System attacked with SAS installed

I bought SAS lifetime subscription a few weeks ago, installed it on my main system with Win XP SP3, security patches up to July 2010.

Last week I watched a Robin Hood video (.AVI) with WMP which (I believe) exploited a Cinepak MS vulnerability found sometime in August and patched by MS. It opened a webpage, I closed it at once, and I got infected.

SAS said nothing so I disregarded it, although I found it strange that a video could open a webpage... but then again, MS's shitty code keeps surprising me after 25 years of C coding.

The infection seemed to open my system to further viruses, so three days later, when I noticed my disk space was going away, I installed AVG to check my system and found several effects, all of an infection called Ramnit by malware experts:

- A trojan (C:\Program Files\Microsoft\desktoplayer.exe) masking itself as firefox.exe and using WinLogon/UserInit reg. key.

- A trojan in .exe/.dll files

- A VBS/Generic VBS script at the end of every .htm/.html file in my system calling svchost with a 100K binary-coded ASCII data stream... the trojan.

- An internet connection to some bastard in central Russia, 193.23.126/24

It took me 3 days to clear this infection from all my disks, using Recovery Console, several anti-malware programs and my own experience.

- Why, during the whole process, did SAS not detect anything? Real Time Protection was enabled the whole time.

- How can I help you detect such viruses better? I've got samples of the trojan corruption in some backed-up .EXE/.DLL/.HTML files.

Thank you
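The two indicators the post describes (a VBScript block appended after the end of every .htm/.html file, and an extra executable hooked into the Winlogon Userinit value) can be checked for offline from a rescue environment. The script below is an added example, not code from the poster or from SAS; the `<SCRIPT Language=VBScript>` marker spelling and the stock Userinit value `C:\WINDOWS\system32\userinit.exe,` are assumptions, and the sample files are constructed.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Assumption: the appended block opens with a <script ... language=vbscript> tag;
# the malware's exact casing/quoting is unknown, so match case-insensitively.
TRAILER_VBS = re.compile(rb"<script[^>]*language\s*=\s*['\"]?vbscript", re.IGNORECASE)
HTML_END = re.compile(rb"</html\s*>", re.IGNORECASE)

# Stock XP value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# (assumed; read it from the hive before trusting this list on another system).
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}


def find_appended_vbscript(data: bytes) -> Optional[dict]:
    """Report a VBScript block sitting after the document's last </html>.

    Returns {"offset": byte offset of the tag, "trailer_bytes": size of
    everything after </html>} or None when the trailer is clean.
    """
    ends = list(HTML_END.finditer(data))
    if not ends:
        return None
    trailer_start = ends[-1].end()
    m = TRAILER_VBS.search(data, trailer_start)
    if not m:
        return None
    return {"offset": m.start(), "trailer_bytes": len(data) - trailer_start}


def scan_tree(root: Path) -> List[Tuple[Path, int, int]]:
    """Walk root and list every .htm/.html with an appended VBScript trailer."""
    hits = []
    for path in root.rglob("*"):
        if path.suffix.lower() in (".htm", ".html") and path.is_file():
            r = find_appended_vbscript(path.read_bytes())
            if r:
                hits.append((path, r["offset"], r["trailer_bytes"]))
    return hits


def userinit_extra_entries(value: str) -> List[str]:
    """Entries in the comma-separated Userinit value beyond the stock userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in EXPECTED_USERINIT]


# Constructed samples: a clean page and the same page with a VBScript trailer.
CLEAN_HTML = b"<html><body><p>hello</p></body></html>\n"
INFECTED_HTML = CLEAN_HTML + b"<SCRIPT Language=VBScript><!--\nDropPath = \"svchost.exe\"\n" + b"41" * 2048 + b"\n--></SCRIPT>\n"
```

Run `scan_tree(Path("D:/"))` against a mounted copy of the infected volume; a large `trailer_bytes` on every hit matches the ~100K payload the post mentions.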
