MS VM vulnerability cleanup

By Thomas of Austin ·
A client picked up a virus through the MS VM vulnerability. The virus has been cleared out and the VM updated with Microsoft's security patch. The problem is that every time we reboot the PC the home page is reset to lolitaf..ker.com, which passes the browser through half a dozen other porno sites in a few seconds. If you edit Internet Options and reset the homepage to something sane, it reverts to the above-mentioned porno site when you reboot the PC.

Does anybody know how to remove the file that changes the homepage AND how it is run when the system is rebooted? CLUE: it is not in CONFIG.SYS, AUTOEXEC.BAT or the Registry.

Thanks


9 total posts (Page 1 of 1)  

Virus Elimination

by Boomslang In reply to MS VM vulnerability clean ...

Do you know what the antivirus software identified it as? Usually Symantec has manual disinfection methods listed, if you know what virus/worm it was.

http://www.symantec.com/avcenter

Typically, these persistent worms insert self-starting entries in AUTOEXEC.BAT, CONFIG.SYS, WIN.INI, SYSTEM.INI, and in the registry in the Microsoft/Windows/CurrentVersion/Run, RunServices, and RunServicesOnce keys. They can also insert themselves into the exefiles open key so that any time you run an executable, they are run as well.

You will then also have to track down the referenced file and delete it as obviously, the disinfection did not remove it.


Re: Virus Elimination

by Thomas of Austin In reply to Virus Elimination

Norton identified the breach as the JS.Exception.Exploit. I updated the MS VM because of this info but there are no manual removal instructions. Nor are there at Microsoft's web site. I checked the startup files including the registry for suspicious startup files and found nothing. It only changes the home page and search pages after a reboot, so it is not associated with the exefiles; checked that also.

Any advice would be appreciated.

Thomas


Killing JS.Seeker

by Boomslang In reply to Re: Virus Elimination

OK, that was the necessary information needed to help find it. It is similar to what Kaspersky Labs calls JS.Trojan.Seeker. Had that on a computer at work.

http://www.viruslist.com/eng/viruslist.html?id=4107

As it is described: "The script uses a MS Internet Explorer 5.0 Typelib security vulnerability to create an HTA file in the Windows start-up directory. This file automatically runs upon the next Windows start-up, and the script in it gains control. The script in the HTA file modifies the system registry keys where the home and search page addresses are specified."

So, you might want to check the Start Menu Startup folder for weirdness. Also look for strange HTA files.


OK, now that's something new...

by Thomas of Austin In reply to Killing JS.Seeker

I had not thought to look for errant HTA files.

Thanks Zelda


JS.Exception.Exploit

by Boomslang In reply to OK, now that's something ...

Lockdowncorp has a test page to test Internet Explorer for this vulnerability. It also explains how the thing works.

http://www.lockdowncorp.com/bots/testyourbrowser.html


Thanks, we got it....

by Thomas of Austin In reply to JS.Exception.Exploit

There was an HTA file at C:\ht.hta. It was just the relay to the errant web sites. What I missed was the regedit with the /s option in the Registry. Having removed that, the home and search pages are now constant.

Thanks again Zelda.


Further on JS.Seeker

by Boomslang In reply to Re: Virus Elimination

There are many variants to this. Here's the McAfee link.

http://vil.mcafee.com/dispVirus.asp?virus_k=98882&

Excerpt from VIL: "Upon execution, new registry values are written to a file named "homereg111.reg"; existing registry values are saved to "backup1.reg" and "backup2.reg". "homereg111.reg" is then imported into the registry. Finally "removeit.hta" is run, which attempts to delete the file "C:\WINDOWS\START MENU\PROGRAMS\STARTUP\runme.hta"."

Since there are many variants, you might want to check the link given, but they all probably stick something into the Startup Folder.
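The checks Boomslang describes across these posts (an .hta dropped in the Startup folder, a .reg file silently imported with regedit /s, and the Internet Explorer Start Page / Search Page values being rewritten) can be audited offline. The script below is an added example written for this thread, not code from any of the posters or from Symantec, Kaspersky or McAfee. It parses a REGEDIT4-style .reg export and reports the values that would change IE's home or search pages, flags .hta files in a Startup-folder listing, and flags autostart command lines that import a .reg silently or launch an HTML Application. The .reg text, directory listing and command lines are constructed sample data; the example.invalid URLs are placeholders, and the function names are this example's own.

```python
"""Offline audit helpers for the JS.Seeker-style browser hijack discussed above.

Sample data is constructed for this example; URLs use the reserved
example.invalid domain as placeholders.
"""
import re

# Value names under ...\Internet Explorer\Main (plus the SearchUrl key's default
# value) that decide which home page and search pages IE loads at start-up.
HIJACK_VALUE_NAMES = {
    "Start Page", "Search Page", "Default_Page_URL", "Default_Search_URL",
    "Local Page", "SearchAssistant", "CustomizeSearch",
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unquote(data):
    """Strip the quotes of a REG_SZ literal and unescape \\\\ and \\"; other types stay raw."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg(text):
    """Return {key: {value_name: data}} for a REGEDIT4 / 'Version 5.00' export.

    Handles [KEY] section lines, "Name"="data" lines and the default value @=.
    Comment lines (;) and the header line are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):
            keys[current]["@"] = _unquote(line[2:])
            continue
        m = _VALUE_RE.match(line)
        if m:
            keys[current][m.group("name")] = _unquote(m.group("data"))
    return keys


def find_browser_hijacks(reg_text):
    """List (key, value_name, data) entries that would rewrite IE's home/search pages."""
    hits = []
    for key, values in parse_reg(reg_text).items():
        if "internet explorer" not in key.lower():
            continue
        for name, data in values.items():
            if name in HIJACK_VALUE_NAMES or key.lower().endswith("\\searchurl"):
                hits.append((key, name, data))
    return hits


def find_startup_hta(filenames):
    """Return the HTML Application files in a Startup-folder listing."""
    return [f for f in filenames if f.lower().endswith(".hta")]


def flag_autostart_commands(commands):
    """Return (command, reason) for autostart lines that silently import a .reg or run an .hta."""
    flagged = []
    for cmd in commands:
        if re.search(r"\bregedit(?:\.exe)?\b.*\s/s\b", cmd, re.I):
            flagged.append((cmd, "silent .reg import"))
        elif re.search(r"\.hta\b|\bmshta\b", cmd, re.I):
            flagged.append((cmd, "HTML Application launched at start-up"))
    return flagged


# Constructed sample .reg file of the kind the hijack imports with `regedit /s`.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/start"
"Search Page"="http://example.invalid/search"
"Window Title"="Microsoft Internet Explorer"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
@="http://example.invalid/q?"
"""

# Constructed Startup-folder listing and autostart command lines.
SAMPLE_STARTUP = ["Microsoft Office Shortcut Bar.lnk", "runme.hta", "desktop.ini"]
SAMPLE_AUTOSTART = [r"C:\WINDOWS\explorer.exe", r"regedit /s C:\homereg111.reg", r"C:\ht.hta"]

if __name__ == "__main__":
    for hit in find_browser_hijacks(SAMPLE_REG):
        print("registry rewrite:", hit)
    print("startup .hta files:", find_startup_hta(SAMPLE_STARTUP))
    for cmd, reason in flag_autostart_commands(SAMPLE_AUTOSTART):
        print("suspicious autostart:", cmd, "->", reason)
```

On a real machine the .reg text would come from the file the autostart entry references and the listing from the Start Menu Startup folder; the parser deliberately leaves non-string data types (hex:, dword:) raw rather than guessing at their encoding.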


Internet Explorer

by jim_armstrong In reply to Virus Elimination

Have you looked in Tools, Internet Options, the General tab? The home page at start-up is shown there. See what it has, change it, apply the changes.


Been there, done that...

by Thomas of Austin In reply to Internet Explorer

I change the Internet Options home page and edit the changes out of the registry file to the search pages and it will behave perfectly...

Until I reboot, then we are back to square one.

See Zelda's responses above, I think she has located the solution.

Thanks for your time Jim.

Thomas
