Projo Subterranean Homepage News: Bottom-up journalism from the pros. News, tech and culture by Sheila Lennon
I've been fighting a Trojan with a French name: Virtumonde.
Virtumonde Removal Tools and Guide can tell you much more about this ugly disease, and also evaluates the removal tools. My symptoms didn't especially involve the ad popups that others report; my system got hijacked. I've been involved in public networks since 1990, and never picked up a virus. Now I've seen not only this jack-in-the-box infestation but, right around Christmas when I was hunting coupons, there was an annoying bit of mischief that simply redirected Google search results. It was much easier to get rid of.

Earlier in the week, Virtumonde kicked me offline: all web sites loaded blank. My grinding computer creaked and often hit 100 percent CPU usage. Everything froze up and died. I scrambled to my laptop and it took a day to figure out how to get my browsers back.

Last night, the Infected! screen came back. I immediately pulled the plug, then booted into Safe Mode (by tapping F8 as it came up). I couldn't log in as administrator, but immediately ran HijackThis, which quickly scans the registry and other key areas, and saw none of the bad stuff from last time -- it wasn't loading a proxy on my Internet connection (hence the blank sites), and the fake Session Manager executable file wasn't loaded in the odd System directory in Program Files, of all places.

I ran Malwarebytes, still in Safe Mode, and it found 4 infected temporary internet files. I deleted them. I ran VundoFix, which found four more, in Windows/system32. Cautiously, I started Firefox. No proxy this time.

The first bout of Virtumonde disabled my registry editor and AVG antivirus software. The new Comodo Internet Security's antivirus scans behind its new firewall, and freeing the registry is next. It's not all gone yet; I'm still rooting out the hidden pieces, but my computer is quiet and stable again.

So how did I get this bug? Several antivirus sites emphasize that you must keep Java up to date, that these Trojans can exploit vulnerabilities there. I updated Java, which was out of date. (You can see if yours is current here; if it's not, you'll be prompted to download it.)

It's worth having HijackThis and Malwarebytes on your computer so you'll have tools if you get hit. Run them occasionally so you'll be familiar with them when you need them. As soon as you open them, search for updates. If you can't connect for updates, that's a symptom too. HijackThis throws up lots of false positives (legitimate files), so its best use might be to run it when your system is fine and save the log, so you can compare it with a later log when your system seems suspect. If you give up and ask for help later, you'll need to upload your HijackThis log file.

Comodo will be scanning for a while, but I'm going to get some sleep. It's Friday the 13th, and my computer has virtual VD and I'm learning way too much about infection and corruption. This was a drive-by. Fortunately, on Valentine's Day the moon is in the seventh house, and Jupiter aligns with Mars. (Really.) This better be good.
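The "save a clean log, then compare" advice above is the part a defender can actually automate. The script below is an added example, not code from this post or from HijackThis: it parses two logs written in a constructed HijackThis-like layout (one "Onn - description" line per entry), lists what appeared or vanished between the clean baseline and the later snapshot, and attaches a reason to the changes that match the symptoms described in the post (a proxy switched on, a program starting from an odd directory, an antivirus entry that stopped loading). Every path, program name and the 127.0.0.1:5555 proxy in the sample logs is made up, and the triage heuristics are my own assumptions, not the tool's.

```python
"""Baseline-versus-current comparison of a HijackThis-style log.

Added example, not the blog's or HijackThis's own code. The log lines are
constructed to resemble the tool's "Oxx - description" layout; the paths,
names and the 127.0.0.1:5555 proxy are made-up sample values.
"""
import re

# Section code, a dash, then the entry text, e.g. "O4 - HKLM\..\Run: [Name] path"
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<entry>.+)$")

# Constructed "clean machine" snapshot, saved while everything was fine.
BASELINE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program Files\AVG\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader_sl.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - C:\Program Files\AVG\avgwdsvc.exe
"""

# Constructed snapshot taken after the machine started acting up.
CURRENT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [AVG8_TRAY] C:\Program Files\AVG\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader_sl.exe
O4 - HKLM\..\Run: [Session Manager] C:\Program Files\System\fake_sessmgr.exe
O20 - Winlogon Notify: sample - C:\WINDOWS\system32\sample_notify.dll
"""


def parse_log(text):
    """Map each section code to the set of entries listed under it.

    Lines that do not fit the 'Onn - ...' shape (headers, blanks) are skipped,
    so a log with free text at the top still parses.
    """
    sections = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sections.setdefault(m.group("section"), set()).add(m.group("entry"))
    return sections


def diff_logs(baseline_text, current_text):
    """Return {'added': [(section, entry)], 'removed': [...]} between two logs."""
    base, cur = parse_log(baseline_text), parse_log(current_text)
    added, removed = [], []
    for section in sorted(set(base) | set(cur)):
        b, c = base.get(section, set()), cur.get(section, set())
        added.extend((section, e) for e in sorted(c - b))
        removed.extend((section, e) for e in sorted(b - c))
    return {"added": added, "removed": removed}


# Assumed heuristics (mine, not HijackThis's): which changes deserve a look.
PROXY_RE = re.compile(r"Proxy(Enable = 1|Server = )")
AUTOSTART = {"O4", "O20", "O23"}          # Run keys, Winlogon notify DLLs, services
ODD_DIRS = ("\\program files\\system\\", "\\temp\\", "\\temporary internet files\\")
SECURITY_HINTS = ("avg", "antivirus", "firewall", "comodo")


def triage(diff):
    """Attach a reason to each change worth a second look.

    Mirrors the post's symptoms: a proxy switched on (blank pages), a program
    starting from an odd directory, and a security product's entry vanishing.
    """
    findings = []
    for section, entry in diff["added"]:
        low = entry.lower()
        if section in ("R0", "R1") and PROXY_RE.search(entry):
            findings.append(("added", section, entry, "proxy setting turned on or pointed somewhere new"))
        elif section in AUTOSTART and any(d in low for d in ODD_DIRS):
            findings.append(("added", section, entry, "autostart from an unusual directory"))
        elif section in AUTOSTART:
            findings.append(("added", section, entry, "new autostart entry; confirm it matches something you installed"))
    for section, entry in diff["removed"]:
        if section in AUTOSTART and any(h in entry.lower() for h in SECURITY_HINTS):
            findings.append(("removed", section, entry, "security software no longer starts"))
    return findings


if __name__ == "__main__":
    for kind, section, entry, reason in triage(diff_logs(BASELINE_LOG, CURRENT_LOG)):
        print(f"[{kind:7}] {section:3} {reason}\n          {entry}")
```

Run on the two constructed logs it reports five changes: the proxy being enabled and pointed at a local port, a new Run entry launched from Program Files\System, a new Winlogon notify DLL, and the AVG service disappearing. A diff like this does not tell you what a new entry is; it tells you where to look, which is exactly what a clean baseline buys you when a second opinion in a help forum asks for your log.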
Microsoft has put up a $250K bounty on the authors of Conflicker which is a virus with quite a virulent pattern of spreading. I don't know where corporate bounties will lead but nothing else seems to be working to reduce rather than react to viruses and the like. It's kind of surprising that so little has been done given the tremendous costs corporations run up to defend against the problem.
Then again, you could live without java.
Trudy, I'll be more judicious about Java. Today I clicked to a site about roses and Comodo popped up and explained that Java.exe was going to hook this site into my system, add a dll. Did I want that? I decided to skip the roses. It was nice to have more information about the process at the end of the click.
Silas, codemaker and codebreaker are the same job description. Ex-blackhat Kevin Poulsen on credit-card thief Max Butler at Wired:
"Even more important, it satisfied his competitive urge. Offline, Butler was a gentle giant with a generous nature and hippie sensibilities. But in the privacy of his hidden redoubt, Iceman pursued his online enterprise with ruthless zeal. He wasn't after money, not really. He just wanted to prove that he was smarter, bolder, and tougher than everyone else."
Even more interesting: Max Butler started as a white hat. Max Butler AKA Max Vision, Iceman, Aphex, Now Retired.
Free system protection tools can be very good, like polio vaccines. At different times, some seem better than others.
There's good help in forums if you do get infected and think you can hack your way out of that paper bag. I'm not sure what I'd have done if I were new to all this. Call PC pest control?