Does anyone know what specific vulnerability is being exploited here?  Were the computers involved completely up-to-date with MS patches and still got infected?


From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Bosman, Don
Sent: Thursday, June 26, 2008 10:07 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] XP or Vista Antivirus 2008 ..... Here is one mechanism of infection

I always accepted users’ comments that they didn’t know how they got infested because it’s generally the truth. I didn’t understand how they couldn’t have noticed that their machine had slowed, but even on campus the network can get frustratingly slow at times. Now that it happened to me, I can tell you one way to get it. Using MSIE, browse to a recommended site from a news aggregator who has never let you down in the past. After thirty seconds or so your machine slows to the point that any tech knows it’s been infested. There are thousands of sites that are harboring malware scripts. I know I should have been using Firefox, but for some reason I was in IE.

For my home machine, running online scans offered by both www.antivirus.com (Trend Micro) and http://www.kaspersky.com/virusscanner (Kaspersky Labs) cleaned up the problem. While not requiring much interaction from me, the scan process did take hours.

Here at work I used to trust HitmanPro II http://www.hitmanpro.nl/hitmanpro/ but even it hasn’t been catching the latest script-installed malware.

Best practice as of today – Run Firefox or Opera with scripting turned off. I was amazed at the number of everyday sites that require scripting to do simple things that could have been better coded. Now I generally recover data from another profile and re-image the machine.

Good luck.

Don Bosman
Information Technologist
Libraries, Michigan State University
  100 Library
  East Lansing, MI 48824-1048
  [log in to unmask]
  (517) 432-6123 ext 233
  Fax (517) 432-8374