The Blog's of Elijah Lynn.

Whether you tell yourself you can or whether you tell yourself you cannot... you are always RIGHT!

First Virus in Ages

I got my first virus in ages the other night. I think it was a link off of Reddit or Digg.

Anyways, I know I should have been using NoScript with my Firefox, but I wasn't. I am using Google Chrome to write this and will use NoScript when I use Firefox from now on. The virus would not let me use Chrome or Firefox; I didn't test IE, but thankfully it let me run Opera with no problems! Everyone should have Opera anyways.

So here it is; hopefully this will help a few others, since searches didn't yield much of a result, probably because it is still relatively fresh.

Firefox all of a sudden showed three windows "opening" that never popped up. The next thing you know, my machine was in shutdown mode. Then it restarted.

Anyways, after rebooting the virus masquerades as a "Windows Security Center" alert and says something about "Windows Firewall". It says that win32.zafi.b is doing something, etc. HijackThis didn't turn up anything suspicious. I then ran Sophos Anti-Rootkit and it picked up some unknown files, but I didn't delete them. Finally I searched for "windows security alert win32.zafi.b" and found this thread, where I found the fix!! I don't think it was randomly named, though, as I had the exact same file names as the guy in the link below (ocboo1892823.exe and sysspc.dll).

http://www.computing.net/answers/security/fake-security-alert/24161.html

I had to delete a registry entry in the following location

D:\Documents and Settings\Eli\Application Data\Google\ocboo1892823.
"D:\Documents and Settings\Eli\Application Data\Google\ocboo1892823.exe" 2

Hopefully this helps someone out. Here is a screenshot.

I used an Ubuntu 8.04 Live CD to boot up and delete the files from the following Google folder.
D:\Documents and Settings\Elijah\Application Data\Google
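The check I would run on a machine showing this kind of fake "Windows Security" alert, as an added example that is not part of the original post: sweep the standard autorun registry locations for entries whose executable lives under a per-user data folder (the way ocboo1892823.exe sat under Application Data\Google), then list the newest executables and DLLs under the current user's data folder. The post does not name the registry key it deleted, so the key list, the folder fragments treated as suspicious, and the function names below are assumptions, not a record of where the entry actually was.

```powershell
# Added example, not from the original post. Flags autorun entries that point
# into user data folders and lists recently written executables there. The
# autorun key list is an assumption (standard locations), as is everything else
# here; the post does not say which key held the ocboo1892823.exe entry.

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Folder fragments a legitimate autorun entry rarely points into, covering the
# XP-era profile layout (Application Data, Local Settings) and Vista+ (AppData).
$suspectFragments = @('\Application Data\', '\Local Settings\', '\AppData\', '\Temp\')

function Get-ExecutablePaths {
    # Value data may look like '"D:\path\x.exe" 2', 'C:\path\x.exe /arg', or,
    # for Winlogon\Userinit, 'C:\WINDOWS\system32\userinit.exe,' with extra
    # comma-separated programs appended. Return every program path found.
    param([string]$Data)
    $paths = @()
    foreach ($piece in ($Data -split ',')) {
        $piece = $piece.Trim()
        if ($piece -eq '') { continue }
        if ($piece -match '^"([^"]+)"') {
            $paths += $Matches[1]
        } else {
            $paths += ($piece -split '\s+')[0]
        }
    }
    return $paths
}

function Test-SuspectPath {
    param([string]$Path)
    foreach ($fragment in $suspectFragments) {
        if ($Path -like "*$fragment*") { return $true }
    }
    return $false
}

$findings = @()
foreach ($key in $autorunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PowerShell's own PSPath etc.
        foreach ($exe in (Get-ExecutablePaths -Data ([string]$prop.Value))) {
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $reasons = @()
            if (Test-SuspectPath -Path $exe) {
                $reasons += 'runs from a user data folder'
            }
            # Bare names like Explorer.exe resolve via the search path; only
            # check existence for fully qualified targets.
            if ([System.IO.Path]::IsPathRooted($exe) -and -not (Test-Path -LiteralPath $exe)) {
                $reasons += 'target file not found (hidden, or already removed)'
            }
            if ($reasons.Count -gt 0) {
                $findings += New-Object PSObject -Property @{
                    Key    = $key
                    Value  = $prop.Name
                    Target = $exe
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No autorun entries point into user data folders.'
} else {
    $findings | Format-Table Key, Value, Target, Reason -AutoSize
}

# Second pass: executables and DLLs under the current user's data folder, newest
# first, so a freshly dropped pair like ocboo1892823.exe / sysspc.dll stands out.
Get-ChildItem -Path $env:APPDATA -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 LastWriteTime, Length, FullName
```

Run it from an elevated PowerShell so the HKLM keys are readable. Because it runs inside the infected Windows, a rootkit that filters registry or directory listings can hide the entry from it just as the process was hidden from Task Manager; if the sweep comes back clean while the alert keeps appearing, inspect the profile from an offline boot, as the Live CD step above does, rather than trusting the live view.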

1 comment:

Hello Elijah,

I also ran into this infection last night. This malware is trying to hide itself from anti-virus scanners by using rootkit techniques. The main process, ocboo1892823.exe, is executing on the machine, but it does not appear in the Windows Task Manager, nor in any other program that enumerates processes using standard procedures. This is probably why it did not appear in HijackThis.