The purpose of this post is to document details about the trojan downloader malware that found its way onto my machine and sucked up more than a day of my time. I will describe the specific symptoms that manifested upon its arrival in case someone else has the same problem and comes across this article on a keyword search. I will also share the preventative measures I now have in place to avoid a repeat situation. I don’t assume that readers will automatically make the changes I am presenting here but, like me, many people like to get multiple perspectives before implementing something new or making a change so, for them, I hope this information is useful.
The exact name of the trojan I dealt with is TrojanDownloader:Win32/BredOlab.AC. According to Microsoft’s Malware Protection Center (MMPC) it is “a trojan that downloads and executes arbitrary files from a remote host.” I suspect I picked it up in a forum for a third-party WordPress blog theme (they subsequently announced their site was compromised but did not disclose the specific malware involved). It was detected and removed by the anti-virus software I was running at the time, Windows Live OneCare. I thought I was done with it. Then I began encountering errors when opening email and was intermittently redirected when I used Chrome or Firefox. IE8 was ok. (I run Microsoft Outlook and Windows Vista on a Dell Inspiron laptop and keep versions current). Launching Outlook triggered the error: “Outlook could not create the work file. Check the temp environment variable.” I simply closed the dialog box and my email seemed to function fine.
ERROR: Outlook could not create the work file. Check the temp environment variable
I looked up the Outlook error on the web and found a solution in a Microsoft Answers forum. I implemented the suggested fix and it resolved the error. This involved a change in the Registry Editor so if you are not comfortable making this type of change, you may want to have someone else do it. As the forum poster cautions, “mistakes could cause serious problems that may require a reinstall of your operating system.” Here is a link to the forum. See the second comment box from the top: http://social.answers.microsoft.com/Forums/en/officeinstall/thread/3a46ca1f-9bcc-4336-b16f-c57d005255db.
The next morning my anti-virus software (again, OneCare at the time) detected another virus: TrojanSpy:Win32/Ursnif.FJ. I was not a happy camper. According to Microsoft’s Malware Protection Center, Win32/Ursnif is a family of trojans that steals sensitive information from an affected machine (source: MMPC) . Apparently, even though the original malware, TrojanDownloader:Win32/BredOlab.AC, was detected and removed the day before, it had enough time to spawn TrojanSpy:Win32/URsnif.FJ. While this too was automatically detected and removed by OneCare, I decided to make a change to my antivirus software since Microsoft Windows Live OneCare is coming to the end of its life cycle (see Windows Live™ OneCare® End of Sale Guidance Page).
Microsoft Security Essentials
The free Microsoft replacement solution for OneCare is Microsoft Security Essentials (MSE). According to Microsoft, MSE provides comprehensive anti-malware protection from threats including viruses, spyware, rootkits, Trojans, and other emerging threats in a single lightweight anti-malware solution. In concert with the ongoing improvements in internet security offered by Windows Vista®, the forthcoming Windows® 7, and Internet Explorer® 8, Microsoft believes that this no-cost service will offer the essential security that consumers need (source: Windows Live™ OneCare® End of Sale Guidance Page). Based on my positive experience with OneCare and positive feedback found in numerous online tech forums, I replaced OneCare with MSE.
“Spybot Search & Destroy” found lots of Spyware and 1 Trojan with MSE in Place
At this point, I decided to do a little more research on TrojanSpy:Win32/Ursnif.FJ before moving on from this issue and found the following details on the MMPC website:
This threat is classified as a Trojan – Data Theft. A data theft trojan gathers personal data, often of a financial nature, from affected systems. Collected data may include credit card numbers, tax returns, login credentials or any other information deemed to be of interest to the attacker. The collected data is then surreptitiously sent to the remote attacker via a variety of electronic means. This threat is detected by the Microsoft antivirus engine. Technical details are not currently available (Source: MMPC).
Needless to say, that got me more than a little concerned and motivated me to install SpyBot Search and Destroy as a secondary filter against malware. With MSE installed as the real-time/resident anti-malware solution, I only wanted to use Spybot S&D as a scanner. So, I disabled its Teatimer function (real-time process).
There are numerous credible forums out there that explain how to do that. Here is a link to one of them: http://forums.techarena.in/networking-security/1321759.htm.
Once Spybot S&D was installed with Teatimer disabled, I ran it and it found 15 undesirable items on my machine: 14 potentially malicious cookies and 1 trojan (virtumonde.prx). I was surprised and disappointed since I had just completed a “full scan” of my hard drive with MSE. After having Spybot S&D remove the malware, I immediately decided to find a subscription-based, full suite solution for my primary/resident anti-malware protection. My thought was, when it comes to my time and identity data, and potentially my money, the risks are too high to not go with the most protection available.
AVAST Error at First Detection of Malware
I did a fair amount of research comparing anti-malware software solutions and found that numerous tech forums as well as the CNET website had very good things to say about Avast. So I purchased a two-year subscription. In hindsight, I probably should have gone with the 30-day free trial but I wanted to get my anti-malware situation settled and move on. Within about a week, I had the displeasure of encountering my next piece of malignant malware: Win32:Hilot(trj).
