Tuesday 27 April 2004

Virussed by sachost

Darn, my unbroken record of "never having had a virus on my machine" is now Kaput. None of the standard virus-checkers I've used (including Symantec and Trend Micro) can detect it - yet. It sliced through my first few lines of defence like they weren't there. It got caught by my Firewall before it could do any damage, but that line of defence is well beyond the tolerable boundary.

It appears that all you have to do to get it is to a) Use a Microsoft Operating System (Yes, I know, that's my first mistake), b) Use Outlook Express as the mail client, and c) Attempt to read the wrong e-mail. You don't have to open an attachment, and I don't think you even have to click on a hyperlink - if you can receive html mail, it could do an immediate re-direct to the malware site.

I'm still trying to track down the exact sequence of events causing infection, and make sure that no damage was caused to the system.

It's not properly a Virus, but a Trojan, and from looking at its internals, it probably originated in Russia. It logs keystrokes, and reports things like your password files to a 3rd party site. Until it gets a proper name, I'll call it "sachost". It's a variant of the Ibiza Trojan, so will probably be called "Ibiza-something" when it finally gets named.

How can you tell if you've been infected?

First, use your task manager (or on Win98, hit CTRL-ALT-DEL once). If you see the processes sachost, sachosts, sachostc on the list, you've got troubles. If you haven't got a Firewall installed, then ALL YOUR PASSWORDS MAY HAVE BEEN COMPROMISED. You must change all the ones you care about, be it to eBay, Amazon, PayPal, or whatever (but not just yet!). If you change them now, they'll be logged, and sent to the Mafya sometime in the next five or ten minutes (I haven't tracked down when it sends the data; there are quite a few candidate IP addresses in the code, plus proxies).

Here's how to get rid of the thing (if you're using Win98, anyway):
First, if you're not totally sure what you're doing, disconnect from the Internet and go find a Tame Geek. Otherwise, continue as follows:
a) Terminate the 3 processes sachost, sachosts, sachostc using the Task manager. End them.
b) Use the regedit utility (Start->Run->type in "regedit") to find the line "Onlune Sarvice"="%Windir%\sachost.exe" (or possibly "c:\windows\sachost.exe") and delete it. (This will stop it from automatically re-starting when you start the computer up again.)
c) Restart
d) Now make a note of the timestamp of creation of the files C:\Windows\msrt32.dll and C:\Windows\sachost.exe. Then delete them. msrt32.dll is the beast's black heart, the invisible process that logs keystrokes. If you're curious, open C:\Windows\sysini.ini using Notepad to see what the nasty little trojan was going to report back to base. Then blow it away, delete it too.
e) Finally, delete C:\Windows\System\sachostc.exe and C:\Windows\System\sachosts.exe

After step c), it should be safe to go change your passwords, but I'd wait till step e)'s finished just to be certain. Send e-mails to the appropriate sites, saying that any transactions after the timestamp you noted in step d) should be treated as suspect/fraudulent. If you used your Credit Card on the net since that time, go cancel it now. If you did any on-line banking since that time, get your account frozen immediately, and inform the bank what has happened. Hopefully, you still have some money in them. Of course, if you have a Firewall, it should have stopped any data from escaping, and you don't need to change any passwords, etc. Assuming it's a good Firewall, that is. ZoneAlarm is fine.
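The three checks above (running processes, the registry auto-start line, and the dropped files) can be written down as a small triage script so the indicators from this post are looked for consistently. This is an added example, not code from the original post; it runs over constructed sample data (a process listing, a regedit-style export, and a directory inventory) rather than reading a live Windows machine, and the ScanRegistry entry is a made-up benign control.

```python
import re
# Indicators named in the post (constructed sample data below; assumptions are commented).
TROJAN_PROCESSES = {"sachost.exe", "sachosts.exe", "sachostc.exe"}
TROJAN_FILES = {
    r"c:\windows\sachost.exe", r"c:\windows\msrt32.dll", r"c:\windows\sysini.ini",
    r"c:\windows\system\sachostc.exe", r"c:\windows\system\sachosts.exe",
}
RUN_VALUE_NAME = "onlune sarvice"   # misspelt value name the post says to look for

def check_processes(process_listing):
    """Trojan image names found in a process listing (first token per line is the image name)."""
    found = set()
    for line in process_listing.splitlines():
        parts = line.split()
        if parts and parts[0].lower() in TROJAN_PROCESSES:
            found.add(parts[0].lower())
    return sorted(found)

def check_run_key(reg_export):
    """(value name, path) pairs under any ...\\CurrentVersion\\Run key that match the indicators."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                      # a key header switches context
            in_run_key = line.lower().endswith(r"\currentversion\run]")
            continue
        m = re.match(r'"([^"]*)"="(.*)"$', line) if in_run_key else None
        if not m:
            continue
        name, path = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg files escape backslashes
        if name.lower() == RUN_VALUE_NAME or "sachost" in path.lower():
            hits.append((name, path))
    return hits

def check_files(paths_found_on_disk):
    """Dropped files present, given a directory inventory (a list of full paths)."""
    present = {p.lower() for p in paths_found_on_disk}
    return sorted(p for p in TROJAN_FILES if p in present)

# Constructed sample data, not captured from a real machine.
SAMPLE_PROCESSES = "Explorer.exe\nsachost.exe\nSACHOSTS.EXE\nsachostc.exe\nNotepad.exe\n"
SAMPLE_REG_EXPORT = """REGEDIT4
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"
"Onlune Sarvice"="%Windir%\\\\sachost.exe"
"""
SAMPLE_DISK = [r"C:\Windows\explorer.exe", r"C:\Windows\msrt32.dll", r"C:\Windows\sysini.ini"]

if __name__ == "__main__":
    print(check_processes(SAMPLE_PROCESSES), check_run_key(SAMPLE_REG_EXPORT), check_files(SAMPLE_DISK))
```

On a real machine you would feed it a saved Task Manager/process listing, a regedit export of the Run keys, and a directory listing of C:\Windows and C:\Windows\System; any hit from the three checks means the clean-up steps above apply.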

The first mention of this Trojan "in the wild" that I've found is on the 22nd, and I repeat, none of the standard virus checkers appear to be able to recognise it yet. Perhaps Ad-Aware could have, but by the time I ran that, I'd already cleaned up the infection.

I feel like a homeowner who's come home to find the front door lock jemmied open, the burglar-alarm disconnected, the whole place turned over, and signs where the thieves have attempted (and failed) to open the safe.

UPDATE: The Symantec on-line scanner does detect the presence of the beast. It recognises parts of the sachost.exe file as being a Backdoor Trojan. But the rest of the stuff isn't detected.

UPDATE: From reader Orlando Colamatteo:
Symantec Corporate AV Def 5/5/2004 rev. 8 recognised sachost.exe as trojan and quarantined it.
He also corrected some typos in the instructions for editing the registry. Thanks, Orlando.

As far as I know, no anti-virus system as at 5/5/2004 recognises the sachosts.exe, sachostc.exe and msrt32.dll files as well. I've seen a report that Ad Aware doesn't recognise them as malware either, but haven't confirmed that.

If you find this advice useful, well, the Tip Jar takes Paypal and all major credit cards, should you wish to make a donation of a dollar or two. But it's strictly voluntary.

1 comment:

Anonymous said...

Oh, so it is voluntary to give you a buck! You are so swell!