PWN3D

by | Apr 5, 2005 | Culture

You know, it feels REALLY good to smack the shit out of a virus or some spyware. It really does. People who write that sort of shit are dickless, friendless assholes who will be serving me my coffee for the rest of their pathetic lives.

Yesterday I got an e-card from Blue Mountain, a company I’ve heard of and used before. I thought it was from my mom. The link to get my card when to the blue mountain servers (so I thought). When nothing opened in Firefox I assumed it was a flash/shockwave thing, so I opened it in IE…. God, why I did that I’ll never know. After nothing opened in IE (I got what looked to be a 404) I closed the browser and deleted the email. 30 seconds later AVG Anti-Virus is going ape shit. It’s detected that about 30 different backdoor trojans are trying to install themselves. I delete them all before they do anything… or so I think. Apparently I’ve caught the newest nasty virus on the block. A combination of malware, spyware, trojan and backdoor worm. Parts of it are called different things. The most common is wsup.exe and wtools.exe. WTools is a bullshit toolbar thing that hijacks IE and uses it to install more nasty things everytime IE is opened. Wsup is a system process that doubles, triples and renames itself. The kicker is that after it installs it changes registry information so that the files are undeleteable and the processes are unstopable. Trying to kill one process will literally spawn to more with different names. I had WtoolsA, B, C …. S, etc at one point. A quick trip to Trend Micro and those were gone. Or so I thought. These little fuckers were tough. They renamed themselves again, moved, and restarted even after I edited my mscofig to stop the processes from starting.

I was getting made. I restarted, booted into safe mode with a command prompt and BY HAND, tracked down each and every entry in the registry, changing them all so I’d be able to finally delete them. That worked. I deleted Wtools and Wsup. After that I booted normally and just to be on the safe side I ran AVG again. This time it came up clean. Just because I’m anal I started up TrendMicro’s Housecall as well. I’m glad I did. It seems they left me with a parting gift. A nice, hidden copy of Backdoor.Small.33x hidden in my CSRSS file.

Now, csrss.exe is a very important system file, I can’t just go and delete it… or can I? I tried all the normal steps first. I tried to kill the process only to have Windows say “this is a critical system file and it’s not to be fucked with”. Ok, ok… gotta think about this. So, I read up on csrss. Apparently its a wonderful little command layer file that sits in your system32 directory… not your windows directory. Huzah! I had an imposter. The little bastard cloned the properties of the real file so that it couldn’t be messed with but it was sitting in the wrong folder. A quick reboot with a dos prompt again took care of that.

Mess with my shit will they. Not if they know whats good for’em. It didn’t help that SpyBot was jumping around like a jack rustle terrior every 2 seconds trying to tell me that something was jacking with my registry but it couldn’t tell me what. It just kept saying “Process: -blank- is trying to modify: -blank- entry. Allow or Deny?” Great job there guys. At least it knew something was up, I’ll give it that much.

Anyway, after running AVG, TrendMicro and (after installing it) Norton, it appears I’m in the clear. Nothing mildly infectious to be found.

That’ll teach me to open IE… even for cards from my Mom. Stupid IE, if it weren’t for windows update (once a year or so) it would be completely uninstalled anyway.

But, back to the main topic at hand… those wang-less, pimply faces gas station attendents that have a sack small enough to write this shit…. blah, blah blah, explative, dirty word, vulgarity…. you get the idea.

Out.