Malware Attack!

Incoming!
It all started when ZoneAlarm reported a trojan called Win32.Virtumonde.fp and my system slowed to a crawl. I clicked Repair nonchalantly only to find that ZA couldn’t handle the infection. Quarantine, Rename, Delete and even Delete on Reboot didn’t work. They all failed.

And there was no word from NOD32 either. I scanned the System32 folder where the malicious .dll files were but NOD32 only reported that they were in use (Locked, it said).
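Two symptoms above, a DLL that the scanner reports as "Locked" and a Delete on Reboot that silently fails, can both be checked directly. The script below is an added example, not part of the original post or any of the tools named in it: it tests whether another process holds each flagged file open, and whether a deferred delete for it was actually recorded in the Session Manager's PendingFileRenameOperations value (the mechanism Windows uses for delete-on-reboot). The file paths in `$Flagged` are constructed placeholders to be replaced with whatever your scanner reported.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# $Flagged holds constructed placeholder paths, not real indicators from this incident.
$Flagged = @(
    "$env:SystemRoot\System32\EXAMPLE_flagged_1.dll",
    "$env:SystemRoot\System32\EXAMPLE_flagged_2.dll"
)

function Test-FileLocked {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        # Exclusive open: a sharing violation here means some process (often the
        # one that loaded the DLL) still has the file open, i.e. it is "Locked".
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

function Get-PendingRenames {
    # Session Manager applies this multi-string at boot as (source, destination) pairs;
    # an empty destination means "delete". Delete on Reboot is supposed to write an entry here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $val) { return @() }
    $pairs = @()
    for ($i = 0; $i -lt $val.Count; $i += 2) {
        $pairs += [pscustomobject]@{
            # Entries are stored with an NT path prefix (\??\C:\...); strip it for comparison.
            Source      = $val[$i] -replace '^\\\?\?\\', ''
            Destination = if ($i + 1 -lt $val.Count) { $val[$i + 1] } else { '' }
        }
    }
    return $pairs
}

$pending = Get-PendingRenames
foreach ($f in $Flagged) {
    $scheduled = $pending | Where-Object { $_.Source -ieq $f -and $_.Destination -eq '' }
    [pscustomobject]@{
        File           = $f
        Exists         = Test-Path -LiteralPath $f
        Locked         = Test-FileLocked $f
        DeleteOnReboot = [bool]$scheduled
    }
}
```

A file that shows Locked = True with DeleteOnReboot = False is exactly the case the post describes: the scanner could not remove it live and never managed to register the deferred delete either, so removal has to happen from outside the running system (safe mode or an offline scan).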

What do I do? What do I do?!
I quickly launched Firefox. It took about two minutes to start but at least it was working. With the system responding like it had a 133 MHz processor I looked on the net for a while and found this page.

First, I tried Vundo Fix. It detected the infection but was unable to remove it even after repeated tries. It took a long long time to scan and to try to delete the files.

Then I tried VirtumundoBeGone and followed the instructions. I ran it and the operating system gave me a BSOD (this was supposed to happen; the software warned me that it would stop the computer and I might have to restart manually). When I restarted, ZA reported that a DLL file in the Eset directory (NOD32 is installed in that directory) was a malicious file; the same Virtumonde.fp thing again. However, I was able to repair it this time.

Did it work?
I thought I might have to generate a HijackThis log, post it on the forum and wait for support, since the fixes I tried didn’t seem to work. However, when I restarted, the computer seemed to be working normally and no alerts were generated by ZoneAlarm. Surprised, I checked the VBG.txt file that had appeared on my desktop and found that it was the log file for VirtumundoBeGone; it reported that it had successfully renamed and removed the files. Excellent! My system was clean again!

Making sure it doesn’t happen again
What I want to know is why NOD32 didn’t even acknowledge the threat. In fact, I haven’t seen it catch any infection for a long, long time. Perhaps it is not equipped to handle adware and malware?

So I went looking for anti-virus reviews and found this. Kaspersky was on top, and BitDefender was rated very high on many sites. So maybe I should get one of those?

But then I found this article. I quote from the article:

Andreas Clementi, who runs the web site av-comparatives.org, has released his latest report that looks at how well antivirus programs do against threats that have not yet been identified and included in standard AV signatures. The test looked at 17 different products, including offerings from Symantec, McAfee, AVG, Kaspersky, and Microsoft, and tested how well releases dated February 2 (with no updates) fared against a swath of new malware—viruses, scripts, trojans, and other nasties—that were discovered between February 2 and May 2.

The winner of this antivirus sweepstakes was a product called Avira, which managed to detect and defeat 71 percent of the unknown malware. Right behind it was the equally-obscure NOD32, which swept away 68 percent of the threats. The more well-known commercial products fared more poorly. Norton Antivirus and McAfee tied at a mere 24 percent, while Microsoft’s OneCare did even worse by only identifying 18 percent of the new threats. Resting at the bottom of the barrel were Kaspersky and eScan at nine percent, and AVG, which detected only eight percent of malicious software in addition to producing many false positives.

I spent many hours reading reviews on the internet before I chose NOD32 and it looks like it is better than the rest after all. So I shall stick with it. I haven’t had a virus infection from the time I installed it (until now) so it can’t be that bad after all.

But I did download the latest Ad-Aware version and updated it. By the way, I don’t just use ZoneAlarm as a firewall. I have the entire ZoneAlarm Security Suite 7, which also has built-in anti-virus that uses the Kaspersky engine!

But wait!
Oh crap. ZA just alerted me that I was still infected. I’ll see what I can do with Ad-Aware and I’ll run full system scans.

Now ZA detects the infection in different parts of the system but is able to quarantine the files properly. I shall run a full system scan with ZA after Ad-Aware.

ZA found the malware hidden in a LimeWire Pro torrent I downloaded from Isohunt. I always assumed torrents were clean. This teaches me a nice little lesson.

Note:
People suggesting that I move to Linux or get a Mac will be ignored.

Category: Software

23 Responses to “Malware Attack!”

  1. sindhu says:

    wew. huge 1 this be men. i use avast, hmmm you think i am infected?



  2. Arun says:

    I don’t seem to have a problem with Nod32 and ZA combination. They work fine. And yes alerts are issued only by ZA.



  3. Arun M says:

    Torrents are not clean…I too learnt that the hard way :p



  4. Marc Z says:

    Sindhu, you just formatted. As long as you use some combination of anti-virus and firewall you’re safe.

    Arun, this is the first time I’ve had an infection since I started using Nod32 and ZA but I think it was because I didn’t update ZA.

    Arun M, what happened to you?



  5. Arun says:

    I ran a NOD32 in-depth analysis on my PC after reading this post and found no threats.



  6. Marc Z says:

    So maybe it is pretty good after all.



  7. Marc Z says:

    Check the Wikipedia article: http://en.wikipedia.org/wiki/Nod32

    Quotes:

    It has been tested 46 times by Virus Bulletin and has failed 3 times, the lowest failure rate of the tested anti-virus products.

    NOD32 is written largely in assembly code, which contributes to its low use of system resources and high scanning speed, meaning that NOD32 can easily process more than 23MB per second while scanning on a modest P4 based PC and on average, with all real-time modules active, uses less than 20MB of memory in total but the physical RAM used by NOD32 is often just a third of that. According to a 2005 Virus Bulletin test, NOD32 performs scans two to five times faster than other antivirus competitors.

    Damn!



  8. raghavsr says:

    so which one should i install? The antivirus must be able to catch those viruses that start affecting my comp after i download a virus and keep them in a .rar file



  9. Marc Z says:

    You need Linux then, cause your viruses will be Windows only.



  10. Sanchan M says:

    I use only ZA, haven’t had any probs till now.. is nod32 that good..? maybe i shud install it .. hmm



  11. Marc Z says:

    You should. You have no antivirus software?



  12. Sanchan M says:

    haven’t found any use for it yet.. never had any infections..



  13. Marc Z says:

    It prevents virus attacks. You don’t install it after you have one. In fact most of the time you won’t even know you have a virus.



  14. George says:

    You can’t just ‘get viruses’. What shady business are you up to?



  15. Hari says:

    Kaspersky = GUI S.H.I.T. I loathe it and I’m proud of the fact that I loathe it. Nod32 is cool…



  16. Marc Z says:

    George, Linux users are unwelcome in this discussion. And there is firewall software for Ubuntu. Go install it.



  17. George says:

    I don’t need it, I have a physical firewall.



  18. Marc Z says:

    Oh yeah, which stops you from using FTP, P2P and pretty much everything else.



  19. George says:

    Sadly, yes. I shall buy a wireless router when I move. Then I can have a hardware firewall [i]and[/i] do all those things.

    Also, I’m entitled to support removal of malware on Windows computers. I’m willing to bet all those bots were from Windows botnets (they’re from Windows, that’s certain). And the only reason they don’t post is because I’ve blocked them from commenting and also because I stopped the bloody Russians.



  20. George says:

    Okay, you are just not going to believe this. I had my blog Dashboard open in the other tab while I posted that comment and when I tabbed back I noticed the number of comments in moderation: 2080. This is like a very bad flashback. I thought I’d stopped them!



  21. Marc Z says:

    For the last time, BBCode does not work on Wordpress.

    It’s not just the Russians targeting you. It’s pretty much everyone.



  22. George says:

    It was a couple of Americans and a Russian this time, so I blocked some Comcast, and some specific IP ranges.



  23. Marc Z says:

    You’re going to end up blocking most of the two countries at this rate.



Copyright © 2008 Marc | Blog Oh! Blog

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 India License.