Tuesday, June 9, 2009

Virus Hunt: Trojan.downloader-54811

Windows...bleh.

I had a call about a system where the user had a notebook at home and said that something popped up with the word virus on it, and whenever she opened a web browser it would just close back out.

A little vague, but that's par for the course.

I had it brought into the work area and booted the laptop with the latest version of RIP Linux (I wanted to use the network to get tools and repair information, but you should NEVER plug a system...especially a Windows system...into the network if it's suspected of being infected with something. NEVER. Booting RIP from a CD bypasses whatever is on the hard disk, mitigating the risk).

RIP has two antivirus tools available if you're connected to the network...which you'd need to be anyway to get the latest definitions...xfprot (a front end to FProt) and ClamAV. I ran both and they both only buzzed an alarm on one file hidden in c:\windows\system32 called __c00BBCE1.dat, telling me it was infected with "trojan.downloader-54811."

Well, good that only one file was triggering an alarm. The fact that it was a downloader meant it was probably something from the web browser and was some kind of hidden component of malware meant to act as a "hook" to download more malicious crap in the background of the user's system. Marvelous.

Today viruses are meant to take over your computer. Whenever an antivirus vendor comes up with a signature to combat a specific "virus", the malware author changes a few small details and re-releases the malware into the wild; the vendor eventually finds a sample, analyzes it, and publishes a new signature, and the cycle repeats. Thus seeing another "trojan.downloader" is like seeing another piece of trash along the freeway. Not a big surprise.

A Google search turned up very little, probably because different vendors classify viruses under different names and because there are just so many of them that are ever-so-slightly changed that it's ridiculous. Imagine taking a copy of Huckleberry Finn, changing three words in the fifteenth paragraph of chapter 4, and having a whole new book published because of it...that's the way it is with viruses.

Since I'm scanning under Linux I opened a terminal, navigated to the file and ran the "strings" utility on it, which, oddly enough, looks for runs of readable text in a file. One stuck out: a call to find the DNS address of zappoworld.com. A Google search for that name yielded a hit on a blog detailing one guy's efforts to get rid of some malware apparently called "Virtumondo". He actually had two posts: one here and one here chronicling the fun he was having.
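The same triage step done in code, as an added example that is not from the post: pull printable runs out of a suspicious file the way `strings` does, also catch UTF-16LE text (which Windows binaries use and plain `strings` skips unless told to), and surface anything shaped like a hostname so it can be looked up from a clean machine. The byte blob is constructed to stand in for the downloader and is not the real sample; the domain in it is the one the post found.

```python
"""Offline string triage of a suspicious file (added example, not from the
post): the same idea as running `strings` on __c00BBCE1.dat from a live CD,
plus UTF-16LE strings, which Windows binaries use and plain `strings` skips,
and a filter that surfaces hostname-looking tokens to pivot on."""
import re
import sys

MIN_LEN = 4
# Printable ASCII runs of at least MIN_LEN bytes (the `strings` default).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE runs: a printable byte followed by a NUL, repeated.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Conservative hostname shape; it also matches "file.ext", so review hits by hand.
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_strings(data: bytes) -> list[str]:
    """Return ASCII and UTF-16LE strings found in `data`, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(data)]
    return [s for _, s in sorted(found)]


def hostname_hits(strings: list[str]) -> list[str]:
    """Distinct hostname-looking tokens, lower-cased, in first-seen order."""
    hits: list[str] = []
    for s in strings:
        for m in HOSTNAME.finditer(s):
            if (h := m.group().lower()) not in hits:
                hits.append(h)
    return hits


# Constructed stand-in for a downloader's bytes (not the real sample): junk
# bytes around an imported API name, a C string with the domain the post
# found, and a wide-string registry Run key of the kind used for persistence.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"GetProcAddress\x00" + b"\x8b\xec\x83\xc4\xf0"
    + b"zappoworld.com\x00" + b"\x01\x02\x03"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    # Pass a file path to triage a real file; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    strs = extract_strings(blob)
    print(f"{len(strs)} strings; hostname candidates: {hostname_hits(strs)}")
```

Run it from the live CD against the flagged file and resolve any candidate hostnames only from a machine you trust, never from the suspect system.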

While I can't verify that he and I were fighting the same fight the description was eerily similar in what little detail I bothered gathering to this point.

I agree with his assessment...he'd most likely have to reformat and reinstall to be sure the "infection" is completely gone. Once a system is compromised you don't know what it could be hiding. Most users overlook this idea and figure that it can't be that bad for them; they just want it back in a "usable" state and are happy with that. If they don't mind the idea that something is recording their emails as they type them...their passwords...etc. and then periodically sending them over the Internet to organized crime scum in other countries, then I suppose that's their choice.

So if you found this post from a Google of this particular trojan downloader's name you have two choices. The first, the one I recommend, is wipe your computer and reinstall from scratch and restore your personal data from a backup. Hopefully a backup from before the infection (this is why I don't normally do system-level backups on my personal computer...I copy my *data*, my personal files and folders, and want a clean set of system files from a fresh install in case a system is infected with something wonky or gets corrupted. I'd be restoring the same problems I'm trying to solve!). The second is to start downloading the latest antivirus definitions, maybe a bootable disc or two with AV tools like RIP Linux, along with Spybot Search-and-Destroy, Adaware from Lavasoft, etc., and prepare to spend a weekend and a half searching and scanning and rebooting and erasing and lather-rinse-repeat until your computer is supposedly "clean", keeping in mind that true stealth malware will have hooks into your operating system that will cloak the processes that may even simply reinfect your system the moment you reboot.

I strongly recommend the first method. It's right up there with using a Mac or Linux instead.

1 comment:

  1. PC protection must be essential from viruses and trojans. I recommend downloading a full antivirus which can update automatically.