I found the Source of the Sality Virus


C

casey.o

I was suspecting it more and more. I got a computer from Ebay. Just a
tower without keyboard, monitor, etc. But it came with XP installed. I
booted right up when I got it last week. I didn't do anything to it
except boot it. Then I copied IDE-ID to it with a flash drive.

The more I thought about this, the more I kept thinking that shortly
after I copied that file, I used that same flash drive again, and that
is when all the problems began.

I have not touched that computer till now, but I still suspected it. I
put salitykiller on a flash drive, and booted that computer. The killer
went bonkers the second I loaded the killer program. It found 439
infected files, 3 infected processes, and 24 infected threads (whatever
that means). It said it cleaned all the files, but now I am getting
"Runtime Errors", when I start some programs on it - just like I did on
the other computers. Either way, it gets formatted clean, but not until
I contact the seller and make a LOUD complaint.

I think he owes me (at least) a XP-Pro CD to reinstall, which would also
solve my laptop needs. The guy sells other computers, I bet they are
all infected.

I wont stick anything into that computer for now, even if salitykiller
says it's clean. But I do now have another flash drive to format.
 
Ad

Advertisements

C

casey.o

Well, that answers that question.

And I bet the previous owner of that computer, knew
it was compromised.

A smart person would just boot a DBAN CD and wipe
the machine before selling it. And throw in a copy
of the OS CD that corresponds to the COA they used
on it. (That's assuming the OS is legit in the
first place, and isn't just a cracked copy or a
known VLK). If it was a Dell, it should come with
the Dell CD.

It didn't come from a person or family, it came from a reseller who has
lots of computers for sale, and this OS was installed new. No programs
except tghose on the XP install CD. In fact there was a sticker on it
saying "install drivers before shipping". The virus probably comes from
the drivers, not the OS, unless they install it without a CD.
 
P

Paul

I was suspecting it more and more. I got a computer from Ebay. Just a
tower without keyboard, monitor, etc. But it came with XP installed. I
booted right up when I got it last week. I didn't do anything to it
except boot it. Then I copied IDE-ID to it with a flash drive.

The more I thought about this, the more I kept thinking that shortly
after I copied that file, I used that same flash drive again, and that
is when all the problems began.

I have not touched that computer till now, but I still suspected it. I
put salitykiller on a flash drive, and booted that computer. The killer
went bonkers the second I loaded the killer program. It found 439
infected files, 3 infected processes, and 24 infected threads (whatever
that means). It said it cleaned all the files, but now I am getting
"Runtime Errors", when I start some programs on it - just like I did on
the other computers. Either way, it gets formatted clean, but not until
I contact the seller and make a LOUD complaint.

I think he owes me (at least) a XP-Pro CD to reinstall, which would also
solve my laptop needs. The guy sells other computers, I bet they are
all infected.

I wont stick anything into that computer for now, even if salitykiller
says it's clean. But I do now have another flash drive to format.

Well, that answers that question.

And I bet the previous owner of that computer, knew
it was compromised.

A smart person would just boot a DBAN CD and wipe
the machine before selling it. And throw in a copy
of the OS CD that corresponds to the COA they used
on it. (That's assuming the OS is legit in the
first place, and isn't just a cracked copy or a
known VLK). If it was a Dell, it should come with
the Dell CD.

So now you have a new thing to do with your Ebay purchases.
You can wipe them on arrival with DBAN. Or you can boot
with PCLinuxOS CD first for a look around. Or even, use
your Kaspersky offline scanner, just for kicks (a fresh
copy downloaded at the Wifi place and burned to CD, so
the definitions are fresh).

(The ~375MB file...)

http://support.kaspersky.com/8092

It's not guaranteed to catch everything, but it's a start.

Now you understand why the advice on these groups, with
used machines, is to "level and reload". Even if the
machine came from a family member, because they
might not be malware-savvy. If a family member says
"I'm giving you my computer, because it's too slow",
that's your first hint it should be wiped :)

Paul
 
P

Paul

It didn't come from a person or family, it came from a reseller who has
lots of computers for sale, and this OS was installed new. No programs
except tghose on the XP install CD. In fact there was a sticker on it
saying "install drivers before shipping". The virus probably comes from
the drivers, not the OS, unless they install it without a CD.

You should inform the seller, in case the sellers entire
network is polluted, and every machine leaving the place
has Sality on it. Not for the sellers sake, but for the
next customer who buys one.

As I mentioned in another post, the developer of ComboFix
got hit by Sality, so even experienced malware people
can get smacked. It's remotely possible the seller
doesn't even know there is a problem.

Paul
 
B

~BD~

David said:
the best cure is to wipe the PC

An interesting choice of words. Not simply wipe the hard drive?

What *other* steps are required to ensure the machine isn't reinfected?

If it helps - I read THIS recently:

Your operating system is neither the first code that executes on your
computer, nor is it the code with the highest level of access. Malware
loaded into the bootstrap code (including BIOS, video BIOS, RAID BIOS,
NIC BIOS, UEFI, UEFI modules) not only will not be erased by
installation of a new OS, it can hide itself from detection by the OS
(although not perfectly, it will slow things down and timing analysis
may be able to detect that).

Only a small fraction of all malware operates at this level, but
multiple cases have been documented. Here are just a few examples:

New BIOS Virus Withstands HDD Wipes

Blue Pill is the codename for a rootkit based on x86 virtualization

Rootkit Detection Framework for UEFI "UEFI has recently become a very
public target for rootkits and malware. Last year at Black Hat 2012,
Snare’s insightful talk highlighted the real and very significant
potential for developing UEFI rootkits that are very difficult, if not
impossible, to detect and/or eradicate. Since then, a couple of
practical bootkits have appeared."

Also, Stack Exchange site Information Security has several relevant
questions:

How to detect a virus in a network card?

Viruses on video cards?

To be pedantic, these wouldn't be called "Windows viruses", although
they may be carried inside Windows malware which served as the infection
vector. And they wouldn't be said to "transfer to Ubuntu". My point is
that if you had asked the right question, which I feel is "After
formatting my Windows partition and installing Ubuntu, might I continue
to be affected by malware?", you would learn that the unfortunate answer
is "Yes that is possible."
 
Ad

Advertisements

Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top