A new breed of virus - phishvirus ?
I've discovered a new technique being used by virus writers and fallen prey to it. A phish-type email, but for software. I'll explain ...
The problem started when I got an email telling me the latest version of Winzip was available. Turns out to have been a phish-type email. I clicked the link and it took me to a website that looked just like the Winzip site, I downloaded the software and installed it. The site was in fact a spoof and the software packaged did nothing other than riddled my system with virii and trojans as well as install the free trial version of winzip. Interestingly none of AdAware, AdWatch, Microsoft Antispyware, Norton and McAffee detected anything being installed. I kept getting winlogon.exe application errors and eventually traced it to a file called msupdate32.dll, and then when I went looking, the can was open and the worms were everywhere. Literally.
I had manually remove these files, sometimes with the aid of a program called moveonboot, and manually search for and remove entries to them from the registry. Trend Micro's "Housecall" kept finding them but couldn't delete them, and the same was true for Microsoft Antispyware.
(all in windows/system32)
mdms.exe
msupdate32.dll - this was the one causing the winlogon.exe application failure
mstool.exe
mspostsp.exe
winsub.xml
svcp.csv
outpstd.exe
ll.exe
zlbw.dll
~update.exe
dh9012.exe
hdmbcnaj.exe
sporder.dll
mswsck2.dll
The killer was the last one - along with plonking that file on to my system, the trojan rewired my winsock LSP values to use it so when I deleted it and rebooted, I had no network or internet. Running a freeware app called lspfix.exe solved that problem and when I rebooted again, all was well.
So be warned - if you get emails with promotional links in them for new software, type the URL in to your browser yourself. The virus-writers are employing new tactics.
The problem started when I got an email telling me the latest version of Winzip was available. Turns out to have been a phish-type email. I clicked the link and it took me to a website that looked just like the Winzip site, I downloaded the software and installed it. The site was in fact a spoof and the software packaged did nothing other than riddled my system with virii and trojans as well as install the free trial version of winzip. Interestingly none of AdAware, AdWatch, Microsoft Antispyware, Norton and McAffee detected anything being installed. I kept getting winlogon.exe application errors and eventually traced it to a file called msupdate32.dll, and then when I went looking, the can was open and the worms were everywhere. Literally.
I had manually remove these files, sometimes with the aid of a program called moveonboot, and manually search for and remove entries to them from the registry. Trend Micro's "Housecall" kept finding them but couldn't delete them, and the same was true for Microsoft Antispyware.
(all in windows/system32)
mdms.exe
msupdate32.dll - this was the one causing the winlogon.exe application failure
mstool.exe
mspostsp.exe
winsub.xml
svcp.csv
outpstd.exe
ll.exe
zlbw.dll
~update.exe
dh9012.exe
hdmbcnaj.exe
sporder.dll
mswsck2.dll
The killer was the last one - along with plonking that file on to my system, the trojan rewired my winsock LSP values to use it so when I deleted it and rebooted, I had no network or internet. Running a freeware app called lspfix.exe solved that problem and when I rebooted again, all was well.
So be warned - if you get emails with promotional links in them for new software, type the URL in to your browser yourself. The virus-writers are employing new tactics.
Comments