Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
datababe (Warrior)
Joined: 13 Dec 2004 Last Visit: 10 Oct 2012 Posts: 217 Location: Inside your head
Posted: Fri Aug 14, 2009 10:43 am Post subject: file nah_<whaaaat??> keeps reappearing/renaming
Not sure how "new" this is, but not a lot is showing up yet:
http://www.virustotal.com/analisis/188bd0f089f4132c5df7a18c717fd806b1711c771c7077f7c6e83c5153734660-1242418580
Threatexpert had a bit more:
http://www.threatexpert.com/report.aspx?md5=891fb5592b81b401954591b27f947131
Interesting, each threatexpert report (I ran several) returned a slightly different name for the original file I submitted, nah_aryn.exe, as follows:
%UserProfile%\nah_nlai.exe
%UserProfile%\nah_nwps.exe
%UserProfile%\nah_abwd.exe
Malwarebytes picked this up as:
C:\Documents and Settings\<user>\nah_nwps.exe (Trojan.Hanam)
With what appears to be an accompanying run key entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Hanam)
FWIW, mbam also picked another infected run key entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tafepavusa (Trojan.Vundo.H)
And it picked up both while I was *looking* thru that very key w/Regedit, and I did not see those entries (yes, I was wearing my glasses).
I first spotted the nah_aryn.exe while picking through the user's profile; the machine (Win XP Pro SP 3) was throwing a rundll32 error on startup regarding a missing C:\Windows\system32\rarutiyi.dll file. <--(anybody heard of THAT one...?). Immediate red flag was the location of the .exe - the only .exe in \\Documents and settings\<user> - and the long tangle of Russian characters that popped up when I hovered the cursor over the file.
I picked that file off and saved it; upon reboot an upd.exe file appeared in the same location (niiiiiiice), and this one DID return red flags from Virustotal:
http://www.virustotal.com/analisis/a6e004258535ac5d2c2a13165cec930049441901a56bab805fd3b5081e038e82-1242992281
and the following from threatexpert:
http://www.threatexpert.com/report.aspx?md5=09054bfd5f047f236a33242db1c34690
AVG Free nailed nah_aryn.exe on first scan. A different commercial AV product ignored it...*grumble*. I'm not very happy with them at the moment. Then again, for different reasons, neither are a lot of other people of late...
Gotta dash; I'd love to hear if anyone else has run into this little beast.
- Datababe
Until you spread your wings, you'll have no idea how far you can walk.
http://redoakranch.x10hosting.com
http://datababe007.blogspot.com
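Editor's added example, not code from datababe's post or from any tool named in this thread: a small Python triage script for the two Run-key symptoms the post describes. It parses the text of a `reg export` of HKCU\Software\Microsoft\Windows\CurrentVersion\Run and flags (1) autoruns whose executable sits directly in the user's profile root, as nah_*.exe and upd.exe did, and (2) rundll32 entries whose DLL is gone from disk, which is what produces a startup error like the one about rarutiyi.dll. The registry export text, the user name "kid", the "Updater" and "OpenOffice" entries, and the list of files assumed to exist are constructed sample data mirroring the names in the post; the file-existence check is passed in as a function so the script runs offline (on a live machine you would pass os.path.exists).

```python
"""Triage a Run-key export for the symptoms described in the post above.

Added example, not code from the original thread. All sample data below is
constructed. On a real machine, decode the output of
`reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg`
and pass os.path.exists as the existence check.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample export mirroring the names reported in the post
# (nah_Shell, tafepavusa, rarutiyi.dll, nah_nwps.exe, upd.exe). The user
# name "kid", the "Updater" entry and the benign entries are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"nah_Shell"="C:\\Documents and Settings\\kid\\nah_nwps.exe"
"tafepavusa"="rundll32.exe \"C:\\WINDOWS\\system32\\rarutiyi.dll\",a"
"Updater"="%UserProfile%\\upd.exe"
"OpenOffice"="\"C:\\Program Files\\OpenOffice.org 3\\program\\quickstart.exe\""
'''

USER_PROFILE = r"C:\Documents and Settings\kid"

# Files assumed present on the sample machine (constructed). rarutiyi.dll is
# deliberately absent: the Run entry has outlived the DLL it loads.
EXISTING_FILES = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\documents and settings\kid\nah_nwps.exe",
    r"c:\documents and settings\kid\upd.exe",
    r"c:\program files\openoffice.org 3\program\quickstart.exe",
}

# A .reg string value line: "name"="value", with backslash escapes inside.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_export(text: str) -> Dict[str, str]:
    """Return {value name: command line} for the string values in the export."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def resolve_target(command: str, user_profile: str) -> Tuple[str, str]:
    """Map an autorun command line to ("exe", program) or ("dll", library).

    The "dll" case covers rundll32 entries. Unquoted paths with spaces are
    cut at the first ".exe", an approximation of how such lines get run.
    """
    cmd = re.sub(r"%userprofile%", lambda _: user_profile,
                 command.strip(), flags=re.IGNORECASE)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            end = len(cmd)
        first, rest = cmd[1:end], cmd[end + 1:]
    else:
        m = re.match(r"(.+?\.exe)(.*)$", cmd, re.IGNORECASE | re.DOTALL)
        first, rest = (m.group(1), m.group(2)) if m else (cmd, "")
    if ntpath.basename(first).lower() == "rundll32.exe":
        rest = rest.strip()
        if rest.startswith('"'):
            end = rest.find('"', 1)
            dll = rest[1:end] if end > 0 else rest[1:]
        else:
            dll = rest.split(",", 1)[0].strip()
        return "dll", dll
    return "exe", first


def triage(export_text: str, user_profile: str,
           exists: Callable[[str], bool]) -> List[Tuple[str, str, str]]:
    """Return (entry name, reason, path) for every suspicious Run entry."""
    profile_root = ntpath.normcase(user_profile.rstrip("\\"))
    findings: List[Tuple[str, str, str]] = []
    for name, command in parse_run_export(export_text).items():
        kind, path = resolve_target(command, user_profile)
        if kind == "dll" and not exists(path):
            findings.append((name, "rundll32 target missing", path))
        elif kind == "exe" and ntpath.normcase(ntpath.dirname(path)) == profile_root:
            findings.append((name, "executable in profile root", path))
    return findings


def sample_exists(path: str) -> bool:
    """Stand-in for os.path.exists against the constructed file list."""
    return ntpath.normcase(path) in EXISTING_FILES


if __name__ == "__main__":
    for name, reason, path in triage(SAMPLE_REG_EXPORT, USER_PROFILE, sample_exists):
        print(f"{name:12} {reason:28} {path}")
```

Run against the constructed export, the script flags nah_Shell and Updater (binaries launched straight out of the profile root) and tafepavusa (rundll32 loading a DLL that no longer exists), and leaves ctfmon.exe and the OpenOffice quickstarter alone. The profile-root test is a heuristic, not a signature: legitimate software almost never installs its autorun binary there, which is the same red flag the post describes spotting by hand.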
suzi (Site Admin)
Joined: 27 Jul 2003 Last Visit: 21 May 2013 Posts: 10271 Location: sunny California
datababe (Warrior)
Posted: Mon Aug 17, 2009 5:42 pm
Thanks so much for the feedback, Suzi (and all the legwork you did, yowza!). That gave me a few more ideas. =)
Windows Firewall was on (well, supposedly); logging was not. Miss on that one. Phooey.
.py files - yep, lots. All in the Open Office install, which we did for the client at last service. No other pythons waiting to byte that I could scare up. Hmmm.
I checked the Mozilla install dir for suspect files. So far, so good.
I did find a remaining reg entry relating to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"nah_id"
Duly deleted.
As for how the user picked this up...only 2 on this box, parent and child. Parent is careful...but not aware how UNcareful child is. It was the child's profile that was infested, and here is where I start to boil. I'll see if I can't write up this equation, and bear in mind I worked 4 years for a BS (how I love that irony) in Eng Lit: 18th century Feminism (focus). Math has never been my strong suit, but even I can put 2 + 2 together here.
Downloadable kids games, lots of ads sponsors, with piggybacking affiliates, daisychain + daisychain + daisychain = total loss of who is doing what.
Let's throw in some folks looking to make a quick buck who know kids will click on durn near anything, and said kids have parents who would be aghast to find they can't trust a website with "disney" somewhere in the name.
Child is <10 years old, and I'll stake my own rep she wasn't surfing pr0n. I found so many supposed "innocent" games with CRIMINAL MALWARE EMBEDDED, it wasn't even funny. This little girl wasn't doing anything wrong. She was clicking on a penguin. Makes me wonder if the Disney "Penguin Club" isn't some sort of under the table potshot.
I seriously need to go soak my tinfoil hat in some Woolite.
- Datababe
suzi (Site Admin)
Posted: Tue Aug 18, 2009 8:31 pm
Ugh... Kids should not be allowed to surf the web unsupervised. My 10 year old granddaughter knows how to use Google but she doesn't have the knowledge and judgement to know what to click or not click. She wanted to search for song lyrics and I about had a fit. Lyrics sites have a long reputation for giving you unexpected nasties. I ended up using my virtual machine to find the lyrics she wanted.
She uses some kids' sites but she is supervised when she's online.
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
datababe (Warrior)
Posted: Wed Aug 19, 2009 4:52 am
I am a big proponent of running off live linux distro CDs for kidsurfers (or adultsurfers who act like kids). More than once I've been sorely tempted to configure a machine-specific session, set the box to boot only off the CD drive, pop the disc in the tray and then superglue it shut. There's no 100% bulletproof solution, but that's as much armor plating as I can think to put up, shy of just removing the network card altogether.
I agree with you +10 on the supervision for the young 'uns. $Parent in this case does also, but she's trying to use some tool from...AOL. To me that's about as useful a defense as a gun with a barrel at both ends. *sigh*
- Datababe
suzi (Site Admin)
Posted: Wed Aug 19, 2009 5:55 pm
I had almost forgotten, but the lyrics thing made me remember I have this program on the old PC that my granddaughter uses.
http://www.storagecraft.com/shadow_user.php
I used that before I got VMware. I should have her start using that when she's online.