Rummys Blog An world of endless Monday

Tuesday, 15 December, 2009

Drive by Shooting

Filed under: General — Andrew.Rowbottom @ 12:19 pm

Sue was visiting a bunch of news sites the other night, visit this site trying to find something or other about Strictly Come Dancing, when suddenly a notepad window popped open with random looking text in it, starting with the dangerous MZ characters and including some text or other about “this program cannot be run in DOS mode”. Simultaneously Kaspersky popped up saying it was putting “CriticalUpdate.exe” in the low risk group.


We’re pretty sure one of the sites had managed to shove a trojan/virus on her computer presumably using vulnerability in Firefox or one of the essential addons (Real Player, Flash or somesuch).

A full scan with Kaspersky found two highly suspicious files with its heuristics analyser but they had later dissapeared from view! More than a little suspicious.

I’ve managed to find 4 really iffy looking files, two tmp files containing executable code and two executables lsass.exe & CriticalUpdate.exe. I’ve stuffed these into a zip for later investigation.

The thing is Kaspersky doesn’t see them as dodgy! Not even when I check them on my presumably uninfected machine.

I’m dissapointed. Until Kaspersky can see these files as bad we can’t assume that the machine is not badly infected.

It’s looking like we’re going to have to wipe her notebook and start afresh. Which is difficult because it doesn’t have a built in CD drive or standard Windows XP installation CDs.

So now I know that Kaspersky isn’t quite as solid a defence as everyone pretends it is. I’m particuarly annoyed that it blithely accepted lsass.exe as low risk when it wasn’t even in the System32 directory! If Sue hadn’t previously associated .tmp files with notepad we probably wouldn’t even have noticed anything!

Boo! Then again, maybe I’ll get to play with Windows 7.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress