Thread: Rootkit.Win32.TDSS.eyj

  1. #11
    louis_m Guest

    Default Re: Rootkit.Win32.TDSS.eyj

    The name of the file was: C:\Documents and Settings\...Temporary Internet files\Content.IE5\HN0G6G2R\8[1].exe
    If that helps.


  2. #12
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Rootkit.Win32.TDSS.eyj


    Louis_M wrote:
    > The name of the file was: C:\Documents and Settings\...Temporary Internet files\Content.IE5\HN0G6G2R\8[1].exe
    > If that helps.


    Sounds malicious.
    Okay - if the file was detected and held, then do not restore the file.
    Once it was caught by the security, the file could not execute and infect.
    Restoring the file will infect.

    It was a malicious file obtained through browsing on the web.
    Basically:
    -Often by a bad link pretending to be a site link but actually a file download.
    (watch what you click on for links)
    -Or it was a pretend or false setup to convince you to download the file because you needed some ActiveX or file in order to watch a video or use the site's features. But it is an executable file instead.
    (never download ActiveX from unknown sites - they often have EULAs attached and instead of the file being a kind .ocx file, it is a malware file such as an .exe or .dll. Nor should you have to install a toolbar or addon to use all of the site's features - such sites should be avoided).
    -Clicking on .swf and .wmv files to be viewed within the browser should first be checked out by looking at the file extension of the file BEFORE clicking the file link(s) - the file extensions are clearly seen in the URL for the video. (if the video ends with .exe instead of .swf or .wmv, then immediately remove the mouse from the link and DO NOT click it).
    -Be wary of double extension files - something like 'videoforyou.swf.exe' for example. Just as bad and lethal.
    -Using JavaScript on unsafe sites. JavaScript is an active script running within the browser which can be used to download and maybe even execute malware files. All without you knowing about it. (disable JavaScript for global web browsing and use JavaScript only on safe and very needed sites).
    -Iframes can be used in the HTML to either present the browser with malicious files or malicious links. (disable iframes for global browsing and only use them on safe and very needed sites).

    Maybe take a look at this thread for some better ideas:

    http://forum.zonelabs.org/zonelabs/b...essage.id=5419

    I wrote some quick posts to help explain things.
    Maybe this will help you too.
    Best regards,
    Oldsod.
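The "look at the extension in the URL before you click" rule from the post above can be turned into a small check. The following Python is an added example written for this page; it is not code from the thread, from ZoneAlarm, or from any product, and the example.test links it classifies are constructed here. It looks only at the path of the URL (a query string such as ?next=setup.exe does not rename the download), decodes %2E-style escapes first so that a hidden dot is still seen, and flags both a plain executable and the double-extension trick ('videoforyou.swf.exe') the post warns about.

```python
from urllib.parse import urlparse, unquote
import posixpath

# Extensions that identify a Windows program rather than a video or page.
# Illustrative list for this example; extend it for your own environment.
# An .ocx is native code too, so it is treated like a .dll here.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll",
                   ".msi", ".vbs", ".js", ".hta", ".cpl", ".ocx"}
# Extensions a "watch this video" or "read this" link should really end in.
MEDIA_EXTS = {".swf", ".wmv", ".avi", ".mp4", ".mpg", ".mpeg", ".flv", ".pdf",
              ".htm", ".html"}


def classify_link(url):
    """Classify a link by the file extension visible in its URL path.

    Returns (verdict, reason) where verdict is "block", "allow" or "unknown".
    Only the path is examined: a query string cannot rename the download,
    but a path that ends in .exe is a program whatever the link text says.
    """
    path = unquote(urlparse(url).path)           # decode %2E-style escapes first
    name = posixpath.basename(path).strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("unknown", "no file extension in the URL path: %r" % name)
    exts = ["." + p for p in parts[1:]]          # every extension, in order
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in MEDIA_EXTS:
            return ("block", "double extension %r: looks like media but ends in %s"
                    % (name, final))
        return ("block", "executable download %r" % name)
    if final in MEDIA_EXTS:
        return ("allow", "media/document extension %s" % final)
    return ("unknown", "unrecognised extension %s" % final)


if __name__ == "__main__":
    # Constructed sample links for this example (not from the original thread).
    for link in ("http://example.test/clips/videoforyou.swf",
                 "http://example.test/clips/videoforyou.swf.exe",
                 "http://example.test/download/8.exe",
                 "http://example.test/watch%2Eexe",
                 "http://example.test/play.wmv?next=setup.exe",
                 "http://example.test/watch"):
        print(link, "->", classify_link(link))
```

This is a first filter on what the user can see before clicking, not a substitute for scanning the download: a server can still answer a .swf URL with an executable (via the Content-Type and Content-Disposition headers), which is why the held file in this thread was caught by the scanner rather than by its URL.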

  3. #13
    louis_m Guest

    Default Re: Rootkit.Win32.TDSS.eyj

    WOW... Looks like lots of good information in your posts.
    I bookmarked it and plan on doing a lot of reading and making some changes.

    And I, like poster Findley from that thread want to thank you for your
    time, effort, and knowledge.


    Again, thank you for all your help!!
    I really appreciate it!!

  4. #14
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Rootkit.Win32.TDSS.eyj

    Thanks!
    These are the basic security practices suggested by many trained and educated security experts.
    I just imitate their teaching and try to follow the basic advice as a home user.
    They have many more basic ideals and best practices, some of which are not useful or practical for the home user as they are more suitable for the enterprise.
    Some of that extra advice from the experts is to be found in some of those links I provided in that thread.
    Best regards,
    Oldsod.

  5. #15
    riceorony Guest

    Default Re: Re:Beware of PDF - new Adobe on the way

    Naivemelody,

    This was the attack I was referring to in my previous post,

    http://forums.zonelabs.com/zonelabs/...d=55077#M55077

    about the rotating ads on some sites hijacking your browser to open a "blank" PDF file.

    I hope the fix is released soon.

    Otherwise I basically disabled javascript ever since it happened.

  6. #16
    riceorony Guest

    Default Re: Rootkit.Win32.TDSS.eyj

    Louis, this is a javascript exploit.

    It hit me too.

    Refer to this thread:
    http://forums.zonelabs.com/zonelabs/...d=55077#M55077

    It's been going on since mid-January. Even safe sites that use those revolving ad banners will be afflicted.

    Because JavaScript is enabled by default for Adobe, it affects everyone.

    Most (if not all) security suites so far have been able to block the exploit from loading. As you have seen, it basically tries to download other malware onto your computer (in the form of loggers).

    A patch will be released by Adobe this month.

  7. #17
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Rootkit.Win32.TDSS.eyj


    riceorony wrote:
    > Louis, this is a JavaScript exploit.
    >
    > It hit me too.
    >
    > Refer to this thread:
    > http://forums.zonelabs.com/zonelabs/...d=55077#M55077
    >
    > It's been going on since mid-January. Even safe sites that use those revolving ad banners will be afflicted.
    >
    > Because JavaScript is enabled by default for Adobe, it affects everyone.
    >
    > Most (if not all) security suites so far have been able to block the exploit from loading. As you have seen, it basically tries to download other malware onto your computer (in the form of loggers).
    >
    > A patch will be released by Adobe this month.


    Browsers such as Opera and Firefox have excellent controls for the plugin or application to be used by the browser - set the Adobe or the PDF reader to disabled or not to be used.
    Okay, this will prevent the browser from opening any online PDFs within itself using the reader; instead, just download the PDF, scan it first with the antivirus scanner, then open it with the PDF reader once it is safe.
    This is not the first time for PDF exploits (with JavaScript exploits or print or run exploits) to be carried through the browser. Happened several times before. Nothing new.

    Ads and banners carrying malware are nothing new either. One of the reasons why I block these from entering the computer in the first place. Got hit many years ago with a rogue ad that dropped a trojan and have been blocking this junk ever since.

    Hi riceorony!

    Best regards,
    Oldsod.
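The two posts above make the same point from different sides: the exploit riceorony describes rides on JavaScript inside a PDF, and oldsod's countermeasure is to download the PDF and check it before any reader opens it. As an added example for this page (not code from the thread, from Adobe, or from any antivirus product), the Python below does the quick triage a practitioner runs on a downloaded PDF before releasing it: it counts the name tokens that mark active content or automatic triggers (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile), resolves #xx hex escapes so that /Java#53cript is not missed, and inflates FlateDecode streams so that a dictionary hidden in a compressed object stream is seen too. The three PDFs it scans are constructed inline for the example; none is real malware.

```python
import re
import zlib

# PDF name tokens that mean the document carries active content or triggers.
SUSPICIOUS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def normalize_names(data):
    """Resolve #xx hex escapes so /Java#53cript reads as /JavaScript.

    Applied to the whole buffer, not only to name objects: good enough for
    indicator counting, not for parsing.
    """
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Return the inflated body of every stream that zlib can decode.

    Object streams (/ObjStm) with /FlateDecode hide dictionaries from a plain
    grep; inflating them exposes the names again. Streams using other filters
    (images, LZW, encryption) are simply skipped by this example.
    """
    bodies = []
    for m in _STREAM.finditer(data):
        d = zlib.decompressobj()           # tolerates the trailing newline
        try:
            bodies.append(d.decompress(m.group(1)) + d.flush())
        except zlib.error:
            continue
    return bodies


def scan_pdf_bytes(data):
    """Count suspicious name tokens in the raw file and in inflated streams."""
    counts = {}
    views = [normalize_names(data)]
    views += [normalize_names(body) for body in inflate_streams(data)]
    for view in views:
        for token in SUSPICIOUS:
            # Negative lookahead so /JS does not also match /JSomething.
            hits = re.findall(re.escape(token) + rb"(?![A-Za-z])", view)
            if hits:
                key = token.decode()
                counts[key] = counts.get(key, 0) + len(hits)
    return counts


def verdict(counts):
    """Hold the file for a closer look if it can run code; otherwise release."""
    if any(k in counts for k in ("/JavaScript", "/JS", "/Launch")):
        return "hold: active content"
    if counts:
        return "review: triggers without visible script"
    return "release"


# Constructed sample files for this example (not real malware, not the PDF
# discussed in the thread).
BENIGN_PDF = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

JS_PDF = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

_hidden = zlib.compress(b"3 0 << /S /Java#53cript /JS (app.alert(1)) >>")
HIDDEN_JS_PDF = (b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_hidden)).encode() + b" >>\nstream\n" + _hidden
    + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("open-action js", JS_PDF),
                       ("js hidden in objstm", HIDDEN_JS_PDF)):
        c = scan_pdf_bytes(pdf)
        print(label, c, "->", verdict(c))
```

/OpenAction and /AA on their own are common in harmless documents (forms, page-open bookmarks), which is why they only earn a "review" here; /JavaScript, /JS and /Launch are what turn a PDF into something that can act on its own. A grep of this kind is a triage step for deciding what gets opened, not a parser: encrypted documents, other stream filters, and incremental updates all need a real PDF parser or the antivirus scanner oldsod recommends.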
