The Mother of All Infected Windows XP Systems

My mom has a Windows XP system with an always-on high-speed Internet connection that's occasionally used by relatives and other guests. The PC had become glacially slow, opening new web pages after a pause of 10 or more seconds, so I started looking for spyware or viruses that might be causing the problem.

I brought the virus definitions in Norton Anti-Virus up to date and installed Ad-Aware to look for other junk.

As they were running, shortly after midnight the PC began sending hundreds of spams that triggered "Scanning message" dialogs in a Norton program that inspects outgoing e-mail for viruses. The computer was infected with Trojan.Abwiz and had been hijacked by a spammer. Hundreds of spams were being sent each minute until I yanked the DSL cable to stop the deluge.
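The symptom that gave the infection away was a burst of outbound mail far beyond anything a person sends. The following is an added detection example (not code from the original post) that scans a constructed connection log and flags any host opening more than a threshold of outbound SMTP (TCP port 25) connections within a single minute; the log format, addresses and timestamps are all assumed for the example.

```python
"""Flag hosts with an abnormal burst of outbound SMTP connections per minute,
the pattern a spambot like the one described above produces."""
import re
from collections import Counter

# Assumed log format: "YYYY-MM-DD HH:MM:SS src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\d \d\d:\d\d):\d\d\s+"
    r"src=(?P<src>\S+)\s+dst=\S+\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (minute, src, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("minute"), m.group("src"), int(m.group("dport"))


def smtp_bursts(lines, threshold=50):
    """Return {(src, minute): count} for every host that opened more than
    `threshold` connections to port 25 within one calendar minute."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed or unrelated lines
            continue
        minute, src, dport = parsed
        if dport == 25:
            counts[(src, minute)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def build_sample_log():
    """Constructed sample: one PC sends 300 messages in a minute (spambot),
    another sends two (a normal mail client), plus unrelated web traffic."""
    lines = [
        "2006-01-01 00:02:10 src=192.168.1.30 dst=203.0.113.9 dport=25",
        "2006-01-01 00:02:40 src=192.168.1.30 dst=203.0.113.9 dport=25",
        "2006-01-01 00:03:05 src=192.168.1.20 dst=203.0.113.5 dport=80",
        "not a log line at all",
    ]
    for i in range(300):
        lines.append(f"2006-01-01 00:03:{i % 60:02d} src=192.168.1.20 "
                     f"dst=198.51.100.{i % 250 + 1} dport=25")
    return lines


if __name__ == "__main__":
    for (src, minute), n in smtp_bursts(build_sample_log()).items():
        print(f"{src}: {n} outbound SMTP connections in {minute} (possible spambot)")
```

A real deployment would read the firewall or router log instead of the constructed sample, and the threshold should be set from the normal sending rate of the hosts on the network.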

A post on Spyware Sucks describes a Russian spam operation exploiting some of the other trojan files present on her computer, which included winsub.xml, svcp.csv and taskdir.dll:

What I thought was going to be pretty standard forensics "OK-the-machine-is-infected (yawn) let's-get-it-cleaned, reduce user permissions and give it back" turned out to be anything but. While I was connected to the PC via VNC something bad on that box woke up. A slew of connections were made to Russia right before my eyes and things suddenly got very, very interesting. This was very cool - sure, I've seen many reports of infected PCs, and helped users fix their machines from afar using various automated products and analysis logs, but I've never had the chance to be hands on with a real, live, actively pumping spambot.

Her PC had both Windows Firewall and Norton Anti-Virus running, though the latter's virus definitions were last updated in January. Neither one stopped this crack, which is reportedly installed by exploiting an Internet Explorer vulnerability. I think I've found and removed the trojans, which weren't gone completely until I got rid of all System Restore backups saved by XP, but I'm tempted to wipe the hard drive and reinstall to make sure.

Because Trojan.Abwiz can update itself and send data such as a keystroke log to other compromised PCs, mom has to change her credit card numbers and review other confidential information that might now be in the hands of identity thieves.

In other news, Microsoft will be releasing 12 security updates on Tuesday.

Comments

My mother in law wanted to try out "that Ubuntu thing" I work on, so figuring it'd save her from the hassles of viruses and spyware, I watched her install it. She is totally rapt. Loves it. She upgraded it last week without calling us to make sure. The "new release" notification popped up and she just did it. I was gobsmacked, but then, that's exactly what we're trying to achieve.

Save your Mum - and yourself! - from all the wasted time and crap: Grab an Ubuntu CD (shipit.ubuntu.com) and ditch Windows for good. :-)

First comment on your blog - thanks for your work trying to make RSS saner. :-)

I haven't tried Ubuntu, but I will. Norton Anti-Virus is no good. I've been using AVG free edition, with Windows Firewall, and Spyware Doctor for anti-spyware. I rarely pick up junk, occasionally a trojan, which is easily removed.

If you want to buy things over the internet, get a loadable green-dot card at a convenience store. You have to order them, and wait a couple of weeks, but at least you're not jeopardizing your personal information.

Even Microsoft recommends you nuke and pave the HD if infections get in too deep.

This would be one of those times.

I agree with Mark. Wipe and load. "Nuke and pave", I'll have to remember that one.

I prefer "shave and spank." Or is it "wax and lube?"

I've been using Ubuntu for nine months and I can highly recommend it as well. Just installed it on a new laptop and had very few issues. Hardware support has gotten very good in the Linux world.

IDK about you all, but I would highly recommend putting Avast on; it's really easy to use and updates itself each time you get on your computer. Another virus protection program I would use with Avast would be Microsoft Antispyware. With both of these programs on at the same time your computer is very hard to get viruses on; I know it saved me many times when trying to DL stuff.

She couldn't handle updating the NAV. Does anyone seriously think LINUX is the answer for someone with this level of computer skill?

That depends on whether she'd have to update Linux constantly to keep it protected.

She's using the PC for casual stuff -- a web browser, web-based e-mail, word processing and contact management. Linux does all of those well enough for her to replace Windows, though I haven't recommended that because she might need to work with documents created at work on Windows boxes.

I work with documents created at work on Windows/MSOffice boxes all the time -- using Ubuntu/OpenOffice.

For updates, an icon appears whenever there is something available. You click on it and install what it tells you, and you generally don't even need to reboot. All pretty painless.

I'm also a NAV refugee. I still use Windows most of the time, but am a NOD32+Sygate evangelist when doing so. No problems since going to that 1-2 punch. All of my computerphobe friends and family have their definitions updated more than once daily, silently under their noses; that's kept their boxes clean for over a year. Saves my time, too.

I've hated Norton/Symantec since their software hogged so many system resources. I absolutely love Trend-Micro Internet Security 2006. Comes with everything you can think of and it's coded very cleanly. Disabling it when you need to for playing games and running keygens is easy (unlike Norton and NOD32). I'm so glad Linux is more mainstream now with the hardware support. I started with Linux with SuSE 6.2 way back in the day when the install required a computer engineer to understand. Nowadays I use Slackware and FreeBSD.

If you backup, nuke, pave and restore, wouldn't you just put the viruses, trojans, etc. back on?

Download Trojan-Remover (download.cnet.com). I had the same problem and nothing worked until someone recommended this tool. No backups, just a couple of reboots and it cleaned out all evil registry settings, nasty boot apps, and associated DLLs. Whole process took 30 minutes and did what AVG and some others couldn't do.
