{"id":51,"date":"2009-06-02T09:51:00","date_gmt":"2009-06-02T09:51:00","guid":{"rendered":"http:\/\/mayanktrivedi.net\/technotes\/2009\/06\/02\/mysterious-new-virus-spyware-grayware\/"},"modified":"2022-04-06T20:23:49","modified_gmt":"2022-04-06T20:23:49","slug":"mysterious-new-virus-spyware-grayware","status":"publish","type":"post","link":"http:\/\/mayanktrivedi.net\/technotes\/2009\/06\/02\/mysterious-new-virus-spyware-grayware\/","title":{"rendered":"Mysterious New Virus \/ Spyware \/ Grayware"},"content":{"rendered":"<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">Strange but true,<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\"><br \/><\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">Yesterday I happened to identify a new virus \/ spyware \/ grayware that is interestingly mysterious stuff. \u00a0I suddenly suspected something fishy on my machine and the initial diagnosis using Trend Micro revealed Nothing. 
\u00a0I restarted my machine and there, while the processes were being started, saw a new process &#8211; &#8220;Beast.Exe&#8221; being initiated.<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\"><br \/><\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">Tried looking for beast.exe in the location where the process was getting triggered for, result &#8211; Nil.<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\"><br \/><\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">Trend Micro, Symantec and McAfee, seemingly the leading AV vendors, don&#8217;t have any signatures for it. \u00a0Interesting, isn&#8217;t it?<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\"><br \/><\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">Well, the steps followed then were &#8211;\u00a0<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\"><br \/><\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">1. Used sysinternals Process Explorer to identify the processes running &#8211; Beast.exe was indeed running<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">2. 
Location of Beast.exe was confirmed to be &#8211; C:DATAFILES, the entire tree being a Hidden Directory and with misleading Folder Icons.<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">3. Beast.Exe not visible at the Location, though it is present, and to unveil that I used &#8211; Simple File Shredder that I use to wipe the data (that was not a smart move, that was interestingly an accidental discovery)<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">4. Killed the Process using sysinternals Process Explorer\u00a0<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">5. Wiped the traces of Beast.exe from the reported folder using Simple File Shredder.<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\"><br \/><\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">Symptoms and impacts are something that I didn&#8217;t actually make note of, but a slight research on Google reveals that it impacts the Microsoft Office Files and corrupts them. 
\u00a0Though I was working on some Excel Sheets when the incident happened, luckily they were opened from Outlook and were residing in the &#8220;temp&#8221; folder.<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\"><br \/><\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\">As stated above, it was interesting to not find any definition from the three leading AV product companies.<\/span><\/span><\/span><\/div>\n<div><span style=\"font-size: medium;\"><span style=\"font-family: verdana;\"><span style=\"color: rgb(255, 0, 0);\"><br \/><\/span><\/span><\/span><\/div>\n<div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Strange but true, Yesterday I happened to identify a new virus \/ spyware \/ grayware that is interestingly mysterious stuff. \u00a0I suddenly suspected something fishy on my machine and the initial diagnosis using Trend Micro revealed Nothing. 
\u00a0I restarted my machine and there while the processes were being started saw a new process &#8211; &hellip;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63,64,39,62],"tags":[],"class_list":["post-51","post","type-post","status-publish","format-standard","hentry","category-beast-exe","category-grayware","category-spyware","category-virus","entry entry-center"],"_links":{"self":[{"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/posts\/51","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/comments?post=51"}],"version-history":[{"count":1,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/posts\/51\/revisions"}],"predecessor-version":[{"id":192,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/posts\/51\/revisions\/192"}],"wp:attachment":[{"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/media?parent=51"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/categories?post=51"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/tags?post=51"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}