Wednesday, June 10, 2009

How Windows Defender Helped Me Save Face

This morning I received a direct message from my brother on Facebook (warning #1) with a link to a URL that just looked 'crazy'. I clicked (mistake #1).

I was redirected to a site that appeared to be hosting a video, but prompted that it "Required Adobe Flash Player 10" to continue and attempted a download of the file "setup.exe".  I downloaded the file and ran it (mistake #2).

Luckily, I am running Windows Defender, which detected changes to my system and prompted me for approval before committing them.  Windows Defender prompting me after an install is not unusual; however, it gave me a critical moment to collect my thoughts (first cup o'coffee this am, after all) and review what was about to occur.  That's when I noticed that the "Adobe Flash Setup" had installed several Windows drivers.  Drivers?  Nothing from the browser should EVER install a Windows driver?!

I'm now suspicious (sharp as a spoon, I am) and decide to investigate a little further.

I reviewed "setup.exe" and viewed its details: there was no manufacturer data.  I then navigated to Adobe and downloaded its installation program for Adobe Flash 10.  The file name is "install_flash_player.exe", and when viewing the file details it is stamped repeatedly that it's from Adobe.

Windows Defender reported the following changes to my system.

Windows Defender Report

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
driver:
podmenadrv

file:
C:\Program Files\podmena\podmena.sys

Category:
Not Yet Classified

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
regkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\sysfbtray

runkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\sysfbtray

file:
c:\windows\freddy46.exe

Category:
Not Yet Classified

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
regkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\sysldtray

runkey:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\sysldtray

file:
c:\windows\ld09.exe

Category:
Not Yet Classified


That's enough for me...I deny the changes in Windows Defender, which requires a reboot to roll back.  After the reboot, all is well in the 'verse.

Shortly afterwards this morning I got an email from my brother warning me about it - he wasn't so lucky.

This is not the first time Windows Defender has saved my bacon. If you're running Vista, or Windows XP SP2/3, make sure you're running Defender, or a good virus scanner.  Defender seems to be less intrusive than the actual virus scanners I've tried over the years.
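The check done by hand above (does the file carry publisher data, and is it really from Adobe?) and the places Defender flagged (Run keys and a kernel driver) can be audited in one pass. The script below is an added example, not code from the original post: it walks the Run/RunOnce keys and the installed kernel drivers, resolves each image path, and reports anything whose Authenticode signature is missing, invalid, or from a publisher you did not expect. It assumes PowerShell 2.0 or later on an elevated prompt; the publisher patterns in $TrustedPublishers are assumptions to adjust for your own environment.

```powershell
# Added example, not code from the original post. Audits the same places
# Defender flagged above (Run/RunOnce keys, installed kernel drivers) and
# applies the check the post did by hand on setup.exe: is the binary
# Authenticode-signed, and by whom? Assumes PowerShell 2.0+ and elevation.

# Assumed publisher patterns (certificate Subject prefixes); adjust to the
# vendors you actually expect on this machine.
$TrustedPublishers = @(
    'CN=Adobe Systems Incorporated*',   # assumption: subject on the genuine Flash installer
    'CN=Microsoft Corporation*',
    'CN=Microsoft Windows*'
)

function Resolve-ImagePath {
    param([string]$Command)
    # Run values look like  C:\windows\ld09.exe  or  "C:\Program Files\x\y.exe" /arg ;
    # driver paths may carry \??\ or \SystemRoot prefixes. Extract the file path.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -lt 0) { $end = $c.Length }
        $path = $c.Substring(1, $end - 1)
    } else {
        # Unquoted command line: first token is the image (unquoted paths that
        # themselves contain spaces are not handled here).
        $path = ($c -split '\s+')[0]
    }
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Test-Binary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'MISSING'; Publisher = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $publisher = ''
    if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
    $trusted = $false
    foreach ($pattern in $TrustedPublishers) {
        if ($publisher -like $pattern) { $trusted = $true }
    }
    if ($sig.Status -ne 'Valid') { $status = 'UNSIGNED OR INVALID' }
    elseif (-not $trusted)       { $status = 'SIGNED, UNEXPECTED PUBLISHER' }
    else                         { $status = 'OK' }
    New-Object PSObject -Property @{ Path = $Path; Status = $status; Publisher = $publisher }
}

function Get-RunEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties; they are not Run values.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $check = Test-Binary (Resolve-ImagePath ([string]$prop.Value))
            New-Object PSObject -Property @{
                Source = $key; Name = $prop.Name; Path = $check.Path
                Status = $check.Status; Publisher = $check.Publisher
            }
        }
    }
}

function Get-DriverEntries {
    # Kernel drivers are registered as services; Win32_SystemDriver exposes
    # their image path, which is how podmena.sys above would show up.
    Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
        if (-not $_.PathName) { return }
        $check = Test-Binary (Resolve-ImagePath $_.PathName)
        New-Object PSObject -Property @{
            Source = 'Driver'; Name = $_.Name; Path = $check.Path
            Status = $check.Status; Publisher = $check.Publisher
        }
    }
}

$report = @(Get-RunEntries) + @(Get-DriverEntries)
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Source, Name |
    Format-Table Source, Name, Status, Publisher, Path -AutoSize
```

Two caveats when reading the output. On XP and Vista many of Microsoft's own drivers are catalog-signed rather than carrying an embedded signature, so PowerShell 2.0 reports them as NotSigned and they will appear in the list; the entries worth attention are the ones that are unsigned and also sit in an odd location, like the three the report above shows (an executable dropped straight into C:\windows, a driver under its own folder in Program Files). And a valid signature only tells you who signed the file, not that the file is harmless.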

2 comments:

  1. Just a few minutes ago I accidentally let the same file get through into my system through a keygen. By deleting its registry entry (my action thus far), would you reckon that I'll be safe?

    I'm running a full system search, and deleting any files that it yields right now, which should help if that wasn't enough. Cheers.

  2. Mike,

    Once infected, I'd be surprised if it went away that easily. One can always hope, though! :)

    It may require booting back up in safe mode, removing the registry keys and deleting the executables that were installed.

    Sysinternals autoruns.exe is a nice tool to help clean up registry entries related to Run/RunOnce, etc.

    I don't deal with this sort of thing on a regular basis, so my problem is that I imagine that it's doing all sorts of nasty stuff that will be difficult/impossible to track down once it gets through.

    Good luck!
    Z

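The cleanup the reply describes (boot to Safe Mode, remove the Run keys, delete the dropped executables, and confirm with Autoruns) can be scripted for the specific items in the Defender report above. The following is an added example, not code from the original post or its comments. It removes only what the report named: the two Run values, the two executables in C:\windows, and the podmenadrv kernel driver and its file. It assumes an elevated PowerShell 2.0+ prompt and that the indicators on the machine match the report exactly.

```powershell
# Added example, not code from the original post or its comments. Removes the
# persistence named in the Defender report above. Run from an elevated prompt,
# in Safe Mode if possible. Names and paths are taken from the report; a real
# infection may have added more than Defender listed.

$RunValues   = @('sysfbtray', 'sysldtray')
$Executables = @('C:\windows\freddy46.exe', 'C:\windows\ld09.exe')
$DriverName  = 'podmenadrv'
$DriverFile  = 'C:\Program Files\podmena\podmena.sys'

function Remove-RunValues {
    param([string[]]$Names)
    # Check both hives and both Run and RunOnce; the report showed HKLM\...\Run,
    # but the keygen case in the first comment may have landed elsewhere.
    $removed = @()
    foreach ($hive in @('HKLM:', 'HKCU:')) {
        foreach ($sub in @('Run', 'RunOnce')) {
            $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path -Path $key)) { continue }
            foreach ($name in $Names) {
                $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
                if ($item) {
                    Write-Host "Removing $key\$name = $($item.$name)"
                    Remove-ItemProperty -Path $key -Name $name -Force
                    $removed += "$key\$name"
                }
            }
        }
    }
    return $removed
}

function Remove-DroppedFile {
    param([string]$Path)
    # Kill any running instance first; a locked file cannot be deleted.
    $procName = [IO.Path]::GetFileNameWithoutExtension($Path)
    Get-Process -Name $procName -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Test-Path -LiteralPath $Path) {
        Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $Path) {
            Write-Warning "$Path is still present (locked?); reboot and run again"
            return $false
        }
        Write-Host "Deleted $Path"
    }
    return $true
}

function Remove-KernelDriver {
    param([string]$Name, [string]$File)
    # A kernel driver is a service, but Get-Service does not list drivers, so
    # use sc.exe. 'sc delete' only marks the service; the entry disappears at
    # the next reboot if the driver is still loaded.
    & sc.exe query $Name | Out-Null
    if ($LASTEXITCODE -eq 0) {
        & sc.exe stop $Name | Out-Null
        & sc.exe delete $Name | Out-Null
        Write-Host "Driver service $Name marked for deletion"
    }
    return (Remove-DroppedFile $File)
}

$removedKeys = Remove-RunValues $RunValues
$filesGone   = @($Executables | ForEach-Object { Remove-DroppedFile $_ })
$driverGone  = Remove-KernelDriver $DriverName $DriverFile
Write-Host "Run values removed: $($removedKeys.Count). Reboot, then re-check with Autoruns."
```

After the reboot, run Sysinternals Autoruns as the reply suggests and look for anything still pointing at C:\windows\*.exe or the podmena folder; the script only removes what Defender listed, and once a kernel driver has loaded, a wipe and reinstall is the only way to be certain the machine is clean.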