The good news is, Avast detected the malicious code. The bad news is, instead of automatically moving it to the virus chest (isolation location) as it was configured to do, it got stuck on the following error: “Error: virus chest server is not running. RPC communications failed (2147422219).” After numerous unsuccessful attempts to manually transfer the malware to the virus chest, I was able to simply delete it. I know this was a bit risky but I did not want to reboot the machine without knowing this file was contained or deleted. In Avast’s defense, their software detected the threat and enabled me to eliminate it. Nevertheless, I was disappointed with the virus chest function failure since the package was so new and installed flawlessly just a couple of weeks before. Before deleting the malware, I was able to determine that the trojan had buried itself in a .DLL file (c:users”owner”AppDatalocalecoyeguwi.dll_old).
Rather than call, I decided to send Avast an email about the virus chest function failure because I like to have details like this in documented form and because the threat was already deleted, so there was no rush. But I definitely wanted to know why the failure occurred and how to avoid it in the future. On a positive note, Avast got back to me quickly and they were very professional and thorough in their email description on how to avoid it in the future. They said I needed to remove their software with a special removal tool available on their website and reinstall it in safe mode. While the process did not go exactly as they described regarding the removal tool, I successfully navigated the process.
On a not-so-positive note, they never explained or theorized why the virus chest function failed. I asked that question very specifically in a subsequent email which got a reply but, again, no specific answer to my question. At this point, I decided I would simply keep a close eye on how Avast’s software performs with future encounters with malware. For now the bottom line is, their software detected the infection and enabled me to delete it with no damage to my system. That’s the important thing.
Malware Infection Prevention
Here are some recommendations to help prevent infections on your system. You are probably familiar with most of them because they’re pretty standard. Consider this a refresher.
- Firewall – Make sure you have a firewall enabled. If you are running XP (Windows operating system), I suggest you consider a third-party “two-way” firewall. That is, one that monitors both inbound and outbound traffic. Vista and Windows 7 include two-way firewalls.
- OS Updates– Make sure you keep your operating system updates current. I used to hold off on new software updates of all kinds because I wanted to let others handle the beta phase (debugging). I didn’t want to have to deal with buggy code. Today, with the state of malware across the internet, the risk of encountering a software bug compared to being vulnerable to a malicious virus that can steal your time, money and identity, is no contest for me. Besides, software development has come a long way. Most updates from credible companies are pretty solid. It has evolved into on ongoing race between the good guys and the bad guys – the anti-malware developers against the malware manufacturers. My money (and hope and faith) is on the good guys but we have to do our part: install updates as soon as possible after they are released to stay one step ahead of the bad guys.
- Browser Updates – Make sure your browser(s) is running the current version with appropriate updates. While Internet Explorer updates are handled by Microsoft’s “Windows Update” service, Firefox, Chrome, Safari, and Opera and other non-Microsoft browsers need to be updated separately if you use them. Just like operating system updates, browsers occasionally require security updates/patches. If you don’t install them. Your system is vulnerable.
- Anti-malware Software Updates – Some people still refer to this as antivirus software. Updates usually happen automatically if you are using a properly licensed copy but it’s a good idea to periodically check and verify you are current.
- Secondary Anti-malware Solution/Scanner – In addition to the primary/resident anti-malware software that monitors your system in real time, it is prudent to employ a second and even third anti-malware software solution. But these secondary products need to be configured to run as manual scanners and should be pre-screened for compatibility with your primary product. For this, I recommend considering Spybot S&D (with Teatimer disabled as mentioned above). Lavasoft’s Ad-Aware is also worth a look because it is compatible (when used as a scanner) with Avast and MSE when either one is used as a primary/resident solution.
- Don’t click on email attachments from unknown sources.
- Don’t download questionable/pirated software.
- Don’t click on links on questionable websites (in a future post I will provide details about some great online tools that identify sites that have a track record of questionable tactics or low credibility).
- Do use strong passwords.
- Do use caution when providing personal information online, including social networks like Facebook and MySpace.
- Do backup your data regularly. If malware finds its way onto your system and irreparably corrupts your data, a backup copy will be your only recourse.
The Enemy Within
If you would like to read an excellent, eye-opening article on the topic of malware, I recommend “The Enemy Within” by Mark Bowden. He covers an amazing amount of interesting detail regarding the Conficker worm/virus. It may motivate you to tighten your computer’s defenses against the malware threat.
Recommended Resource for Malware Protection
Finally, if you don’t already use it, I highly recommend that you check out the Microsoft Malware Protection Center (MMPC). It’s an awesome “free” online resource for malware information and protection. That is why I referenced it throughout this post. In my opinion, it’s the best “first stop” you can make when investigating a malware/virus issue. Their malware encyclopedia is incredible. It provides a quick, free way to obtain clear, thorough, reliable information about most any piece of malware out there – from severity threat level to how to get rid of it.
What Is Spyware & How to Remove it? – Complete Guide In this guide, Bill Mann explains what spyware is, why its dangerous, and how to protect yourself from it. He includes a list of the best spyware detection and removal tools to ensure your safety online. It’s an excellent article. I highly recommend it.