Virus Trojan info/opinions sought.

I put this in IMHO instead of GQ, because I welcome opinions that I am being overly paranoid.

My virus scanner found an infected file. I know exactly when and where it came from and that has me spooked.
Last week an employee of an out of town company we are partnering with was working at my site.

He asked to use a computer to check his email. We are a small office, and no spare computers, so I set him up with a guest account on my laptop. XP Pro SP2, and it was NOT an admin account.

We finished a bit early on Friday, and he checked the web for a local mosque, and prayer times. Obviously he is Muslim.

Saturday my virus scanner (AVG) turned up the infected file. It is an Excel spreadsheet of prayer times (going by the name, I didn’t open it again). The IE history shows only one possible place, and date/time where it could have come from. I have it isolated, but available to anyone who has the means to reverse engineer it and figure out what it does.

According to the virus data sites this is a fairly recently discovered exploit, with dates on the descriptions only in the last couple of weeks. Apparently this Excel exploit was only used in a single highly targeted industrial espionage attempt. In that case the exploit ran a program that downloaded spy-ware.

I’m a little freaked because I can think of exactly one entity that might hack an Islamic information site and install spy-ware on the computers of persons looking for prayer times. Beyond normal hacking exploits, this entity probably has the means to swap IP packets between a server and the client.

Beyond the AVG, I've run AdAware and Spybot S&D, neither of which turned up anything beyond tracking cookies and the usual MRU list stuff.

I also did an XP system restore to a point a week and a half ago, before my Muslim colleague arrived.

So the IMHO part of this posting is:

Am I being overly paranoid?

Should I contact the Islamic information organization and let them know they have an issue?

The GQ part of this posting:

How much can I expect from the XP system restore function? I assume it will undo registry changes, and startup directory changes, thus disabling some malware that may have been installed.

What are good, free/cheap, tools to determine what, if anything, may be phoning home?

What are good sites to look for people who would enjoy reverse engineering a virus, and figuring out what exactly it does?

Unfortunately, by doing a System Restore, you may have deleted key information. You say you are a small office; are you part of a larger whole? If so, you should contact your corporate IT department and ask them as they should have policies and procedures for this.

I’m curious as to which one entity you are thinking of? An entity that can do packet swapping voodoo, but installs spyware that free applications can detect. :dubious:

This is a startup in the truest sense of the word. My salary represents well over 1/2 of the company payroll, and I ain’t the CEO. I am the IT department, such as it is… in the sense that I solve/fix all the computer problems for the other employee, and our president (who does not draw a salary as he is the principal investor).

1) Implicit in your curiosity is the implication that freeware is inferior to commercial software in detecting problems. I will counter with the supposition that freeware/shareware developers may well be less susceptible to financial and/or political pressure to ignore threats than commercial developers.

2) Freeware applications have been able to detect this for only the last two weeks or so. Apparently an independent hacker (in the traditional, good sense of that word) notified Microsoft of this issue some time back. Annoyed at the lack of response from MS, he offered it for sale on eBay. cite
Given that MS regularly offers security patches to fix known vulnerabilities, and they apparently (yes, assumption on my part) knew of this long ago, why would they choose to ignore it?

dons foil beanie and ducks

I would call them. If their Excel sheets are infecting other PCs it would be neighborly for them to know. BTW there are dozens of ways things can get infected. If the government was interested in tracking the receiver of the spreadsheet there are more direct and effective ways to track that (for the government) than messing with an Excel app that’s going to light up people’s virus scanners and get reported back to the source in short order.

I just read the article. This exploit just corrupts mem addresses. What’s the point of that for the govt.?

Sorry, but I didn’t mean any of that. You imply that there is some agency who would be interested in finding out certain things, and that they are capable of “Beyond normal hacking exploits, this entity probably has the means to swap IP packets between a server and the client.”. And yet this entity uses an Excel exploit that is detected readily. Shit, if I was a US taxpayer I’d expect much better from the NS[NO CARRIER>>>>>>>>>>>>>>>>>>>

Thank you for feeding my paranoia. <giggles> OK, but recall that this is the same administration that told us we were weeks away from Saddam producing a mushroom cloud over the United States… and that the truth wouldn’t come out. I think your expectations are inflated.

One thing that is really feeding my paranoia is that I’ve been pretty good about virus scanning, etc. for several years. In all that time, everything I’ve found has been related to pushing porn, or tracking cookies. This is the first thing I’ve ever found that doesn’t stink of a profit motive.

Seriously, I can’t see a way to make a buck off this, but given the current moron in the Oval Office’s world view, I can see a path to me ending up locked up forever with no charges, no trial, etc. Honestly, the current definition of an “enemy combatant” is at the whim of our idiot-in-chief and the sociopaths that tell him what to think this week.