Free Republic

Stubborn trojan stashes install file in Windows help (to ensure victim computers remain infected)
The Register ^ | 3rd February 2010 06:02 GMT | Dan Goodin in San Francisco

Posted on 02/03/2010 9:05:39 AM PST by Ernest_at_the_Beach

Security researchers have spied malware that stashes a copy of itself in a Windows help file to ensure victim computers remain infected.

The trojan, dubbed Muster.e by anti-virus provider McAfee, infects a Windows file called imepaden.hlp so that it stores the main components of the malware in encrypted form. In the event the installed malware is removed, the secret payload is decrypted into an executable file called upgraderUI.exe and run by a companion installation file that automatically runs as a Windows service.

"This is hiding in plain sight," said Craig Schmugar, a threat researcher at McAfee Labs. "The help file trick is pretty new to us. Usually on the client, we don't see this very often."

(Excerpt) Read more at theregister.co.uk ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: malware

1 posted on 02/03/2010 9:05:41 AM PST by Ernest_at_the_Beach

To: ShadowAce
Might explain how some computers just stay infected even after most of the malware files are removed....

That complaint is often heard around here....

2 posted on 02/03/2010 9:08:48 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)

To: Ernest_at_the_Beach

Not from Mac users, though. I wonder why?


3 posted on 02/03/2010 9:10:14 AM PST by null and void (We are now in day 377 of our national holiday from reality. - 0bama really isn't one of US.)

To: Ernest_at_the_Beach

My mom’s computer had a nasty bug that was centered around a file called Winhlp64.exe. It installed a fake antivirus and used a rootkit to disable the real antivirus.


4 posted on 02/03/2010 9:10:52 AM PST by MediaMole

To: Ernest_at_the_Beach
McAfee link:

Be careful on help files

************************************EXCERPT***********************************

“Muster” is a family of backdoors that have been using help files to hide themselves. Help files, or “.hlp” files, are data files designed to be viewed with the Microsoft WinHelp browser to provide online help to application users. Earlier variants of “Muster” drop encoded copies of the main backdoor components under filenames with the extension “.hlp”. These “.hlp” files are later decrypted with the Microsoft CryptoAPI using hardcoded keys and executed by loaders.

A recent variant, “Muster.e”, uses help files in a different way. Once installed, it infects an existing help file called “imepaden.hlp”, one of the help files for Microsoft IME. Of course, this infected help file can still be viewed with the WinHelp browser in the same manner as the original help file, and users are unlikely to notice the infection from that view.

*****************************snip*****************************

How is this activated upon each machine boot? Muster.e also drops a sys file that is loaded as a service upon reboot. This sys file is responsible for extracting the appended executable file from the help file and copying it to a standalone executable file called “upgraderUI.exe”, registered under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run as “AutoPatch”, which leads users to believe this is something related to a system update tool. On top of this, the malware authors have also crafted the sys file to deceive users.

5 posted on 02/03/2010 9:13:40 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)
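The McAfee write-up quoted above describes the persistence trick in enough detail to check for it: the payload is appended to imepaden.hlp past the data WinHelp actually reads, so the viewer still opens the file normally. The following is an added example, not code from McAfee, The Register or the thread. It assumes the published WinHelp 3.x layout, a 16-byte header of magic (bytes 3F 5F 03 00), directory offset, first-free-block offset and EntireFileSize, and treats any bytes beyond EntireFileSize as appended data. The sample files are constructed in memory; the hypothetical helper names (inspect_hlp, _looks_like_pe, _make_hlp, _make_fake_pe) are mine.

```python
"""
Flag a WinHelp (.hlp) file that carries data appended beyond the size recorded
in its own header, the trick Muster.e is described as using with imepaden.hlp.
Added example; header layout assumed from the public WinHelp 3.x description,
sample files constructed below, not captured from a real infection.
"""
import struct

HLP_MAGIC = 0x00035F3F                  # WinHelp 3.x signature, on disk as 3F 5F 03 00
HEADER_FMT = "<IiiI"                    # Magic, DirectoryStart, FirstFreeBlock, EntireFileSize
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16 bytes


def _looks_like_pe(blob: bytes) -> bool:
    """True if blob holds an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    mz = blob.find(b"MZ")
    while mz != -1:
        if len(blob) >= mz + 0x40:
            e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
            if blob[mz + e_lfanew: mz + e_lfanew + 4] == b"PE\x00\x00":
                return True
        mz = blob.find(b"MZ", mz + 1)
    return False


def inspect_hlp(data: bytes) -> dict:
    """Compare the size a .hlp declares in its header with its real size.

    WinHelp reads only up to EntireFileSize, so trailing bytes are invisible
    to the viewer (the file still opens) but have no business in a clean file.
    Any trailing data is reported as suspicious even without PE markers, since
    McAfee says the stored payload is encrypted and would not show an MZ header.
    """
    result = {"valid_header": False, "declared_size": None,
              "actual_size": len(data), "trailing_bytes": 0,
              "trailing_has_pe": False, "suspicious": False}
    if len(data) < HEADER_LEN:
        return result
    magic, _dir_start, _first_free, declared = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != HLP_MAGIC or declared > len(data):
        return result                   # not a WinHelp file, or truncated: a different problem
    trailing = data[declared:]
    result.update(valid_header=True, declared_size=declared,
                  trailing_bytes=len(trailing),
                  trailing_has_pe=_looks_like_pe(trailing),
                  suspicious=len(trailing) > 0)
    return result


# ---- constructed samples (not real files) ---------------------------------
def _make_hlp(body_len: int) -> bytes:
    """Stand-in for a clean help file: valid header, zero-filled body, sizes agree."""
    total = HEADER_LEN + body_len
    header = struct.pack(HEADER_FMT, HLP_MAGIC, HEADER_LEN, -1, total)
    return header + b"\x00" * body_len


def _make_fake_pe() -> bytes:
    """Minimal MZ stub: e_lfanew at 0x3C points to 'PE\\0\\0' at offset 0x40."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


CLEAN_HLP = _make_hlp(240)
INFECTED_HLP = CLEAN_HLP + _make_fake_pe()             # plaintext PE appended
# Encrypted payload shows no MZ/PE markers; only the size mismatch gives it away.
ENCRYPTED_HLP = CLEAN_HLP + bytes((i * 73 + 19) & 0xFF for i in range(300))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_HLP), ("appended PE", INFECTED_HLP),
                       ("appended encrypted blob", ENCRYPTED_HLP)):
        print(f"{name:24s} {inspect_hlp(blob)}")
```

On a live host this is a triage signal, not a verdict: confirm by hashing the help file against a known-good copy of the same Windows build, and pair it with a look at the Run key value the write-up names (AutoPatch pointing at upgraderUI.exe) and at the dropped service, since the help file alone re-infects only when the loader is still present.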

This entry was posted on Tuesday, February 2nd, 2010 at 00:38


6 posted on 02/03/2010 9:15:41 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)

To: MediaMole

Does it have a recognized name?

64 bit malware?


7 posted on 02/03/2010 9:17:08 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)

To: null and void

Or Linux users.


8 posted on 02/03/2010 9:17:42 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)

To: Ernest_at_the_Beach

bump


9 posted on 02/03/2010 9:23:23 AM PST by Not A Snowbird (Socialism is the plundering of the productive by the unaccountable)

To: Ernest_at_the_Beach

It wasn’t 64 bit. The malware was a typical malicious “anti virus” called “Malware Defense” with a rootkit called “TDSS.” The fake AV software closely mimics Windows dialogues. It also tries to install more trojans.

Here’s info on removal. Once I found the tools, it wasn’t too difficult, just annoying.

http://www.myantispyware.com/2010/01/16/how-to-remove-cls_pack-exe-and-winhlp64-exe-trojan-fake-security-center-alert/


10 posted on 02/03/2010 9:23:49 AM PST by MediaMole

To: null and void

Because they don’t have enough market share to be bothersome.


11 posted on 02/03/2010 9:27:47 AM PST by Skenderbej (No muhammadan practices his religion peacefully.)

To: Skenderbej
That is an old claim....

The fact is that Windows has structural problems that the Unix based systems DO NOT HAVE!

12 posted on 02/03/2010 9:33:37 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)

To: Skenderbej
The fact is that in the early days of Unix there were attacks on their systems, and they were forced to build safeguards into the operating system structure.

13 posted on 02/03/2010 9:36:33 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)

To: Ernest_at_the_Beach

I’m not a computer guy. I don’t care except I want computing without problems and Windows works really, really well for me.

When I worked at the NSA, we ran almost everything on UNIX and we got debilitating crashes at least twice a month. 8-14 hours of downtime, work building up, and bad guys getting away.

It’s hard to convince me that UNIX is better than Windows, when in my view, it crashed a lot.


14 posted on 02/03/2010 9:47:42 AM PST by Skenderbej (No muhammadan practices his religion peacefully.)

To: Ernest_at_the_Beach

But, like I said, I’m no computer guy.

This is kind of like an argument I had with a guy about my Benelli R1 .300 Win-mag. He said it was a $#!7 gun because it wasn’t as accurate as his bolt action Remington (which I happen to have a similar model to his, except in .270).

In a technical MOA accuracy test, he is probably right. But, when shooting jugs or deer, 1/4” doesn’t really matter at 400 yards. The difference is that the bolt kicks like a mule and the Benelli has systems designed to take the hurt away and make the gun more user-friendly. It’s a beautiful work of art to boot.

So, I use the Benelli almost exclusively, even though my Remington might be the “better” gun.


15 posted on 02/03/2010 9:55:28 AM PST by Skenderbej (No muhammadan practices his religion peacefully.)

To: null and void
Not from Mac users, though. I wonder why?

There are front-wheel drive imports in the drag-racing world, too. Why aren't they an event on the NHRA Nationals tour?

16 posted on 02/03/2010 10:03:20 AM PST by Ol' Dan Tucker (People should not be afraid of the government. Government should be afraid of the people)

To: Ernest_at_the_Beach
The fact is that Windows has structural problems that the Unix based systems DO NOT HAVE!

There are lots of fans of boat racing across the country. Why aren't these races covered on national TV like NASCAR?

17 posted on 02/03/2010 10:07:55 AM PST by Ol' Dan Tucker (People should not be afraid of the government. Government should be afraid of the people)

To: Ernest_at_the_Beach

Unix was the system on which the world’s oldest and most popular hack was invented: The buffer overflow trick.


18 posted on 02/03/2010 10:20:29 AM PST by Erasmus (<under construction>)

To: Erasmus
Unix was the system on which the world’s oldest and most popular hack was invented: The buffer overflow trick.

I thought the oldest hack was rummaging around in the wastebasket for punched cards with someone's username and password on them.

Uh, not that I would ever do that. No sirree bob!

19 posted on 02/03/2010 10:49:11 AM PST by Vroomfondel

To: Skenderbej

Hardware had some real problems back in those days too!


20 posted on 02/03/2010 11:36:36 AM PST by Ernest_at_the_Beach ( Support Geert Wilders)

