RoyalSurf & Brief ramble about trojans/virii

Trojan Horse

I don’t recommend this. I was using IE on it (I don’t exactly remember why; I hate IE) and there must be a new exploit of some sort for IE. I visited a certain site and ZoneAlarm freaked out about ~.exe trying to become a startup item. I denied that, then denied it access to the internet and the trusted zone. I then searched for this file and, lo and behold, it was in the system32 folder. In case you don’t know, most virii/trojans hang out in that folder. I could not delete it, nor could I end its process; since it had not been added as a startup item, I decided I should reboot. I then disconnected my modem, went into system32 and deleted it. Then I proceeded to do a full virus scan with NOD32 and ZoneAlarm. Nothing came up, so I guess I made it out alright.

I would have liked to analyze this file, but I would have had to set up a VMware machine and play with OllyDbg, and I wasn’t really in the mood to go that far with it. Of course, I suppose I could have analyzed it with IDA Pro, but alas I didn’t bother since I wanted it gone. I was kind of interested in whether it was a trojan or a downloader for adware. I could have dropped it into one of the various online virus scan sites as well, I suppose.

Looking at milw0rm, it looks like there are quite a few IE exploits. Still, most of the sites on RoyalSurf are shady and I really would not recommend using them.

On the flip side, I highly recommend ZoneAlarm, because it has saved me a few times from being infected. I usually don’t have issues with infections; it’s rare, but it happens. I wonder sometimes how everyone else gets along without getting infected with anything. I think I read somewhere that most Windows PCs were infected with one thing or another.

There are so many ways to disguise a file and hide it from virus scanners: packing, hex modification, etc. With a nicely packed trojan spliced onto a regular exe, I can’t see how a normal user would notice. On top of that, they’re often disguised as FireFox.exe or iexplore.exe or a system process. So, even if a user bothers to check out running processes, it’s unlikely they’ll see it.
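The masquerading trick above (a browser or system binary name running from somewhere it should not) is one of the few things a user or admin can actually check for. Here is an added example of that check, not code from the original post: it takes a snapshot of process name/path pairs (the snapshot below is constructed, and the expected install directories are an assumption based on default Windows and Firefox paths) and flags names running from the wrong directory or names that are one letter off from a known binary.

```python
"""Flag processes whose name imitates a browser or Windows system binary but
whose image path is not where that binary legitimately lives.  The snapshot
below is constructed; on a real host you would feed in (name, exe path) pairs
taken from Get-Process or psutil."""
from difflib import SequenceMatcher
from pathlib import PureWindowsPath
from typing import Optional

# Expected install directories per binary (assumption: default Windows/Firefox paths).
EXPECTED_DIRS = {
    "firefox.exe": {r"C:\Program Files\Mozilla Firefox",
                    r"C:\Program Files (x86)\Mozilla Firefox"},
    "iexplore.exe": {r"C:\Program Files\Internet Explorer",
                     r"C:\Program Files (x86)\Internet Explorer"},
    "svchost.exe": {r"C:\Windows\System32"},
    "lsass.exe": {r"C:\Windows\System32"},
}

def _norm(path: str) -> str:
    """Case-insensitive, separator-normalised directory string for comparison."""
    return str(PureWindowsPath(path)).lower().rstrip("\\")

def classify(name: str, path: str) -> Optional[str]:
    """Return a finding label, or None if the process looks legitimate."""
    lname = name.lower()
    parent = _norm(str(PureWindowsPath(path).parent))
    if lname in EXPECTED_DIRS:
        allowed = {_norm(d) for d in EXPECTED_DIRS[lname]}
        return None if parent in allowed else "wrong-path"
    # Lookalike: close to a known name but not identical (e.g. one letter dropped).
    for known in EXPECTED_DIRS:
        if SequenceMatcher(None, lname, known).ratio() >= 0.85:
            return f"lookalike:{known}"
    return None

def find_masquerades(snapshot):
    """Return (name, path, finding) for every suspicious entry in the snapshot."""
    return [(n, p, r) for n, p in snapshot if (r := classify(n, p))]

# Constructed snapshot, not real telemetry.
SAMPLE = [
    ("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("firefox.exe", r"C:\Windows\System32\firefox.exe"),             # browser name in system32
    ("IEXpore.exe", r"C:\Users\bob\AppData\Local\Temp\IEXpore.exe"),  # one letter off
    ("svchost.exe", r"C:\Users\bob\AppData\Roaming\svchost.exe"),    # system name in a profile dir
]

if __name__ == "__main__":
    for finding in find_masquerades(SAMPLE):
        print(finding)
```

A path check alone does not catch a trojan spliced into the real binary at its real location; for that you still need a signature or hash check against a known-good copy.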
