Well, I’ve been working professionally for a long time now and have only had a virus/worm problem once (I knew better than to open the FTP port through my firewall, but my wife needed to send a large file, I wouldn’t leave it open, and, what could happen? <ugh>)…
Anyway, fast forward to last Sunday, I’m doing a some research on a little project of mine when suddenly things are running really slowly.
I check a few of the usual suspects and nothing. So I open TaskMan, figuring I’ve got FireFox running rampant and chewing a bunch of ram.
Well it was, but that wasn’t what was interesting.
What was interesting?
What was interesting was that I was seeing a 20 character long randomly named EXE run, spawn another similarly named EXE, then die. Over and over again.
That’s not the behavior of any kind of normal application.
Yikes.
First things first.
After some frantic clicking trying to kill the process before it could spawn, I finally managed to. Ok. So now what. I opened FireFox and Googled “random named exe running”, got back a list of results and clicked on one.
I ended up at some link farm page (you know the kind, tons of links, but nothing worth anything).
Ok. Back up and try another result. Different link farm page, but same format.
Huh-Whuh?
Ok, Search for “CreateWindow”, first Google result is an MSDN page, click on it, same dang link farm page!
Crap. I’d been hijacked.
Reboot
Maybe it was just an in memory thing, so I reboot (and disconnect from my network!).
Once I log back in, everything crawling. Back in TaskMan and I see, literally, dozens of randomly named EXE’s spawning and dying all over the place.
Double Yikes!
Eset’s NOD32 is running, but it can’t keep up.
Shutdown.
Using another computer, I used NOD32 to create an emergency rescue USB drive.
Back to the infected machine, I boot to the thumb drive and start a scan. Oh…..Dear……Lord….. This is going to take a while.
Hours Later….
When it finally finished, it’d found a number of infected files, particularly, the Win32/Olmarik worm, and cleaned them, but I wasn’t convinced.
I did a quick check for any EXE’s dated that day, and sure enough, there were dozens of them, all about 2.4mb in size, in the SysWow64 folder. I deleted them all, then searched for any other files modified in the last 2 days that I didn’t immediately recognize. I deleted everything I found.
Restart and everything’s running lovely again.
Not out of the Woods
I start up FireFox and Google search results are still redirecting to various link farms. Crap.
I use another computer to search for solutions…
- Uninstall FireFox
- Delete everything related to FireFox on your drive.
- Uninstall Java
- Delete everything related to Java on my drive
Reboot and reinstall FF. Back and working normally. Phew! I just have to restore all my bookmarks and addins and I should be good there.
Turns out, the worm creates some Java hooks into your browser than causes the redirection. Nasty stuff.
Still Not Out of the Woods
I suspected it still wasn’t over and sure enough, I’m right. A few hours later, I happen to need to use KeePass for a password. Pressing Ctrl-Alt-A (standard KeePass hotkey), I get an Explorer popup saying that “The executable 43HJKAN5H1AVC.exe could not be located. Remove this shortcut?”
Son-of-a-bitch.
The damn worm created short-cut links to those random named exes I’d already deleted.
So off I go hunting down all the LNK files modified in the last few days and delete all of them.
Finally, I believe everything’s back to normal (though I’m still walking cautiously for now). I’ve since run a full computer scan on all my machines with nothing noted. Fingers crossed.
Post mortem
I’m still not completely sure what vector the worm used to get in, considering NOD32 was running the whole time. The only thing I can think of was that my daughter was in and out of my office at the time. I could have been distracted at some point and clicked a popup that I didn’t really intend to click.
But that’s just a guess.
The second thing that bothers me is why NOD32 didn’t catch this. It did catch at least parts of it, but the Java browser hijack totally slipped through. Doesn’t give me a good feeling…