Friday, October 05, 2007

Viruses, worms, creepy crawlies…

I was about to leave for college to get some documentation work done. I inserted my pen drive into the USB port and double-clicked on a folder. What did I notice? It only looked like a folder, but it was actually an executable. I instantly realized my terrible mistake when an IM window popped up on my screen and I saw that a junk message had been sent to one of my contacts from my account. It was the irritating and notorious W32/Yahlover.worm. I immediately sent an apology message to all my contacts and logged off.

I tried to clean all the files off my USB drive, but it wouldn't let me delete the infected files, which had now replicated themselves into every folder on the drive. I started a full system scan and found a file called SSVICHOSST.exe in my system32 folder. This file also tried to access the internet, which thankfully my McAfee firewall was able to block.

It all started when I used this same pen drive at a cyber cafe in Matunga to get a printout. When I inserted the stick into my home machine, McAfee said that the autorun.ini file was infected and had been cleaned automatically. I thought that was the end of the story. But somehow the infection had persisted and had now spread to my physical machine. I could not format the pen drive, and could not delete the infected file from my computer even though my antivirus did detect the infection. It simply said that it was unable to clean/delete/quarantine the file.
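The pen drive relied on two things that can be checked before anything on it is double-clicked: an autorun file at the drive root, and executables that carry the name (and folder icon) of a real directory sitting next to them. The following PowerShell script is an added example, not code from the original post. It assumes PowerShell 4 or later, that the removable drive's root is passed as a parameter, and that a simple heuristic is acceptable: an executable whose base name equals a sibling directory's name, or any executable marked Hidden or System, is reported. Legitimate installers and some vendor tools will trip the second rule, so the output is a list to review, not a verdict.

```powershell
param(
    [Parameter(Mandatory = $true)]
    [string]$DriveRoot   # assumed: the removable drive to inspect, e.g. 'E:\'
)

# 1. An autorun file at the root is what lets the worm launch on insertion.
#    Print only the lines that name a binary so the target is visible first.
$autorun = Join-Path $DriveRoot 'autorun.inf'
if (Test-Path -LiteralPath $autorun) {
    Write-Warning "autorun file present: $autorun"
    Get-Content -LiteralPath $autorun -Force |
        Select-String -Pattern '^\s*(open|shellexecute)\s*=' -CaseSensitive:$false
}

# 2. Executables that impersonate folders: same base name as a sibling directory,
#    or carrying the Hidden/System attributes used to stay out of sight.
Get-ChildItem -LiteralPath $DriveRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.scr', '.com', '.pif' } |
    ForEach-Object {
        $file = $_
        $siblingDirs = Get-ChildItem -LiteralPath $file.DirectoryName -Directory -Force -ErrorAction SilentlyContinue
        $impersonates = $siblingDirs | Where-Object { $_.Name -ieq $file.BaseName }
        $hidden = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $system = (($file.Attributes -band [IO.FileAttributes]::System) -ne 0)
        if ($impersonates -or $hidden -or $system) {
            [pscustomobject]@{
                Path         = $file.FullName
                Impersonates = if ($impersonates) { $impersonates.FullName } else { '' }
                Attributes   = $file.Attributes
                SizeBytes    = $file.Length
                # Hash recorded so the same sample can be recognised on other drives
                Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    } | Format-Table -AutoSize
```

Run it from a machine with autorun already disabled, and treat any hit as a file to hash and submit rather than open; the one thing the script deliberately does not do is delete, because on a drive like the one described every folder would have a copy and the worm's own process would be re-creating them.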

I thought that I would simply deal with the problem later, after I got back home, and could just avoid using Yahoo until I fixed it. When I got back, I realized that the problem was not just with Yahoo Messenger. The rogue files were actually hidden files, and the Folder Options entry in the Tools menu of Windows Explorer was missing, so there was no way to view hidden files (I always keep this setting set to show hidden files). I could not navigate using the command line, as the command window kept disappearing as soon as I opened it. Task Manager and Regedit wouldn't open; they kept saying that they had been disabled by the administrator. Even if I got to the files, I wouldn't be able to delete them, because a rogue process called SSVICHOSST was already running.

At this point there was really something easy that I could have done, but somehow I did it the more geeky way. I first booted into Linux and tried to see if I could delete the file, but I had some read/write permission issues, so I dropped the idea there. I wrote a program in C# to list all the currently running processes.

using System;
using System.Diagnostics;

// Top-level statements (C# 9+). Enumerate every running process;
// ToString() yields "System.Diagnostics.Process (name)", which is why the
// original Contains() check worked, but matching on ProcessName is exact.
Process[] processes = Process.GetProcesses();
foreach (Process process in processes)
{
    Console.WriteLine(process.ToString());
    if (process.ProcessName.Equals("SSVICHOSST", StringComparison.OrdinalIgnoreCase))
    {
        process.Kill();   // throws Win32Exception if the account lacks the right
    }
}

That is what actually showed me that there were multiple instances of a process called SSVICHOSST running on my machine. I could not even view the results of my console application until I set a breakpoint and debugged into it. Finally I just added a line of code to kill the process of that name. Thankfully the process got killed.

Once that happened, I was able to open the command window, and my antivirus was able to delete the dirty file. I also opened msconfig and saw that the file was set to start at boot, so I unchecked that option too. I still did not have my Task Manager, Regedit, and Folder Options, but I thought the infected files were gone.

I booted the computer in safe mode and logged in as Administrator (which should have been the first thing I did). I ran the virus scan again and it caught another instance in another folder. This one was attached to winlogon.exe. I was able to quarantine it so that it does not launch itself every time with winlogon. I turned off System Restore and installed the AVG Anti-Rootkit utility. I searched for malicious entries in the registry and deleted them (found one in Yahoo Messenger, and one in msconfig-related keys).

I logged back in in normal mode and ran the Anti-Rootkit utility, which found nothing. So finally I think the infection was gone, but the damage still remained. To get Regedit working, I opened gpedit.msc -> User Configuration | Administrative Templates | System. There was an option pertaining to "disable registry editing tools". It was set to "Not configured". Nevertheless, I enabled it once and then set it back to "Not configured". Doing this ensures that the DisableRegistryTools registry value is removed. Now I could open the registry editor.
Next I navigated to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and deleted the DisableTaskMgr entry. This got my Task Manager back.
Finally I made another small change in group policy to get back the Folder Options. The last thing I did was disable autorun on all drives using TweakUI.
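The three lockouts above (Task Manager, Regedit, Folder Options) are nothing more than values under the per-user Policies keys, and the TweakUI autorun setting is the NoDriveTypeAutoRun mask under the Explorer policy key, so the whole cleanup can be done from one elevated PowerShell session instead of toggling Group Policy. The script below is an added example, not the author's procedure; it assumes PowerShell 4 or later, that the worm's process has already been killed (a live worm re-applies these values as fast as they are removed), and that the user is logged in as the affected account, since the lockouts live in HKCU. The last part only prints the Run keys and the Winlogon Shell/Userinit values for review; that those are where an entry "attached to winlogon.exe" would be found is my assumption, and nothing there is deleted automatically.

```powershell
#Requires -RunAsAdministrator
# Added example: undo the policy damage left behind by the worm and disable autorun.
# Run only after the malicious process is dead, or the values simply come back.

$policySystem    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyExplorer  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$machineExplorer = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Remove-LockoutValue {
    param([string]$Key, [string]$Name)
    # Remove a policy value only if it exists; report what was found first,
    # because the value being present at all is evidence worth noting.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Write-Host ("{0}\{1} was {2}; removing" -f $Key, $Name, $item.$Name)
        Remove-ItemProperty -Path $Key -Name $Name
    }
}

# Task Manager, Regedit and Folder Options are switched off by these values.
Remove-LockoutValue -Key $policySystem   -Name 'DisableTaskMgr'
Remove-LockoutValue -Key $policySystem   -Name 'DisableRegistryTools'
Remove-LockoutValue -Key $policyExplorer -Name 'NoFolderOptions'

# Disable AutoRun for every drive type (mask 0xFF), machine-wide and for this user.
foreach ($key in $machineExplorer, $policyExplorer) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
}

# Show hidden and protected operating-system files again in Explorer.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'Hidden'          -Type DWord -Value 1
Set-ItemProperty -Path $advanced -Name 'ShowSuperHidden' -Type DWord -Value 1

# Autostart locations to review by hand (assumption: where a winlogon-attached
# entry would live). Anything besides explorer.exe / userinit.exe is suspect.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Get-ItemProperty -Path $winlogon | Select-Object Shell, Userinit
foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    Write-Host "--- $run"
    Get-ItemProperty -Path $run -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS* | Format-List
}
```

Removing the values directly does the same thing as the enable-then-"Not configured" dance in gpedit.msc, which works because Group Policy writes and then deletes exactly these registry values; the direct route just makes it obvious which value was set and lets you log it.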

As I write this, my machine is being scanned by the Kaspersky online AV scanner. I hate people who use their programming skills to create malicious software that causes pain and misery to others.
