Posted on 01/11/2008 9:40:46 AM PST by Aristotelian
Security experts are warning about a stealthy Windows virus that steals login details for online bank accounts. In the last month, the malicious program has racked up about 5,000 victims - most of whom are in Europe.
Many are falling victim via booby-trapped websites that use vulnerabilities in Microsoft's browser to install the attack code.
Experts say the virus is dangerous because it buries itself deep inside Windows to avoid detection.
Old tricks
The malicious program is a type of virus known as a rootkit and it tries to overwrite part of a computer's hard drive called the Master Boot Record (MBR).
This is where a computer looks when it is switched on for information about the operating system it will be running.
"If you can control the MBR, you can control the operating system and therefore the computer it resides on," wrote Elia Florio on security company Symantec's blog.
Mr Florio pointed out that many viruses dating from the days before Windows used the Master Boot Record to get a grip on a computer.
Once installed, the virus, dubbed Mebroot by Symantec, usually downloads other malicious programs, such as keyloggers, to do the work of stealing confidential information.
Most of these associated programs lie in wait on a machine until its owner logs in to the online banking systems of one of more than 900 financial institutions.
The Russian virus-writing group behind Mebroot is thought to have created the Torpig family of viruses that are known to have been installed on more than 200,000 systems. This group specialises in stealing bank login information.
(Excerpt) Read more at news.bbc.co.uk ...
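The article says the rootkit "overwrites part of a computer's hard drive called the Master Boot Record", the 512-byte sector the firmware reads first. The check below is an added example (not code from the BBC article, Symantec, or GMER): it parses an MBR image, verifies the 0x55AA boot signature, lists the partition table, and compares a hash of the 446-byte boot-code region against a known-good baseline, which is how a defender would spot a replaced boot loader that leaves the partition table intact. The two MBR images and the baseline hash are constructed in the code itself; the boot-code bytes and partition layout are invented for illustration and do not come from any real disk or from Mebroot.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: the boot loader code
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic 512-byte MBR (constructed for this example, not
    taken from a real disk) with one bootable partition of type 0x07."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the MBR")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)  # remaining three entries unused
    return code + table + BOOT_SIGNATURE


def has_boot_signature(mbr: bytes) -> bool:
    """True when the sector ends with the 0x55AA signature the firmware expects."""
    return len(mbr) == MBR_SIZE and mbr[510:512] == BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries."""
    if not has_boot_signature(mbr):
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack(
            ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:      # type 0 marks an unused entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> dict:
    """Compare the boot-code region against a baseline hash recorded when the
    machine was known to be clean; a mismatch means the loader was replaced."""
    info = parse_mbr(mbr)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_boot_code_sha256
    return info


# Constructed sample data: a "clean" MBR, its baseline hash, and a copy whose
# boot code was swapped while the partition table was left untouched (the
# pattern the article describes: the machine still boots, so nothing looks wrong).
ORIGINAL_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
BASELINE_SHA256 = hashlib.sha256(ORIGINAL_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 40) 

if __name__ == "__main__":
    for name, image in (("original", ORIGINAL_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(image, BASELINE_SHA256)
        print(name, "boot code modified:", result["boot_code_modified"],
              "partitions:", result["partitions"])
```

On a real system the 512 bytes would be read from the raw disk device (for example `\\.\PhysicalDrive0` on Windows) from a trusted boot environment, and the baseline hash would be recorded before the machine goes into service; a partition table that parses fine while the boot-code hash has changed is exactly the condition an on-disk scan is looking for.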
rootkit
If it can’t be removed while the computer is running, how the heck is it removed?
ping
So my McAfee won’t be able to detect/delete it? Dang.
So my McAfee won’t be able to detect/delete it? Dang.
See, I’m already infected. Causing double posts!
THE ANSWER...
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=3
Ping!
You might also have to format /mbr.
Hmmm. We use symantec, in fact it just finished its daily scan on this machine a few minutes ago.
That said, I don’t do online banking for the reasons found in this article.
Read the full article...
http://news.bbc.co.uk/2/hi/technology/7183008.stm
~SNIP~ Independent security firm GMER has produced a utility that will scan and remove the stealthy program ~SNIP~
GMER HERE...
It’s really bad form to suggest destructive commands.
I hope most people will know what that does. Unfortunately, it probably won’t really clean off the rootkit.
Free tools such as http://killbox.net/ and http://www.snapfiles.com/get/removereboot.html will delete files upon reboot.
No, I’m going to allow it to go gray naturally.
The Russian virus-writing group behind Mebroot is thought to have created the Torpig family of viruses that are known to have been installed on more than 200,000 systems. This group specialises in stealing bank login information.
Thank goodness Putin cracked down on all those corrupt oil company and media tycoons. Hate to think of the crime wave that could have happened. I mean, yeah, he's a rough guy, but it's not as if he sells Kalashnikov factories and advanced fighters to Venezuela.
You would have to boot from a CD and then clear out the mbr..
Europeans seem to get more viruses because they are also the same people less likely to have antivirus programs installed. I once saw a statistic that showed Europe and Asia with almost ten times as many viruses as North America, even though North America has more computers. I don’t remember which antivirus company had the stat.
I think you meant fdisk /mbr.
Does anyone know if AVG Free Edition Antivirus will find this?
You're right.
AVAST.COM
How do I know this GMER is safe? (no offense to you) Has it been peer reviewed or tested, etc?
just google GMER
Instead of getting screwed the first time, how about installing a SW firewall and a hardware firewall? I crawled around the floor with 5 U-320 HDs and that will not happen again. 14 fans and everything in there is happy now. The problem with SCSI is assigning IDs to everything. After that, everything works well at 15k RPM.