nerdistmonk Posted July 29, 2010 (edited)

Oh great, a new virus: AxBb4Z6hIO1.exe. Shut the system down and isolated it from the network; when we brought the system back up the next day, we had to find the file manually. No antivirus or antimalware could find it, and ComboFix would end up causing the apocalypse. The file was found in AppData/Local/Temp. It has put 2 entries into the MSCONFIG startup (it says Audio HD Driver; however, there's already an entry for the actual Realtek audio, so it's a fake). It has also put a registry entry into the registry so it will start even if you disable msconfig entries. Version information says 0.0.0.0, 150 KB, mike.exe.

Edited November 11, 2013 by nerdistmonk
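The traits nerdistmonk describes (an image dropped into the user's Temp folder, a startup entry whose display name duplicates a legitimate vendor entry, and a binary with zeroed version information) are all things an administrator can check for without running an aggressive cleanup tool. The script below is an added example written for this thread, not code posted by any participant; it assumes Windows PowerShell 3.0 or later and walks the same locations msconfig shows (Run/RunOnce keys plus Win32_StartupCommand for Startup-folder shortcuts), flagging entries that match those traits. The regexes and thresholds are constructed heuristics, not signatures for this particular worm.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0+.
# Lists autostart entries and flags ones that look like the first post:
# image in the user's Temp folder, duplicate display name, zeroed version info.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath {
    param([string]$Command)
    # Extract the executable from a command line: a quoted path, or the first
    # token that ends in .exe. %VAR% references are expanded first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($expanded -match '^\s*(\S+?\.exe)\b') { return $Matches[1] }
    return $expanded.Trim()
}

$entries = @()
$seen    = @{}   # de-duplicates entries reported by both the registry and WMI

function Add-Entry {
    param([string]$Name, [string]$Location, [string]$Command)
    $id = "$Name|$Command"
    if ($script:seen.ContainsKey($id)) { return }
    $script:seen[$id] = $true
    $script:entries += [pscustomobject]@{
        Name     = $Name
        Location = $Location
        Command  = $Command
        Image    = Get-ImagePath -Command $Command
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        Add-Entry -Name $p.Name -Location $key -Command ([string]$p.Value)
    }
}

# Startup-folder shortcuts and anything else msconfig lists come from WMI.
foreach ($s in @(Get-WmiObject -Class Win32_StartupCommand)) {
    Add-Entry -Name $s.Name -Location $s.Location -Command $s.Command
}

# Display names used by more than one distinct command, e.g. a fake
# "Audio HD Driver" sitting beside the real Realtek one.
$dupNames = $entries | Group-Object -Property Name |
            Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name }

foreach ($e in $entries) {
    $reasons = @()
    if ($e.Image -match '\\AppData\\Local\\Temp\\') {
        $reasons += 'image runs from the user Temp folder'
    }
    if ($dupNames -contains $e.Name) {
        $reasons += 'display name duplicates another autostart entry'
    }
    if (Test-Path -LiteralPath $e.Image -PathType Leaf) {
        $vi = (Get-Item -LiteralPath $e.Image).VersionInfo
        if (-not $vi.CompanyName -or $vi.FileVersion -eq '0.0.0.0') {
            $reasons += 'missing or zeroed version information'
        }
    } else {
        $reasons += 'image path does not resolve to a file'
    }
    if ($reasons.Count -gt 0) {
        "{0}  [{1}]`n    {2}`n    -> {3}" -f $e.Name, $e.Location, $e.Command, ($reasons -join '; ')
    }
}
```

Run it from an elevated prompt so the HKLM keys and every user's Startup folder are readable; the output is a review list, not a verdict, and a flagged file is something to hash and submit (as dencorso suggests later in the thread) rather than delete on sight.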
VideoRipper Posted July 29, 2010

Files with names like that are most likely viruses, or at least malware. And if the version info doesn't show anything useful, it's time to scan the system thoroughly. Make sure you also scan for rootkits, since these are almost never detected by virus scanners: you can use ComboFix for those. Keep in mind ComboFix will be very thorough and may (will) reset some settings on a system you might not want as an administrator, so check its log after it's finished and re-check user permissions, preferences and services.

Greetz,
Peter.
nerdistmonk (Author) Posted July 29, 2010 (edited)

Loading up good ol' Vista x64 SP2 with extra vLite. Mmmmmmm, low-fat goodness.

Edited July 29, 2010 by nerdistmonk
Tarun Posted July 29, 2010

Downgrading from 7 means you'll be even more insecure. Also, ComboFix is very dangerous to use. Perhaps you should follow the directions in the pinned thread.
dencorso Posted July 29, 2010

It would be a good idea to submit the actual file to VirusTotal, too.
nerdistmonk (Author) Posted July 29, 2010 (edited)

EDIT: http://www.virustotal.com/analisis/e08d36692357c3349b9eafd66acededc3391e018011f45c58b5379a381380776-1280327850

Edited November 11, 2013 by nerdistmonk
dencorso Posted July 29, 2010

It's a virus, all right! And a pretty new one, at that: Worm.MSIL.Arcdoor, according to MS.
CoffeeFiend Posted July 29, 2010

"As for the remark about older versions of Windows being unsafe, I'll selectively ignore it, as it's not the age that makes an OS insecure, it's the contents."

Tarun is right. Vista is still pretty secure, but when you start going further you really lose a lot of security. For the record, I have yet to see a single Vista or Win 7 machine with a virus, ever.

I wouldn't be so fast to blame Windows either. There are just so many possibilities: infected installation media/image? End users with admin rights? Careless admin? Someone carrying an infected executable (driver, app, installer, etc.) on a USB memory stick to install it on there? Not keeping patched? The list is endless. Also, AVs aren't 100% foolproof either, especially with really recent threats. Whatever got your Win7 box infected (with up-to-date AV definitions) would have infected your Vista and XP (x64 or not) boxes just as well.
nerdistmonk (Author) Posted July 29, 2010 (edited)

Anyway, the problem is solved. This is my final post to the thread, as the problem is solved (I just didn't want you to think I abandoned the thread, so here's my final entry).

--Signing Off--

Edited November 11, 2013 by nerdistmonk
cluberti Posted July 29, 2010

Frankly, if you're running as an admin and/or have disabled UAC, 7 and Vista have basically the same security model. I've been taking this thing apart to see how it works, and you are most definitely NOT more secure on Vista when it comes to this particular one. This one appears, from disassembling it, to be a variant of the other Worm.MSIL network worms (like the PC security scam malware). The processes it spawns appear to be looking for email programs and network ports to try and replicate itself.

On Vista or Win7, if you run as admin or do not run a browser that runs as a low-integrity process (like IE or Google Chrome) and come across a site that is dropping this particular malware, it will infect Vista or Win7. If you open a .zip or .rar file that contains this and execute its contents, it'll infect Vista or Win7. If you disable the host's firewall and are running as administrator at the time, you can get infected if the binary is executed after being dropped.

None of these things will be protected in any better way on Vista than they are on Windows 7.
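cluberti's point is that the operating system version matters less than three settings: whether the interactive user is an administrator, whether UAC is on, and whether the host firewall is on. The script below is an added example for this thread, not something cluberti or any other participant posted; it assumes Windows PowerShell 3.0 or later and reads those three settings without changing anything. It also prints the integrity label of the PowerShell session's own token (assumed English `whoami` output), which shows the mechanism behind the low-integrity browser distinction, although the browser process, not this session, is the one that matters for a drive-by drop.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0+ on
# Vista/7 or newer and English-language whoami output. Read-only posture check
# for the conditions cluberti names: admin session, UAC off, firewall off.

function Test-RunningAsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UacEnabled {
    # EnableLUA = 1 means UAC is on; it is 0 (or absent) when UAC is disabled.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($val -eq 1)
}

function Get-FirewallProfileState {
    # netsh is present on Vista and 7; Get-NetFirewallProfile needs Windows 8+.
    # Returns a hashtable of profile name -> 'ON' / 'OFF'.
    $lines   = netsh advfirewall show allprofiles state
    $result  = @{}
    $profile = $null
    foreach ($line in $lines) {
        if ($line -match '^(\w+) Profile Settings:')     { $profile = $Matches[1]; continue }
        if ($profile -and $line -match '^State\s+(\S+)') { $result[$profile] = $Matches[1] }
    }
    return $result
}

function Get-TokenIntegrityLevel {
    # whoami /groups lists the mandatory label of the current token,
    # e.g. "Mandatory Label\High Mandatory Level".
    foreach ($line in (whoami /groups)) {
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    }
    return 'Unknown'
}

$admin = Test-RunningAsAdmin
$uac   = Test-UacEnabled
$fw    = Get-FirewallProfileState

"Running as administrator : $admin"
"UAC enabled              : $uac"
"Token integrity level    : $(Get-TokenIntegrityLevel)"
foreach ($p in $fw.Keys) { "Firewall ($p profile) : $($fw[$p])" }

# The combinations cluberti singles out as making Vista and 7 equally exposed.
if ($admin -and -not $uac) {
    'Admin session with UAC off: a dropped binary that gets executed runs with full rights.'
}
if (@($fw.Values) -contains 'OFF') {
    'At least one firewall profile is off: inbound connection attempts on that profile are not filtered.'
}
```

The UAC and firewall checks read machine-wide settings, so the results are the same whichever user runs the script; the administrator and integrity-level checks describe the session that runs it, which is why the interesting comparison is between an ordinary user account and the one that was logged on when the drop happened.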