davidn: (skull)
[personal profile] davidn
For a long time now, I'd thought that computer viruses were things only contracted by idiots and users of Internet Explorer (qualifications which it must be said often go hand in hand). But we had an infection of something at work last week that necessitated going out to buy a new hard drive, and my work laptop's just got something today as well. I'm not sure how it happened - as far as I can remember I wasn't doing anything with it that was more horrific than normal.

I got a trojan warning from Avast when things were going well on massive upgrade #3 of 4 in the middle of the day, and not too long after that, I noticed a process taking up far too much CPU time, and a pop-up advert appearing that was an Internet Explorer window trying to look like Firefox (the icon in the taskbar was wrong). Further, it seemed that some Google links were being redirected - I thought I'd just misclicked the first couple of times, but when I clicked on MalwareBytes and got a page about how to have a healthy pregnancy I was beginning to suspect that something was wrong.

Spybot caught it, it's called Virtumonde.prx and fiddles with your Internet traffic, so I've disconnected it from the network while it runs a giant scan to see if it's been successful in removing it after one reset. HijackThis couldn't seem to, though, so if that doesn't work I have Combofix and a big list of instructions to fall back on.

Date: 2010-02-09 12:46 am (UTC)
From: [identity profile] kytheraen.livejournal.com
I got an email from "Support Michael Raines" <parcel@dhl.com>

I know dhl.com is a real website but I'm pretty sure it's some kind of coverup... the attachment of delivery advice and shipment label to be taken to the depot for pickup is a .zip file. I've always been taught that .zips are the bog standard of virus carriers.

Should I be opening this? Or if so... on a work computer instead? ;)

Date: 2010-02-09 12:50 am (UTC)
From: [identity profile] kytheraen.livejournal.com
Answered my own question: http://www.kenkai.com/seo-blog-article-207.htm

Date: 2010-02-09 10:41 am (UTC)
From: [identity profile] kytheraen.livejournal.com
What confused me was the email address it came from looks like a valid email. I was under the impression you could make anything look like a genuine email from X company, but you always failed at the email address. "DHLParcelTracker@hotmail.com" for example (or all the Neopets Team emails I get subjected to asking for my password and pin).

I just didn't think malicious emails could be sent from real companies.

Date: 2010-02-09 01:29 pm (UTC)
From: [identity profile] kytheraen.livejournal.com
758715082.06220334286440@mindblogger.com

Nice job Watson.

Date: 2010-02-09 08:13 am (UTC)
From: [identity profile] pami-zee.livejournal.com
I have this on my new laptop - I'm blaming a housemate since she's had it for a long time now, but since this is too new for me to have much stuff on it it's going to get formatted and reinstalled with Windows 7. It needs a nice clean anyway, I got far too much junk software with it!

Date: 2010-02-09 08:54 am (UTC)
From: (Anonymous)
David, if you have an old version of Flash Player (or any other plugin) you could be exposing yourself to risks like that as you browse the web.

Date: 2010-02-09 09:52 am (UTC)
From: [identity profile] shoe--gal.livejournal.com
I had something weird like this a few weeks ago - it was redirecting a few Google links, not to anything bad, but just to weird random sites, although if I hit the back button and clicked on the Google link again, it would go to the right place. Can't remember what it was called, but managed to successfully remove it.

Page generated Jun. 16th, 2025 07:59 am