
Friday, March 18, 2011

Computer Virus Fun

I had a fun computer virus on a Windows 7 PC today!  It was delivered to a user in an email that looked like a UPS package tracking email.  When she opened it, her computer pretty much shut down, and when she tried to log on, she would get to a screen like this, except it said "CleanThis", instead of "ThinkPoint".


So we went to work!  Initially, I always assume the Virus has the upper hand, and it's best not to let it know that you are hunting it.  If they know you are on their trail, that just makes them mad.  Be stealthy!


Rebooting brought us back to the same useless screen, as did rebooting in safe mode.  Task Manager did not work, so we couldn't shut anything down.  We couldn't do anything on this computer.  It was dead.

I noticed that as we were shutting down, we received what appeared to be a legitimate Windows 7 message saying it needed to stop gog.exe in order to shut down.  A clue!

We restarted in safe mode with command prompt.  Regedit brought up the registry editor, but I didn't think to search that (missed opportunity).  Typing explorer.exe brought up Windows Explorer!  I searched for gog.exe and found it in the user's profile under "Roaming".  We opened that folder, and I created a new text file called gog.ex3.  Then I renamed gog.exe to gog.old, and quickly renamed gog.ex3 to gog.exe.  It's possible this would give us the advantage in the battle for control of the PC.

The theory is to hogtie the virus by removing the "exe" extension, and then replace it with a lobotomized exe file that can't do anything.  The lobotomized exe file looks like a legitimate part of the virus, just in case any of the other pieces of the virus are trained to look around and repair it.

We restarted into normal mode, and everything looked fine, except the background was black.  This was a sign we had scored a hit, and we could begin coming out of the shadows!

I quickly started Malwarebytes and Microsoft Security Essentials (MSE), and updated both successfully.  This was a sign that we were gaining the advantage, because good viruses block those updates.  Obviously we had wounded our foe, but may not have delivered the fatal blow.  We decided it was safe to step out into the open and show our weapons.  It was time to go for the kill!


We ran concurrent scans with Malwarebytes and MSE.  MSE found something "severe" and removed it.  Success!  I know the official word from experts is a computer should never have more than one security package at a time, but I often run two, with nice results.  Who's to know?  I'm not really an expert, so I'm allowed.

Then we browsed to the folder where the offending gog.old resided, and deleted that, and three other files that had the same "modified" date as the original gog.exe.

We did not remove our neutered gog.exe, which is an empty text file.  My theory is that a trojan mother might still be sleeping deep in the computer, and her job is to wake up periodically and see if gog.exe is there, and if it isn't, she births another, reinfecting the PC.
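The two manual steps above (rename the dropped executable out of the way and leave an inert file with the same name, then pick out the other files that share its "modified" timestamp) can be scripted so the same procedure is repeatable on the next machine. The following is an added example, not code from the original post: the Roaming folder, the file names and their timestamps are constructed sample data, the placeholder is additionally marked read-only (an assumption beyond the post's plain empty text file), and the match on "same modified date" is tightened to a configurable window of seconds.

```python
import os
import tempfile
from pathlib import Path


def neutralize_executable(exe_path, quarantine_suffix=".old"):
    """Move a suspect executable aside and leave an inert placeholder in its place.

    gog.exe becomes gog.old (kept for later inspection), and a zero-byte file
    named gog.exe is created so any persistence routine that checks for the
    file's presence finds it and does not drop a fresh copy.
    Returns (quarantined_path, placeholder_path).
    """
    exe = Path(exe_path)
    if not exe.is_file():
        raise FileNotFoundError(exe)
    quarantined = exe.with_suffix(quarantine_suffix)  # gog.exe -> gog.old
    if quarantined.exists():
        raise FileExistsError(quarantined)
    exe.rename(quarantined)
    exe.write_bytes(b"")          # empty file: nothing to execute
    os.chmod(exe, 0o444)          # assumption: read-only to resist an in-place overwrite
    return quarantined, exe


def files_with_same_mtime(reference_path, tolerance_seconds=60):
    """List sibling files whose modification time is within tolerance of the reference.

    This generalizes the post's "same modified date" check to a time window,
    which is what a batch of files dropped together by one installer looks like.
    """
    ref = Path(reference_path)
    ref_mtime = ref.stat().st_mtime
    matches = []
    for sibling in sorted(ref.parent.iterdir()):
        if sibling == ref or not sibling.is_file():
            continue
        if abs(sibling.stat().st_mtime - ref_mtime) <= tolerance_seconds:
            matches.append(sibling)
    return matches


def build_demo_profile(root):
    """Constructed sample: a fake 'Roaming' folder with gog.exe and a few siblings."""
    roaming = Path(root) / "Roaming"
    roaming.mkdir()
    dropped_at = 1_300_000_000  # constructed epoch time for the "infection" batch
    sample_files = [
        ("gog.exe", dropped_at),               # the dropped executable
        ("abc.dat", dropped_at + 5),           # dropped in the same batch
        ("xyz.dll", dropped_at + 1),           # dropped in the same batch
        ("settings.ini", dropped_at - 30 * 86400),  # legitimate, much older
    ]
    for name, mtime in sample_files:
        path = roaming / name
        path.write_bytes(b"constructed sample bytes, not a real program")
        os.utime(path, (mtime, mtime))
    return roaming / "gog.exe"


def run_demo():
    """End to end: build the constructed folder, find same-time siblings, neutralize gog.exe."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = build_demo_profile(tmp)
        # Collect the batch first: after the rename the placeholder has a new mtime.
        siblings = [p.name for p in files_with_same_mtime(exe, tolerance_seconds=10)]
        quarantined, placeholder = neutralize_executable(exe)
        result = {
            "same_time_siblings": siblings,
            "quarantined": quarantined.name,
            "placeholder": placeholder.name,
            "placeholder_size": placeholder.stat().st_size,
            "quarantined_size": quarantined.stat().st_size,
        }
        os.chmod(placeholder, 0o644)  # allow the temp dir to be cleaned up everywhere
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed walk-through; on a real machine you would call `files_with_same_mtime` on the suspect path first (while its timestamp is still original), review that list by hand, and only then call `neutralize_executable`, since the renamed copy is what you keep for the scanners to look at.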

So that's my story of the day!

So, beware of opening tracking emails that appear to be from
or your computer could be recruited into service in a worldwide botnet!

2 comments:

Don Jacobs said...

What an odyssey! I followed you most of the time. I would not have thought of renaming. Great detective work.

dad

joelUnplugged said...

Very impressive Dr. Alan!