A colleague had some problems with his Windows XP laptop while I was away last week, and I promised to look at it on my return. It’s a sad story, particularly as he is doing everything Microsoft recommends (aside from upgrading to Vista). His HP laptop was fully patched with SP3, and he had a commercial license for AVG anti-virus. He noticed that his system started running slowly when connected to a network, though it worked fine offline, and suspected a faulty network card. It sounded suspicious to me. I wondered if malware was causing heavy network traffic, and advised him to check that his anti-virus was up-to-date and to scan his machine.
It got worse. He ran AVG, which discovered two viral autorun.inf files that it quarantined, but the machine still did not work right. The AVG tech support could not see what was wrong, and suggested reinstalling AVG. Reinstallation failed because AVG could not get updates (this was actually a good clue). Tech support said maybe a firewall problem. Hmm.
The best solution in cases like this is to flatten the machine and reinstall everything, but I was intrigued. I booted from the Ubuntu 8.10 live CD and confirmed that the hardware was fine. I then tried a couple of anti-virus scans that run from boot CDs, which is safer than running from within an infected operating system – the Kaspersky rescue disk and the Avira Rescue System. Kaspersky identified and removed Trojan-Downloader.Win32.Agent.ahcg somewhere in temporary files. AntiVir found nothing. I also ran the Malicious Software Removal Tool, which found Trojan:Win32/Alureon.gen. Funny how all these tools find different things. No, I don’t find that reassuring.
At this point I connected the machine to the internet. Tried re-installing AVG but it still would not update. Tried downloading a more recent AVG build. However, when I clicked to download, I got an advertisement page instead. Aha! I checked the DNS settings. Instead of being set to obtain the DNS automatically, it was hard-coded to a pair of DNS servers in Ukraine. Clearly the AVG download site was among the ones privileged with an incorrect entry.
Things looked up after I fixed that. Spybot found evidence of Zlob.DNSChanger.Rtk: a registry entry pointing winlogon\system to an executable with a random name somewhere in Windows\system32, but the file itself was not present. Fixed that entry, and Spybot was happy. AVG installed and updated sweetly and found nothing wrong.
I also noticed a hidden directory called resycled (sic) on the root of both partitions, containing the single file boot.com. Has to be a virus, and seems to be associated with the autorun.inf infection; but none of the clean-up tools detected it.
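As an added example, not part of the original post or anything the author ran, here is a read-only PowerShell triage script that checks a Windows host for the three indicators described above: hard-coded DNS servers, a populated Winlogon System value, and autorun.inf or resycled\boot.com on the root of each fixed drive. The registry locations are the standard Windows ones; the assumption is that you run it as an administrator under PowerShell 2.0 or later on the XP/Vista machine.

```powershell
# Added triage script (not from the original post). Read-only: reports, changes nothing.
$findings = @()

# 1. Hard-coded DNS servers. A non-empty NameServer value means the servers were set by hand,
#    while DhcpNameServer holds what DHCP supplied; the hijack in the post looked exactly like this.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ifaces = @(Get-Item $tcpip) + @(Get-ChildItem "$tcpip\Interfaces")
foreach ($key in $ifaces) {
    $props  = Get-ItemProperty $key.PSPath
    $static = $props.NameServer
    $dhcp   = $props.DhcpNameServer
    if ($static) {
        $findings += "Static DNS on $($key.PSChildName): $static (DHCP offered: $dhcp)"
    }
}

# 2. Winlogon\System. Normally empty; the post's Zlob.DNSChanger entry pointed it at a
#    randomly named file under system32 that no longer existed.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sysval   = (Get-ItemProperty $winlogon).System
if ($sysval) {
    $target = [Environment]::ExpandEnvironmentVariables($sysval)
    $exists = Test-Path -LiteralPath $target
    $findings += "Winlogon System = '$sysval' (file present: $exists)"
}

# 3. Drive-root artifacts: autorun.inf and the hidden resycled\boot.com seen on both partitions.
#    -Force is needed so that hidden files are returned.
$drives = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3')
foreach ($drive in $drives) {
    foreach ($rel in 'autorun.inf', 'resycled\boot.com') {
        $path = Join-Path $drive.DeviceID $rel
        if (Get-Item -Force -LiteralPath $path -ErrorAction SilentlyContinue) {
            $findings += "Found $path"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

The script only lists what it finds; clearing the DNS entries, the Winlogon value and the files is still a manual step, and a machine showing these indicators should be treated as compromised regardless of what the scanners report.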
The machine seems fine now, though it should still be flattened as a precaution. I do find the DNS hijack spooky though. It means you can visit safe sites but get dangerous ones. Nasty.
What all this illustrates (again) is that even users who do everything as recommended still get viruses – in this case, probably from an infected USB stick, though I can’t be sure. Why didn’t AVG catch it? Good question. Why didn’t AVG tech support advise how to fix it? Another good question. Vista would have been a little more robust – you would have to pass a UAC prompt to write to the root of drive C, or to HKLM – but I imagine some users would click OK to a prompt after connecting a USB stick, presuming it to be a driver install or something like that.
And if you get ads or porn sites appearing unexpectedly when you browse the web, yes you should be worried.
Update
I sent the suspect file boot.com to Sophos for analysis. I would have sent it to AVG as well, but could find no easy way of doing so. I received an email informing me that this is a worm called W32/Autorun-NX. A filter to detect it was added to Sophos on 7th November at 20.27, which is about 4.5 hours after I submitted it. If mine was the first report, that is impressive speed; but bear in mind that the infection was over a week old when I encountered it, and had circulated for an unknown length of time before my colleague picked it up. Anti-virus software offers only limited and inadequate protection from malware.
Give me a Mac any day… I am not saying that Macs are virus free or 100% safe against any type of attack, but I sleep easier at night!
Gary
To submit to AVG:
Package into a password protected archive and send the archive document and the password off to virus at avg dot com.
Allegedly, a virus sample submission portal is coming soon…
Hope that helps.
Regards
John
At the school where I work, we are seeing this same thing on Vista computers owned by the students