
Sending A Virus To You, My Friends - p.s. not a virus prob.



#1 jezzmo


Posted 24 September 2013 - 08:49 AM

Guys, and girl(s) [please s be true]

Look, I'm using my first post on this forum for a selfish one, but I hope it can be a community one too.

Today I had to make a time-felt decision to fly a virus-laden user profile over the network into a compressed folder.

The spyware was UKASH.

I understand there might be a hoorah of "OH GOSH" and "JOLLY NO GOOD SIRE". Rest assured, I WILL spank myself to sleep, for pleasure or for pain.

My quiz is this: Outside of (from my understanding, W7 no longer uses predictable, hardcoded memory locations for its kernel), what threat does this legitimately pose to the network, apart from any virus detection messages? Can the virus escape out of ... *transfer mode* ... into execution? And how?


Edited by hamluis, 24 September 2013 - 11:02 AM.
Moved from Win 7 to General Security - Hamluis.


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,669 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:40 AM

Posted 24 September 2013 - 09:08 AM

Hello jezzmo, and welcome to BleepingComputer.

I hope I understand you correctly: you zipped a user profile and sent it over the network to another computer. So far nothing's at risk (you could, for safety, password-protect the archive though). It depends on the malware, but typically ransomware will not load even during decompression, only if you (accidentally) execute the dropper file.

The tricky part is what you're going to do with the archived profile: do you want to extract files and save important files, or do you want to reintegrate the user profile? If the former is the case, then you should be fine (just be careful not to save malicious files); if the latter, then things are a bit more complicated, because besides locating and removing the malicious file(s) you also may need to manually load the ntuser.dat file in the registry and clean the user profile's registry.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft

 



#3 jezzmo

jezzmo
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:40 AM

Posted 24 September 2013 - 10:04 AM

OK, no, it was transferred *into a compressed folder*.

 

Ideally, my direction was to zip it first. That direction was not followed.

 

It was transferred over the network in the clear, which is why it set off the alarms, and then zipped and taken off. I can't defend this; it's not how I wanted it to be done, but I will take responsibility: I was distracted, overworked and vague. I did want it zipped before transfer. I did and still do not see it as a viable risk. This is something I would never hope for, but regardless, I don't know how it would load, short of an escape sequence during the move (and no, it hasn't).



#4 jezzmo

jezzmo
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:40 AM

Posted 24 September 2013 - 10:07 AM

Super thanks just for a response, Elise :)

 

This has less to do with job preservation and more to do with interest in how - latest methods that - a virus can enter execution mode.



#5 jezzmo

jezzmo
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:40 AM

Posted 24 September 2013 - 10:14 AM

Oh, and as for restoration: this user can get a few Word documents and maybe the odd Excel document back.

Their torrents, HTML and temp files can be rendered missing ;)



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,669 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:40 AM

Posted 24 September 2013 - 11:21 AM

this has less to do with job preservation and more to do with interest in how - latest methods that - a virus can enter execution mode.

By far the most common way to accomplish this is to double-click the file. :) Another way is to restore the user profile and leave the registry loading point(s), which will cause the baddie to be executed on startup, but that comes into play only when you want to recover the entire profile and not just some personal files.


regards, Elise


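An added example, not part of this thread or of any BleepingComputer tooling, of the offline check Elise describes in replies #2 and #6: mount the extracted profile's ntuser.dat under HKEY_USERS and list its per-user autostart values before deciding whether to restore the profile, without executing anything from it. The hive path and mount name are assumed placeholders; it needs an elevated PowerShell session on Windows.

```powershell
# Added example (not from the thread): review autostart entries in an offline ntuser.dat
# before restoring a quarantined profile. Nothing in the hive runs; it is only read.
$HivePath  = 'C:\Quarantine\profile\NTUSER.DAT'   # hypothetical path to the extracted hive
$MountName = 'QuarantinedUser'                    # temporary name under HKEY_USERS

# reg.exe load maps the hive file under HKU\<name>; requires an elevated session.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }

try {
    # Per-user loading points that a restored profile would honour at logon.
    $AutostartKeys = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows NT\CurrentVersion\Windows',   # Load / Run values
        'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell value
    )
    $Findings = foreach ($Sub in $AutostartKeys) {
        $Key = "Registry::HKEY_USERS\$MountName\$Sub"
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        foreach ($P in $Props.PSObject.Properties) {
            if ($P.Name -like 'PS*') { continue }   # skip the provider's own PS* metadata
            [pscustomobject]@{ Key = $Sub; Name = $P.Name; Value = $P.Value }
        }
    }

    # Values pointing into user-writable locations are typical of a dropper left in the profile.
    $Suspicious = $Findings | Where-Object {
        $_.Value -match '(?i)\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\'
    }

    "All per-user autostart values in the offline hive:"
    $Findings   | Format-Table -AutoSize
    "Entries worth reviewing (or removing) before restoring the profile:"
    $Suspicious | Format-Table -AutoSize
}
finally {
    # Always unload so the hive file is released; collect first so no handles linger.
    [gc]::Collect()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

Removing a flagged value with Remove-ItemProperty while the hive is mounted, and then unloading it, is the "clean the user profile's registry" step before the profile is reintegrated.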




