General discussion

  • #2120289

    MS VM vulnerability cleanup


    by thomas of austin ·

    A client picked up a virus through the MS VM vulnerability. The virus has been cleared out and the VM updated with Microsoft’s security patch. The problem is that every time we reboot the PC the home page is reset to lolitaf..ker.com, which passes the browser through half a dozen other porno sites in a few seconds. If you edit Internet Options and reset the home page to something sane, it reverts back to the above-mentioned porno site when you reboot the PC.

    Does anybody know how to remove the file that changes the home page AND how it is run when the system is rebooted? CLUE: it is not in CONFIG.SYS, AUTOEXEC.BAT or the Registry.

    Thanks

All Comments

    • #3422094

      Virus Elimination

      by boomslang ·

      In reply to MS VM vulnerability cleanup

      Do you know what the antivirus software identified it as? Usually Symantec has manual disinfection methods listed, if you know what virus/worm it was.

      http://www.symantec.com/avcenter

      Typically, these persistent worms insert self-starting entries in AUTOEXEC.BAT, CONFIG.SYS, WIN.INI, SYSTEM.INI, and in the registry in the Microsoft/Windows/CurrentVersion/Run, RunServices, and RunServicesOnce keys. They can also insert themselves into the exefiles open key so that any time you run an executable, they are run as well.

      You will then also have to track down the referenced file and delete it as obviously, the disinfection did not remove it.

      • #3438377

        Re: Virus Elimination

        by thomas of austin ·

        In reply to Virus Elimination

        Norton identified the breach as the JS.Exception.Exploit. I updated the MS VM because of this info, but there are no manual removal instructions. Nor is there at Microsoft’s web site. I checked the startup files, including the registry, for suspicious startup files and found nothing. It only changes the home page and search pages after a reboot, so it is not associated with the exefiles; checked that also.

        Any advice would be appreciated.

        Thomas

        • #3436907

          Killing JS.Seeker

          by boomslang ·

          In reply to Re: Virus Elimination

          OK, that was the necessary information needed to help find it. It is similar to what Kaspersky Labs calls JS.Trojan.Seeker. Had that on a computer at work.

          http://www.viruslist.com/eng/viruslist.html?id=4107

          As it is described: “The script uses a MS Internet Explorer 5.0 Typelib security vulnerability to create an HTA file in the Windows start-up directory. This file automatically runs upon the next Windows start-up, and the script in it gains control. The script in the HTA file modifies the system registry keys where the home and search page addresses are specified.”

          So, you might want to check the Start Menu Startup folder for weirdness. Also look for strange HTA files.

        • #3436012

          OK, now that’s something new…

          by thomas of austin ·

          In reply to Killing JS.Seeker

          I had not thought to look for errant hta files.

          Thanks Zelda

        • #3438233

          JS.Exception.Exploit

          by boomslang ·

          In reply to OK, now that’s something new…

          Lockdowncorp has a test page to test Internet Explorer for this vulnerability. It also explains how the thing works.

          http://www.lockdowncorp.com/bots/testyourbrowser.html

        • #3437841

          Thanks, we got it….

          by thomas of austin ·

          In reply to JS.Exception.Exploit

          There was an HTA file at C:\ht.hta. It was just the relay to the errant web sites. What I missed was the regedit with the /s option in the Registry. Having removed that, the home and search pages are now constant.

          Thanks again Zelda.

        • #3436900

          Further on JS.Seeker

          by boomslang ·

          In reply to Re: Virus Elimination

          There are many variants to this. Here’s the McAfee link.

          http://vil.mcafee.com/dispVirus.asp?virus_k=98882&

          Excerpt from VIL: “Upon execution, new registry values are written to a file named “homereg111.reg”; existing registry values are saved to “backup1.reg” and “backup2.reg”. “homereg111.reg” is then imported into the registry. Finally “removeit.hta” is run, which attempts to delete the file “C:\WINDOWS\START MENU\PROGRAMS\STARTUP\runme.hta”.”

          Since there are many variants, you might want to check the link given, but they all probably stick something into the Startup Folder.
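Added example (not code from this thread, from Symantec, McAfee or Kaspersky) that checks the two persistence points the replies describe: a .reg file that rewrites the IE home/search values when imported with regedit /s, and .hta files dropped in the Startup folder. The .reg text, the Startup listing and the watched value names (Start Page, Search Page, Default_Page_URL, Default_Search_URL) are constructed or assumed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a .reg file of the kind the thread describes, which
# resets the IE home and search pages when imported with "regedit /s".
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijack.example.invalid/"
"Search Page"="http://hijack.example.invalid/search"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Internet Explorer"
"""

# Constructed Startup-folder listing (what a "dir" of that folder would show).
SAMPLE_STARTUP = [
    r"C:\WINDOWS\START MENU\PROGRAMS\STARTUP\runme.hta",
    r"C:\WINDOWS\START MENU\PROGRAMS\STARTUP\Office Startup.lnk",
]

# Assumed watch-list: IE value names that control home and search pages.
WATCHED_VALUES = {"start page", "search page",
                  "default_page_url", "default_search_url"}


def parse_reg(text):
    """Return (key, name, data) triples from a REGEDIT4-style export.

    Only string values ("name"="data") are parsed; binary/dword values and
    default (@=) values are ignored, which is enough for this hijack case.
    """
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new registry key section
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                entries.append((key, m.group(1), m.group(2)))
    return entries


def browser_overrides(text):
    """Entries in the .reg file that set a watched IE home/search value."""
    return [e for e in parse_reg(text)
            if "internet explorer" in e[0].lower()
            and e[1].lower() in WATCHED_VALUES]


def hta_in_startup(paths):
    """Paths from a Startup-folder listing that are HTA files."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() == ".hta"]
```

Run against a real export (regedit /e) of the Internet Explorer\Main key and a real Startup listing, the same two functions show whether anything is still scheduled to rewrite the home page at the next boot.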

      • #3437137

        Internet Explorer

        by jim_armstrong ·

        In reply to Virus Elimination

        Have you looked in Tools, Internet Options, the General tab? The home page at startup is shown there. See what it has, change it, apply the changes.

        • #3436011

          Been there, done that…

          by thomas of austin ·

          In reply to Internet Explorer

          I change the Internet Options home page and edit the changes out of the registry file to the search pages and it will behave perfectly…

          Until I reboot, then we are back to square one.

          See Zelda’s responses above, I think she has located the solution.

          Thanks for your time Jim.

          Thomas
