VideoHelp Forum
  1. lordsmurf (Video Restorer), Join Date: Jun 2003, Location: dFAQ.us/lordsmurf
    I was reading a PM when Firefox tried to load Adobe Acrobat, crashed, and then some .dll junk installed itself
    mdlasv.dll
    arijodohujehukon.dll

    the first one came back as "Mask Tools Dynamic Library" but it's a common name given to malware.
    There apparently is a legit software with that name "Mask Tools".

    WinPatrol stopped the system startup changes.
    Process Explorer killed everything in RAM.
    And I manually deleted it.
    CCleaner removed now-dead commands from registry.
    Curiously, SuperAntiSpyware did not see it.

    It added this BS to the registry: HKCR\AcroAccess.Premiere.2
    ms0cfg32.exe was in the browser temp folder.
    klomp.exe was in the system32 folder.
    userini.exe was in the registry.
    There were a few things hidden in win.ini, too.

    It came from videohelp.com
    Last edited by lordsmurf; 20th Dec 2010 at 11:12.
    Want my help? Ask here! (not via PM!)
    FAQs: Best Blank Discs, Best TBCs, Best VCRs for capture, Restore VHS
  2. hech54 (Member), Join Date: Jul 2001, Location: Yank in Europe
    Obviously a Princo and K-Lite user sending you fan mail...
  3. lordsmurf (Video Restorer), Join Date: Jun 2003, Location: dFAQ.us/lordsmurf
    ... added more to first post.
    Last edited by lordsmurf; 20th Dec 2010 at 10:55.
  4. Member, Join Date: Feb 2008, Location: United States
    Disable scripting in Acrobat to prevent an Adobe exploit virus in the future.
  5. Banned, Join Date: Nov 2005, Location: United States
    Originally Posted by lordsmurf:
        It came from videohelp.com
    how do you know it came from video help?

    edit: i just checked to see if it was possible to embed html and php into a pm and it is, looks like the attempted exploit came from whoever pm'd you and not from video help itself.
    Last edited by deadrats; 20th Dec 2010 at 19:35.
  6. aedipuss (aBigMeanie), Join Date: Oct 2005, Location: 666th portal
    keep adobe crap updated. reader 10 run in a sandbox to prevent exploits.
    --
    "a lot of people are better dead" - prisoner KSC2-303
  7. Hi Lordsmurf,

    Just out of curiosity what are you running for "Firewall" and "AntiVirus" !?!

    Thanks,

    G!
  8. lordsmurf (Video Restorer), Join Date: Jun 2003, Location: dFAQ.us/lordsmurf
    No firewall, no anti-virus. It slows systems too much to be of any value.
    Firewall would not have helped.
    And this also wasn't a virus. It was a worm, which AV can miss anyway.

    The system had actually scanned clean not 6 hours before this happened, during routine defrag/backup.

    It was some errant JS from videohelp that failed to launch Adobe Acrobat then proceeded to install crap.
    I was able to remove it with minimal effort -- just a nuisance.

    This post was mostly for baldrick, but also a warning to see if I was alone in this.

    The PM in question had no attached JS that I could see. (It's been deleted anyway.)
  9. Member, Join Date: Oct 2010, Location: England
    Originally Posted by lordsmurf:
        It was some errant JS from videohelp that failed to launch Adobe Acrobat then proceeded to install crap.
    Have you got the NoScript plugin for Firefox?

    Sometimes malicious code can spread via embedded advertising banners:
    http://www.h-online.com/security/news/item/Malicious-advertising-banners-distributed-b...ek-740249.html

    I've only allowed JavaScript originating from videohelp.com

    I don't have Adobe Acrobat installed. I use a less bloated alternative, Okular - which I doubt is susceptible to the same security exploits as Acrobat.
  10. lordsmurf (Video Restorer), Join Date: Jun 2003, Location: dFAQ.us/lordsmurf
    NoScript was eating into CPU for some reason, so I had just removed it last week.
    Firefox had become almost unusable due to several plugins.

    I do think it was an ad.

    I don't have Adobe Acrobat as active -- I use Foxit, which is why it was strange.
    It probably crashed because I have some related Adobe services disabled.
    Last edited by lordsmurf; 21st Dec 2010 at 06:37.
  11. aedipuss (aBigMeanie), Join Date: Oct 2005, Location: 666th portal
    this exploit discovered a few months ago works on both acrobat and foxit.

    an attack can use the launch action functionality in Acrobat PDF and Foxit to run embedded executables. The good news is that it's a relatively easy fix unless you require the usage of that functionality. To prevent Acrobat from running an executable simply open Acrobat and select Edit –> Preferences –> Trust Manager and deselect "allow opening of non-PDF file attachments with external applications". This will prevent Acrobat from executing executables within the program.
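A defender-side check for the launch-action trick described in the post above: the scanner below is an added example, not code from the thread or from Adobe/Foxit. It flags /Launch, /OpenAction and JavaScript keys in a PDF, looks inside FlateDecode object streams and normalizes #xx name escapes, and runs against three constructed sample files embedded inline (the file names and payload strings in them are made up).

```python
import re
import zlib

# Keys worth flagging. /Launch is the action the thread describes (open a file
# with an external program); the rest make it fire automatically or via script.
SUSPICIOUS_KEYS = ("/Launch", "/OpenAction", "/AA", "/JavaScript", "/JS", "/EmbeddedFile")

def _unescape_names(data: bytes) -> bytes:
    """Normalize #xx hex escapes in PDF names, so /Lau#6Ech reads as /Launch."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes):
    """Yield decompressed FlateDecode stream bodies; object streams (/ObjStm)
    can hold whole dictionaries, so /Launch may be visible only after inflating."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the EOL that precedes 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data: nothing to inflate

def scan_pdf(data: bytes) -> dict:
    """Return {key: count} over the raw file plus inflated streams; {} means clean."""
    views = [_unescape_names(v) for v in [data, *_inflate_streams(data)]]
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # lookahead keeps /JS from matching the start of some longer name
        pattern = re.compile(re.escape(key.encode()) + rb"(?![A-Za-z0-9_])")
        n = sum(len(pattern.findall(v)) for v in views)
        if n:
            hits[key] = n
    return hits

def _pdf(body: bytes) -> bytes:
    """Wrap constructed objects in a bare-bones PDF skeleton (constructed sample)."""
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

BENIGN_PDF = _pdf(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")
# Launch action wired to /OpenAction, name hex-escaped to dodge a naive grep (constructed).
LAUNCH_PDF = _pdf(
    b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /Lau#6Ech /F (dropper.exe) >>\nendobj\n"
)
# JavaScript action hidden inside a FlateDecode object stream (constructed sample).
HIDDEN_JS_PDF = _pdf(
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"5 0 << /S /JavaScript /JS (app.alert(1)) >>")
    + b"\nendstream\nendobj\n"
)
```

Run `scan_pdf(open(path, "rb").read())` on a real file; a non-empty result is a reason to open it in a viewer with launch actions and scripting disabled, not proof of malice, since forms and legitimate documents use some of these keys too.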
  12. AlanHK (Member), Join Date: Apr 2006, Location: Hong Kong
    Originally Posted by aedipuss:
        deselect "allow opening of non-PDF file attachments with external applications"
    What completely irresponsible fool thought it was a good idea to allow that by default?

    Didn't they learn anything from Microsoft and its endless macro virus exploits?

    I run Acrobat 4 myself; it can display just about any PDF I need, but doesn't have the functionality of launching malware. I can live without that.
  13. Banned, Join Date: Oct 2004, Location: Freedonia
    Acrobat replacement programs are sometimes vulnerable to the exact same problems as Acrobat.

    lordsmurf - I used to be a gigantic Firefox supporter but I now mostly run Chrome. You might give it a try if you feel that Firefox is too slow (a valid complaint).
  14. lordsmurf (Video Restorer), Join Date: Jun 2003, Location: dFAQ.us/lordsmurf
    I've already been using Chrome for my "random surfing" and various web dev work, since the day it went beta.
    The problem with Chrome is the ajax support sucks.
    I run Chromium, too.
    Some decent plugins for both.

    I only use Firefox for trusted sites where I have memberships. It's not too bad plugin-free.
    Flock is a pig, even without plugins. All the social integration crap is a waste of RAM and CPU.

    Another good one is Seamonkey, which is only part Mozilla code.

    K-Meleon is decent, but has some annoyances with keyboard shortcuts (CTRL+B isn't bold, for example).

    IE5 through IE8 are here for testing. Need to get IE9. Not used for anything, if I can avoid it.
    Some gov't sites require it for logins, the morons.

    There's several great Mac browsers not on Windows, too!

    I didn't even know Acrobat had those settings -- much less the brain-dead choices in default settings.
    The only reason I have Acrobat is because it came with CS3 Master Collection, which is installed in full.
  15. Banned, Join Date: Nov 2005, Location: United States
    Originally Posted by lordsmurf:
        The PM in question had no attached JS that I could see. (It's been deleted anyway.)
    the JavaScript wouldn't need to be attached, you could use html to hide instructions to download and execute a JavaScript, i don't know if you know how browsers display web pages but basically a page is coded in an interpreted programming language (mostly html) and a browser is designed to execute the instructions line by line. within a web page you can embed other types of scripted languages that a browser by default will also execute line by line.

    all the author of the pm would have to do is embed some tags that tell your browser to download the js from a remote server and execute it.

    very simple to do, really.