David Kaye
2014-11-17 00:37:41 UTC
My first zombie! I have a customer who downloads everything she can find,
especially programs that claim to fix everything that is not wrong with her
computer.
Anyhow, I'm dealing with a for-real zombie that continues to write about 1
MB/s of data to temp directories. I can only stop it in safe mode. What's
curious about this is that when running in regular mode MalwareBytes keeps
blocking its attempt to connect to 95.215.1.57. Guess where that lands --
RUSSIA. The poor thing is trying to phone home for further instructions and
just can't get through to the mother ship.
By the way, the processes involved include powershell, dplaysvr, and of
course our fave, svchost. Even looking at tools that attempt to show entry
points I can't get a handle on exactly what is launching this stuff.
So, this is so full of intrigue. Are the javascripts trying to infiltrate
the Pentagon and using this poor computer as part of its attack network?
All in all, I can get most stuff to work on the computer, so this zombie
likely would have gone undetected if it had been written better. I'm
assuming that it keeps writing more temp files because it's being denied
access to the internet. Looking them over, I'm seeing scripts that attempt
to link to sites with randomized names or names that sound legit but aren't
quite (such as "mirosoft.com", etc.).
This infection has apparently come to the fore only in the last few days,
and somebody has written some tools which may or may not fix the problem. I
have no idea who the author is, so I'm going to have to do lots of research
before I use them.
Or wipe the partition and start over....
International intrigue!
---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com
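As an added example (not part of the post), here is a small Python triage helper that pulls hostnames out of a dropped script and flags the two patterns described above: near-misses of well-known domains such as "mirosoft.com", and random-looking names. The list of legitimate domains, the sample script text and the thresholds are assumptions; the "registrable domain" guess is deliberately crude (last two labels, no public-suffix list).

```python
import re

# Assumed list of domains a phone-home script would plausibly imitate; extend as needed.
LEGIT_DOMAINS = ["microsoft.com", "google.com", "adobe.com", "avast.com", "mozilla.org"]

# Captures the host part of http(s) URLs; stops at the first "/" or quote.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)

# Constructed sample, modelled on the lookalike and random names the post describes.
SAMPLE_SCRIPT = """\
var a = "http://www.mirosoft.com/update.php";
var b = "http://qx7kd9zm2plw.net/cmd";
var c = "http://www.example.com/ok";
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(label: str) -> bool:
    """Heuristic for machine-generated labels: mixed digits/letters, or almost no vowels."""
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowel_ratio = sum(c in "aeiou" for c in label) / max(len(label), 1)
    return (has_digit and has_alpha) or (len(label) >= 8 and vowel_ratio < 0.2)


def classify_host(host: str) -> str:
    host = host.lower()
    reg = ".".join(host.split(".")[-2:])  # crude registrable-domain guess (assumption)
    if reg in LEGIT_DOMAINS:
        return "known"
    for legit in LEGIT_DOMAINS:
        if levenshtein(reg, legit) <= 2:  # one or two typos away from a real brand
            return f"lookalike of {legit}"
    if looks_random(reg.split(".")[0]):
        return "random-looking"
    return "unknown"


def scan_script(text: str) -> dict:
    """Map every hostname found in the script text to its classification."""
    return {h: classify_host(h) for h in HOST_RE.findall(text)}


if __name__ == "__main__":
    for host, verdict in scan_script(SAMPLE_SCRIPT).items():
        print(f"{host:25} {verdict}")
```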