Warning to all those with windows based PC's.

Crabber85 · Post by **Crabber85** » Mon Jul 15, 2013 7:02 am

I've been doing some research for a family member who has an infected PC and it turns out the infection they have called a Blaster Worm is actively targeting PC's which are out of date to target a vulnerability in the OS's(operating system)HKCU:Run class since the update to plug the hole isn't present.Even if you have a good fire wall, anti-virus/malware program installed your still at risk for infection if your PC is not up-to-date because the out of date HKCU:Run registry acts as a back door allowing the Worm to gain access and slip by your firewall and other protection completely unnoticed.The Worm downloads itself as a fake anti-virus program and then hijacks your computer obfuscating(hiding) the run DLL libraries(this essentially hides all of your programs from you preventing you from running your anti-virus or anything else) , blocking safe mode during boot up, runs a fake scan which then reports that it has found several threats and that you need to pay or call the number listed to get the full version of the fake anti-virus to remove the threats which if you do either you just gave your identity over to the hacker along with all your money as you just granted them full access to your bank account or credit card.

Nnnnnnnn · Post by **Nnnnnnnn** » Mon Jul 15, 2013 10:23 am

My dad got this virus on him computer recently. It took quite a while but he was able to get it semi-fixed.

Crabber85 · Post by **Crabber85** » Tue Jul 16, 2013 12:17 am

@Dawson, there are at least three known variants of this worm floating around out there in the wild and the easiest one to clean up is the original Blaster Worm that was created back in 2003 as its a basic design and only has one goal which is to use your isp numbers to flood/spam a ddos(distributed denial of service)attack directed at the Microsoft update service website so this variant is easy enough to remove but the newest one is a bugger as it mimics a legit anti-virus program which self installs on your machine via the back door without you the user having done anything to initiate the attack ie: clicking on an infected message or link.With the new variant all the attacker needs to do is flood port 80 on your computer with arbitrary data which initiates a buffer overflow protocol sending the excess data to an unprotected port usually port 135 which then allows the worm to infect the machine by setting up a shell and an executable file which the computer will then execute or run without the users permission.This type of attack and infect is hard to detect without a good fire wall and even harder to stop without a good active scanning anti-virus/anti-malware program that scans ports as wells as your system.Usually an lsass.exe. HKEY registry will be written into the startup folder where the legit lsass file will never appear and into your BIOS registry so when the computer is booted up after the initial infection it will then run the exe file at start up which in most instances will completely cripple your system just after the boot up process has stopped.LSASS stands for local security access and is a legit file on your computer which will appear as C:WindowsSystem32lsass.exeThe fake lsass will appear as C:WindowsSystemlsass.exe, notice the missing 32 thats because this infection isn't mimicking the legit lsass entry above for several reasons one being that the virus isn't written specifically for windows 32bit it's just meant to target windows period.You'll get a pop up which looks like a legit anti-virus program as soon as you log in to your computer and it will then tell you all of your exe file extensions are corrupted due to infection so you wont be able to run anything which will prompt the fake anti-virus(worm) to run a fake scan which will report back that you have several infections and where they supposedly came from.With the nastier variants of this infection you'll get a data leak started which is basically where the worm is stealing what it thinks is critical information and then it will promptly tell you that your identity has been compromised and will then prompt you into paying for a one time scan and removal of the threats which if you do so will actually cause your machine to become infected further.I've seen these infections get so bad so quick from the worm reproducing every six seconds that no matter how many times a good anti-virus program tried to run and clean the machine there were always more copies of the infection popping up after the cleaning process was done.This usually happens as a result of a back door or root kit that was installed during the initial infection so that the virus/worm can keep re-infecting the same machine even if the update to fix the out of date HKCU:Run entry is installed.This is usually when a professional computer tech will tell you that your machine needs to be factory reset meaning the whole computer wiped clean and a new copy of the OS installed as the presence of a root kit means the machine will never be secure again even if the infection and reproduction process could be stopped.Because your dad could only get so far with the computer its still at risk for re-infection and should not be used for financial transactions of any kind.

Nnnnnnnn · Post by **Nnnnnnnn** » Tue Jul 16, 2013 2:18 am

The one he had was the one that looked like a legit anti-virus. He got the virus off, but he's still really wary of it now. Thanks for all the info.

MornaStar · Post by **MornaStar** » Tue Jul 16, 2013 3:49 am

It's alright!!! I have no more personal pictures, or special memories on my computer anymore!!! Both my computers and my phone dumped all my files into the non existing trash bin...Everything is already gone...so I'm about to trash everything and start over. Thanks for the warning though

NickB · Post by **NickB** » Tue Jul 16, 2013 3:51 am

lol my dad has cleaned this off several peoples computers already. (he's an IT guy)

Crabber85 · Post by **Crabber85** » Tue Jul 16, 2013 9:18 am

@NickB, I've got a couple of friends are tech guys they don't have degrees or anything but they do know their stuff and even they have had a tough time with this virus because of the way it works but if you know what your doing it can be dealt with your dad is a good guy fighting criminals kind of like the Dark Knight.lolThis virus was only supposed to be able to infect/effect computers still running windows98, XP or 2000 but somebody has done a re-design basically stripping the thing down to it's core and repacking it so that it works against windows7 and I've gotten word of at least one variant working on windows8 within the last six months which is bothering to me as this indicates some person or persons actively reverse engineering our service packages on current windows platforms and repacking old obsolete viruses to exploit the weakness discovered during the reverse engineering process.@MornaStar, it sounds like you have an obfuscater meant to hide then delete the data on your hard drive after the important stuff has been stolen.Obfuscation programs are viruses typically worms or trojans that are designed to actively steal data then delete everything on the infected machine including themselves which is an attempt to hide a digital fingerprint left by the author of the virus on the virus and anything the virus touches and when you get this type of infection detection and removal is often done by a program like Kypersky or Avast because a technician usually can manually do it unless they have hours of experience with the specific virus code to be able to work around it and basically access a back door allowing them to stop, detain and delete it.