A malware with my name

There’s a malware circulating that contains my name in its version information. I’m, of course, not the author (putting one’s own name in the version info would be brilliant). I’m clarifying this because three people have already contacted me about it since yesterday.

It was probably done on purpose; I suspect it is not the result of randomly generated version info. What the author(s) of this malware ignore is that they made me stumble on an additional technique against malware, which will probably damage their business and force them to work harder.

Given my very limited amount of spare time, it’s too soon to discuss this.


15 Responses to A malware with my name

  1. Brad says:

    Hello!

    I was just about to email you notifying you of this exact issue I ran into last night.

    I had done some research on you before I opened the program thinking it was safe as you have some good credentials from what I could find. I was sure you would not be stupid enough to create a program that was malware and attach your name to it.

    I guess that makes me the stupid one for not thinking that it could have been forged.

    Anyways, I am running MS Essentials Virus Scans and MBAM from malwarebytes and so far nothing has been found. Will have to take some further steps to ensure I have not been infected.

    If you want the file I downloaded, then you can contact me via the supplied email for this post.

    Thanks and hope this scoundrel does not drag your name through the mud.

  2. Pingback: Tracking a suspicious process Ogd.exe (0gd.exe) (full walkthrough) | 阿丁看世界

  3. Pingback: Tracking a suspicious process Ogd.exe (0gd.exe) (full walkthrough) - 喔!叮咚!

  4. Hello Brad,
    I’m sorry about what happened to you. But I can’t vouch for files downloaded from places other than my personal webpage.
    I have the malware itself (which has been sent to me by the first person who contacted me), maybe you also have the dropper and could send me that.
    If you look in the Run key in the registry you should be able to find a 3 letter executable, which most surely is the malware. Delete the key, terminate the process, delete the file and that should be it, actually.

  5. Tayler says:

    Well, how do I get rid of it? I can’t find it anywhere and neither can my anti-malware software. Where is its location/how exactly do I locate and delete it? I got into the registry, what would it specifically be called?

    Thanks,
    Tayler

  6. Well, look in the registry under Run, and the location can be easily spotted in the task manager (or Process Explorer). Just look for a 3-letter named process like “klb.exe”. It uses random letters. Kill it, remove the file, remove the entry in the registry (Run) and that should be it.
    I haven’t executed it, but it’s not very difficult.
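The triage described in the two replies above (a randomly named 3-letter executable registered under Run), as an added PowerShell audit script that is not part of the original post or its comments. It lists every Run/RunOnce autostart entry in HKCU and HKLM, resolves the executable each one launches, and flags three-character base names; the key paths are standard, the heuristic and the output columns are this example's own.

```powershell
# Added example: audit Run/RunOnce persistence entries and flag the
# three-letter executable names mentioned in the comments. Run as admin so
# the HKLM keys are readable. Flagged rows are a triage list, not a verdict:
# legitimate processes such as dwm.exe also have three-letter names.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # Pull the launched image out of the command line: either a quoted
        # path or the first token ending in .exe; otherwise keep the raw value
        if     ($cmd -match '^"([^"]+)"')   { $exe = $Matches[1] }
        elseif ($cmd -match '^(\S+?\.exe)') { $exe = $Matches[1] }
        else                                { $exe = $cmd }
        $resolved = [Environment]::ExpandEnvironmentVariables($exe)
        $base     = [System.IO.Path]::GetFileNameWithoutExtension($resolved)
        [PSCustomObject]@{
            Key        = $key
            Name       = $p.Name
            Executable = $resolved
            OnDisk     = Test-Path -LiteralPath $resolved
            ThreeChar  = ($base -match '^[A-Za-z0-9]{3}$')
        }
    }
}

# Show flagged entries first, then everything else for context
$report | Sort-Object -Property ThreeChar -Descending | Format-Table -AutoSize

# Cross-check against running processes with the same naming pattern
Get-Process | Where-Object { $_.ProcessName -match '^[A-Za-z0-9]{3}$' } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize
```

A flagged entry whose file is missing from disk (OnDisk false) is a leftover after a cleanup; a flagged entry with a matching running process is the one to investigate before removing the value and the file.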

  7. Xylitol says:

    Hello Daniel,
    that’s not about your great article,
    but just to say, someone has ripped one of your programs called “Driver List”
    by a guy called Martik.
    You can see the rip on his blog here: http://martik-scorp.blogspot.com/2010/12/show-me-loaded-drivers.html
    renamed the title etc. and says he has coded it; in reality he has just hacked your GUI with a resource editor…

    regards
    __
    /Xylitol

  8. lol says:

    haw haw he “hacked” the gui lol….

    your software is beautiful.

    no matter….

  9. POPTARTCAT says:

    Hey Daniel,

    It might already be a bit late to tell you, but anyway, you can safely run the malware version of your software in a program called “Sandboxie”. I think it’s just a fun thing to be able to do; running malware without infecting your computer. It’s just a thought, but if you haven’t seen your program’s doppelganger as of yet, I strongly believe it will help you.

  10. Hello POPTARTCAT,
    thanks, I know Sandboxie. :)
    On x64 the safety sandboxie provides is limited (so be careful), but anyway I would never run any kind of malware on my system, even if sandboxed. Better to use a virtual machine.

  11. dougal holloway says:

    hi guys, couldn’t help but notice we all saw the same name attached to this cank malware; however this was quite a good one and took me about 4 hours to remove it from a customer’s PC, regardless of Google info. However, my trusty MBAM got the better of it through safe mode, but just wanted to clarify that it’s blatantly obvious that Daniel Pistelli wouldn’t put his name to such a stupid malware (if u created a virus, e.g. Conficker, would u REALLY put ur name to it??? I DON’T THINK SO!!). However, top marks for whoever DID create this, as, to be honest, I’m a PC engineer and it STILL took me 4 hours to rid its infection, so well done, that’s 4 hours of my life I ain’t getting back, and round a complete stranger’s house no less. Unlucky Daniel that ppl are slating u for this malware, I’d look into that if I was u, see if there was a way u can stop that.

  12. There’s no way to stop something like this I’m afraid :)
    However, it really didn’t create much of a problem; few people complained to me.
    I don’t think that many really believe, as you said, that a real malware writer would sign his creation with his own name.

  13. lol says:

    Don’t come here with your MS false positives, this guy is cool.

    If you’re using MS essentials, then you’re using malware.

    NO ONE NEEDS an Anti-virus/anti-malware, at least anyone who is a REAL IT specialist.

    For scriptkiddies: IF you are coding in .NET, find a GOOD commercial/self-made obfuscator; there, GUI hack solved.

    Set the registry permission on the ‘Run’/RunOnce key to read only (for everyone).

    If you do this in the Services key it will require a restart (drivers/services). <– this isn’t advisable since some programs require you to install drivers, but it’s good protection for existing services, and to prevent malware.

    On the Windows NT key (winlogon/userinit), only allow the system access to read and write, and set your username and other accounts to read only.
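Before tightening the permissions the comment above recommends, it helps to see who can currently write to those keys. The following is an added example, not code from the post or its commenters: it reads the ACL of the Run, RunOnce and Winlogon keys and reports each identity that holds a right allowing a new autostart value to be written. The key paths are standard; the CanWrite column and its bit test are this example's own.

```powershell
# Added example: audit which identities can write persistence values into the
# autostart keys discussed above. Read-only, safe to run as a normal user for
# HKCU; HKLM\...\Winlogon needs an elevated session to read its ACL fully.
# Caveat: making HKCU\...\Run read-only for the user also blocks legitimate
# installers that register an autostart entry, so audit first, restrict second.
using namespace System.Security.AccessControl

$paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\NT\CurrentVersion\Winlogon'
)

# Rights that let a principal plant or alter an autostart entry.
# FullControl and WriteKey include these bits, so the -band test catches them too.
$writeBits = [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey

$acl = foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    foreach ($ace in (Get-Acl -Path $path).Access) {
        [PSCustomObject]@{
            Key       = $path
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # Allow / Deny
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            CanWrite  = ($ace.AccessControlType -eq 'Allow') -and
                        (($ace.RegistryRights -band $writeBits) -ne 0)
        }
    }
}

# Writers first: on a default install expect the user's own SID and SYSTEM
# on HKCU\Run, and Administrators/SYSTEM only on the HKLM keys
$acl | Sort-Object -Property CanWrite -Descending | Format-Table -AutoSize
```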

  14. Zarko says:

    Daniel, can you tell me some personal information about you if you can? It interests me :)

  15. Sure, just ask me what you are interested to know. :)
