From a friend of mine (includes a fix):
This is not a ruse, I'm absolutely 100% certain of WHAT infected me and WHERE it came from.
MegaUpload just infected me due to one of their random pop-ups!
I just got infected on my backup machine. My main machine was already protected, but the second one I don't surf with much, and it doesn't have the same levels of protection.
What happened: I hit several sites over the course of an hour, and something happened... something was working just slightly differently than before. I quickly looked inside of the c:\windows\system32 directory (sorted by date, reverse order) and lo and behold there was a damned new DLL from just minutes earlier. AVG didn't catch it.
I immediately disabled the network connection, then started to see what had gone on. Based on the Firefox history (you have to sort by LAST VISITED to see it in true time order) and what was in the Firefox cache, it could ONLY have come from a download I'd done at MegaUpload. First I got a Shockwave Flash file, then seconds later the infected DLL came in. Double checking the cache again, the only SWF file (other than all of the crap from MegaUpload itself) came from x-playing.com/spl.swf. After I'd already torched the rootkit and cleaned everything up, I downloaded a fresh copy of that file direct from x-playing.com. It exactly matches the Shockwave file in my cache that hit me seconds before the virus did, so that certainly was the trojan downloader.
Jotti's malware scan doesn't see anything wrong with the SWF file, but that's just because I'm the first one to track it down and report it. I'll be submitting a full virus report to any of the vendors that will accept it. Jotti DOES recognize the trojan (Vundo.H and a bunch of other names), and the trojan pulled the standard trick of making multiple copies of itself with different names and changing the file contents so a CRC check fails.
Eventually, all of the vendors will catch this piece of shit AND its SWF loader, but IN THE MEANTIME, if you EVER use MegaUpload for downloading, DO THE FOLLOWING:
There's a Windows file just called 'hosts' (no extension) that you can use to utterly block access to any domain. It's located in either:
C:\Windows\system32\drivers\etc\hosts
or
C:\Winnt\system32\drivers\etc\hosts
Open it up with Wordpad or another pure text editor. You'll see something that begins like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Immediately after that last line, add this:
Make sure there are 2 or more spaces between the 127.0.0.1 and the domain you want to block (x-playing.com in this case).
What did I just do? HOSTS is an old file that tells Windows where certain host names are located in the Internet. When Windows goes to resolve a host/domain name, it first checks to see if it already knows about it in the HOSTS file. If it does, it goes to the associated address. 127.0.0.1 is called a LOOPBACK address... it means "don't go anywhere".
I already had that line included in the HOSTS file on my main machine, 'cos I hate the stinkin' pop-ups that some of the cheezy file sharing services use. I block the content for every damned one I come across. If you want the same level of CRAP PROTECTION, add ALL of these to your HOSTS file:
127.0.0.1 syndication.exoclick.com
127.0.0.1 www.adtology3.com
127.0.0.1 pagead2.googlesyndication.com
127.0.0.1 landing.etology.com
127.0.0.1 adultfriendfinder.com
127.0.0.1 passion.com
127.0.0.1 www.google-analytics.com
127.0.0.1 www.sponsorads.de
127.0.0.1 login.tracking101.com
127.0.0.1 www.cams.com
127.0.0.1 www.megavideo.com
127.0.0.1 www.sexmission.us
127.0.0.1 iscoolmovies.com
127.0.0.1 bin-layer.de
127.0.0.1 www.usenext.de
127.0.0.1 www.flirt-fever.de
127.0.0.1 www.myfreecams.com
127.0.0.1 adson.awempire.com
127.0.0.1 www.sedoparking.com
127.0.0.1 www.livejasmin.com
127.0.0.1 getmyvideonow.com
127.0.0.1 www.besthqmovies.com
127.0.0.1 cams.com
127.0.0.1 www.mit-iqexam.com
127.0.0.1 us.myfuntext.com
127.0.0.1 www.free-hd-divx.com
127.0.0.1 www.fulltiltpoker.com
127.0.0.1 x-playing.com
127.0.0.1 www.marketgid.com
127.0.0.1 www.desktopsmiley.com
127.0.0.1 showing.com
EDIT: here's a couple of other ad sites that hit within seconds of the one that downloaded the SWF loader. Add these into your HOSTS file as well, as they may be involved in the infection:
127.0.0.1 s.megaclick.com
127.0.0.1 magistrare.com
You can add as many as you want, but when you get over about a thousand entries, Windows *might* slow down a little. If you get over ten thousand entries, ALL accesses to the Internet will slow down. Keep it short, and only block the really crap sites with the HOSTS file.
Lemme know if you have trouble. Oh, and ONLY open the HOSTS file with Notepad, Wordpad or another file that WILL NOT ADD any strange document formatting. MS Word frequently tries to be 'helpful' and will save a pure text file in Word DOC format, and that will thoroughly fuck up your HOSTS file.
If you've already been hit by this one, Malwarebytes Anti-Malware (a free download) will clean it up properly.
http://www.malwarebytes.org/mbam.php
scroll all the way down to get the latest updates file, or use this link:
http://www.gt500.org/malwarebytes/database.jsp
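As an added example (not part of the post above), here is a small Python helper that does what the post describes by hand: it parses a HOSTS file in the format shown, appends 127.0.0.1 entries only for domains that are not already present (keeping the file's line endings and the two-space gap), checks whether a name would be short-circuited to the local machine, and flags the entry-count thresholds and the "not plain text anymore" pitfall the post warns about. The sample HOSTS content is constructed, and the function names and thresholds are my own.

```python
LOOPBACK = "127.0.0.1"
OLE_MAGIC = b"\xd0\xcf\x11\xe0"            # header of Word .doc (OLE compound) files
WARN_ENTRIES, SLOW_ENTRIES = 1000, 10000   # rough figures from the post, not hard limits

# Constructed sample: a shortened stock header plus one entry already blocked.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    "# 102.54.94.97     rhino.acme.com          # source server\r\n"
    "127.0.0.1       localhost\r\n"
    "127.0.0.1  www.megavideo.com   # already blocked\r\n"
)

def looks_like_plain_text(data: bytes) -> bool:
    """Reject a HOSTS file saved as .doc, or as UTF-16 'Unicode text' (NUL bytes)."""
    return not data.startswith(OLE_MAGIC) and b"\x00" not in data

def parse_hosts(text: str) -> dict:
    """Map each hostname to its IP, ignoring blank lines and '#' comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()             # any run of spaces/tabs separates fields
        for name in names:
            mapping[name.lower()] = ip        # lookups are case-insensitive
    return mapping

def is_blackholed(text: str, hostname: str) -> bool:
    """True if resolution would stop at the local machine instead of going out."""
    return parse_hosts(text).get(hostname.lower()) in (LOOPBACK, "::1")

def add_block_entries(text: str, domains):
    """Append 127.0.0.1 lines for domains not already mapped.
    Returns (new_text, added_domains); existing entries are left untouched."""
    present = parse_hosts(text)
    added = [d for d in domains if d.lower() not in present]
    if not added:
        return text, []
    nl = "\r\n" if "\r\n" in text else "\n"   # preserve the file's line endings
    if not text.endswith("\n"):
        text += nl
    text += nl.join(f"{LOOPBACK}  {d}" for d in added) + nl   # two spaces, as advised
    return text, added

def entry_count_status(text: str) -> str:
    """'ok', 'warn' (over ~1000 entries) or 'slow' (over 10000), per the post."""
    n = len(parse_hosts(text))
    return "slow" if n > SLOW_ENTRIES else "warn" if n > WARN_ENTRIES else "ok"
```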