Windows XP 64, Hotmail & Malware "System Tool"

Justin

My brother is using Windows XP 64 bit.
I sent him an MP3 file from my Mac and when he clicked on it in Hotmail,
it tried to start Java, and then the machine was infected with "System
Tool" rogue malware.
After Googling, he followed the instructions for removal, and scanned
his machine with Malwarebytes - the desktop background and whatnot is
gone - hence the machine is clean.
Now he's afraid to click on a file from Hotmail since he thinks it will
bring that crapware back up. Other than switching to Mac (which he
intends to do this year) how can we make sure the machine is completely
clean?
 
Paul

Justin said:
My brother is using Windows XP 64 bit.
I sent him an MP3 file from my Mac and when he clicked on it in Hotmail,
it tried to start Java, and then the machine was infected with "System
Tool" rogue malware.
After Googling, he followed the instructions for removal, and scanned
his machine with Malwarebytes - the desktop background and whatnot is
gone - hence the machine is clean.
Now he's afraid to click on a file from Hotmail since he thinks it will
bring that crapware back up. Other than switching to Mac (which he
intends to do this year) how can we make sure the machine is completely
clean?

Try a scan with Kaspersky, then install some kind of full-time
anti-malware application.

Kaspersky offers a bootable CD (or you can make a bootable USB stick),
and when you boot the computer with it, you can scan Windows partitions.
As long as your Internet connection supports DHCP, this bootable
solution will also be able to download the most up-to-date virus
definitions.

http://support.kaspersky.com/faq/?qid=208282163

As for what anti-malware application to install in Windows after
that, there are free choices and commercial choices. Commercial choices
will come with a subscription, so you'd perhaps pay on a yearly
basis for daily updates of the virus definition files.

No matter what tool you buy, there is a gap between when new
malware is discovered, and virus definitions are updated. So there
is still the possibility of becoming infected.

And that's where "Safe Hex" comes into the picture. How you use
a computer, like carelessly clicking an attachment in an email,
ignoring the warnings to not run executables from an attachment
and so on, help determine what level of risk you'd be exposed to.
The anti-malware tool might not get very much of a workout,
if you inherently treat all content from the Internet as
being dangerous.

A good question would be, why you didn't scan the MP3 you sent
to him in the first place. Part of "Safe Hex" is the "Web Of Trust".
For example, if I sent you a file, I would scan it first, before
sending it. If you knew me personally, and knew I took care about
the files I sent, then you'd "trust me". Now, in terms of the
"Web Of Trust", you're on your brother's "shit list". Your brother
can't trust you, because you don't scan the files you send.

You don't have to pay money to scan files. If you need a file scanner,
one is available for free at www.virustotal.com. Even a Macintosh
owner can help support the "Web Of Trust", by scanning files before
sending them. The site also offers a search option. If you can
compute a hash (MD5 or SHA1), you can use the string value from
that in the virustotal.com search box. That saves on having
to upload the file. But if you don't know how to compute a hash,
you always have the option to upload the file and test it.

Now that you have a bad MP3 file in hand, why not send it to
virustotal.com, and see which of the forty scanners can detect it?

Paul
 
Justin

Paul said:
Try a scan with Kaspersky, then install some kind of full-time
anti-malware application.

Kaspersky offers a bootable CD (or you can make a bootable USB stick),
and when you boot the computer with it, you can scan Windows partitions.
As long as your Internet connection supports DHCP, this bootable
solution will also be able to download the most up-to-date virus
definitions.
Now that you have a bad MP3 file in hand, why not send it to
virustotal.com, and see which of the forty scanners can detect it?

Paul

Because I made the file myself using Audacity on my Mac.
But I uploaded it to virustotal anyway and it came back negative.
 
Justin

David H. Lipman said:
From: "Justin" <[email protected]>

| My brother is using Windows XP 64 bit.
| I sent him an MP3 file from my Mac and when he clicked on it in Hotmail,
| it tried to start Java, and then the machine was infected with "System
| Tool" rogue malware.
| After Googling, he followed the instructions for removal, and scanned
| his machine with Malwarebytes - the desktop background and whatnot is
| gone - hence the machine is clean.
| Now he's afraid to click on a file from Hotmail since he thinks it will
| bring that crapware back up. Other than switching to Mac (which he
| intends to do this year) how can we make sure the machine is completely
| clean?

What "file from Hotmail" ?
Please provide details and information.

I sent my brother an mp3 file of a phone conversation I had with a
scammer. One of those auto warranty scams. It was funny because they
call every day and I wanted to see what kind of car they thought I had.
When I asked which vehicle this was about there was a hesitation, and
she said Ford. Bad guess, nobody in my family drives a Ford. That's
why I recorded it.
I'm thinking the Java VM is infected, hence when he clicks on the file
it tries to play it in the browser, triggers the Java app, and sets off
the Rogue.
 
Paul

Justin said:
I sent my brother an mp3 file of a phone conversation I had with a
scammer. One of those auto warranty scams. It was funny because they
call every day and I wanted to see what kind of car they thought I had.
When I asked which vehicle this was about there was a hesitation, and
she said Ford. Bad guess, nobody in my family drives a Ford. That's
why I recorded it.
I'm thinking the Java VM is infected, hence when he clicks on the file
it tries to play it in the browser, triggers the Java app, and sets off
the Rogue.

If the machine is clean, now what he needs is some kind of real time
protection against malware.

What happens if he plays your MP3 file again? If the machine was clean,
nothing bad should happen.

Paul
 
Justin

Paul said:
If the machine is clean, now what he needs is some kind of real time
protection against malware.

What happens if he plays your MP3 file again? If the machine was clean,
nothing bad should happen.

Paul

I know for a fact the mp3 is clean - it was made on a Mac and I ran it
through virustotal.
My theory is the Java executables are infected, or have been replaced.
That is what triggered the background to change and the machine to shut
down.
I will ask him to play the mp3.
 
Paul

Justin said:
I know for a fact the mp3 is clean - it was made on a Mac and I ran it
through virustotal.
My theory is the Java executables are infected, or have been replaced.
That is what triggered the background to change and the machine to shut
down.
I will ask him to play the mp3.

I was surprised, when I tried searching what the level of exploitation
for Java was, and it actually picked up a bit last year. At the very
least, any Java you have installed on the machine, should be kept up
to date. No matter what platform it's on. And if the Java happens to
have busted updating, then uninstall the current version, then
download a fresh one (i.e. manual updating).

http://arstechnica.com/business/new...precedented-wave-of-java-malware-exploits.ars

I don't keep Java in my main (WinXP) OS, because I'd rather not have
to maintain it (like a pet rock). Javascript in the browsers is OK - if
I had to disable that, it would make the browser pretty useless. Java
is easy to avoid, by comparison.

Paul
 
pjp

David H. Lipman said:
From: "Justin" <[email protected]>

| In article <[email protected]>,


| I know for a fact the mp3 is clean - it was made on a Mac and I ran it
| through virustotal.
| My theory is the Java executables are infected, or have been replaced.
| That is what triggered the background to change and the machine to shut
| down.
| I will ask him to play the mp3.

Bad theory.

Assuming that there is malware related to Oracle Java, it would be a
trojan in the form of a .CLASS file stored in a Java Jar. However, I
don't see how playing an MP3 file would invoke this, as .MP3 is most
likely associated to a player not using Java.

I have kept and continue to use an old version of WinAmp (2.4 I think)
because it does only what is required, e.g. play mp3 files without any extra
bs. I refuse to update it. Did this back when MS raised objections that you
could write the mp3 out to disk in wma format, since removed from the feature
set.
 
Justin

Paul said:
I was surprised, when I tried searching what the level of exploitation
for Java was, and it actually picked up a bit last year. At the very
least, any Java you have installed on the machine, should be kept up
to date. No matter what platform it's on. And if the Java happens to
have busted updating, then uninstall the current version, then
download a fresh one (i.e. manual updating).

http://arstechnica.com/business/news/2010/10/microsoft-sees-unprecedented-wave-of-java-malware-exploits.ars

I don't keep Java in my main (WinXP) OS, because I'd rather not have
to maintain it (like a pet rock). Javascript in the browsers is OK - if
I had to disable that, it would make the browser pretty useless. Java
is easy to avoid, by comparison.

Paul

Interesting, thanks.
With Java becoming more and more common, this problem will only get
worse. :(
 
Justin

David H. Lipman said:
From: "Justin" <[email protected]>

| In article <[email protected]>,


| I know for a fact the mp3 is clean - it was made on a Mac and I ran it
| through virustotal.
| My theory is the Java executables are infected, or have been replaced.
| That is what triggered the background to change and the machine to shut
| down.
| I will ask him to play the mp3.

Bad theory.

Assuming that there is malware related to Oracle Java, it would be a
trojan in the form of a .CLASS file stored in a Java Jar. However, I
don't see how playing an MP3 file would invoke this, as .MP3 is most
likely associated to a player not using Java.

Ah ha...
Now we're getting somewhere.
I had him scan with Malwarebytes, now I will have him scan with
Kaspersky. There's a free version, right?
 
Justin

David H. Lipman said:
From: "Justin" <[email protected]>

| Ah ha...
| Now we're getting somewhere.
| I had him scan with Malwarebytes, now I will have him scan with
| Kaspersky. There's a free version, right?

Malwarebytes only targets EXE/DLL files, not .CLASS files, nor does it
scan inside archive files, and Java Jars are actually ZIP files.

I suggest scanning with my Multi AV Scanning Tool from the URL in my
signature. It provides the scanners for Avira, Sophos, Trend Micro and
Emsisoft. They have a broader range of target file types and do scan
within archive files such as CHM, ZIP, RAR, JAR, CAB, etc...

I'll check it out.
What about Kaspersky? Does that scan other types of files as well?
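Two points in this thread lend themselves to a small worked check: Paul's suggestion of computing an MD5 or SHA1 hash and pasting it into the virustotal.com search box instead of uploading the file, and David's remark that a Java Jar is really a ZIP file, so the extension on a file says nothing about what it actually contains. The script below is an added example, not something posted in the thread or part of any tool mentioned in it. It computes the hashes in chunks and sniffs the real container type from the first bytes (ID3 tag or MPEG frame sync for MP3, "PK" for a ZIP/JAR, "MZ" for a Windows executable); the sample files it writes are constructed headers, not real audio or malware.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample contents (headers only, not real files or malware):
# each mimics the leading bytes of one container type.
SAMPLES = {
    "voice.mp3": b"ID3\x03\x00" + b"\x00" * 27,       # ID3v2-tagged MP3
    "raw.mp3":   b"\xff\xfb\x90\x00" + b"\x00" * 28,  # bare MPEG audio frame
    "app.jar":   b"PK\x03\x04" + b"\x00" * 28,        # JAR is a ZIP container
    "tool.exe":  b"MZ\x90\x00" + b"\x00" * 28,        # PE executable
    "note.txt":  b"abc",                               # RFC 1321 hash test vector
}

def sniff_head(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension it carries."""
    if head.startswith(b"ID3"):
        return "mp3 (ID3v2 tag)"
    # MPEG audio frame sync: 11 set bits, i.e. 0xFF then top 3 bits of next byte.
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3 (bare MPEG audio frame)"
    if head.startswith(b"PK\x03\x04"):
        return "zip container (a .jar is one of these)"
    if head.startswith(b"MZ"):
        return "windows executable (PE)"
    return "unknown"

def file_hashes(path, chunk_size=1 << 20) -> dict:
    """MD5/SHA-1/SHA-256 of a file, read in chunks so large files fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def inspect_file(path) -> dict:
    """Sniffed type plus the hashes you would paste into a hash search box."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return {"type": sniff_head(head), **file_hashes(path)}

def demo() -> dict:
    """Write the constructed samples to a temp dir and inspect each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLES.items():
            p = Path(tmp, name)
            p.write_bytes(data)
            results[name] = inspect_file(p)
    return results

if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name:10} {info['type']:40} sha256={info['sha256']}")
```

A file named .mp3 that sniffs as a ZIP or PE container is the case worth a closer look; a hash that a multi-engine service already knows saves the upload, and SHA-256 is the one most such services index by today.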