Last week, I discussed my disillusionment with Windows security and mentioned a Trojan horse attack that rendered my notebook almost unusable. However, I didn't provide any details about the Trojan, which led to a bunch of email from curious readers. Sorry about that: I wasn't trying to be coy; I didn't have enough details about the attack to write about it in last week's commentary. This week, however, I'd like to describe the Trojan and explain how I got it.
As I often do before a trip, I prepped my laptop with the latest versions of my documents the night before I left and wrote a few DVD backups. Although I'm a big fan of personal information managers (PIMs) and PDAs, I also value the handiness of paper printouts, so I always print my trip itinerary: A printout typically includes flight, car rental, and hotel information, but this was a short trip, so I only needed to print my train schedule. But here's the problem: I'm using a NETGEAR print server that's incompatible with the Windows Firewall in Windows XP Service Pack (SP2), so when I need to print from an SP2 box, I must temporarily disable the firewall. I did so, printed the schedule, and was then distracted by my son, Mark. That was mistake number one: I forgot to immediately re-enable the firewall, as I typically do.
Mark was playing a video game on my desktop PC and had run into a tough spot. Being the good father that I am, I offered to step in and play the game for him and see whether I could complete the sequence he was having trouble with. Embarrassingly, I couldn't complete it either, so I decided to look up a walkthrough for the game online. I launched Microsoft Internet Explorer (IE) and started Googling the game. That was mistake number two: I typically use Mozilla Firefox for Web browsing, but of course, I've been testing the new and improved IE in SP2. As it turns out, many of the links from Google to game walkthroughs are, in fact, front ends to bizarre collections of Trojans, spyware, and other unwanted electronic junk.
I've heard horror stories from other people about the malicious software (malware) they've collected over time, and I've spent a lot of time helping them remove the invasive little buggers. Although I've occasionally experienced some malware on my own PCs, the truth is, I keep my systems pretty safe. I run Symantec AntiVirus Corporate Edition on my network and regularly install and run Lavasoft's Ad-aware Plus 6.0 for detecting and removing malware and spyware. One feature that I like about XP SP2's version of IE is that I can configure it to not load spurious application add-ons (or plug-ins). However, SP2 doesn't go far enough: IE doesn't offer any way to permanently remove these add-ons, and SP2 doesn't offer any sort of integrated, system-level, malware detection and prevention technology. Clearly, this is a feature Windows desperately needs.
After I had helped my son with his deeply technical problem, I returned to my trip preparations, re-enabled the firewall, and got back to work. That's when I noticed the problems. IE windows were spontaneously popping up and disappearing. When I manually opened IE, I saw a new toolbar (identified as blehdefyreal in IE's Manage Add-ons window) and a new home page (allaboutsearching.com). And windows were popping up asking me whether I wanted to install an application that, ironically enough, offered to clean my system of malware. Cute.
After disabling the blehdefyreal toolbar in IE, I used a variety of utilities to track down the offending code, including Ad-aware, Simply Super Software's Trojan Remover, Spybot Search & Destroy, and a few others. Every utility found something to complain about, but none eliminated the problem. I manually deleted suspicious folders in Program Files. I also looked at the running tasks in my system and found a few suspicious entries. Windows' built in Task Manager is useless for this task (ahem), of course, because you can't see which applications are loaded inside of the various svchost.exe application host environments. So I used Sysinternal's Process Explorer to find out what was going on.
One suspicious application was called TV Media (tvm.exe); another was Kind vc (POLL EACH.exe). I killed both processes and used regedit.exe to search for them in the registry. Both were in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey, which meant they would be instantiated each time Windows rebooted. So I removed those entries and kept searching. Nothing. Thinking I was getting on top of the situation, I watched one of the spyware detectors do its thing when, bam, an IE window suddenly popped open, then disappeared. With an uneasy feeling in the pit of my stomach, I relaunched regedit.exe. Sure enough, tvm.exe and POLL EACH.exe were back. Unbelievable.
Looking through the IE history, I discovered that the pop-up IE window had visited http://220.127.116.11/yyy3.html, and that site attempts to launch various other pop-ups. Firefox simply presents a blank page and notes that the page attempted to display unrequested pop-up windows. In XP SP2's IE, there's a popping sound (which I believe is related to a blocked pop-up), but then the IE window closes. Clearly, some damage has been done. And those pesky autolaunch applications keep appearing in the registry, and I can't figure out what's automatically spawning the IE window.
Last week, I noted that I would ultimately be forced to wipe out this machine and start over, but I decided to see whether anyone has any experience with this particular problem. I've also received two offers of help from individuals at Microsoft, and I'll probably take them up on those offers. I'm surprised that so little online information about these problems exists. Google searches have been curiously ineffective, leading me to wonder whether this Trojan is a recent development. For the record, it doesn't appear to damage or delete data, but time will tell. In the meantime, this laptop will be quarantined offline.
I had hoped to present the Laptop of the Month today, but I'm out of space, so I'll tackle that next week. In the meantime, if you have any experience with the problems I've described or any advice, I'm all ears. I'll present the conclusion (I hope) of this nasty little episode next week.