Malware Exploiting Address Books?

BobH
UraniumLounger
Posts: 9297
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Malware Exploiting Address Books?

Post by BobH »

Recently I've been receiving emails from senders I don't know. They have either no subject or one that makes no sense to me. Today, I received an email from a sender whose name is in my address book, an old friend that I rarely communicate with. Normally I just delete mail from people I don't know or with iffy subject lines, but this one I opened and saw no message. After deleting it, I switched to my browser (Firefox 5.0) and immediately got a warning that there was something bad afoot. I run only Microsoft Security Essentials on WinXP Pro SP3 now, after reading threads and comments here at Eileen's Lounge.

I shut down the active apps and launched the MSE app and ran a quick scan with no malware found. I'm running a full scan as I type with no indications after a couple hours running that it has found anything.

I suspect I've been probed. I don't yet have tangible evidence that I've been infected. I would like to know whether or not anyone else has experienced similar symptoms and, if so, whether it resulted in malware infection. If you took a hit, have you fixed it? What did you do?

TIA
Bob's yer Uncle
(1/2)(1+√5)
Dell Intel Core i5 Laptop, 3570K,1.60 GHz, 8 GB RAM, Windows 11 64-bit, LibreOffice,and other bits and bobs

HansV
Administrator
Posts: 78549
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Malware Exploiting Address Books?

Post by HansV »

It looks like someone got hold of your old friend's address book. The e-mail may have contained some malware, but if MSE gives you a clean bill, in all probability it didn't get further than your Temp folder or browser cache.
To be on the safe side you could run a one-time scan with another anti-malware program - I use the free version of Malwarebytes Anti-Malware for this purpose.
Best wishes,
Hans

stuck
Panoramic Lounger
Posts: 8182
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Malware Exploiting Address Books?

Post by stuck »

You could also run a scan with an on-line virus scanner. A long time ago in a Lounge far, far away there was a link to this one from the board index page:
http://housecall.trendmicro.com/uk/

Ken

BobH
UraniumLounger
Posts: 9297
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Malware Exploiting Address Books?

Post by BobH »

Thanks for the suggestions. I'll give them a try later - after this MSE full scan I've got going completes.

The MSE full scan must be extremely thorough, if run time is any indication. I've had it running for a little over 5 hours now and it has scanned almost 2 million items. There is a cryptic message saying that "Preliminary scan results show that malicious or potentially unwanted software might exist on your system. You can review detected items when the scan has completed." I changed the MSE option to allow it to use 100% of the CPU, too. It doesn't use much RAM but it sure gobbles the cycles.

While this scan has been running, I discovered another puzzling problem. I cannot access script options following Tools>Greasemonkey>Manage_User_Scripts. Right clicking on the GM icon doesn't work either. Both take me to a display of a list of scripts at "about:add-ons".

Methinks I might have a script monster lurking somewhere that MSE didn't prevent or warn me about - or I missed the warning.

BobH
UraniumLounger
Posts: 9297
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Malware Exploiting Address Books?

Post by BobH »

Follow up:

MSE finally finished the full scan. It turned up 2 suspect items, both of which I told it to remove: HackTool:JS/Firesheep and RemoteAccess:Win32/TightVNC.

I have no idea how long they have been on my computer nor where they came from nor why MSE didn't prevent/warn me about them. If anyone has any experience with them and could shed some light on likely sources, I would appreciate the information so that I might avoid getting them again.

Bigaldoc
PlatinumLounger
Posts: 3757
Joined: 24 Jan 2010, 11:00
Location: Lexington, KY, USA

Re: Malware Exploiting Address Books?

Post by Bigaldoc »

I can only say that TightVNC is (or used to be) a legit application for remote PC access with another computer. In and of itself I wouldn't think of it as a bad guy.

BobH
UraniumLounger
Posts: 9297
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Malware Exploiting Address Books?

Post by BobH »

Bigaldoc wrote: I can only say that TightVNC is (or used to be) a legit application for remote PC access with another computer. In and of itself I wouldn't think of it as a bad guy.

Because nobody should be accessing this computer from the web and nobody but me ever has their hands on the keyboard, I let MSE remove TightVNC. I think it might have been installed with the wifi hack (I'm not sure) but I can see no need for it.

Thanks for the info BigAl.

Doc Watson
4StarLounger
Posts: 412
Joined: 25 Jan 2010, 06:46
Location: New Jersey

Re: Malware Exploiting Address Books?

Post by Doc Watson »

A little late to the party, but these sound like the tools of someone attempting to make you part of their bot-net. The Firesheep tool would hijack your browsing session and then redirect you to a site that would allow your system to be completely compromised, if that is what they wanted, or to be used via the TightVNC for DOS attacks or whatever their script kiddie game is. PITA !!
If life gives you melons,
You may be dyslexic.

BobH
UraniumLounger
Posts: 9297
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Malware Exploiting Address Books?

Post by BobH »

Thanks, Doc!

I think perhaps I might have been part of a botnet, but I have no way to verify that. I've run Task Manager from time to time and noticed that the CPU cycles seemed inordinately high for the apps and processes that it showed active. My guess is that anyone clever enough to slip Firesheep onto my system is also clever enough to keep me from identifying their app or processes using Task Manager.

Speaking of Task Manager, I wondered if anyone else shares my opinion of this as being an 'almost useful' tool. What I mean is that it raises as many questions as it answers for me. Why not add to it features that would allow users to identify the apps that are sucking cycles and/or eating RAM by simply clicking to get another panel that provides that information. Surely there is someone clever enough to work out the graphics, and I've known enough programmers to know that there are plenty who can gather the information in real time. Also, on the panel that shows active processes, it would be great to be able to click on each and find out who the publisher is, what it does, and when it was installed on your system and, further, what package it was part of when it was installed. Surely the hive contains this information (or should, I don't know) and if the code was inserted surreptitiously then the tool could link to the web with a search.

I don't run Win7 (didn't like Vista at all), sticking with WinXP for the nonce. Has the Task Manager been changed - with luck, improved - in Win7? Is there a tool not delivered with the OS that will do what I posited above?

JoeP
SilverLounger
Posts: 2070
Joined: 25 Jan 2010, 02:12

Re: Malware Exploiting Address Books?

Post by JoeP »

Check out Process Explorer. Quite a number of people use it instead of Task Manager.

Joe
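Bob's wish list above (who published a process, where it lives, when it arrived, how much it consumes) is what Process Explorer shows; as an added example that is not part of this thread, the same facts can be pulled in PowerShell. Column names and the 30-day and path heuristics are my own choices.

```powershell
# Added example, not from the thread: a PowerShell inventory of the facts Bob wanted
# from Task Manager and that Process Explorer shows: image path, publisher
# (Authenticode signer), when the image file was created on disk, and resource use.
# Run from an elevated prompt so the paths of system processes are readable.
function Get-ProcessInventory {
    Get-Process | ForEach-Object {
        $proc = $_
        $path = $proc.Path             # $null when the process cannot be opened
        $signer = 'n/a'; $status = 'NoPath'; $created = $null
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $created = (Get-Item $path).CreationTime
        }
        # New-Object rather than [PSCustomObject] so this also runs on PowerShell 2.0 (XP)
        New-Object PSObject -Property @{
            Name        = $proc.ProcessName
            PID         = $proc.Id
            CpuSec      = [math]::Round($proc.CPU, 1)
            WorkingMB   = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            Path        = $path
            SigStatus   = $status
            Signer      = $signer
            FileCreated = $created
        }
    }
}

# Triage view: unsigned or tampered images, images living outside the Windows and
# Program Files trees, and image files created in the last 30 days, busiest first.
Get-ProcessInventory |
    Where-Object {
        $_.SigStatus -ne 'Valid' -or
        ($_.Path -and $_.Path -notmatch '^[A-Za-z]:\\(Windows|Program Files)') -or
        ($_.FileCreated -and $_.FileCreated -gt (Get-Date).AddDays(-30))
    } |
    Sort-Object CpuSec -Descending |
    Format-Table Name, PID, CpuSec, WorkingMB, SigStatus, Signer, FileCreated, Path -AutoSize
```

A valid signature only says who built the file, not that it belongs on the machine; an unsigned image in a user-writable folder is the kind of entry worth looking up.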

BobH
UraniumLounger
Posts: 9297
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Malware Exploiting Address Books?

Post by BobH »

Thanks, Joe!

That does give a great deal more information. That answers all my questions about what's running, who published it, how many cycles and how much CPU. I'm gonna google for information on a couple of processes, but I didn't see anything that looked suspicious.

Is it possible that the malware writers could cloak their processes so that they don't appear in Process Explorer, or is this code intercepting all calls and displaying all information?

Thanks again. PE is a much more useful display of information for me than Task Manager.

JoeP
SilverLounger
Posts: 2070
Joined: 25 Jan 2010, 02:12

Re: Malware Exploiting Address Books?

Post by JoeP »

If you are infected with a Rootkit it is likely you'd not see it.

The same Sysinternals people (who are now Microsoft employees) produced a utility called RootkitRevealer.

There are a number of other free rootkit tools around the internet. See Sophos Anti-Rootkit & TrendMicro Rootkit Buster for example.

NOTE: You must be careful about removing something identified as a rootkit because there is valid software on every system that acts as a rootkit. See Wikipedia - Rootkit for a discussion.

Joe
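Joe's point that a rootkit hides from the process list is what cross-view tools such as RootkitRevealer test for: ask for the same information through two different routes and look for disagreement. As an added example that is not part of this thread, here is a minimal version of that idea for the process list; the pass count and sleep interval are my own choices.

```powershell
# Added example, not from the thread: a small "cross-view" check in the spirit of
# RootkitRevealer, applied to the process list. Two enumerations that take different
# code paths (Get-Process through the .NET Process API, WMI's Win32_Process class)
# are compared; a PID that one view reports and the other does not deserves a look.
# A kernel rootkit that filters both paths will pass this check, so treat it as a
# quick sanity test, not a replacement for the dedicated tools Joe lists.
function Compare-ProcessViews {
    $apiView = @{}
    Get-Process | ForEach-Object { $apiView[[int]$_.Id] = $_.ProcessName }
    $wmiView = @{}
    # Cast to [int]: WMI returns UInt32, and a hashtable would not match it to the Int32 keys above
    Get-WmiObject Win32_Process | ForEach-Object { $wmiView[[int]$_.ProcessId] = $_.Name }

    $findings = @()
    foreach ($id in $wmiView.Keys) {
        if (-not $apiView.ContainsKey($id)) {
            $findings += New-Object PSObject -Property @{ PID = $id; Name = $wmiView[$id]; MissingFrom = 'Get-Process' }
        }
    }
    foreach ($id in $apiView.Keys) {
        if (-not $wmiView.ContainsKey($id)) {
            $findings += New-Object PSObject -Property @{ PID = $id; Name = $apiView[$id]; MissingFrom = 'WMI' }
        }
    }
    return $findings
}

# Processes that start or exit between the two snapshots are the usual, benign cause
# of a mismatch, so repeat the check and only report PIDs missing on every pass.
$passes = 3
$seen = @{}
for ($i = 0; $i -lt $passes; $i++) {
    foreach ($f in Compare-ProcessViews) {
        $key = "$($f.PID):$($f.MissingFrom)"
        if (-not $seen.ContainsKey($key)) { $seen[$key] = @{ Hits = 0; Finding = $f } }
        $seen[$key].Hits++
    }
    Start-Sleep -Seconds 2
}
$seen.Values | Where-Object { $_.Hits -eq $passes } |
    ForEach-Object { $_.Finding } | Format-Table PID, Name, MissingFrom -AutoSize
```

An empty result means the two views agree, which is reassuring but not proof of a clean system; a persistent mismatch is a reason to run the dedicated scanners, not to delete anything by hand.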

BobH
UraniumLounger
Posts: 9297
Joined: 13 Feb 2010, 01:27
Location: Deep in the Heart of Texas

Re: Malware Exploiting Address Books?

Post by BobH »

Hi Joe!

Thanks for the information. I installed and ran RootkitRevealer and got a bunch of suspects. It took a long time to run with nothing else running on the XP system. I'm still trying to run each of them down but I'm not finding any smoking guns.

I'm going to try the other rootkit detectors just for grins.

Again, thanks for the help!