Wednesday, October 13, 2010

New Virus Infection

There are a lot of fake, virus-infected LinkedIn emails going around.  Supposedly this virus might have come from just viewing a profile on the web site or possibly on Twitter?  The first symptom was that McAfee was popping up every 10 seconds with a message saying that it had blocked a virus.  Then McAfee went down altogether and the virus took over.  Alt+Control+Delete did not work.  I could download Malwarebytes but it would not run.

I now know that Symantec has a Trojan.Vundo removal tool that likely would have fixed this problem.  Instead I used Start, Run, and msconfig to shut down almost all of the Startup items.  Then I downloaded Malwarebytes and ran it again.  This time it ran but would not update.  There is an alternate program-killing program called Rkill.com that would have solved that problem.  However, Malwarebytes did remove some infections, and after the computer was restarted it was able to successfully update and remove the rest of the infections.

The infection got through by using JavaScript.  If the user had been running Firefox with NoScript they would never have had the problem.  I will not digress into ranting about how Java should be banned, as over 80% of viruses are using Java to trash millions of computers...

This virus keeps coming back, even after reformatting the hard drive and reinstalling Windows from CDs.  It could be when email is imported or when my documents are copied?  The symptoms are repeated IPCop firewall reports of "ICMP Destination Unreachable Communication Administratively Prohibited" when someone tries to directly access the computer from the outside world, and lots of traffic on port 8881.  Every now and then the computer tries to open 20 or 30 UDP connections to port 8881 and some other ports like 1889, 1814, 1850, 1855, and 1877, among others.

Malwarebytes has removed a dozen viruses and BitDefender keeps finding some too.  But it keeps coming back!  I hate it when reformatting the hard drive does not get rid of it.  There will be more information coming as soon as I can figure it out.  The UDP traffic on port 8881 has to be a key to the problem?
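As an added illustration of how a defender could pick that symptom out of firewall logs (example code written for this page, not the author's or IPCop's own), the script below parses log lines in the netfilter LOG format that IPCop's iptables logging is assumed to produce and flags any internal host that opens a burst of outbound UDP connections to ports outside an expected set. The sample lines, hosts, threshold and port list are all constructed assumptions.

```python
import re
from collections import defaultdict

def parse_line(line):
    """Pull SRC/DST/PROTO/DPT out of a netfilter-style LOG line; None if not one."""
    fields = dict(re.findall(r"\b(SRC|DST|PROTO|DPT)=(\S+)", line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {"src": fields["SRC"], "dst": fields.get("DST"), "proto": fields["PROTO"],
            "dpt": int(fields["DPT"]) if "DPT" in fields else None}

def find_udp_bursts(lines, threshold=20, expected_ports=(53, 123, 500, 4500)):
    """Group outbound UDP entries per source host and report hosts that opened
    at least `threshold` connections to ports outside the expected set.
    Returns {src: {"count", "ports", "destinations"}}."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dpt"] not in expected_ports:
            per_src[rec["src"]].append(rec)
    hits = {}
    for src, recs in per_src.items():
        if len(recs) >= threshold:
            hits[src] = {"count": len(recs),
                         "ports": sorted({r["dpt"] for r in recs}),
                         "destinations": len({r["dst"] for r in recs})}
    return hits

def make_line(src, dst, dpt, proto="UDP"):
    """Build one constructed log line in netfilter LOG format (sample data, not real logs)."""
    return (f"Oct 13 21:04:01 ipcop kernel: OUTPUT IN=eth0 OUT=eth1 SRC={src} DST={dst} "
            f"LEN=60 TTL=64 PROTO={proto} SPT=51000 DPT={dpt}")

# Constructed sample: host .10 reproduces the pattern described in the post (a burst
# to 8881 plus a few scattered high ports); host .20 only does DNS and one TCP session.
SAMPLE_LINES = [make_line("192.168.1.10", f"203.0.113.{i}", 8881) for i in range(1, 26)]
SAMPLE_LINES += [make_line("192.168.1.10", f"198.51.100.{i}", p)
                 for i, p in enumerate([1889, 1814, 1850, 1855, 1877], 1)]
SAMPLE_LINES += [make_line("192.168.1.20", "192.0.2.53", 53) for _ in range(40)]
SAMPLE_LINES.append(make_line("192.168.1.20", "192.0.2.80", 443, proto="TCP"))

if __name__ == "__main__":
    for src, info in find_udp_bursts(SAMPLE_LINES).items():
        print(f"{src}: {info['count']} outbound UDP connections to "
              f"{info['destinations']} hosts on ports {info['ports']}")
```

Only the host matching the post's pattern is reported; the 40 ordinary DNS lookups from the other host are ignored because port 53 is in the expected set.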
