How to identify the Sunspot Malware is present?

1

I just watched this malware do a man-in-the-middle attack on one of my clients paying for a service using their credit card and cannot find any source to confirm it is in fact Sunspot, so I can verify the post-removal process. No anti-viruses detect it! http://www.net-security.org/malware_news.php?id=1719 Any ideas?

Cameron McGrane

Posted 2011-07-12T08:45:23.200

Reputation: 215

How did you "watch" it? Packet sniffing? – Andrew Lambert – 2011-07-12T08:49:06.750

Try the System Sweeper boot disc: http://connect.microsoft.com/systemsweeper

– Moab – 2011-07-12T15:14:40.200

possible duplicate of What to do if my computer is infected by a virus or a malware?

– Wuffers – 2011-07-12T15:31:17.560

I watched the user complete the transaction they do on a monthly basis, and when they did the post back another form popped up exactly as described in the article. It claimed to be MasterCard, but the image links were broken. The giveaway was that it was asking for an ATM PIN. I'll grab a screenshot next time. – Cameron McGrane – 2011-07-12T20:17:32.857

Updated title and description to "Identify" so as to more accurately define the problem – Cameron McGrane – 2011-07-12T20:23:41.487

Answers

1

I would look at the two registry keys mentioned in the article you posted; this is where it launches from.

Once installed, Sunspot is started either by "rundll32.exe" via

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

or via

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components.

It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox).

Or, better yet, use a browser it does not "hook", like the Chrome browser.

Moab

Posted 2011-07-12T08:45:23.200

Reputation: 54 203

Yeah, I checked: HKCU\RUN was clear and HKLM\Installed Components had too many CLSIDs and folders to distinguish. What do you mean by hook? – Cameron McGrane – 2011-07-12T20:21:04.140

"It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox)." It's a term used to describe injecting a process or DLL into another program or process; some are legitimate, some are malware. – Moab – 2011-07-12T22:35:53.273

You would have to look through all the Installed Components keys for something that does not look legitimate in the right pane; use Google when needed. I have only 24 installed components in my registry key. You will be looking for a DLL, or a path to a DLL, that is not a legitimate Windows DLL. Did you try the System Sweeper I recommended? – Moab – 2011-07-12T22:40:41.590

I used System Sweeper which successfully removed the malware. – Cameron McGrane – 2011-08-15T07:36:13.803

I like that scanner boot CD; it's a good one. Glad you got it removed: http://superuser.com/questions/100360/what-to-do-if-my-computer-is-infected-by-a-virus-or-a-malware/157533#157533

– Moab – 2011-08-15T15:29:05.417
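The answer and Moab's follow-up comment describe a manual triage: open the Run key and the Active Setup Installed Components subkeys and look for a DLL or path that is not a legitimate Windows file. The script below is an added example, not code from the thread or from Microsoft, that automates that first pass in PowerShell. It reads the two locations named in the answer (plus the HKLM Run key, an assumption, since the article excerpt only names HKCU), pulls the launched file out of each command (including the DLL argument when the launcher is rundll32.exe), and flags entries whose target is missing, lies outside %SystemRoot%, or lacks a valid Authenticode signature. A flag means "look closer", not "malicious": plenty of legitimate third-party software lives outside the Windows directory or ships unsigned, so the output is a short list to review by hand rather than a verdict.

```powershell
# Added triage script (not from the thread). Enumerates the autorun locations
# named in the answer and flags entries worth a closer look. Run it from an
# elevated prompt so the HKLM keys are readable.

$Locations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # assumption: also worth checking
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
)

function Get-CommandTarget {
    # Extract the file that actually gets loaded from an autorun command string.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # rundll32.exe <dll>,<entrypoint>: the DLL is the interesting part, not rundll32 itself
    if ($c -match '(?i)rundll32(\.exe)?"?\s+"?([^",]+)') { return $Matches[2].Trim('"') }
    # quoted executable path
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    # unquoted path: keep text up to the first switch (" /x", " -x") or comma
    return ($c -split '\s+[/-]|,')[0].Trim()
}

function Test-AutorunEntry {
    # Return one object per entry, with a Flags column listing why it stands out.
    param([string]$Source, [string]$Name, [string]$Command)
    $target = Get-CommandTarget $Command
    if (-not $target) { return $null }
    $reasons = @()
    if (-not (Test-Path -LiteralPath $target)) {
        $reasons += 'file missing'
    } else {
        if ($target -notlike "$env:SystemRoot\*") { $reasons += 'outside %SystemRoot%' }
        $sig = Get-AuthenticodeSignature -LiteralPath $target
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Target  = $target
        Flags   = ($reasons -join '; ')
    }
}

$results = foreach ($loc in $Locations) {
    if (-not (Test-Path $loc)) { continue }
    if ($loc -like '*Installed Components') {
        # Active Setup: one subkey per CLSID; the launch command lives in StubPath
        foreach ($k in Get-ChildItem $loc) {
            $stub = (Get-ItemProperty -LiteralPath $k.PSPath).StubPath
            if ($stub) { Test-AutorunEntry $loc $k.PSChildName $stub }
        }
    } else {
        # Run keys: each value name is an entry and the value data is the command
        $props = Get-ItemProperty $loc
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            Test-AutorunEntry $loc $p.Name ([string]$p.Value)
        }
    }
}

# Show only the entries that tripped at least one check
$results | Where-Object { $_.Flags } | Format-Table -AutoSize -Wrap
```

The "outside %SystemRoot%" check is deliberately crude: it mirrors Moab's advice to look for a DLL that is not a Windows DLL, and on a machine with a handful of third-party installers it will surface a few legitimate entries alongside anything suspicious. Comparing the flagged list against a known-clean machine of the same build, as Moab did by counting his own 24 components, is the quickest way to narrow it further.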