March 8th, 2005
A festival of malware in pcsurg.rar
I had the misfortune of experiencing this first-hand the other day: 3 ISTbar reg keys/values, 4 from media-motor.net (popuppers.com) which targets internet trusted zones (info from AdAware), & the exe from which all this sprang, rraut.exe (associated with "blue"-something in the registry), & a .txt file composed of numbers.
Yes, I did click on it. I was lulled into a false sense of security by Limewire dl warnings in the past, & NAV warning about/deleting W32Tibick. Later, it found and quarantined 2 "bloodhound unknown" suspects, deleted DealHelper & NetOptimizer, and failed to delete ISTbar(s), mmxsitessc.exe, and gammainstaller.exe.exe.
12 hours later, 2 Norton Antivirus, AdAware, X Clean, Spyhunter, SpySubtract scans (not to mention finding & manually writing over them with Norton “wipe info”)! I did another AdAware scan, and found 9 reg keys/values for DyFuCA and about 40 for Backweb lite! Rraut.exe planted itself in my startup group, & gives a reg value, but it’s neither findable in the registry, nor on the C drive! If this had been one of my early experiences with file sharing, I would never have gone near it again. Not only would I have been chicken, but I wouldn’t have known enough to have used the arsenal of tools I did to even remove as much as I have! My computer would have been as frozen as the wretched NYC outdoors is today, all the malware trying to phone home at once!
On one of the googled sites, I saw a reference to an article, which may explain the viciousness & amount of malware in one small download:
“PC World has learned that some Windows Media files on peer-to-peer networks such as Kazaa contain code that can spawn a string of pop-up ads and install adware. They look just like regular songs or short videos in Windows Media format, but launch ads instead of media clips.” The rest of the article can be found at: http://www.pcworld.com/news/article/0,aid,119016,00.asp
Although mine was a .rar which decompressed into an exe, I’m sure that it would be no great stretch to code.
If there is anything to be learned from this (aside from the obvious), it’s
1) virus-hunting programs like NAV aren’t especially made for malware, so it’s possible that some might slide on through into your computer.
2) Adaware doesn’t keep vigil like virus-monitoring programs do. You actually have to set the scan in motion.
3) NEVER just hit “accept” when AdWatch mentions a program is trying to access the registry! True, if you click on the link for more details, it just sends you to the Lavasoft page where they tell you to be careful (the link isn’t specific for each instance). The popup AdWatch box is kind of small and cuts off the end of long entries, so you don’t really have all the info. And most of the time, the change was instigated by an action on your part. But, when in doubt, CHOOSE BLOCK!
I will never get back the time spent exorcising all this trash, but what might make me feel a little better about this is if someone reads it and avoids the same fate. I probably would get absolutely wickedly cheerful if presented with the writer of this rarbomb, trussed up on a spit (hint… ; ) ). Be careful!