What a cunning Trojan!
#1
Hi,

so I'm collecting ebooks for a while and although ePubs and PDFs are fool proof (so I thought), I came across one ebook a few weeks ago, that came in a normal folder (after I unRARed it), at least it looked like a normal folder. I double clicked the folder and there was another folder, so I double clicked that one as well and apparently it applied something to my system, because my mouse pointer was busy for a second or two and then a little window with an error message came up, saying something like: "Windows Update xxxxx has already been installed". I was annoyed about myself, falling for this stupid trick of a normal looking Windows folder, that upon double click installed something nasty.

After that I ran CCleaner, HijackThis, Adware Removal Tool, Malwarebytes, HitmanPro - but nothing obvious was found. I really don't like reinstalling Windows from scratch because of all the numerous adjustments and additional installations that have to be done, yes I can be very lazy. But only just today something strange happened as I received multiple emails: a confirmation email (with my real name!) of my registration with Western Union, two emails from Google, notifying me about sign-in attempts from a different system than usual .. and one email from Amazon:

[Image: Irz4usS.jpg]

[Image: xyGPmzZ.jpg]

Of course I've then changed passwords on all accounts.
Then I decided to run TDSSKiller by Kaspersky and oh surprise, it found "Chrome.exe" at users/my name/AppData/Local/ ... to be a dangerous threat. I then uploaded it to VirusTotal and got this:

[Image: GPS5N9j.jpg]

... and these were no false positives.
Imagine - this happened by opening a simple looking Windows folder icon.
Be careful, the world is so bad!
#2
Mistakes:
1) Using Windows
2) Downloading and extracting a rar file from a non trusted source
3) Assuming PDF doesn't have executable code
4) Clicking on unnecessary nested folders.
#3
Cov

Really respect you, food for thought: try using a VM machine to test files. I do it as I do not have to redo the whole system.
#4
@politux
@contrail

A VM is something I really should look into. Thanks both of you for your comments.

Edit: just found this method to check whether a system is affected by "Poweliks":
(I did notice indeed terrible lag while using Windows, occasionally)

[Image: QwpJJUL.jpg]
Source
#5
(Jan 13, 2018, 19:52 pm)politux Wrote: Mistakes:
1) Using Windows
2) Downloading and extracting a rar file from a non trusted source
3) Assuming PDF doesn't have executable code
4) Clicking on unnecessary nested folders.

+1
#6
Set your explorer to display known file extensions so if it's executable with folder icon you will know.
#7
(Jan 13, 2018, 19:52 pm)politux Wrote: Mistakes:
1) Using Windows
2) Downloading and extracting a rar file from a non trusted source
3) Assuming PDF doesn't have executable code
4) Clicking on unnecessary nested folders.

Windows is fine if you aren't a fool, and download and open things foolishly. Linux is no better in that regard. Linux users can still be foolish.

There is nothing wrong with .rar files. It's what may be in them that can be bad. Again, if you are foolish and don't pay attention. .rar files themselves are fine.

A PDF can have an .exe in it, but it's about a one in a million chance, and that's likely not what happened here, but it's possible.

Clicking on nested folders also isn't a problem. Many compressed files have nested folders. Many unnecessary ones at that.

The problem here it seems is that the OP clicked on some .exe inadvertently, though as I said, it could have been the PDF.

Also I would bet that it wasn't downloaded from TPB.

My point is that you, politux, are perpetuating many falsehoods for no reason. Except to make your favored OS, Linux, look good, which is totally disingenuous and evil.
#8
(Jan 14, 2018, 14:10 pm)Mr.Masami Wrote: Set your explorer to display known file extensions so if it's executable with folder icon you will know.

On Windows 7, here's how:
1. Click Start, click Control Panel.
2. Choose "View by: Small icons".
3. Click Folder Options.
4. There are 3 tabs: General, View, and Search. Choose the View tab.
5. Under Advanced Settings, click "Show hidden files, folders, and drives".
6. Also un-check "Hide extensions for known file types" and "Hide protected operating system files".
7. Click the OK button.
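The same three Folder Options settings live as DWORD values under the current user's Explorer\Advanced registry key, so they can be audited and applied from PowerShell instead of clicked through. This is an added example, not code from the thread; the function names are made up here, the registry path and value names are the ones Windows Explorer actually uses.

```powershell
# Added example: audit and fix the Explorer visibility settings that hide
# a trojan's .exe extension behind a folder icon. Path and value names are
# the real Explorer\Advanced values; function names are this example's own.
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Safe values: HideFileExt 0 = show extensions ("Hide extensions for known
# file types" unchecked), Hidden 1 = show hidden files, folders and drives,
# ShowSuperHidden 1 = show protected operating system files.
$Desired = [ordered]@{ HideFileExt = 0; Hidden = 1; ShowSuperHidden = 1 }

function Get-ExplorerVisibilityAudit {
    # Reports each setting's current value against the safe value.
    $current = Get-ItemProperty -Path $Advanced
    foreach ($name in $Desired.Keys) {
        $value = $current.$name
        [pscustomobject]@{
            Setting  = $name
            Current  = $value
            Expected = $Desired[$name]
            Ok       = ($value -eq $Desired[$name])
        }
    }
}

function Set-ExplorerVisibility {
    param([switch]$RestartExplorer)
    # Writes the safe value for every setting that is missing or wrong.
    foreach ($row in Get-ExplorerVisibilityAudit | Where-Object { -not $_.Ok }) {
        Set-ItemProperty -Path $Advanced -Name $row.Setting `
            -Value $row.Expected -Type DWord
        Write-Host "Set $($row.Setting) = $($row.Expected)"
    }
    # Explorer reads these values when it starts, so open windows keep the old
    # behaviour until Explorer is restarted or the user signs out and in.
    if ($RestartExplorer) {
        Stop-Process -Name explorer -Force
        Start-Sleep -Seconds 2
        if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
            Start-Process explorer.exe
        }
    }
}

Get-ExplorerVisibilityAudit | Format-Table -AutoSize
```

Run `Set-ExplorerVisibility -RestartExplorer` in the same session to apply the fix; the audit table afterwards should show Ok = True on all three rows.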
#9
Yeah great, now I got this email and my bank app doesn't work anymore.
I need to visit my bank first thing tomorrow morning.

[Image: UiKBBVu.jpg]

Have just written another email to Western Union to cancel the account, which some asshole registered on my behalf.
  • executiveresolutionsdept@westernunion.com
  • CustomerCare@westernunion.com
#10
Best to try using 2-factor authentication to further hinder his attempts.