Infected With ZeroDay Stuxnet Worm.


This topic is locked
8 replies to this topic

#1 HelpMe0ut


Posted 17 April 2013 - 06:31 PM

OK, I have a pretty serious issue here. I came across a post on a computer forum talking about the ZeroDay Java virus that's going around, so I decided to do some research on it. I did a Google search and clicked on a link to a site that said something like "Better Ways To Protect Yourself From ZeroDay". It looked legit from the Google page... boy, was I wrong. Anyways, as soon as my browser goes to load up the page, it froze up and bam... next thing I know my computer makes a weird noise, like, a creepy noise, my screen wiggles a little, then it stops and my hard drive is zooming... I look at my connection and IP address and now I'm being proxied to a remote server. Mind you, my Kaspersky didn't alert till after the payload, and when it did it literally split up into multiple Kasperskys... Then Kaspersky panicked and changed all of its file names to Norton or Avira, God only knows why, and made RegKey references in the file... but I noticed it didn't let me open the cmd prompt. Meaning it elevated its privileges and put me down to loser privs. So, I cut the internet off right away. Good thing I did, because I found out later this isn't a regular worm. This is a control bot worm, you can control it; it parsed itself to me, piped me, tunneled me, and rode me home like a... nvm that... but anyways... it tried restricting most of my access. Lucky for me, whoever was controlling it either didn't know how to or didn't get time to lock my keyboard; once it's not being controlled it goes into independent mode, self-replicating and performing its programmed duties. Now, me being me, I start going through all the files, changing the ext to .txt and investigating... to find out what it did. Well... it gets interesting. It attached itself into the boot.
It set up a tunnel on me, it read the contents of all my drives, including my USB drives, was tracking my routes, pinging me, then it did specific searches, checking for movies, porn, r4pe, humor, violence... music, classes, categories, etc... Then it started metadata scanning everything, going through the hard drives and USB, searching the registry... not to mention my registry like disappeared. I gave myself back Administrator rights by using the Windows key + X and opening the Admin command prompt (couldn't believe that worked), then with that I immediately opened Admin PowerShell and Remote Management, trying to figure a way to deny its privileges; wasn't happening, this thing is made for war. It's programmed to deny every kind of stop, shutdown, quit, interference. Well, I can guarantee it's in my USB drives, on my hard drive, in my MBR. I spent hours trying to figure out how to stop this thing. I came here and was going to do my own clean-up, but I ran into a HUGE problem. I'm running Windows 8 and most of these tools don't work on my platform. Is there any way to get this thing out? I'm not showing signs of infection as I was when I got hit with the payload. I don't see a remote connection, I did a full format, but still the worm comes back. I can see the files when I search my Windows Explorer for .js. I try to delete them and they come right back within a minute. It just keeps making more and more, and the more you delete the more they make. It survived a full CD reinstall, and just because all I see it doing is self-replicating doesn't mean it's not recording, catching keystrokes, and sending the info back once a week. Wouldn't be noticeable. I'm at a loss on what to do... :smash:




#2 Broni


Posted 17 April 2013 - 06:34 PM

Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click the donation link.


 


#3 HelpMe0ut


Posted 17 April 2013 - 06:53 PM

I just tried; it wouldn't let me put that in there. I keep my net sharing off by default; as soon as I turned it on I saw all the devices, then a VBS box popped up saying something about connection failed and to my brother's PC, then I turned off network sharing but I can still see his device and everything with it off. I'm pretty sure they attacked my bro's PC and that's what that VBS box was. I have the files that I believe are the worm, but with how advanced this is I don't want it attaching to something I upload and damaging the site. Or get released further. You have to see this JavaScript to understand... I haven't come across anything like this in the wild before. There are quite a few files to this, all JavaScript. The main is a 49.4 MB file. I'm positive this has to be the new zero-day, only far better; this has to come from an advanced association. I went through all of them and saw the code; it shows the new 2013 zero-day PDF and Flash integrated. I know this because I read the article and Adobe mentioned a hint about the way they were doing it; well, I found the answer to their hint in the main file. You can clearly see they are creating a border and creating a pixel outside the border, well, I'll leave it at that, but Adobe didn't say that but the script clearly does, and no other virus in a Java form has ever been 49.4 MB (which was around the total of all files in the payload I got), but there is more, there are other scripts you can use to control this thing after it sets up the pipes, tunnels, does its routing parsers, takes over your network. The total size of this monster is between 80-160 KB (the parts I have saved)... It is a Monster...


Edited by HelpMe0ut, 18 April 2013 - 04:22 PM.


#4 Broni


Posted 17 April 2013 - 07:36 PM

I'll report this topic to appropriate helpers.

Hold on there...




 


#5 HelpMe0ut


Posted 17 April 2013 - 08:39 PM

Yeah, it's still here, it's calling out through my IE, and still creating tons more files... it seems like it is much more passive now, not as noticeable, but when I search the logs I see lots of new .js being created.


Edited by HelpMe0ut, 17 April 2013 - 08:41 PM.


#6 Broni


Posted 17 April 2013 - 09:26 PM

Someone will be with you.

Please be patient.




 


#7 HelpMe0ut


Posted 18 April 2013 - 01:29 PM

OK, got it to run. I'm posting logs in the other forum. I couldn't get it to let me do an MBR scan.



#8 Broni


Posted 18 April 2013 - 04:01 PM

(thumbs-up smiley)




 


#9 Elise


Posted 19 April 2013 - 01:53 PM

As you reposted about your issue in the malware removal forum, this topic will be closed. Please do not create any additional topics; instead, be patient until a malware response team member replies to your topic. If HelpBot replies, please be sure to carefully read and follow the steps outlined in the post.


regards, Elise

