be largely ignoring it but I wouldn't bet on the NSA, RIAA, or other such groups doing so. I'm sure the anti-P2P groups are very aware that 98 does get used as dedicated P2P units. It's entirely possible that you've encountered a modified version of tenga that the AV didn't recognize. That's another advantage of default-deny. Anything it doesn't recognize as allowed is blocked. It also eliminates the question of whether your security apps will ignore "official" spyware. Several years ago, because of information I posted on the web, I was targeted by what I suspect was "official spyware". My resident AV didn't detect it. Neither did several online scans. It dialed out at 3AM, granted itself internet access through the firewall, sent out a large quantity of data that matched the size of an encrypted container file I had, then apparently deleted itself. The only thing I know for certain is that it used a normally allowed system process, rundll32.exe, so it was most likely in DLL form. I seriously doubt that any AV or anti-spyware is going to detect "official spyware" no matter what the vendor claims. It also wouldn't surprise me one bit if that spyware was built into Windows, at least into the NT systems. I share your concern about updates, but instead of avoiding updates after a specific date, I apply only the ones I need/want. The XP unit I have is also SP2. SP3 breaks some of the apps I use.



What do you consider to be "installing a lot"
Estimated averages per week: Adding 2 new applications, replacing 1 existing application with a more current version, deleting 1 application which I don't expect to use anymore, testing 3 new applications, most of them installed, not standalone. The installations/uninstalls may occur in different operating systems and in multiple instances of an operating system.

About once a month I restore the last clean opsys backup (of about a month ago) and repeat very carefully all the recent installations/uninstalls of what I want to make permanent and then create another clean backup. Usually I restore the last clean backup 5-10 times a month, after having created a new clean backup and before creating the next clean backup, wiping out with the restores malware which Kaspersky may not have detected. Undetected malware could stay 3-5 days on my system, but then it gets wiped out with the next restore. Tenga, unfortunately, just needed a few minutes to infect all operating systems installed on my laptop, except for the NTFS-based WinXP.

There is a fair amount of time involved the first time you set up such a [default-deny] policy... Unlike an NT system, there aren't that many system processes to make rules for. A 9X system is much easier to control. Even so, I'd bet it would take less time than cleaning up after tenga has.
If I had given internet access to WinXP during my trip, just as WinXP has internet access when I am in the US, the infection with Tenga could have started just as well under WinXP and then spread to Win98. So a tool to allow only permitted processes would have to be active also under WinXP and on all my installed operating systems, which is just too time-consuming.

A default-deny tool looks useful to protect a computer which has only a single operating system (or to protect a Win98 installed on a hidden partition, invisible to other operating systems), but less so on a computer with various operating systems, because of possible infections across operating systems, as with Tenga. If I remember right, on the WinXP FAT32 partition even the file avp.exe (= the virus scanning engine of Kaspersky) was infected by Tenga under Win98, but WinXP was killed already at that time.

98 might not be targeted nearly as much as NT systems... The criminal element might be largely ignoring it but I wouldn't bet on the NSA, RIAA, or other such groups doing so. I'm sure the anti-P2P groups are very aware that 98 does get used as dedicated P2P units. It's entirely possible that you've encountered a modified version of tenga that the AV didn't recognize.
Yes. But my dedicated eMule laptop was not infected. My main laptop, on which I process downloads (virus checks), browse the internet, etc was infected with Tenga. This not-infected dedicated eMule laptop was connected in a peer-to-peer network under Win98 to the infected laptop, and completed downloads were transferred via WLAN from the eMule laptop to the main laptop. The eMule laptop was running normally, it even posted a record uptime then of 7 days 11 hours.
That's another advantage of default-deny. Anything it doesn't recognize as allowed is blocked. It also eliminates the question of whether your security apps will ignore "official" spyware... I was targeted by what I suspect was "official spyware". My resident AV didn't detect it... I seriously doubt that any AV or anti-spyware is going to detect "official spyware" no matter what the vendor claims. It also wouldn't surprise me one bit if that spyware was built into Windows, at least into the NT systems.
I don't know how credible rumors are that some chips have built-in backdoors for the US agencies. But my 10-year-old laptops, built before 11-Sept-2001, are unlikely to contain such chips. Edited by Multibooter

ADDENDUM - CORRECTION: The content of this posting is not correct, it seemed to be correct during my 1st infection with Tenga, but during my 2nd infection with Tenga, Tenga infected \Windows\ and \Program Files\ of the currently active Win98. See my posting #62. Multibooter 28-March-2010

Tenga.a does NOT infect .exe files in \Windows\ and in \Program Files\ of the currently active Win98/XP. This characteristic of Tenga.a does not seem to be mentioned on the Internet, and has permitted me to retrace chronologically the infection by Tenga:

1) \Windows\ and \Program Files\ of my main Win98 on the infected internal HDD were NOT infected by Tenga. Since I install nearly all of my software to specially-named folders outside of \Program Files\, e.g. to H:\eMule\, the existence of Tenga under Win98 was noticed immediately, because my apps were infected and wouldn't work anymore, or would not behave as usual.

2) All .exes in the \Windows\ directory of my test-Win98 (exact directory name: F:\W98DIAG\) were infected with Tenga on the infected internal HDD, i.e. the infection must have started under another operating system, NOT under the test-Win98. Tenga, not recognizing that F:\W98DIAG\ was the \Windows\ directory of my test-Win98, infected all .exes in F:\W98DIAG\. I can therefore exclude the possibility that I got the Tenga infection during my experimenting with possibly-infected stuff under my test-Win98. I never experiment with unknown stuff on my main Win98.

3) After the infection with Tenga I had trouble booting into FAT32-based WinXP and shortly afterwards FAT32-based WinXP wouldn't work anymore. Unfortunately I had then restored a clean FAT32-WinXP partition from backup onto the infected internal HDD, so that I don't have a direct proof anymore that the WinXP \Windows\ folder was infected (only possible if WinXP was infected while I was running another operating system, i.e. my main Win98).

But here is an indirect proof, answering a very good point raised by Queue in posting #21:

What could be a mystery is if you successfully booted into an infected WinNT environment, why the NTFS partition wasn't infected then. The virus may only search for executables to infect under certain circumstances which failed to occur.
Tenga under my main Win98 had infected the .exes in the \Windows\ folder of the FAT32-WinXP partition. When WinXP came up, using infected .exes, it didn't work properly anymore and Tenga, which uses some WinXP APIs, didn't work properly anymore either and couldn't infect files on the NTFS partition of the NTFS-based WinXP.

The original infection with Tenga was probably caused on my main Win98 by an undetected trojan downloader, which then downloaded Tenga from somewhere, similar to Trojan-Downloader.Win32.Small.bdc:

"When launched, the Trojan checks whether the victim machine is connected to the Internet. If a connection is detected, the Trojan will download the following files from u***ti.lycos.it/vx9:

cback.exe – will be detected by Kaspersky Anti-Virus as Backdoor.Win32.Small.gl

gaelicum.exe - will be detected by Kaspersky Anti-Virus as Virus.Win32.Tenga.a

These files will be saved to the same file that the original Trojan file was saved to. They will be registered in the system registry, and launched for execution."

http://www.viruslist.com/en/viruses/encyclopedia?virusid=87572

Whether in my case the trojan also downloaded a backdoor is unknown. If so, the backdoor most likely was ineffective or didn't work under Win98 since my Tiny Personal Firewall didn't report anything and with the subsequent system restore it must have gotten wiped out.

In case I get this undetected trojan downloader again, I will probably get Tenga again. I am still pondering how to improve my defenses, with as little effort as possible. The downloader+virus combo seems to be very hard to stop in my current multi-booting setup, unless I spend a lot of time. I probably will focus on improving my backups, especially of the external USB HDD, and just HOPE not to get infected again by something like Tenga.

BTW, I have been using Firefox quite a lot over the past few months, and Firefox has been reported to have a lot of security problems recently. Maybe I should use Opera most of the time.

Edited by Multibooter
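The chronology above (which trees were touched, in what order, and whether a file was already running) is reconstructed from modification times and hand comparison of infected against clean copies. The following script is an added example, not code from the thread or from any of the posters: it fingerprints every PE file under a directory (SHA-256, size, mtime, and the entry point and section count read from the PE header), stores that as a baseline, and later diffs a fresh scan against it, listing new, changed and missing files oldest-first so the spread of a file infector can be read off the timestamps. The directory layout, file names and the minimal PE images it writes are constructed for the demo and stand in for the real system; it is meant to run on a separate clean machine against a copy of the suspect partition, not on the infected Win98 itself.

```python
"""Baseline-and-diff integrity check for PE executables (added example).

Fingerprints every .exe/.dll/.scr under a root and diffs a later scan
against the saved baseline.  Changes come back oldest-first so a file
infector's spread can be reconstructed from mtimes.  All paths, names
and sample images below are constructed for the demo.
"""
import hashlib
import os
import struct
import tempfile

PE_EXTS = (".exe", ".dll", ".scr")


def pe_summary(data):
    """Entry point RVA, section count and last section name, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # optional header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    last = None
    if n_sections:
        off = opt + opt_size + 40 * (n_sections - 1)     # 40-byte section headers
        if off + 8 <= len(data):
            last = data[off:off + 8].rstrip(b"\0").decode("latin-1")
    return {"entry": entry, "sections": n_sections, "last_section": last}


def fingerprint(path):
    with open(path, "rb") as f:
        data = f.read()
    st = os.stat(path)
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": st.st_size,
            "mtime": st.st_mtime, "pe": pe_summary(data)}


def scan(root):
    """Map of relative path -> fingerprint for every PE file under root."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PE_EXTS):
                full = os.path.join(dirpath, name)
                found[os.path.relpath(full, root)] = fingerprint(full)
    return found                       # json.dump() this to persist a baseline


def diff(baseline, current):
    """(relpath, reason, mtime) for new/changed/missing files, oldest first."""
    changes = []
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            changes.append((rel, "new file", cur["mtime"]))
            continue
        if old["sha256"] == cur["sha256"]:
            continue
        why = ["hash changed"]
        if cur["size"] != old["size"]:
            why.append("size %+d bytes" % (cur["size"] - old["size"]))
        if old["pe"] and cur["pe"]:          # typical file-infector footprints
            if old["pe"]["entry"] != cur["pe"]["entry"]:
                why.append("entry point moved")
            if old["pe"]["sections"] != cur["pe"]["sections"]:
                why.append("section count changed")
        changes.append((rel, ", ".join(why), cur["mtime"]))
    for rel, old in baseline.items():
        if rel not in current:
            changes.append((rel, "missing", old["mtime"]))
    changes.sort(key=lambda c: c[2])
    return changes


def build_test_pe(entry=0x1000, section_names=(b".text",)):
    """Constructed minimal PE32 image for the demo (headers only, not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                   0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    secs = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + bytes(opt) + secs + bytes(256)


def demo(root=None):
    """Baseline a clean tree, then mimic an infector and return the diff."""
    root = root or tempfile.mkdtemp()
    apps = os.path.join(root, "apps")
    os.makedirs(apps, exist_ok=True)
    for name in ("bc2.exe", "persfw.exe"):           # constructed clean files
        with open(os.path.join(apps, name), "wb") as f:
            f.write(build_test_pe())
        os.utime(os.path.join(apps, name), (1000, 1000))
    baseline = scan(root)
    # a dropped file first, then bc2.exe patched: new entry point, extra section
    with open(os.path.join(apps, "dropped.exe"), "wb") as f:
        f.write(build_test_pe(entry=0x2000))
    os.utime(os.path.join(apps, "dropped.exe"), (1500, 1500))
    with open(os.path.join(apps, "bc2.exe"), "wb") as f:
        f.write(build_test_pe(entry=0x3000, section_names=(b".text", b".xdata")))
    os.utime(os.path.join(apps, "bc2.exe"), (2000, 2000))
    return diff(baseline, scan(root))


if __name__ == "__main__":
    for rel, why, when in demo():
        print("%10.0f  %-20s %s" % (when, rel, why))
```

Take the baseline from the clean backup, not from the running system, and keep the JSON on media the suspect machine cannot write to. The PE fields are a hint, not proof: a changed hash is the finding, the entry-point or section-count change merely says the modification looks like an infector rather than a legitimate update. Note that a still-running executable (persfw.exe in the poster's case) stays unchanged in this kind of diff, which matches herbalist's observation below.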

@dencorso: By mistake I just wiped out my posting #22 here, is it possible to restore it? (wiped out, not because I was running without JavaScript/Java, it was just a mistake). It looks like the posting is NOT cached by Google or Bing either!!!! The following quote was a quote from my posting #22

@Multibooter: I'm deeply sorry, but I have no alternative way to recover the lost content, but for those caches and the WayBack Machine for older content. I'll ask xper about whether perchance we have a full forum backup containing that post, but this may take a while, and I can guarantee nothing. Meanwhile I've put back in post #22 the two snippets of its original content findable throughout the present thread (the one you yourself provided and another found in post #23). They may be of help in recovering the full content of that post. I'm sorry not to be able to help more.


My laptop is infected AGAIN with Tenga, but on the first look the infection hasn't spread to other operating systems yet, only my main-Win98 (and new downloads and recovered stuff) seems to be affected.

Many .exe files on the laptop got infected at 1:42 PM (about 45 minutes ago), while others got infected while I was making my earlier postings at msfn.org, around 11:50 AM

Persfw.conf (the file with the rules) of the Tiny Personal Firewall was modified at 1:41 PM, PFWADMIN.EXE got infected at 01:43, but the actual firewall engine PERSFW.EXE did not get infected.

Any suggestions as to what stuff I should save as a .rar, before restoring a clean Win98, so that I may find the cause/culprit of this 2nd infection?

I am posting from my 2nd uninfected laptop. I guess there goes my weekend.

Edited by Multibooter

I'll ask xper about whether perchance we have a full forum backup containing that post, but this may take a while, and I can guarantee nothing.
Thanks dencorso, but it's not that important, I am much more concerned with the 2nd infection by Tenga.

Default-deny works on single OS and multi-boot alike. This PC has 2 operating systems. My HP has 5. It's no different with the conventional approach to security. An AV only provides real time protection for the OS it's installed on. It's useless if you switch to another OS. It's not necessary that each OS be protected by the same security policy. You could use default-deny on 98 and a different approach on the NT systems. With NT systems, your options are wide open. Virtualization and sandboxing are 2 very good options. Sandboxie is an excellent security app for NT systems. Its default settings leave something to be desired but that can be said about any security app. The default rules for a firewall are good examples. How you decide to secure each OS isn't that critical, as long as you do secure each one. Even if an OS never directly sees the internet, if it's connected to one that does, it has to be protected from internet threats.

I'm finding your position and logic very difficult to understand. It takes too much time and effort to set up a good security policy but it's acceptable to spend just as much of both cleaning up after an infection, then trust random chance that it won't happen again? I realize that setting up a default-deny based security system can be a bit intimidating the first time but you don't have to do it all at once or lower any other defenses you have to do so. When I first started testing SSM back when Max was the developer, I still had an AV. Actually, I had 3, 1 resident, 2 for manual scanning. It was a gradual process that slowly moved SSM to the front line of defense while the AV became a secondary layer. As I gained understanding regarding how the different processes interacted, what the attack surface was and how to defend it, the AV became less relevant until I finally shut the resident AV down. After nearly a year of AV scans finding nothing, I removed it. For me, the complete transition took about a year and a half. On my 2K system, I use a slightly different approach. I'm using Sandboxie to isolate the attack surface and SSM to defend the core system. Unknowns are allowed but are limited to the sandbox. On a 9X unit with sufficient RAM and a good processor, VPC 5.1 can fill a similar role as long as the core system is protected.

Regarding Firefox vs Opera, in spite of the various claims, both are vulnerable. Browsers will always be vulnerable along with their extensions, plug-ins, etc. Right now, FF has a larger user base so it's being probed for weaknesses more than it used to be. If Opera was more popular, it would have the same problem. It's a safe bet that all of them have lots of unknown or undisclosed vulnerabilities. The browser and its add-ons, components, etc are the single most targeted part of the attack surface. It will always be vulnerable. If it were possible to patch an application to the point that it's secure, IE6 would be the safest browser ever, but the opposite is true. With 98, you've also got the problem of compatibility. KernelEX notwithstanding, all 98 users may have to settle for using older versions of their favorite browser, complete with known vulnerabilities. IMO, the best way to deal with the browser is to accept the fact that it is vulnerable and that it will be targeted, sometimes successfully. As much as possible, isolate it from the rest of your system with virtualization, sandboxing, and specific application rules that limit its access to the rest of the system and prohibit it from launching other executables. A good content filter (Proxomitron) out front can make a huge difference as well.


Just saw your last post. I don't remember where I saw it, but I remember reading about malware that's executed by the AV's attempt to parse the file. Regardless, it's clear that your AV isn't recognizing the source of the infection. Regarding the firewall executables, it appears that the malware can't infect a running file, persfw.exe, which is loaded early in the boot process. I'd also suggest checking the dates of any registry backups your system made and see if any predate the infection. If one does, use it. I have seen malware that can hide its registry autostart entries on 98. You may have one of these. There is a registry editor that's supposed to work in DOS. Have you tried using it to check your autostart keys?

I'd consider setting up a bare bones system with USB support and an anti-executable like SSM installed. A stripped Win2K would be a good choice as it works with online AVs. Start copying your infected files to a flash drive and scan them on that system. If an AV scan is triggering the virus to execute, SSM should intercept it and alert you, provided it's set restrictively enough.


I don't know how much extra hardware you have. If you have enough to build the system I mentioned above plus another one, I'd setup the one I described above for scanning. The next one I'd set up as a receiver for cleaned files. The receiver system should be protected by an anti-executable that alerts whenever something new tries to start. Add a new copy of your AV that hasn't been in contact with your systems, in case it's been infected. It wouldn't be the first time an AV was directly attacked. Check groups of files with the online scan. Whatever shows clean, transfer to the receiver system and check it again. Checking and transferring all your files will be a long process, but if the AV is missing the infection source or its scan is triggering the infection process, I don't know any other way to be sure that you'll catch it.

Edited by herbalist

I tend to agree with herbalist.

Doing a search on just "tenga virus" (without quotes) yields some interesting results, one of which is "downloader.dnx" (and very little on this one; did you mention it already? didn't notice). It indicates multiple variations of several trojan/viruses using various methods of attack.

Somewhere in your Registry is a Run/RunServices/Runonce in HKLM and/or HKCU (or maybe even Default?) that could even be a legitimate name but already infected. Risking another isolated OS connected (however done) to the isolated infected one may indeed help. If possible, maybe you could dump the 98's registry in DOS using REG.EXE then inspect it and compare the file sizes in the entries in question to unaffected ones (maybe in DOS using DIR). You're going to have to Sandbox sufficiently (radically) to detect, isolate, and destroy it. Mainly, if the OS is infected and connected to the internet in any way then you're subject to further infection by other "tenga" variations.

You have a real nasty there... Good luck!

edit - also worthy of note is LiveXP to get a copy of the System Hives to an uninfected PC for inspection. Remember that "stealth" trojans tend to erase (e.g. RunOnce) registry entries to avoid detection of their true names.

edit2 - beware! search on "tenga virus" also yields more than a few very suspicious sites.

Edited by submix8c

A couple more possibilities.

Scan from a live CD. A windows virus shouldn't be able to execute under Linux.

Scan from DOS. I still have a copy of F-prot for DOS, signatures dated 5/25/2007. If it'll help, I'll send it.


I remember reading about malware that's executed by the AV's attempt to parse the file.

Thanks for helping. In my earlier posting, now corrected, I had gotten the time mixed up, it was not AM that the infection occurred (when I was running the overnight AV scan-job), but around 1:42PM, I got confused with the time displayed on my NTFS-based WinXP, which is an idiosyncratic Middle Eastern version.
Regardless, it's clear that your AV isn't recognizing the source of the infection.
It will be a challenge to fix this infection, without knowing what caused it.
Regarding the firewall executables, it appears that the malware can't infect a running file, persfw.exe, which is loaded early in the boot process.
Yes.
I'd also suggest checking the dates of any registry backups your system made and see if any predate the infection.
For now I'll use my clean backup of 25-Jan. But in contrast to my first infection with Tenga, I am now backing up everything conceivable accessed under Win98 as .rar before having Kaspersky run as virus checker, so that will keep me busy for a little while. Kaspersky changes the modification dates of files it detects as infected with Tenga. If I later need to, I will have all files, including registry backups, as they were very shortly after the 2nd infection.

Doing a search on just "tenga virus" (without quotes) yields some interesting results, one of which is "downloader.dnx" (and very little on this one; did you mention it already?

This may be Panda's name for the trojan downloader I mentioned in posting #49
Somewhere in your Registry is a Run/RunServices/Runonce in HKLM and/or HKCU (or maybe even Default?) that could even be legitimate name but already infected... If possible, maybe you could dump the 98's registry in DOS using REG.EXE then inspect it and compare the file sizes in the entries in question to unaffected ones (maybe in DOS using DIR).
I had noticed about 2 days ago that the registry files were about 400kB larger than on the restored backup of 25-Jan.
You have a real nasty there... Good luck!
Thanks.

BTW, I am right now rarring up all relevant stuff on the HDD, to help me trace later the cause of the infection. WinRAR just gave me an err msg "Cannot open F:\W98DIAG\MSNMGSR1.EXE and SIGVERIF.EXE. The file or directory is corrupted and unreadable". When I had noticed the 2nd infection (again unusual flashing disk activity light), I had pulled the plug. Maybe Tenga was at that moment in the process of infecting these 2 files when I pulled the plug. F:\W98DIAG\ is the name of the \Windows\ directory of my test-Win98. I haven't repaired the lost clusters yet.

beware! search on "tenga virus" also yields more than a few very suspicious sites.

That's one more possibility...

Another possibility is that I got re-infected by comparing with Beyond Compare and its Hex Viewer infected vs. clean files. Time-wise, the 1st .exe file to get infected/modified on the system was BC2.exe (Beyond Compare) at 11:13:38. H:\Beyond Compare\ is, alphabetically, not the 1st folder on my H: partition. Beyond Compare triggering the infection????


I'm sorry if I keep coming back to the same point, but given that your AV isn't detecting the malicious process, I don't see you defeating it until you work from an environment in which the infection process can't run. This can be Linux, DOS, or a default-deny controlled Windows environment, built from a known clean source. The first 2 will work for finding and cleaning infected files, but to find the source, you need to catch it trying to start the first time and every time thereafter. Every time it starts, you're losing ground and files. By the time you notice the hard drive light, damage is done. Regardless of whether it's part of a compromised legitimate process or uses its own, the process of altering files requires a running process that can be detected and intercepted.


Maybe Tenga was at that moment in the process of infecting these 2 files when I pulled the plug.

That seems unnecessary with Win9x; ctrl-alt-del stops system execution while the task list is open (which is something I loathe about XP's task manager). As long as you can get that open, you can stop and think and decide what you want to do; a soft reset with a following ctrl-alt-del is much easier on your hardware than hard power loss.

As for malware or viruses that are executed by being scanned, those rely on exploiting a flaw in your virus scanner, and aren't a problem assuming you have even modestly up-to-date AV software. It's really not a situation you should spend much time exploring or worrying about; it's old news and long patched over.

There could be a code executing exploit for Beyond Compare, but that would be really oddly targeted. There are very few general purpose code executing exploits, and they rely on exploiting a shared library (like the animated cursor exploit).

All browsers are exploitable, switching to Opera, Firefox, IE, etc. isn't going to make you safer, it'll just be a nice placebo. Of course, not updating whatever browser you do use leaves you open to any discovered exploits. Old browser exploits don't go away or fall to disuse; a malicious website will try all known browser exploits (within reason), including patched ones, to try and infect you.

Even a default deny policy won't protect you from code that leverages an exploit to get executed, but it should protect you if said code downloads and then tries to execute a separate program. The code that is run due to an exploit would be within the memory of an already running program, so already beyond the default deny policy's perimeter, so if the exploit code actually does the dirty work... luckily exploit code usually just downloads then executes the actual malicious payload.

I wish I had positive advice to offer; tracking down how you're getting infected is the key, but I'm not sure what I'd do in your situation. Hope any of what I just blurted out is useful information at least.

Hmmm, is there anything else slightly unusual you might check... uhm, maybe the task scheduler, or hmm... make sure EXE (and other executable files types) still have non-hijacked associations in the registry. Those are some less common autostart tactics.

Queue

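Two suggestions in this thread go together: submix8c's advice to dump the Win98 registry (REG.EXE or a LiveXP boot) and inspect the Run/RunServices/RunOnce keys offline, and Queue's reminder to also check that the .exe file association has not been hijacked. The script below is an added example, written for this page and not posted by anyone in the thread: it parses the REGEDIT4 text format that `regedit /e` produces, walks the usual autostart keys, checks HKCR\exefile\shell\open\command against the stock `"%1" %*`, and reports every launch command whose program is not on a caller-supplied allowlist, with an extra flag for anything starting from a TEMP directory. The export text, the value names and the allowlist in it are constructed for the demo; run it on a clean machine against a copy of the export, so that nothing on the infected system has to execute.

```python
"""Offline audit of Win9x autostart keys from a regedit /e export (added example).

Parses the REGEDIT4 text format, lists every Run/RunOnce/RunServices entry
plus the .exe file association, and flags anything outside an allowlist of
known-good programs.  The sample export and allowlist are constructed.
"""
import re

AUTOSTART_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
EXEFILE_CMD = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
GOOD_EXEFILE_CMD = '"%1" %*'            # stock value: run the .exe itself

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """REGEDIT4 export -> {key path (lowercased): {value name: data}}."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if cur is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        name = "" if name == "@" else _unescape(name[1:-1])   # "" = (Default)
        if data.startswith('"') and data.endswith('"'):
            cur[name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            cur[name] = int(data[6:], 16)
        else:
            cur[name] = data                  # hex:, hex(2): ... kept raw
    return keys


def command_exe(cmd):
    """First token of a command line, i.e. the program that would actually run."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def audit(keys, allowed):
    """Findings (key, value name, data, reason) for unexpected autostarts.

    `allowed` maps a lowercase program path to a note on why it is trusted."""
    findings = []
    for key in AUTOSTART_KEYS:
        for name, cmd in keys.get(key.lower(), {}).items():
            exe = command_exe(str(cmd)).lower()
            if exe not in allowed:
                reason = "program not in allowlist"
                if "\\temp\\" in exe or exe.endswith(".tmp"):
                    reason += ", runs from a temp directory"
                findings.append((key, name, cmd, reason))
    assoc = keys.get(EXEFILE_CMD.lower(), {}).get("")
    if assoc is None:
        findings.append((EXEFILE_CMD, "(Default)", None, "exe association missing from export"))
    elif assoc != GOOD_EXEFILE_CMD:
        findings.append((EXEFILE_CMD, "(Default)", assoc, "exe association changed from stock value"))
    return findings


# Constructed sample export: two legitimate entries, one dropper in TEMP,
# and a wrapper inserted into the .exe association.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Persfw"="\"C:\\Program Files\\Tiny\\persfw.exe\""
"WinUpdate32"="C:\\WINDOWS\\TEMP\\winupd32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\wrap.exe \"%1\" %*"
'''

# Constructed allowlist: lowercase full path -> why it is expected.
ALLOWED = {
    r"c:\windows\scanregw.exe": "Windows registry checker",
    r"c:\program files\tiny\persfw.exe": "Tiny Personal Firewall engine",
}


def demo():
    return audit(parse_reg(SAMPLE_EXPORT), ALLOWED)


if __name__ == "__main__":
    for key, name, data, reason in demo():
        print("%s\n    %s = %r\n    -> %s" % (key, name, data, reason))
```

Build the allowlist from the clean backup's export, not from the suspect one, and diff the two exports as well: a value that reuses a legitimate name but points at a new path, or a RunOnce entry that has already deleted itself, only shows up when the clean and suspect exports are compared side by side. The size growth of the registry files the poster noticed is a separate signal and is not something this script measures.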
