
Firefox malware

Just got malware from https://www.ihateryanair.org 'privacy.exe' using Firefox.

I loaded the site again using a Fiddler HTTP trace and found a hit to http://gsdfgsg.coom.in/showthread.php?t=64271947 which is 404 for me now, but I suspect they might cache my IP and only send the malware once.

Not sure what the source of that is, as there was no call to it in plain text, but there are some obfuscated 'polldaddy' and 'addtoany.com' JavaScripts and also an .swf at poll.fm.

Any ideas what attack vector this malware uses to infect through Firefox? The privacy.exe downloaded to C:\Users\%username%\AppData\Roaming which is a low-privilege area, but still annoying.


PS. When I reloaded the ihateryanair.org site again the gsdfgsg.coom.in hit was gone... Just shows how fast this stuff moves.

Comments

  • free4440273
    free4440273 Posts: 38,438 Forumite
    Just out of interest, what anti-virus/anti-malware software do/did you have installed?
    BLOODBATH IN THE EVENING THEN? :shocked: OR PERHAPS THE AFTERNOON? OR THE MORNING? OH, FORGET THIS MALARKEY!

    THE KILLERS :cool:

    THE PUNISHER :dance: MATURE CHEDDAR ADDICT:cool:
  • aerostar
    aerostar Posts: 1,738 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    Your malware was probably served from an advert on the site, the site probably did not host it.

    Booby trapped adverts are quite often there one minute, gone the next as adverts are sent randomly. If you want to be even safer, run your web browser in a sandbox. eg sandboxie, that way if anything arrives it cannot get into your system, you just empty the sandbox and all is gone, even if it did run you would not have a problem.
  • marsbar989
    How did you recover?

    I too visited this site today around 1pm and got hit.

    The result is that all my folders and files are marked as hidden. My start menu consists of nothing, and half my icons on my desktop are gone.

    I've shut down and restarted in safe mode.
    And currently left the PC as such overnight to decide what to do.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    marsbar989 wrote: »
    The result is that all my folders and files are marked as hidden. My start menu consists of nothing, and half my icons on my desktop are gone.


    Unhide.exe - An introduction as to what this program does

    Removal instructions for Privacy Protection

    Remove Privacy Protection (Uninstall Guide)
  • thelawnet
    thelawnet Posts: 2,584 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    marsbar989 wrote: »
    How did you recover?

    I too visited this site today around 1pm and got hit.

    Timestamp is 1:02pm
    The result is that all my folders and files are marked as hidden. My start menu consists of nothing, and half my icons on my desktop are gone.

    I've shut down and restarted in safe mode.
    And currently left the PC as such overnight to decide what to do.

    I just right clicked on the taskbar, showed task manager, looked for a dodgy looking process and there was privacy.exe. I think it tried to shut down my task manager but I just fired it up again and killed it again.

    It didn't exactly make itself inconspicuous.

    It downloaded to C:\Users\%username%\AppData\Roaming so I just deleted it from there.

    Info here: http://remove-malwares.blogspot.com/2011/11/privacyexe-virus-process-of-privacy.html

    I'm not quite clear as to the attack vector they use to infect Firefox, I thought it was supposed to be safer than IE.
  • mart44
    mart44 Posts: 219 Forumite
    Part of the Furniture 100 Posts
    Just out of interest, what anti-virus/anti-malware software do/did you have installed?
    I would be interested to know that too.
    Error! - Keyboard not attached. Press any key to continue.
  • Gillor
    Gillor Posts: 803 Forumite
    Part of the Furniture 500 Posts Photogenic Name Dropper
    Avast Free a/v blocks it but I suppose by now they all do.
  • marsbar989
    Downloaded a malware proggy and it reported wmprwise.exe installed.

    Removed this and, as in safe mode, backed up some files.
    Seems some files are bad, in the sense that I cannot copy them. Access is denied even as administrator on the PC.
    Unhid all of \programs and \my docs,
    but \programs still appears as if they are hidden. I can see the contents of the directories though.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    marsbar989 wrote: »
    Downloaded a malware proggy and it reported wmprwise.exe installed.

    http://www.threatexpert.com/report.aspx?md5=f6d1cc95f023b9d788eaa4cd8737561d

    Do an online scan to confirm whether or not you are infected with Ramnit. Don't rely on your installed AV as it may be infected itself.

    http://www.eset.co.uk/Antivirus-Utilities/Online-Scanner
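An added example, not posted by anyone in this thread and not part of the Unhide.exe tool waddler_8 links to: a PowerShell triage script that covers the two clean-up steps the posters describe by hand. thelawnet found privacy.exe running from C:\Users\%username%\AppData\Roaming and killed it from Task Manager; marsbar989 found user folders set to Hidden and had to unhide them. The script reports both symptoms for the current profile and only clears the Hidden bit when run with -Unhide, so the report can be reviewed first. The folder list, the decision to skip System-flagged items, and the -Unhide switch are assumptions of this example, not anything stated in the thread.

```powershell
<#
  Added example (not from the thread): report, and optionally reverse, the
  symptoms of a fake-AV infection like privacy.exe as described by the posters.
  Run from an elevated PowerShell prompt. Review the report before using -Unhide.
#>
param(
    [string]$UserProfile = $env:USERPROFILE,   # assumption: inspect the current user's profile
    [switch]$Unhide                             # clear the Hidden attribute on the items found
)

$appData = Join-Path $UserProfile 'AppData\Roaming'

# 1. Processes whose executable lives directly under Roaming AppData. Installed
#    software is rarely launched from there; the thread's privacy.exe was.
Write-Host "== Processes running from $appData =="
Get-Process | Where-Object {
    $_.Path -and $_.Path.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
} | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 2. Executables recently dropped into Roaming AppData (thelawnet deleted the
#    dropped file from this folder). Seven days is an assumed window.
Write-Host "== .exe files created under $appData in the last 7 days =="
Get-ChildItem -Path $appData -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, CreationTime, Length | Format-Table -AutoSize

# 3. Files and folders marked Hidden under the user's data folders. Items that
#    also carry the System attribute (desktop.ini, NTUSER.DAT, AppData itself)
#    are hidden by Windows on purpose and are left alone.
$hiddenFlag = [IO.FileAttributes]::Hidden
$systemFlag = [IO.FileAttributes]::System
$roots = 'Desktop', 'Documents', 'Pictures', 'Downloads' |
    ForEach-Object { Join-Path $UserProfile $_ } |
    Where-Object { Test-Path $_ }

$hidden = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band $hiddenFlag) -and -not ($_.Attributes -band $systemFlag)
        }
}
$hidden = @($hidden)
Write-Host ("== {0} hidden item(s) under user data folders ==" -f $hidden.Count)
$hidden | Select-Object FullName, Attributes | Format-Table -AutoSize

if ($Unhide) {
    foreach ($item in $hidden) {
        # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
        $item.Attributes = [IO.FileAttributes]($item.Attributes -band (-bnot [int]$hiddenFlag))
    }
    Write-Host "Cleared Hidden on $($hidden.Count) item(s)."
}
```

Run it once without -Unhide and read the three sections: a process or fresh .exe under Roaming AppData is the first thing to kill and quarantine, and the hidden-item count tells you how much the malware touched. Clearing attributes restores visibility only; it does not remove the infection, which is why waddler_8's advice to confirm with an online scanner rather than the possibly compromised installed AV still applies.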
This discussion has been closed.