I think I'm being attacked

LOL…here we go. :doh:

I was trolling through some German websites and blogs trying to find out a bit about cycle racing for old dudes here in Germany…when suddenly my Windows Security went crazy and announced viruses everywhere…and a pop-up insisting that I download an updater package update107_2194.exe :eek:

I immediately thought, this looks like a classic drive-by attack (or, before Draggles puns in, a “bike by attack”)…and bingo - within a couple of seconds my Avira sounded the alarm. I found the possibly offending beast in my Downloads Folder…scanned it with Malwarebytes…no infection (curious…it's supposed to be hot!), tried with my Spybot…but NO reaction <-- that's one hell of a warning sign I decided, so let my Avira loose.
Within a few seconds, the .exe was gone…found it in Avira quarantine :clap:

BRB with a screen shot…it's quite amazing

Oh…and what made the weirdness even weirder…exactly in the middle of this, Microsoft pointed its Tuesday updates at me…the little yellow shield appeared with the message that updates are now ready to be downloaded!!!

I haven't clicked that one yet!

LOL

Get those screenshots up sir as i am curious.

BTW, to me this sounds like the A-typical Scareware BS.

Here are the screenshots…notice the first one looks like the “My Computer” info area…but is in fact a website
The second just confirms that letting Avira deal with it looks like it's gone, done for…but I'll be running more scans in a mo

Yep, this looks like Scareware.

I’m kind of surprised that Malwarebytes hasn’t picked it up. You may have to run a process killer app to close down this scareware first for MBytes to pick it up.

I'll do that.

Just updating all my security stuff first…then I'll reboot and scan again, then run the Cleaner.

(hope I can get this done before Michael shows up on the forum and bitch-slaps me for running my lappy under admin while online :doh: )

:stuck_out_tongue:

To me it looks like it did little other than deliver the infected download, which your virus checker picked up. It does not appear that anything executed. Assuming you didn’t try running or opening that download and the website malware did not manage to compromise the browser or a running process, this would explain why Malwarebytes and Spybot didn’t pick up anything, since the infection needs to run for it to have effect.

The screenshot sure enough just looks like an image to fill the browser window, probably a huge animated GIF.

Wow, good thing your Avira got that. But it would be best to check again though, it’s best to be sure. :wink:

[QUOTE=deanimator;2544435]
Just updating all my security stuff first…then I'll reboot and scan again, then run the Cleaner.

(hope I can get this done before Michael shows up on the forum and bitch-slaps me for running my lappy under admin while online :doh: )
[/QUOTE]
You called? :bigsmile:
[B]SLAP[/B]

Check your system with a couple of live CDs in order to find what your security placebos on your compromised system were not able to find.

Then be prepared to reinstall your system.

Michael

All systems are go today…overnight full scan by Avira didn't find anything else…the exe is still in quarantine for now.

@Seán: yeah, what you said makes sense…it delivered the file but nothing was activated. The thing was animated, probably a gif as you suggested…but what kept me from going with it was the update packet included its source address which identified it as coming from the Czech Republic! (hard to see, but there in the screenshot). I thought, since when do MS security updates come from there??? Then I looked at the top of the screen and saw that I was on a completely different site than I thought I had just clicked to…also Czech Republic. Naturally I didn't try to run or install it. Avira did its job very well…hats off to them!

What was most “impressive” about this attack was the way it was able to totally emulate how my “My Computer” looks when opened. Was this sheer luck? Or was it able to see what skin I use, that I have just a “C drive” and no “D drive” etc???

@ Mciahel: Not sure what a “live CD” is…? :confused:

Which site was it, Dean??

[QUOTE=deanimator;2544553]
@ Mciahel: Not sure what a “live CD” is…? :confused:[/QUOTE]
http://club.myce.com/f34/i-am-locked-out-all-my-files-314919/#post2538529

Michael

[QUOTE=mciahel;2544578]http://club.myce.com/f34/i-am-locked-out-all-my-files-314919/#post2538529

Michael[/QUOTE]
[QUOTE=chef;2544570]http://en.wikipedia.org/wiki/Live_CD

Which site was it, Dean??[/QUOTE]

Not sure which one was the culprit…but if you can read the google window top right in my screen shot you can see I was searching for previous results of a race I want to take part in. I had opened a bunch of links in parallel, and I think it was the last one which hijacked me to another web address which gave me the screen you can see in the screenshot.

@chef & Mciahel: thanks for the links…I'll check them out

Since I have Avira I’m downloading the latest Avira AntiVir Rescue System & I will burn it to a CD-RW or a DVD-RW.
Thanks mciahel. Even if I do believe AVs & antimalware are placebos.
I need to see if Malwarebytes has a similar download.

A colleague has just alerted me: the website host is NOT the Czech Republic (sorry Czech dudes), but a hacker group known as "Computer Chaos Club".
Look closely at the address…it ends with [B].co.cc[/B]
:cop:

So the ccc dudes nowadays try to interfere with innocent surfers??

First time I heard of such things about ccc…

Thanks Chef…I hadn't tried to verify my colleague's comments (he seemed very sure) so I've just done a google for more info now. It is probably nothing to do with the CCC. Here is Wiki:

.cc is the Internet country code top-level domain (ccTLD) for Cocos (Keeling) Islands, an Australian territory. It is administered by VeriSign through a subsidiary company eNIC, which promotes it for international registration as “the next .com”; .cc was originally assigned October 1997 to eNIC Corporation of Seattle WA by the IANA. The Turkish Republic of Northern Cyprus also uses the .cc domain, along with .nc.tr…
…Note: “co.cc” is not an official hierarchy; it is a domain (www.co.cc) owned by a company who offers free subdomain redirection services.

So…
Hmmm
Who dunnit???
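The confusion in this thread (".cc" read as the Czech Republic, "co.cc" read as the Chaos Computer Club) comes down to reading a hostname from the wrong end. This is an added example, not code from anyone in the thread: it takes a URL, says which country code the TLD actually belongs to, and flags when the name is just a throw-away subdomain under a free redirect parent such as co.cc. The hostname `windows-security-center.co.cc` and the lookup tables are constructed for the example; only the filename update107_2194.exe comes from the thread.

```python
from urllib.parse import urlparse

# Constructed lookup of the ccTLDs that matter here: .cc belongs to the
# Cocos (Keeling) Islands, not the Czech Republic, whose code is .cz.
CCTLD_OWNER = {
    "cc": "Cocos (Keeling) Islands",
    "cz": "Czech Republic",
    "de": "Germany",
}

# Constructed set of free subdomain-redirect parents. co.cc is the one from the
# thread; anyone could register a name under it, so the parent says nothing
# about who runs a site.
FREE_SUBDOMAIN_PARENTS = {"co.cc"}


def classify_url(url):
    """Describe where a URL's host really sits and whether it looks throw-away."""
    if "://" not in url:
        url = "http://" + url  # urlparse only finds the host when a scheme is present
    parsed = urlparse(url)
    host = parsed.hostname
    if not host:
        raise ValueError("no host in URL: %r" % url)
    labels = host.lower().rstrip(".").split(".")
    tld = labels[-1]
    parent = ".".join(labels[-2:])
    on_free_service = parent in FREE_SUBDOMAIN_PARENTS and len(labels) >= 3
    return {
        "host": host,
        "tld": tld,
        "tld_owner": CCTLD_OWNER.get(tld, "not a country code in this table"),
        # The name the site operator actually controls: one label above the parent
        # on a free service, otherwise the parent itself.
        "registered_name": ".".join(labels[-3:]) if on_free_service else parent,
        "free_subdomain_service": parent if on_free_service else None,
        "serves_executable": parsed.path.lower().endswith(".exe"),
    }


def explain(url):
    """One-line human summary of classify_url(), for reading a suspicious link."""
    info = classify_url(url)
    notes = ["%s: TLD .%s belongs to %s" % (info["host"], info["tld"], info["tld_owner"])]
    if info["free_subdomain_service"]:
        notes.append("free subdomain under %s, anyone can register one" % info["free_subdomain_service"])
    if info["serves_executable"]:
        notes.append("URL points straight at an .exe download")
    return "; ".join(notes)


if __name__ == "__main__":
    print(explain("http://windows-security-center.co.cc/update107_2194.exe"))
    print(explain("https://www.example.cz/"))
```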

Maybe some scridders (script kiddies) with too much time, nonsense in their mind and nothing to lose, so it seems so far. :smiley:

I would be worried if it had anything to do with the c³. :wink:

I know everyone hates Norton but I haven’t got a virus or spyware in years. Norton instantly tells me when a site is compromised and I can tell you that I search the whole world. Just my 2 cents worth. I also run CCleaner and AdvancedSystemCare and use Firefox exclusively.

[QUOTE=Zathros;2546395]I know everyone hates Norton but I haven’t got a virus or spy-ware in years. [/QUOTE]You just had luck, so don’t feel safe. :smiley:

Michael