Curses upon all Malware writers


JohnB

May the Lord of Lords smite them with the plagues of Egypt.

 

May their chooks turn into emus and kick their dunny down.

 

May the fleas of a thousand camels infest their armpits.

 

May their hubcaps fill with prawn shells.

 

May their beds be filled with rabid skunks.

 

May a family of incontinent ferrets take residence in their underwear.

 

May a host of bull elephants find them sexually attractive.

 

May they be buried up to their necks in bat guano.

 

May they be forced to travel by pogo stick on a pineapple farm.

 

May a computer glitch place them upon every direct mailing list on the planet.

 

May they attempt trampoline training in a cactus patch.

 

May they be caught in a compromising position with a vacuum cleaner.

 

May they mistake local anesthetic for personal lubricant.

 

May their aftershave make them attractive to vampire bats.


lol, did someone's computer get infected?

 

This was my favorite

 

May they be caught in a compromising position with a vacuum cleaner.

 

:D

 

you can try reporting the incident here:

 

http://www.malwarecomplaints.info/index.php

 

it's supposed to collect data on infections, issue petitions to, for example, governments and official bureaus that deal with internet security, thus making it clear to those officials how extensive the problems with malware are, and make malware-related issues known to the news media, which, in turn, can make malware-related issues known to the population at large etc., although it's not getting enough 'complainers' imo.

 

Go on, complain. you know you want to *pokes JohnB till he agrees to complain at malwarecomplaints*


why would anyone want to write malware? I don't see the benefit. You can't even usually see your handiwork, right?

 

 

i thought i hinted at that strongly enough, but...

 

It's because they weren't hugged as children. They feel inferior, unloved... all that good stuff. In an effort to boost their self esteem they take out their life's frustrations on strangers. Gives them a sense of power.


why would anyone want to write malware? I don't see the benefit. You can't even usually see your handiwork, right?

 

$£$£.

 

Steal someone's bank details, or throw adverts at them, and you can make money. Put a trojan on someone's machine, and you can download and install a program that does one of the latter and earn a cut of the profits. Put a bot on a machine, and you can rent out your botnet for about 10c/machine/hour. Yoink some active email addys from someone's address book and you can sell them to spammers. Programs that dial premium rate numbers = easy cash for the writer. DDoS bots mean that you can extort money from website-dependent companies under the threat of taking their site down if they don't pay.

 

There are a few more sinister reasons, but in the majority of cases it comes down to money.

 

And lack of hugs.


what does this one do?

Prawn shells + heat = Incredible smell throughout the entire car. It's a very evil thing to do to someone as the smell will linger for months after they remove the offending shells.

 

Oh, this is the time when a man dreads hearing those three little words. "Cool Web Search". I'm still fighting the bugger.

 

Given unto my care, with my knowledge of the human nervous system, I'm sure the coders would survive. They might live for days.;)

 

May "Oh give me a home, where the buffalo roam" become literally true for them.

 

May they attend a feminist rally wearing a "Make my dinner b*tch" T-shirt.

 

May they swim in the shark enclosure at Seaworld during feeding time.

 

May they find that the movie "Duel" was based on a true story.

 

May they be visited with Dyslexia.

 

May the Blue bird of Happiness crap on their Birthday Cake.

 

May magpies be forever stealing their car keys.

 

As they slide down the bannister of life, may the splinters always point the wrong direction.

 

May fire ants infest their flowerpots.

 

May they walk through a ghetto wearing a "Your momma's fat" T-shirt.

 

May their Curriculum Vitae be edited by a three year old.

 

May their foot talc be laced with itching powder.

 

May their bathtub be filled with piranhas.

 

May there always be a Redback on their toilet seat.


Cool web search is a bitch to remove... at least five versions of the buggers require very specific approaches to shift from the computer.

 

Want a hand? If so, d/l HijackThis, make a log and post it up, and I'll tell you how to fix it.


Thanks Dak. I use HJT and the log is clean. Whatever this version is, it's invisible to HJT.:-(

 

I add all known "good" items to my ignore list, so the only things that show up are new changes. HJT finds the things the loader installs, but can't help find the loader.:mad: The only hint is the new items are associated with "Coal Send".

 

Tried so far and bounced:

CWShredder

Ad-Aware.

Spybot S&D.

Spysweeper.

Spyware Blaster.

Norton's.

No-Adware

Manual inspection of all .js files and manual deletion of any suspicious same.

 

Regmon detects the installation of the new Registry keys but cannot identify the process doing it. It shows something called "pureface" doing a lot of activity. This shows in the reg as in HKCU\Software\HoleJumpPollVc\Pureface.

 

It creates 3 new folders in C:\Windows\Application Data containing amongst other things an exe called "tonsmemo".

 

To date, Google searches have failed to find any info on any of the items.

 

Certain .exes keep appearing in the C:\Windows\Temp named 3e910a, 406174, 5187cf, 8b7063 and eb97f. Again, no reference can be found. They can be manually deleted but they reappear.

 

I'm currently running XPSpysoftPro, File Monitor, RegLite and Reg Monitor to try to find the loader.

 

File Mon just caught a new one, 2A776A.exe. The exe can't be deleted as windows is using it and End-It-All can't find the exe to kill it. (Time for a Safe Mode reboot) A process listed as ???:F3AD5297 is contacting the net (Through my firewall:eek:) and adding things to temp.

 

I think I may be winning though. Some things that used to show up in HJT seem to be gone. At least they haven't come back in last few hours, so it looks like I'm just after this downloading loader.

 

Even so, any suggestions would be greatly appreciated.


Out of interest, what makes you think it's CWS? Those symptoms suggest that you at least don't only have CWS, and the notably difficult-to-remove CWS variants all show up in HJT logs:

 

in the R section for CWS.About:blank (something like R1/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (either res:// or file://) C:\WINDOWS\system32\****.dll/sp.html#37049 (numbers random), R1/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER\LOCALS~1\Temp\sp.html, or as any R entry that mentions about:blank or about:navigationfailure),

 

CWS.se.dll shows something similar that mentions se.dll

 

and CWS.look2me shows as a randomly named O20 entry.

 

So... if it's not showing in HJT AND it's not being fixed by stuff like Spysweeper, then I'd guess it's not CWS, although I haven't done this for a while 'cos I've been busy with uni, so it could be a new version I suppose... and I am kinda rusty.

 

Regmon detects the installation of the new Registry keys but cannot identify the process doing it. It shows something called "pureface" doing a lot of activity. This shows in the reg as in HKCU\Software\HoleJumpPollVc\Pureface.

 

It creates 3 new folders in C:\Windows\Application Data containing amongst other things an exe called "tonsmemo".

 

This sounds suspiciously like LOP... have your DNS settings been changed?

 

As for finding the loader, three things come to mind:

 

StartupList might show how it's managing to load up on system start.... it shows a lot more than HJT.

 

If you're using an NTFS system, it might be hiding in an alternate data stream... HJT has an ADS searchy thing under the 'misc tools' section that might help, and Ad-Aware has a 'scan for malicious ADS' button that might help if you find any dodgy ADS.

 

Or there could be a rootkit hiding stuff from you. Try RootkitRevealer.

 

Again, if you want any help reading the logs, post 'em up and I'll have a look-see.
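Two of the habits described in this thread can be combined into a small triage script: JohnB keeps every known-good item in his HJT ignore list so only new entries surface, and Dak describes what the hard-to-remove CWS variants look like in an HJT log (R0/R1 entries whose value is a res:// or file:// sp.html page, any R entry mentioning about:blank or about:navigationfailure, an entry mentioning se.dll, and a randomly named O20 entry). The script below is an added example, not code from the thread or from HijackThis; the log lines are constructed for the example and the exact field layout of a real HJT log may differ, and the regexes are my own reading of Dak's description rather than HJT's detection logic.

```python
"""Triage of HijackThis-style log lines: drop known-good entries, then tag
what is left with the CWS indicators described in the thread.
Added example; log lines below are constructed, not real captures."""
import re

# Constructed sample log, loosely modelled on HJT R0/R1/O4/O20 lines.
# The O4 "pureface"/"tonsmemo" line imitates JohnB's unidentified loader;
# the folder name "somefolder" is a placeholder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\abcd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\USER\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O20 - Winlogon Notify: qrxtzp - C:\WINDOWS\system32\qrxtzp.dll
O4 - HKCU\..\Run: [pureface] C:\WINDOWS\Application Data\somefolder\tonsmemo.exe
"""

# The operator's "ignore list": entries already vetted as good.
KNOWN_GOOD = {
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/",
    r"O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun",
}

# Indicators taken from Dak's description; first match wins.
CWS_INDICATORS = [
    ("CWS.About:blank search hijack",
     re.compile(r"^R[01] - .*=\s*(res|file)://.*sp\.html", re.I)),
    ("CWS.About:blank / navigationfailure",
     re.compile(r"^R\d - .*about:(blank|navigationfailure)", re.I)),
    ("CWS.se.dll",
     re.compile(r"^R\d - .*se\.dll", re.I)),
    ("O20 Winlogon Notify entry",          # CWS.look2me shows as a random name here
     re.compile(r"^O20 - ", re.I)),
]


def new_entries(log_text, known_good=KNOWN_GOOD):
    """Return non-empty log lines that are not in the known-good baseline."""
    return [ln.strip() for ln in log_text.splitlines()
            if ln.strip() and ln.strip() not in known_good]


def classify(line):
    """Name of the first CWS indicator matching the line, or None."""
    for name, rx in CWS_INDICATORS:
        if rx.search(line):
            return name
    return None


def triage(log_text, known_good=KNOWN_GOOD):
    """Pair each new entry with its indicator, or flag it as unclassified.
    Unclassified new entries are exactly the ones worth posting for review."""
    return [(ln, classify(ln) or "unclassified new entry")
            for ln in new_entries(log_text, known_good)]


if __name__ == "__main__":
    for entry, verdict in triage(SAMPLE_LOG):
        print(f"[{verdict}] {entry}")
```

Run against the sample, the two vetted lines disappear, the three R lines and the O20 line get CWS labels, and the "pureface" O4 line comes out as an unclassified new entry, which matches JohnB's situation: the ignore list makes the loader visible as "something new" even when no signature names it.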


If we know the names of the companies that implement the malware (Cool Web Search for example), why can legal action not be taken against them?

 

Failing that, I'm sure there are lots of 'hackers' that want them taken down, so a voluntary DDoS attack would be simple to start and would get rid of the blighters. I sure as anything wouldn't mind contributing my upload for a good cause such as this...

 

By hackers I mean real hackers, not script kiddies and the like...


If we know the names of the companies that implement the malware (Cool Web Search for example), why can legal action not be taken against them?

 

Unfortunately, CWS are based in Russia, so they can't be taken to court that easily. Also, as I understand it CWS operates many pseudo-legitimate sites, and has an 'affiliate' program from whence the malware that redirects you to those pseudo-legitimate sites comes, meaning that they get to officially distance themselves from the malware writers.


I HAVE WON!!!!!!!!! *Runs around singing "We are the champions"*

 

The evil spyware is dead. *"Ding Dong, the spy is dead."*

 

The first hint of the infection was a browser hijack to a CWS search site. (Once seen, always remembered.)

 

My standard scanners found nothing. (Ad-aware, Spysweeper, SpywareBlaster, NIS and Spybot S&D.) D/Loaded NoAdware and it found two CWS variants and removed them. Normally you'd think the system was then clean, but HJT kept showing new keys turning up. Like I said, all known good items are in the ignore list, so my HJT log is actually blank unless something is added. Merjin's StartupList also couldn't detect the file. And I knew something wasn't right because new exes were turning up in the Temp directory. All time spent on the net was with HJT running and NIS "Block Traffic" set unless I was actually doing something.

 

Thanks for the LOP idea Dak. Since the CWS was apparently gone, I was going to keep trying different scanners until LOP or something like it showed up.

 

The next step was Spyware Doctor. (The trial version finds things but won't remove them.) It found three LOP versions, two other Trojan D/Loaders and a keylogger. The trojans and LOP were removed by manual editing of the Registry but the keylogger was a bastard.

 

The file was an exe in D:\Docs & Settings\Admin\App Data\Microsoft\Installers. An unusual place as that is my Win2k install and it isn't used for net access. My primary install is 98 SE on C drive. Windows could not delete the file, although I could copy/paste to another folder. (Where the copied file could not be deleted.) I couldn't delete the file after a "Safe Mode" boot. Nor could I delete the file from a DOS window or from a DOS mode boot. I tried Process Explorer to see if I could unhook the file and then delete it but it couldn't be found.

 

The next step was to copy the file and try to edit it with AXE just to bugger it up. This approach also failed. As no process scan could find the exe as active, I've come to the conclusion that the exe wasn't actually active, but somehow contained within itself some code that makes windows think it's always active. Cute.

 

Then I found a little program called Move on Boot. This is a wonderfully simple program that should be in all spyware remover toolkits. It loads itself as the very first process and moves, renames or deletes the offending file before the target can be activated. Install the program, identify the file you want removed and reboot. *Poof* gone.

 

In all, I can thoroughly recommend Spyware Doctor as the best detection tool out there. It found things the others all missed. (And I'm a registered Spysweeper user.) And everyone should add the essential MoveOnBoot to their toolkit.

 

May all malware writers be found and sent to a Soviet Gulag reopened just for the occasion.
