Thread: Malware blocks access to Safer-Networking and other security sites

  1. #1
    Junior Member
    Join Date
    Jan 2009
    Posts
    1

    Malware blocks access to Safer-Networking and other security sites

    Sorry in advance if this is in the wrong forum - but I have recently been afflicted with a spyware/virus that launches pages from both IE and Firefox, and generally redirects you to pages that you were not trying to go to.

    On top of all of this (as this was a new work laptop and I hadn't had the chance to put Spybot S&D - my favorite - on it yet), this bugger will prevent you from being able to access the safer-networking site, you can't even ping it. It completely blocks all internet traffic to this and other spyware programs' sites.

    I finally was forced to put the IP and name into my HOSTS file, which allowed me to access the site to download Spybot and run it to *hopefully* clean my system.

    For those who are not aware of the HOSTS file on Windows (I am sure that most on this forum are quite technically savvy, but I figured I would add this just in case), the file is normally located in:

    c:\Windows\system32\drivers\etc

    It is a file called HOSTS (with no extension)

    Open it with NOTEPAD and at the bottom (normally it should just have the entry for the localhost), you would enter onto a new line the IP for the safer-networking.org site and the name for the site (i.e. www.safer-networking.org) - the IP I have now is 89.238.64.39. Once I did this, I was able to finally resolve and download Spybot to clean my computer.

    In case anyone else runs into this problem, I hope this helps.

    -Reptevye-

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    There are several infections that prevent users from seeking help.

    Conficker/Banload/Downadup infection is the one in the news; everyone, please make sure your computer is updated and patched, specifically with security update MS08-067.

    Win32/Conficker.B

    http://blogs.technet.com/mmpc/archiv...d-banload.aspx
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jan 2009
    Posts
    2

    DOWNADUP virus

    New guy on block. So this may be old news:

    My wife works at Tufts University and their IT Security group advises of a four-day-old virus, DOWNADUP, that blocks update access to virus tools, I assume such as Spybot. I have a bit more on it, but wanted to see if there is any awareness out there.

    Dougmac

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Hi there,

    Originally posted by dougmac:
    "My wife works at Tufts University and their IT Security group advises of a four-day-old virus, DOWNADUP, that blocks update access to virus tools, I assume such as Spybot. I have a bit more on it, but wanted to see if there is any awareness out there."

    DOWNADUP/Conficker/Banload. Please see links in my post above.

    It is not a four day old virus, F-Secure: Where is Downadup?


  5. #5
    Junior Member
    Join Date
    Jan 2009
    Posts
    2

    malware tec. Downadup

    Tashi,

    Thanks for the update and download.

    Spot-on

    dougmac

  6. #6
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    FYI...

    - http://www.microsoft.com/security/po...in32/Conficker
    "... Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files. Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067* immediately. Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords..."
    * http://www.microsoft.com/technet/sec.../MS08-067.mspx

    Third party information on conficker
    - http://isc.sans.org/diary.html?storyid=5860
    Last Updated: 2009-04-11 18:15:39 UTC ...(Version: 9) - "(This will be updated as more information becomes public)... Removal Instructions, Removal Tools..." etc.

    Conficker Eye Chart
    > http://www.confickerworkinggroup.org...feyechart.html

    > http://www.secureworks.com/research/...wnadup-removal

    Last edited by AplusWebMaster; 2010-02-17 at 13:44.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #7
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Malware and the hosts file...

    FYI...

    - http://isc.sans.org/diary.html?storyid=5914
    Last Updated: 2009-02-23 18:10:08 UTC - "Malware which comes with its own "hosts" file* to install in \system32\drivers\etc\hosts is pretty common. Usually, these changes are made with the intention to keep the infected system from updating its virus pattern files and OS patches - eg. by adding an entry that makes "update.microsoft.com" resolve to 127.0.0.1 (localhost), and hence prevents the updater from connecting. A malware sample that we analyzed earlier -today- pulled a hosts file from txt<dot>kxwii<dot>com/ad.jpg. The file contains 200 or so domains that are reconfigured to point to 127.0.0.1 ... but, surprisingly, not domains of commercial software. Rather, it looks like a turf war is in progress between malwares, and this particular species tries to null out the connections of the competition..."
    * http://www.mvps.org/winhelp2002/hosts.htm

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
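
Posts #1 and #7 both turn on what the hosts file maps a name to. As an added example (not part of any post in this thread), the Python sketch below audits hosts-file text for watched names forced to loopback or 0.0.0.0, and separately lists manual pins such as the one in post #1. The watch list, the function names and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list: the two names this thread mentions; extend for your own tools.
WATCHED = ("safer-networking.org", "update.microsoft.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:                 # one line may carry several aliases
            yield no, ip, name.lower().rstrip(".")

def is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def audit(text):
    """Return (blocked, pinned): watched names sent to loopback/0.0.0.0, and
    watched names forced to a routable IP (manual pins to re-check later)."""
    blocked, pinned = [], []
    for no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        if ip.is_loopback or ip.is_unspecified:
            blocked.append((no, name, str(ip)))
        else:
            pinned.append((no, name, str(ip)))
    return blocked, pinned

# Constructed sample, not a captured file; the pinned IP is the one from post #1.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.microsoft.com   # blocks the updater
0.0.0.0         www.safer-networking.org
89.238.64.39    www.safer-networking.org
127.0.0.1       ads.example.test
"""

if __name__ == "__main__":
    blocked, pinned = audit(SAMPLE)
    for no, name, ip in blocked:
        print(f"line {no}: {name} -> {ip} (blocked)")
    for no, name, ip in pinned:
        print(f"line {no}: {name} -> {ip} (manual pin, re-check after cleanup)")
```

On a live system, pass it the contents of the hosts file at the path given in post #1; a pinned entry is worth removing once the machine is clean, since a site's IP address can change.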
