Friday, January 30, 2009

So the IT guy did it.....

I managed to get a virus on my laptop (not a virus technically, but a very nasty piece of malware). Even though I'm a Systems Administrator, and (at least was) an anti-virus specialist (I implemented the entire new anti-virus infrastructure at my last job), I somehow managed to get bit. Here's the rundown of how: I had a piece of software that required some add-ons, so I googled them. I found a couple of sites where I could grab the configs and presets, so I downloaded them. When I opened one of the files, my best-of-breed antivirus scanner (ESET Nod32) started kicking out alerts. Generally it is very good at cutting off connections if a file is questionable and stopping just about everything, but this time it didn't.

All of a sudden I knew something was wrong: disk activity was pegged out, and my taskbar and desktop would disappear and reappear over and over (a sign that the malware is killing the explorer.exe process and it is trying to restart). I figured out that I had a variant of Virtumonde/Vundo, which is SUPER nasty and hard to get rid of because it creates totally random DLLs and registry entries. I managed to get some scans going with a couple of products, but nothing was working. I stumbled on a couple of dedicated fix tools (VundoFix and ComboFix), but there was mention of the product Malwarebytes Anti-Malware and how it is basically a total Vundo killer. Back in the day, Adaware and Spybot were about all you needed to clean up most nasties, but they're largely ineffective against newer, more advanced malware like Virtumonde/Vundo. So I'm totally prepared for hours of cleanup, and I've already resigned myself to having to restore/reformat. I download Malwarebytes and kick off a scan. It runs, finds the offending registry entries and files, reboots the machine, and it is back to normal. I was suspicious that all was well, and ran scans with 7 different anti-virus/anti-malware products, including the dedicated Vundo tools, and it was 100% clean. I was completely amazed. No manual removal, nothing. I thought I would post this as a PSA for you guys since Vundo can be such a pain in the ass. If you have any issues with malware, the first thing I would do is grab Malwarebytes and run it.
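The explorer.exe restart loop described above is easy to turn into a detection rule. The following is an added example (not the author's code, and not tied to any real product's log format): it reads constructed process-creation records in a simplified, assumed "timestamp ProcessCreate image-path" format and alerts when explorer.exe is started repeatedly within a short window, which is exactly the symptom of something killing the shell over and over.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records (not real captured data). Assumed format:
# "<ISO timestamp> ProcessCreate <full image path>".
# The burst at 10:12 mimics the shell being killed and restarted repeatedly.
SAMPLE_LOG = """\
2009-01-30T10:00:00 ProcessCreate C:\\Windows\\explorer.exe
2009-01-30T10:05:10 ProcessCreate C:\\Program Files\\ESET\\egui.exe
2009-01-30T10:12:00 ProcessCreate C:\\Windows\\explorer.exe
2009-01-30T10:12:04 ProcessCreate C:\\Windows\\explorer.exe
2009-01-30T10:12:09 ProcessCreate C:\\Windows\\explorer.exe
2009-01-30T10:12:15 ProcessCreate C:\\Windows\\explorer.exe
"""


def parse_events(text):
    """Return a list of (timestamp, lowercase image basename) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, image = line.split(" ", 2)
        if kind != "ProcessCreate":
            continue
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        events.append((datetime.fromisoformat(ts), name))
    return events


def find_restart_loops(events, process="explorer.exe", threshold=3, window_s=60):
    """Return the timestamps at which `process` hit `threshold` starts
    within the last `window_s` seconds (sliding window). The window is
    cleared after each alert so one loop yields one alert, not one per start."""
    window = deque()
    alerts = []
    for ts, name in sorted(events):
        if name != process:
            continue
        window.append(ts)
        while window and ts - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) >= threshold:
            alerts.append(ts)
            window.clear()
    return alerts


def scan(text):
    """Convenience wrapper: parse a log and return restart-loop alerts."""
    return find_restart_loops(parse_events(text))
```

A single explorer.exe start at logon (the 10:00 record) never trips the rule; only the tight burst does.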

5 comments:

Shelly Fire said...

I got this the other day. It laughed at Malwarebytes. It killed Task Manager and I was unable to reboot in safe mode. I eventually just wiped the damn thing. It was the first time I've had to wipe the drive on my desktop since I got it.

Shelly Fire said...

It also killed msconfig.

Justin Fox said...

Yea, there are definitely different variants of it out there. VundoFix or ComboFix seem to be the apps to use to get the really tough strains of it off. I think part of what happened to me was that Nod32 actually stopped it from getting hooks into all of my system resources. It wasn't actually able to kill the Nod32 kernel, so it was keeping it from spreading (my hardware interrupts were through the roof, like something was working its ass off in the background). I'm sure if I hadn't had it, then it would have been a situation more like yours.

Eric said...

It made pretty short work of Norton, which has now been demoted as my anti-virus software. The version I had was the "Virus Remover 2008" one.

Justin Fox said...

Yea, Norton/Symantec is an interesting product. I implemented the Symantec Endpoint Protection system at my old job, and it was *ok*, but that's a totally different product. Nod32 is generally very, very good, as is Kaspersky. You can download a 30-day trial of Nod32 from their site; I've been generally impressed with it.