Clever malware...ever seen this?



The Cyber Medic
2009-08-12, 02:21
I was called into a customer's office with a complaint about 'strange' things going on in Windows XP Pro - SP3...Control Panel with all the buttons showing red 'X's, very slow to open any prog, trouble accessing external drives, WMP library showing odd things...etc.

In the course of business, I hear things like this A LOT....but being a veteran of a thousand psychic wars, and oh so well armed with Spybot, MalwareBytes, ComboFix, the full version of AVG AND a deep understanding of Win XP - I did confidently go forth to do battle with the digital verminous scourge of modern existence....

5 hours later, sporting a lot less hair, my weapons of choice failing me....I decided that the primary account I was working in was simply corrupted, and decided to switch to the hidden Admin account. Without icons, I had to navigate to the directory where Spybot is and trigger the program manually. I opened the folder, and a few seconds later...several files materialized before my eyes....(I failed to highlight one before I took the screenshot, but these circled files are *.scr's....averaging 1.5 MB in size):

[screenshot attachment]


At this point, I decided 2 things -
A.) Move all pertinent data, deep format and reload this machine, because :
B.) Any virus infecting my Number 1 tool is one bad mamba-ja-hamba!

Now, I've seen all kinds of bs in the last 9 years....from having to rename the .exe's of Spybot and ComboFix just so they would start, to having to load MS VM, share the HDD and run a cleaning from there long enough to retrieve a customer's data.......but THIS was a new one on me.

All my tools ran, updated - no prob. AVG, Spybot, MalwareBytes AND ComboFix ALL claimed to have found Nothing.

wtf, over? Any ideas??

drragostea
2009-08-12, 06:34
The randomly named, hidden files (.scr) are a defense mechanism of Spybot-S&D, which is designed to start itself even if malware has disabled the main shortcut.