Bloodhound.Exploit.131


None of the above
7th Apr 2007, 21:36
Norton advised me that my machine had acquired the above virus (a Trojan) and also revealed that it could not be removed!
Strangely, the Symantec website describes removal as 'easy' as you can see here:

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-300308-3019-99

As it was seemingly unremovable, I did a system restore and then did a complete virus scan which didn't reveal 'something nasty in the woodshed'.

As I use this PC for online banking, I am wary that all might not be as it seems. Can I be reasonably confident that the 'thing' has gone?

Thanks in advance one and all,

N o t a

Tarq57
8th Apr 2007, 03:25
Not 100% sure.
The Symantec advisory concerning this indicates it is a heuristic detection for the known cursor vulnerability, which was, within the last 3 or 4 days, patched via MS/Windows update.
If your system is fully updated I would think you'd be OK.
Heuristic detections are the best, and perhaps one of the only, defenses against zero-day exploits. Because of the nature of the detection, however, it's more likely to be a false positive than if detected via signature definitions.
Other defence mechanisms include having a good 2 way firewall, so if an unknown application tries to send your data anywhere, or phone for reinforcements (as trojans often do) you have a chance of blocking it.
Navigate to the folder in which Norton reported this infection, try and find it, and upload it to Virus Total (http://www.virustotal.com/en/indexf.html), an online (single file) scanning service.
Of course, using system restore may have invalidated the file, in that it's not there (in your current incarnation of windows) but may be lurking, undetected, or if a fp, benignly, in the system restore.
Personally, not being particularly expert, what I'd do is:
(1) Check the file, if possible.
(2) Make sure the computer is up to date with the MS update.
(3) Do a full virus scan, and if you have one, an antispyware scan. Superantispyware, AVG antispy, and A-squared are all good. Check anything found at VirusTotal, and if it looks like malware quarantine it.
(4) If anything was found, scan again in safe mode.
(5) Turn off system restore, all running well, to eliminate past restore points.
The recent MS patches are - I think - part one of three for this issue (cursor vulnerability). Not too sure, read that somewhere recently. Check Windows Update regularly.
Following the MS update, if your sound manager is Realtek Audio, you may get an "illegal ###.dll moved" error message. MS have a hotfix for that, which apparently works.
The other defense I know of (and use) for this sort of thing is a program with a HIPS or IDS function (Host Intrusion Detection System). The one I use is SpywareTerminator, which includes a resident antispy. Freeware.
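
An added illustration of the heuristic-versus-signature point in the reply above. This is not Symantec's Bloodhound logic and not code from the thread; it is the kind of structural check a heuristic scanner applies to animated-cursor (.ani) files, the file type behind the patched cursor vulnerability. It assumes only the published RIFF/ACON layout (the 'anih' header chunk is always 36 bytes); the sample files at the bottom are constructed here for testing and are not real samples.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine 32-bit fields, fixed by the format


def _walk(data, start, end, depth=0):
    """Yield (fourcc, size, body_offset, depth) for every RIFF chunk in data[start:end].

    LIST chunks are descended into, because a cursor's frames live inside
    a LIST chunk and a scanner that stops at the top level would miss them.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        yield fourcc, size, body, depth
        if fourcc == b"LIST" and body + size <= end:
            # a LIST body starts with a 4-byte list type, then nested chunks
            yield from _walk(data, body + 4, body + size, depth + 1)
        pos = body + size + (size & 1)  # chunk bodies are padded to an even length


def scan_ani(data):
    """Return a list of structural findings for an .ani file; [] means it looks well formed.

    A finding is an anomaly, not proof of malice: that is exactly why a
    heuristic hit is more likely to be a false positive than a signature hit.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 > len(data):
        findings.append("RIFF size %d exceeds file length %d" % (riff_size, len(data)))
    anih_seen = 0
    for fourcc, size, body, _depth in _walk(data, 12, min(len(data), riff_size + 8)):
        if body + size > len(data):
            findings.append("chunk %s claims %d bytes past end of file" % (fourcc.decode("latin-1"), size))
        if fourcc == b"anih":
            anih_seen += 1
            if size != ANIH_SIZE:
                findings.append("anih chunk #%d has size %d, expected %d" % (anih_seen, size, ANIH_SIZE))
    if anih_seen == 0:
        findings.append("no anih header chunk")
    elif anih_seen > 1:
        findings.append("%d anih chunks, a well-formed cursor has one" % anih_seen)
    return findings


# --- constructed test files (made up here for this example, not real samples) ---

def _chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# cbSize=36, 1 frame, 1 step, 32x32, 32 bpp, 1 plane, rate 10 jiffies, flags=1 (icon data)
_HEADER = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)

WELL_FORMED = build_ani([
    _chunk(b"anih", _HEADER),
    _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16)),  # placeholder frame data
])
# a second anih chunk whose declared size is not 36: the kind of layout a
# structural heuristic flags without needing a signature for any one file
OVERSIZED_HEADER = build_ani([_chunk(b"anih", _HEADER), _chunk(b"anih", b"A" * 200)])
TRUNCATED = build_ani([_chunk(b"anih", _HEADER)])[:-10]

if __name__ == "__main__":
    for name, sample in [("well-formed", WELL_FORMED),
                         ("oversized header", OVERSIZED_HEADER),
                         ("truncated", TRUNCATED)]:
        print(name, "->", scan_ani(sample) or "no findings")
```

Note how the well-formed file produces no findings while the other two do, but a finding only says "this layout is odd"; a cursor written by a buggy editor would trip the same rule, which is why the reply above sends a heuristic hit to a second opinion such as VirusTotal before trusting it.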

None of the above
8th Apr 2007, 09:05
Thanks MJ for your response. I'm very grateful to you.

I've searched for the file but didn't come up with anything. I suppose I was a bit hasty in doing a system restore and should have quarantined the wretched thing before doing so. I am reluctant to reverse the last system restore in order to re-instate the infected file, although I concede that this may be worthwhile in the final analysis.

I ran AVG Anti-Spyware this morning and it didn't find anything. I'll run some other tests shortly.
As mentioned I have serious worries about this as I carry out online transactions vital to the financial health of my retirement years.
They're still some way ahead, so still a lot of time to worry in every respect.

Thanks again,

N o t a

Cypherus
8th Apr 2007, 09:41
If you have scanned using Symantec's latest definitions, backed this up with an AVG scan, done a spyware and trojan scan and nothing has turned up, then turn 'Off' your system restore.

A simple reboot will erase all previous restore points so you can turn it back on again if you use it at all so you should have nothing to worry about from that avenue.

One further thing you should do is empty your 'Temp' files as this one often uses a file in there to begin its install, a simple task really.

Bloodhound has been around in various guises for some time now and is well catered for by both Symantec and AVG, both of which detect its presence.

I note that you say you use your system for financial data storage so it is to be hoped that you regularly 'Back-up' this data to disk, again a simple job that folks often overlook.

None of the above
8th Apr 2007, 12:30
Cypherus.........

Thanks for your response. Since my last post I took the bull by the horns and undid the last System Restore in an attempt to follow the line of enquiry outlined by markjoy.:ok: I then ran Norton/Symantec again which strangely didn't reveal anything untoward. Likewise Trend House Call and AVG!

I then read your post and the remark about 'Temp' files and the cogs staggered into motion. I had run Cr@p Cleaner which, amongst other things, clears these files. I suppose that was enough to solve the problem. Now, I do hope that is an end to the story!

As regards my financial transactions, yes I do back them up to an external hard drive and the really multi-mega important ones are also backed up on a USB memory stick.

Thanks again, markjoy and Cypherus,

There's a cheque in the post! (Online bank permitting):)

N o t a

tallsandwich
9th Apr 2007, 21:30
check your system for root kits:
http://www.microsoft.com/technet/sysinternals/Security/RootkitRevealer.mspx
They are not detected by Browser hijack software and often not by Antivirus software.
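
An added illustration of the cross-view principle behind rootkit detectors such as the RootkitRevealer linked above. This is not the tool's code and not from the thread. The two listings are constructed here: API_VIEW stands for what a program sees through the normal Windows directory API, RAW_VIEW for what a scan of the on-disk structures sees. A rootkit that filters API results leaves a path in the raw view with no counterpart in the API view; that difference is the detection. The triage notes are an assumption of this example, not the tool's logic.

```python
# constructed listings, "path<TAB>size"; the hidden entry is invented for the example
API_VIEW = """\
C:\\WINDOWS\\system32\\kernel32.dll\t984576
C:\\WINDOWS\\system32\\drivers\\etc\\hosts\t734
C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~DF1A2B.tmp\t16384
C:\\WINDOWS\\Prefetch\\NOTEPAD.EXE-336351A9.pf\t12104
"""

RAW_VIEW = """\
C:\\WINDOWS\\system32\\kernel32.dll\t984576
C:\\WINDOWS\\system32\\drivers\\etc\\hosts\t734
C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~DF1A2B.tmp\t16384
C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\hidden-sample.dll\t45056
C:\\WINDOWS\\Prefetch\\NOTEPAD.EXE-336351A9.pf\t12620
"""

# assumption: directories that legitimately change between the two passes
VOLATILE_HINTS = ("\\temp\\", "\\prefetch\\")


def parse_listing(text):
    """Turn 'path<TAB>size' lines into {lowercased path: (path, size)}.

    Windows paths compare case-insensitively, so the key is lowercased.
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, size = line.rsplit("\t", 1)
        entries[path.lower()] = (path, int(size))
    return entries


def _triage(key, kind):
    """Heuristic note (an assumption of this example, not the tool's logic)."""
    volatile = any(h in key for h in VOLATILE_HINTS)
    if kind == "size mismatch" and volatile:
        return "probably benign: file changed between passes"
    if kind == "hidden from API":
        return "investigate: API view is being filtered or the file appeared mid-scan"
    return "investigate: deleted between passes or gap in the raw parser"


def cross_view(api_text, raw_text):
    """Return discrepancies as (path, kind, note), sorted by path.

    kinds: 'hidden from API' (raw only), 'absent from raw' (API only),
    'size mismatch' (present in both with different sizes).
    """
    api = parse_listing(api_text)
    raw = parse_listing(raw_text)
    out = []
    for key in sorted(set(api) | set(raw)):
        a, r = api.get(key), raw.get(key)
        if a and r:
            if a[1] != r[1]:
                out.append((r[0], "size mismatch", _triage(key, "size mismatch")))
        elif r:
            out.append((r[0], "hidden from API", _triage(key, "hidden from API")))
        else:
            out.append((a[0], "absent from raw", _triage(key, "absent from raw")))
    return out


if __name__ == "__main__":
    for path, kind, note in cross_view(API_VIEW, RAW_VIEW):
        print("%-16s %s\n    %s" % (kind, path, note))
```

Run against the constructed listings it reports two discrepancies: the DLL in Temp that only the raw view can see, and a Prefetch file whose size changed between the passes. The second is the everyday benign kind that pads out a "fifteen discrepancies" report; the first is the one worth chasing.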

None of the above
11th Apr 2007, 19:31
tallsandwich........

Thanks for your reply.

Time is at something of a premium at the moment but I have run Root Kit Revealer as quoted in the MS page you posted.
I have attempted to copy and paste the results here and also save them to My Docs but without success. A screen grab pasted into a Word document is the best that I have achieved so far.

Anyway, the point is that it has chucked up fifteen discrepancies but I have to confess that I find interpreting the results something of a 'challenge'.
I am not exactly cheered by Microsoft's throwaway line: "If you are unsure as to how to remove a rootkit you should reformat the system's hard disk and reinstall Windows".

When I have a little more time (elderly mother in hospital) I'll resort to transcribing the results and posting them here.

Perhaps you'll be able to assist me further?

Thanks again,

N o t a

Tarq57
12th Apr 2007, 00:24
RootkitRevealer's results can take a bit of interpreting and knowledge that most of us don't have. Mine is certainly limited in this area.
Recently installed an AVG rootkit offering that seems very straightforward, available here: AVG anti rootkit (http://www.grisoft.com/doc/products-avg-anti-rootkit-update-app-art/?ver=1.1.0.42)
PPRuNe doesn't support uploading pictures/screenshots etc; these have to be linked to a (usually) image sharing site.

tallsandwich
12th Apr 2007, 07:50
Nota,

If you would like me to look at your result, send me a PM and we can work out how to do that, perhaps via email.

I agree, the output is not the easiest to interpret. I have never tried the AVG version, maybe that is more user friendly.

Good luck.

None of the above
14th Apr 2007, 05:31
markjoy and tallsandwich ...............

Thanks for your replies. Domestic pressures have eased slightly enabling me to get back to you. Sorry for the delay.

markjoy.........

Thanks for the link to the AVG anti rootkit scanner. I've downloaded that and it didn't reveal any malign influences which was a relief as you can no doubt imagine.

tallsandwich (wonderful name!)...............

Thanks for the offer to interpret the Root Kit Revealer results. The AVG scan was kind enough to do the legwork for us.

Having suffered the unwanted attentions of the less well socially adjusted members of 'cyber society' in the past, I've become familiar with most types of attack but I'd never heard of the Root Kit problem.
That's another bit of knowledge I can use when it happens again................ and it will happen again!

How about Cyber ASBOs? (One for JetBlast, I think)

Ta!:ok:

N o t a

tallsandwich
14th Apr 2007, 19:28
Yeah Root Kits are quite new to me too - my next door neighbour got a problem which was a browser hijack that did not go away and I was stumped. He used Blacklight by F-Secure which is another Root Kit tool to resolve it.

Part of the procedure was the removal of previously hidden files, that in his case were in the temp directory - which sounded a bit like what you did - the Root Kit toolkit simply highlighted objects in the filesystem that would not normally be visible in Windows Explorer. He renamed them, rebooted then deleted them etc. I thought that root kits, by definition, had to pretend to be (or replace) OS programs, which surely means the fix for the problem must include the recovering of one or more files that actually belong to the OS, not just deleting things in temp. Maybe the definition of a Root Kit has grown somewhat.

Anyway, re the name - when I was a student on a 4 year course, we did the third year working in industry - and I did my "Sandwich Year" in a company with another student. Normally this company only had one Sandwich Student each year, but as we were two, they now needed a way to discriminate between us, they couldn't just refer to both of us as "the Sandwich Student" anymore. Well I was tall, and my mate had long hair - he was called "Hairy Sandwich" (sounds way too much like 'the bearded clam' for my liking!) and you already know the name I got. Finally after many months our names were abbreviated to "Tall" and "Hairy". All in the name of education of course.

Anyway, glad all is well.