Monday, August 31, 2009

The Symptoms of This Virus Include...

On Friday, my computer was attacked by the Cryptor virus. Well, technically, it had been attacked long before, in the months leading up to Friday. The Cryptor virus is probably one of the most malicious on the interwebs today. Cryptor is a slow-burn blitzkrieg.

How? Well, it attacks the computer in multiple ways. It invades your computer without being detected by various antivirus and antispyware software (AVG, Malwarebytes, SpywareBlaster, and Spybot did not detect it until Friday). However, slowly the virus takes hold in multiple ways. Without getting too technical, Cryptor is known as a rootkit virus, and that basically means it is impossible to get rid of without very specialized software, outside the realm of, e.g., AVG and Malwarebytes. In fact, the virus goes on the offensive...slowly but very effectively.

Remember me complaining about AVG slowly killing my computer about a month or so ago? Well, it turns out that it was the Cryptor virus attacking it. Yeah, that's right, this virus actually attacks antivirus software. In my case, it would not allow AVG to run at startup, resulting instead in the blessed "Blue Screen of Death". A complete removal of AVG was the only solution (SafeMode), and I installed AVIRA instead. Well, same story. Running AVIRA resulted in a BSD.

Of course, this got me a little concerned. Soon, some software would not work because of memory allocation errors. By this point, I knew I was in trouble, but I had no idea what I had. No remaining software could detect what I had, so I was left with a compromised machine without any knowledge of how to fight it. (The above transpired over about a month's time.)

Finally, on Friday, things came to a head, as my machine was restarted during the night. Nothing could be used, and bogus antivirus software was telling me that I had a virus. (Microsoft does not own something called "Microsoft Antivirus Pro".) This was virus #2, a trojan that essentially enabled itself by freezing my machine. The only thing working (mysteriously) on my laptop was a web browser, and through frenzied Google searches, I learned that by manually killing the bogus software and running Malwarebytes, I could halt virus #2. Unfortunately, either virus #1 or virus #2 appeared to have obtained my credit card information in the meantime. (More on that below.) However, Malwarebytes successfully removed virus #2. By this point, re-installing and running AVG as well as Malwarebytes finally alerted me to the presence of Cryptor, which I quickly learned was the vicious plague affecting my machine. And it is vicious. It uses up a ton of memory, essentially stealing it from other software. It attacks antivirus software. And it's impossible to remove by any remaining antivirus software. (Any restart, by the way, rendered AVG useless once again.)

So, some research indicated my only hope was something called ComboFix, software designed specifically to remove rootkit malware. Unfortunately, its use is risky, potentially permanently damaging the machine. This meant, of course, that I had to copy everything of importance offline immediately. Friday night and Saturday morning were devoted to this.

Finally, on Saturday afternoon, ComboFix was installed and run, and by the magic of the antivirus gods, Cryptor was removed. Or at least, appeared to be removed, since checks from Malwarebytes and AVG thereafter showed clean slates.

The damage, however, was permanent in two ways. For one, it has rendered some data useless, though it appears nothing important. Removal of the virus opened up 4+ GB of space, indicating it was also a storage hog. Nice. More importantly, a mysterious deduction from my debit card was found when virus #2 attacked my machine. Thus, I spent Friday afternoon canceling my first debit card and re-ordering a new one. Money loss: $53. Could have been worse, though as it turns out, the amount is usually low to prevent red flags from credit card companies. Obviously, this virus must collect from many victims. (Lesson here: Best not to pay online when you suspect a virus is on your machine. Fortunately, I never type my SSN online, so I'm relatively convinced that I'm free from identity theft. I will be checking periodically, however.)

So, besides checking my bank account daily with nervous wonder and doggedly checking my machine for any questionable behavior for the past 48 hours, the story ends with some loss, much hardship, and hardened experience.

It was a long battle, but the good side prevailed. Unfortunately, like present-day conflict, it's hard to tell if the war is still going on.