Posted by: Ken Harthun
Anti-malware, Anti-virus, Hacking, Linux, Malware, Security, Trojan
Forgive me if I brag a bit in this post, but I think I earned the right. You be the judge.
Last weekend, I noticed strange behavior on my home system. ESET Smart Security kept reporting that it had “found and quarantined m.exe, probably a variant of Win.Qhost trojan.” Every time I plugged in a USB thumb drive, ESET would pop up with the message. I couldn’t run HijackThis. If I tried to go to certain antivirus websites–Avira in particular–my browser closed. Sysinternals Process Explorer wouldn’t run. My thumb drive showed two hidden files: Autorun.inf and m.exe. Hmmm. Running ipconfig /displaydns revealed multiple connections to porn and malware sites. Searching Google led me to some tools that eventually fixed my problem at home. Turns out I had a bigger problem.
Apparently, I had picked up the infection from a client’s Exchange server and during my weekly tour there, I found that the tools I used on my XP machine wouldn’t run on Windows Server 2003. I tried everything in my arsenal; no tool found anything wrong. This thing was very stealthy; even Safe Mode didn’t disable it. I was about to give up. Then I remembered that I’d recently finished making up a bootable Linux thumb drive virus scanner using the AntiVir rescue CD, a tool that allows offline scanning (thank you, Avira, you made it a little easier for me). I booted the server to the thumb drive, ran the scan, rebooted the server, and voila! The infection was gone.
There’s a whole backstory to this incident that I won’t bore you with. Suffice it to say that I’m glad I put in the hours of hacking and research to come up with a really useful tool that I was able to use to help a client. Veni! Vidi! Vici!