Like most tech guys I provide technical support for a number of PCs belonging to family and friends. After two years of no malware infections on the Vista PCs, and multiple infections on XP PCs, I finally had my first Vista infection to clean up. My forensics found that the malware was a new variation of the System Tool 2011 executable contracted via OkCupid on Christmas morning. Because I’d taken advantage of all the User Account Control (UAC) features on the Vista PCs I support, the damage was minor and easily repaired.
My experiences over the past several years have taught me to not even bother trying to start removing malware using only the infected PC. I always open the infected PC’s case and attach its hard disk to my system with a SATA/IDE to USB 2.0 Adapter. Scanning the USB attached drive with Microsoft Security Essentials it found no problems. Sadly this is frequently the case for me, the bad guys are constantly evolving their malware, so there usually is a few days to a week between the malware release and when detection systems are updated.
Next I searched the drive for files that where updated or created within 48 hours of the infection being noticed. This found the malicious software and what turned out to be its only other damage a shortcut in the start menu’s startup group. At first I was puzzled by the small scale of the infestation because on XP/2K/98/95 PCs I’ve repaired it has always been much worse. So I updated Malwarebytes and had it check the drive for me. It only found the same two items as my time based search and while it was scanning it dawned on me that UAC had prevented this malware from getting its hooks deeply into the system.
I saved a copy of the malware in my quarantined collection then deleted it and its shortcut from the drive. Next I reassembled the Vista PC and booted it up, no problems showed up and a manual check of the registry found no trace of the bad stuff. Just to be certain I installed and ran Malwarebytes from all the user accounts and it found no problems. The final step was to check the internet history to figure out where the malware came from, this showed me that it came from either Facebook of OkCupid. Later research points strongly to the malware coming from OkCupid via an advertising feed. I gave the PC back to its owner and Vista is running fine again.
The last thing I needed to do was report the malware to the Microsoft Malware Protection Center so that they could update their detection system. I submitted it and received confirmation of receipt Mon 12/27/2010 1:25 AM. They acknowledged the malicious nature of the software and changes to detection where in testing on Tue 12/28/2010 9:26 PM. The case was closed and new definitions released on Wed 12/29/2010 12:17 AM, less than 48 hours after I submitted it.
More Information on the System Tool 2011 malware:
- Encyclopedia entry RogueWin32Winwebsec – Microsoft Malware Protection Center
- Screenshots and removal @ the Tee Support Blog
- Google Search
Paul Hutchinson's Blog 