Infection with tenga.a virus

87 replies to this topic

#1
Multibooter

About 3 weeks ago my laptop got the worst virus infection ever, with the tenga.a virus http://forum.kaspers....php/t7172.html and http://www.f-secure....s/tenga_a.shtml It was much worse than the infection I had 14 years ago with One-Half, which slowly but steadily encrypted cylinders of my HDD.

The tenga.a infection has shattered my mistaken belief that Win98 is not vulnerable to infection anymore, in 2010. Tenga.a came out around 2005 http://www.viruslist...W_never_say_die

Tenga.a infects most .exe files it can find. It has infected all FAT32-based Win98/2k/XP operating systems on my multi-booting laptop. Only one operating system/partition, an NTFS-WinXP rarely accessed, was not infected. The most serious damage was the infection of one 192GB partition of an external 1TB USB HDD, which contained about 100GB of software downloads + installable programs, many not backed up because it was a work disk.

I became aware of the tenga.a infection maybe after 5 hours, when I noticed that the disk access light kept showing activity, even when I was doing nothing on the laptop. But then it was too late, the infection had spread across operating systems/partitions, also to the attached USB HDD.

I still have no idea how I got the virus, with maybe a thousand .exe files infected. Maybe it was my bad habit of double-clicking even on suspicious files in a special test Windows, and then restoring a clean test Windows. Double-clicking on an infected file may have initiated the infection of a .exe on another partition, of another operating system, and started in this way an infection across operating systems.

Getting the laptop clean again was relatively easy, I had to restore all partitions/operating systems/directories from backup onto a clean virgin HDD. The major problem was to recover the infected installation sources on the USB HDD; some of them may have been lost for good.

Here are some lessons I learnt from this infection:
1) Virus infection is still a real danger under Windows 98
2) The only defense against viruses like Tenga.a, if using only occasional on-demand scanning, is a very good backup and recovery procedure.
3) Don't rely on USB HDDs as a backup storage media of software because of their vulnerability to virus infections
4) Backing up installation sources onto write-once media (CD-R, DVD-R) is still an absolute must
5) Installation sources should always be backed up also into an additional .rar or .iso file, which are not as easily infected as .exe
6) It is very important to document the actual download locations of software, in case it has to be downloaded again
7) About 10% of my time with the computer is spent creating, archiving and deleting backups. This is time well spent and has saved my neck already a couple of times.
8) A spare blank HDD, of the same size as in the computer, also comes very handy if a complete HDD has to be restored from backup
9) Maybe I should look again into UDF-formatted HDDs, as supplementary backup devices which can be set to read-only and are therefore not vulnerable to virus infection.


#2
dencorso

I'm sorry to hear of your system's infection. And glad to see you were able to recover fast.
I agree with most of the preventive measures you've just spelled out.

I wish to add just two or three more measures to the list:
I) Full disk dumb sector-by-sector current images of the current installation burnt to read-only optical media
(I use multi DVD+R DL images, and intend to move on to Blu-Ray soon), not older than two or three months, six in the worst case. Or that plus monthly dumb sector-by-sector current images of every partition, where feasible.
II) Up to date virus scanner on the XP partition, performing a daily scan of all the partitions (I use AVG 9).

and, if possible

III) A completely independent machine, with its installation backed up on optical media to use as a sandbox.
(I still don't have one, but that's my next move).

#3
Multibooter

glad to see you were able to recover fast.

Getting all operating systems back to work as before took about 5 hours, from a 4-week-old backup. I am away from the US currently, so I will be able to know for sure whether I lost data on the 1 TB USB HDD when I am back in the US in June. I may have made a backup of the 192GB work partition there, before my trip, but I am not sure, I usually make backups before leaving/entering the US, there are horror stories about confiscated laptops etc.

I wish to add just two or three more measures to the list:
I) Full disk dumb sector-by-sector current images of the current installation burnt to read-only optical media
(I use multi DVD+R DL images, and intend to move on to Blu-Ray soon), not older than two or three months, six in the worst case. Or that plus monthly dumb sector-by-sector current images of every partition, where feasible.

Yes, a forensic .gho image would be excellent, but storing it onto a USB HDD might be good enough, viruses probably don't infect .gho image files on re-writable media. The tenga.a virus did not infect .iso, .rar, only executable 32-bit .exe files. I have a good .gho image of my desktop in the US, but unfortunately not of my old Inspiron laptop, which got infected, so restoring the internal HDD took quite some time. Creating a .gho image of the recovered laptop is on the top of my list now.

II) Up to date virus scanner on the XP partition, performing a daily scan of all the partitions (I use AVG 9).

I have up-to-date Kaspersky AVP v6.0.2.621 under both Win98 and WinXP, but I only scan new downloads. The infection happened very quickly, maybe 5 hours before I noticed it and ran Kaspersky, so a daily scan might not have been timely enough. Also, it was a 5-year-old virus, so a current virus signature update was not needed to detect tenga.a. I just don't know how I got tenga.a, and I suspect that only a continuously running virus-scanner could have prevented the infection :w00t: .

Kaspersky is actually able to disinfect tenga-infected files. Unfortunately, the disinfected files are not identical to the original files. Some .exe files are completely destroyed by tenga, e.g. reduced from 2MB to 30kB, so the disinfected file is of no use. Other disinfected .exe files/archives differ from the original .exe, but extract the identical files as the original .exe.

III) A completely independent machine.

Yes. I had a 2nd identical Inspiron laptop with me, but only with a HDD which had older software on it, of about 2 years ago. I recovered the infected laptop with the help of this 2nd laptop: I partitioned a blank HDD in a USB enclosure connected to laptop #2, inserted the freshly partitioned HDD into laptop #1, installed DOS from a boot floppy, put the HDD back into the USB enclosure, extracted .rar partition backups (from the infected USB HDD, but the .rars were not infected!) onto the HDD, put the HDD back into laptop #1, and re-installed System Commander (from a CD burnt on laptop #2 from a .iso on the infected USB HDD!). Without the 2nd laptop recovery of laptop #1 would have been much more difficult.

#4
dencorso

[far away offtopic]
Multibooter, since you have many SDHC cards, you might find interesting this SATA II SDHC RAID:
Sharkoon's Flexi-Drive S2S
[/far away offtopic]

#5
Guest_wsxedcrfv_*

Here are some lessons I learnt from this infection:
1) Virus infection is still a real danger under Windows 98


You didn't say which OS was in use at the time of the infection, so unless you know that it was Win-98 then I don't think it's valid to say that win-98 is in "real danger" (practically speaking) from unassisted infection techniques.

You didn't say if you have an AV solution on the PC in question, nor what you used to identify the malware once you suspected something was wrong.

Did you make note of the time and date-stamp of the offending infector files? I would have submitted them to VirusTotal and posted the result URL here for us to see just which AV packages would have detected it.

If you made note of the time and date stamp of the offending files, then it would be a matter of simply searching the drive for any files created/modified around the same time to see what you were doing around the time of initial infection.

Just to add some additional information: Tenga spreads between systems by exploiting the RPC vulnerability described by MS03-026. Interestingly, Microsoft lists various NT-based OS's as being vulnerable, but only lists Windows ME as non-vulnerable. Microsoft says nothing about Windows 98 (even though this bulletin is dated July 2003).

So Windows 98 is not vulnerable to the worm-like method this virus uses to spread between systems. Either you intentionally ran the infector file by mistake, or your PC was running an NT-based OS that was not patched against MS03-026 (which would mean that you were infected via network connection, possibly from another machine on your own local lan, or from a non-firewalled WAN connection).

From what I read about Tenga, it only infects PE files (packed executable) and adds 3kb of additional code to the files. It should be relatively easy to remove those 3kb and restore the files to their pre-infection state. I've also read where it renames all .doc files to .scr.

Edited by wsxedcrfv, 20 March 2010 - 08:35 PM.


#6
herbalist

I'm sorry to hear that you got hit but I am relieved to hear that you've realized that 98 is still vulnerable and not immune to attack. A good backup system for both system and data should be part of any system protection against both infection and hardware failure. That said, neither is any help against malware that steals passwords or logs keystrokes. The other problem with relying on backups is knowing when you're infected. Even on 98, malware is not always visible in process monitors. The only sure solution is default-deny and knowing every process that's allowed on your main system, and install new software on a separate test system first. It's a bit of a hassle, but much less so than cleaning up after an infection.

#7
Multibooter

You didn't say which OS was in use at the time of the infection, so unless you know that it was Win-98 then I don't think it's valid to say that win-98 is in "real danger" (practically speaking) from unassisted infection techniques.

I just don't know under which operating system I got infected. I am switching quite frequently between operating systems, but 90% of the time I am using Win98, 10% WinXP. I can definitely exclude that I got the tenga virus via a network under WinXP since I am currently outside of the US and have changed IP settings, passwords, etc only under Win98, not under WinXP; I have currently no network/internet access under WinXP. I have not installed any new software under WinXP since I made the last clean backup and in general don't test-install software under WinXP, only under a special test-Win98. So everything points in the direction of Win98 as the first infected operating system.

Also, a 2nd WinXP on an NTFS partition did not get infected at all, which is kind of a puzzle, maybe because I use this specific operating system selection only very rarely, or because the infection started under Win98 and tenga.a could not see the NTFS partition under Win98, or because I detected the infection early on, before the infected WinXP on the FAT32 partition could infect the not-yet infected WinXP on the NTFS partition.

This tenga.a seems to be an interesting little program. If you want to investigate whether or how Tenga.a infects under Win98, send me a PM, I have enough copies. :)

You didn't say if you have an AV solution on the PC in question, nor what you used to identify the malware once you suspected something was wrong.

I did have, and still have, Kaspersky AV v6 with a current signature on Win98. Tenga.a was specifically detected when I ran under Win98 an on-demand scan with Kaspersky of the whole computer (except for the WinXP on the NTFS partition, invisible under Win98).

Unfortunately I initially selected maybe the first 30 infected files to be deleted, instead of having them disinfected or skipping them, so the original culprit may have been deleted. After I got aware of the extent of the infection I selected disinfection, and after a while I just stopped. When I tried to reboot, none of my Win9x/Win2k/WinXP operating system selections worked anymore, too many critical .exe files had been deleted/disinfected, only the NTFS-based WinXP still worked.

I still have the infected internal HDD, now completely disinfected by Kaspersky, and the still-infected external USB HDD (1TB), where I did not let Kaspersky delete or disinfect files. It is very easy to know, without Kaspersky, which files on the external USB HDD are infected, by just looking at the modification date: all .exe files with a modification date between Feb-28 and Mar-3 on the USB HDD are infected with tenga.

Did you make note of the time and date-stamp of the offending infector files?

There must be more than a thousand infected .exe files on the infected internal HDD and on the infected USB HDD, so it's quite time consuming to find out which .exe file got infected first. What also complicates matters is that when Kaspersky AV identifies an instance of tenga.a, it changes the modification date of the infected .exe to the current date, even if I selected "skip".

It was very easy to identify with Beyond Compare which .exe files were infected, they all had modification dates between Feb-28 and Mar-3 (Mar-3 was the last time I ran Kaspersky on the infected internal HDD and the external USB HDD, Feb-28 was probably the date of infection). In order to repair the infected installation sources on the USB HDD I first made a copy of them, then replaced on the copy the infected .exe files, as identified with their modification date, with the corresponding .exes from other backups/rars/isos. For about 90% of the infected installation sources I had on the USB HDD also an untainted .rar file containing the whole good installation source rared up as a 2nd instance, so recreating a good installation source from the rars was not a problem. About 10% of the infected installation sources, where I had no 2nd .rar instance, I had to download again from the Internet. This was relatively fast with FlashGet because I usually document the exact download URL (not just the html download page) of files downloaded. Maybe 10 installation sources, however, did not exist anymore under their original download URL, including software purchased from Digital River, and were lost for good, unless I can find backups when I am back in the US.

BTW, I was very careful and did not get re-infected when I worked with the clean restored internal HDD on the attached infected USB HDD and on the infected internal HDD inserted into the right-bay HDD module of my laptop.

I would have submitted them to virus total and post the result URL here for us to see just which AV packages would have detected it.

Since tenga.a is an old virus, I would assume that all AV packages detect it.

Tenga spreads between systems by exploiting the RPC vulnerability described by MS03-026. Interestingly, Microsoft lists various NT-based OS's as being vulnerable, but only lists Windows ME as non-vulnerable. Microsoft says nothing about Windows 98 (even though this bulletin is dated July 2003).

When was Tenga detected for the first time? In 2003 or in 2005?

So Windows 98 is not vulnerable to the worm-like method this virus uses to spread between systems. Either you intentionally ran the infector file by mistake, or your PC was running an NT-based OS that was not patched against MS03-026 (which would mean that you were infected via network connection, possibly from another machine on your own local lan, or from a non-firewalled WAN connection).

I don't know. I usually only double-click on an unknown file after having checked it with Kaspersky, and only in a test-win98 which then gets wiped out + restored from a clean backup. I never use any MS patches, my gut feeling is that the cure is worse than the disease.

I remember having manually deleted a file dl.exe from \Win98\, possibly days before I noticed the tenga infection, because I hadn't seen it before in \Win98\. dl.exe is actually a part of tenga.a. Could it be that tenga.a contains a timer which starts to activate at the end of the month (Feb-28 = end of month), and that the actual infection occurred much earlier?

The infected laptop was connected via a peer-to-peer Win98 wireless network to another identical laptop running eMule under Win98. The eMule laptop was not infected, so the infection could not have come from the WLAN network or the eMule computer. I am using the Tiny Personal Firewall v2.0.14 on both laptops, and Tiny did not inform of any calling out from the infected laptop.

From what I read about Tenga, it only infects PE files (packed executable) and adds 3kb of additional code to the files. It should be relatively easy to remove those 3kb and restore the files to their pre-infection state. I've also read where it renames all .doc files to .scr.

I checked with Beyond Compare Hex Viewer, Tenga also makes minor changes in the initial part of the file. Kaspersky can disinfect a tenga-infected file, but the disinfected files always differed somewhere from the original uninfected files.

Usually the infected files were about 3kb bigger, with stuff mainly added at the end. Some infected .exe files, however, were really damaged (e.g. reduced from 2MB to 30kb), a few infected files were even a little smaller than the original uninfected file.
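
The triage Multibooter describes above (modification date as the marker, then swapping in the .exe from an untainted backup) can be scripted, with one refinement the thread itself motivates: because the scanner touches the timestamp even on "skip", a file inside the date window is only replaced when its bytes actually differ from the backup copy. This is an added example, not code from the thread; the directory layout, file names and the constructed sample trees are assumptions, and only the Feb-28 to Mar-3 2010 window comes from the posts.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Infection window reported in the thread: .exe files modified Feb-28 .. Mar-3 2010.
WINDOW_START = datetime(2010, 2, 28, tzinfo=timezone.utc)
WINDOW_END = datetime(2010, 3, 4, tzinfo=timezone.utc)   # exclusive upper bound


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def mtime_utc(path: Path) -> datetime:
    return datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)


def triage(work: Path, backup: Path,
           start: datetime = WINDOW_START, end: datetime = WINDOW_END) -> dict:
    """Classify every .exe under `work` against the same relative path in `backup`.

    Verdicts:
      ok         - modified outside the window; not a candidate
      unchanged  - inside the window but byte-identical to the backup copy
                   (timestamp only touched, e.g. by the AV scanner on "skip")
      restore    - inside the window and differs from the backup: replace it
      no-backup  - inside the window with no clean copy to compare against;
                   needs a re-download or a second archive (.rar/.iso)
    """
    verdicts = {}
    for p in work.rglob("*"):
        if not p.is_file() or p.suffix.lower() != ".exe":
            continue
        rel = p.relative_to(work).as_posix()
        if not (start <= mtime_utc(p) < end):
            verdicts[rel] = "ok"
            continue
        clean = backup / rel
        if not clean.is_file():
            verdicts[rel] = "no-backup"
        elif sha256_of(clean) == sha256_of(p):
            verdicts[rel] = "unchanged"
        else:
            verdicts[rel] = "restore"
    return verdicts


def restore_from_backup(work: Path, backup: Path, verdicts: dict) -> list:
    """Copy the clean backup file over every 'restore' candidate; return what was replaced."""
    replaced = []
    for rel, verdict in verdicts.items():
        if verdict == "restore":
            (work / rel).write_bytes((backup / rel).read_bytes())
            replaced.append(rel)
    return replaced


def _write(path: Path, data: bytes, when: datetime) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def build_sample_trees() -> tuple:
    """Constructed sample (not real data): a work tree in the thread's situation plus a clean backup."""
    root = Path(tempfile.mkdtemp(prefix="tenga-triage-"))
    work, backup = root / "work", root / "backup"
    old = datetime(2009, 12, 1, tzinfo=timezone.utc)
    hit = datetime(2010, 3, 1, 9, 18, tzinfo=timezone.utc)
    clean_exe = b"MZ" + b"\x00" * 998                 # stand-in for a clean PE image
    # uptime.exe: backup is clean; the work copy grew by ~3 kB, as the thread describes
    _write(backup / "MiscUtil/uptime.exe", clean_exe, old)
    _write(work / "MiscUtil/uptime.exe", clean_exe + b"\x90" * 3072, hit)
    # setup.exe: identical bytes, only the timestamp was touched by the scanner
    _write(backup / "MiscUtil/setup.exe", clean_exe, old)
    _write(work / "MiscUtil/setup.exe", clean_exe, hit)
    # a new download inside the window with no backup copy at all
    _write(work / "Downloads/newtool.exe", clean_exe + b"\x90" * 3072, hit)
    # an untouched old file and a non-.exe file, both outside the scope
    _write(work / "MiscUtil/old.exe", clean_exe, old)
    _write(work / "Downloads/readme.txt", b"notes", hit)
    return work, backup


def demo() -> dict:
    work, backup = build_sample_trees()
    verdicts = triage(work, backup)
    restored = restore_from_backup(work, backup, verdicts)
    return {"verdicts": verdicts, "restored": restored,
            "uptime_size_after": (work / "MiscUtil/uptime.exe").stat().st_size}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```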

#8
Multibooter

I am relieved to hear that you've realized that 98 is still vulnerable and not immune to attack.

Vulnerable to old viruses like Tenga, but Win98 has probably a very low vulnerability to new malware.

I am still puzzled on how I got this Tenga infection. It's quite unlikely that such an old virus still exists in the wild. The last WildList I have seen which mentions Tenga.a is of March 2007 http://www.wildlist....List/200703.htm , with a stated date of Feb-2006.

I have been fiddling around during the past year with my old software archives, stuff from many years ago. Maybe I got the infection from old stuff in my archives, maybe some Jurassic-Park-type self-inflicted pain. Maybe I was not aware of the danger lurking in old software archives.

In any case this tenga infection shows that an old virus can still be a pain years later. I wonder whether Tenga runs under Vista/Win7. Because of its ability to infect USB HDDs and across operating systems it's still a very dangerous little program.

The only sure solution is default-deny and knowing every process that's allowed on your main system, and install new software on a separate test system first. It's a bit of a hassle, but much less so than cleaning up after an infection.

This will take a lot of time, and may be good on a system to which few new applications are added. My Win98 may eventually become such a system, but currently I am still installing a lot of new stuff under Win98.

I have budgeted about 5% of my time on the computer for virus-checking and virus-problems, so I view the Tenga infection just as an eventual use of previously budgeted time, and as an interesting intellectual exercise. The time lost getting the laptop back up again was not serious, in contrast to the time lost recovering data on the infected USB HDD.

I am not yet sure how my experience with Tenga will change my precautionary measures against future malware infections; maybe I'll just have to make more frequent backups of new, not-yet-processed downloads stored on my USB HDDs.

Edited by Multibooter, 21 March 2010 - 06:38 AM.


#9
Multibooter

[far away offtopic]
Multibooter, since you have many SDHC cards, you might find interesting this SATA II SDHC RAID:
Sharkoon's Flexi-Drive S2S
[/far away offtopic]

@dencorso, [off topic]I had built myself a similar device a year and a half ago, as an "eMule download station", using a multi-card reader cum hub + 3 SDHC cards. I had used it for about 6 months, then rejected it, because eMule took about 10 minutes to start up and 10 minutes to shut down with it, my download list had between 1000-1500 files, my SDHC cards were just slow (fine during download, even at 200kB/s, but slow during startup and shut down of eMule). A 2nd HDD in the right-bay module of my laptop is much superior, also the regular internal HDD.[/off topic]

BTW, not that far away offtopic, since files damaged by tenga on the USB HDD were on such a device. In the back of my mind I have been pondering whether tenga may have been planted recently onto eMule, to destroy extracted downloads. Some people may have been loading eMule with malware, about 90% of the downloads are now infected, especially shareware stuff, maybe intentionally as a misguided defensive measure.

#10
Guest_wsxedcrfv_*

I'm sorry to hear that you got hit but I am relieved to hear that you've realized that 98 is still vulnerable and not immune to attack.

In this particular case, Windows 98 is/was immune to direct infection. Tenga leverages a fault in the RPC service to spread between systems. Win9x/me does not have any such service to exploit. There have been many RPC vulnerabilities discovered in the NT-based family of Windows over the past 10 years.

How exactly the original infector file got onto Multibooter's system is not clear, but there can be only two ways: (1) A desirable file was obtained by Multibooter from the internet (torrent, shareware, freeware, etc) and this file was already infected with Tenga. (2) Multibooter was running some NT-based OS on his system (win-2k or XP) - and the OS was not patched for this RPC exploit. The PC would have needed to be connected to the internet - but no web-browsing or any user-directed web-activity would have been required. The exploit would have penetrated the NT-OS and installed itself (perhaps in the autoexec, or the win.ini files of his win-98 system files). Multibooter claims that he doesn't use his XP-side for web-surfing, but he doesn't say if he disconnects the network cable from his PC while he's using XP.

#11
Guest_wsxedcrfv_*

I am still puzzled on how I got this Tenga infection. It's quite unlikely that such an old virus still exists in the wild.

If you had an Anti-virus application running during the acquisition and execution of this virus, then it should have been detected immediately during the initial acquisition / downloading of the infected file, or as the virus was active and writing itself to your existing .exe files.

Most antivirus programs (as far as I know) have the ability to intercept all instances of file-creation or file-opening events and automatically scan new files or files that are being opened by applications. This includes web-cached files, etc.

Is it possible that your system was booted into DOS, and you first ran the infected file from that OS - and not windows?

The initial infection event must have occurred soon after you acquired some new file or files or moved/copied some new file(s) to your PC - perhaps from external media (CD, floppy disk, etc) or from an internet download, or via lan connection to another local PC, or via RPC exploit while running XP. If you remember copying some files to your PC from an external source just prior to the infection starting, then you should perform an on-demand scan of that source.

#12
Multibooter

If you had an Anti-virus application running during the acquisition and execution of this virus...

No, I only make occasional on-demand scans, I don't have a virus checker running all the time.

Is it possible that your system was booted into DOS, and you first ran the infected file from that OS - and not windows?

No, I had not booted into DOS around Feb-28.

The initial infection event must have occurred soon after you acquired some new file or files or moved/copied some new file(s) to your PC - perhaps from external media (CD, floppy disk, etc) or from an internet download, or via lan connection to another local PC, or via RPC exploit while running XP. If you remember copying some files to your PC from an external source just prior to the infection starting, then you should perform an on-demand scan of that source.

On Feb-28 I had moved downloaded files via WLAN under Win98 from the eMule laptop (it's a dedicated laptop running only eMule under Win98, WinXP is hardly ever used there) to the later infected laptop (Win98).

#13
Multibooter

In this particular case, Windows 98 is/was immune to direct infection. Tenga leverages a fault in the RPC service to spread between systems. Win9x/me does not have any such service to exploit.

Win98 was not immune to infection. At Win98 startup 2 files infected with tenga were run via the Win98 registry. By infecting most .exe files, and thereby also by chance those which are run thru the Win98 registry at startup, Tenga was active every time Win98 was loaded. I assume the same happened under WinXP and Win2k.

How exactly the original infector file got onto Multibooter's system is not clear, but there can be only two ways: (1) A desirable file was obtained by Multibooter from the internet (torrent, shareware, freeware, etc) and this file was already infected with Tenga.

Yes. It may also have come from my old software archive on CDs, DVD, HDDs on which I was working around that time. Maybe I had archived stuff years ago, at a time when Kaspersky didn't detect Tenga yet. Eventually I will find out. It may also have come out of some old infected email boxes, which I had tried to clean before archiving, around Feb-28, see my posting http://www.msfn.org/...post__p__912130

(2) Multibooter was running some NT-based OS on his system (win-2k or XP) - and the OS was not patched for this RPC exploit. The PC would have needed to be connected to the internet - but no web-browsing or any user-directed web-activity would have been required. The exploit would have penetrated the NT-OS and installed itself (perhaps in the autoexec, or the win.ini files of his win-98 system files). Multibooter claims that he doesn't use his XP-side for web-surfing, but he doesn't say if he disconnects the network cable from his PC while he's using XP.

My WinXP is SP2, without any patches added. WinXP was definitely not connected to the Internet, nor was the infected laptop connected to the WLAN router via cable. I am currently away from the US, where most of my computer tools and resources are located, so I always eject the USB 2.0 WLAN card before running WinXP (my old laptop has no built-in WLAN card), to make sure that there is no Internet or network connection under WinXP which could infect WinXP.

The Tenga infection cannot have occurred earlier under WinXP in the US, where the laptop does have internet access under WinXP, because the system backup I made just before leaving was clean.

Edited by Multibooter, 21 March 2010 - 11:43 AM.


#14
dencorso

I've got two comments:

[ot]The Sharkoon's Flexi-Drive S2S is a true hardware RAID, so it's bound to be fast, if used with the right SDHC cards... I had those SanDisk Extreme III SDHC 16GiB, which are the so called 30 MB/s edition, and that under real world conditions really attain sequential reads of just over 20 MB/s... Under RAID0 that would be 6 times faster, bordering on the limits of the SATA I connection you'd have to use for 98SE to be able to recognize it. Then again, the MTBF would be about 500,000 h, i. e.: 1/6 of that of the individual cards (>3,000,000 h, according to SanDisk).[/ot]

You should consider adding SP3 to your XP. I'm using it since about one month after release, and it's very stable and trouble-free.

#15
Guest_wsxedcrfv_*

You should consider adding SP3 to your XP. I'm using it since about one month after release, and it's very stable and trouble-free.

The fact that he's running XP-SP2 with no additional updates or patches isn't what I'd call smart. SP2 is dated to August 2004 - which predates this Tenga virus. So the system would be vulnerable to Tenga if it had a live (and non-nat'd) internet connection.

With regard to SP2, I've never understood what the difference is between an SP2 system that's been kept up-to date with all available patches vs an SP3 system in a similar update state. I'm under the impression that both systems would be equally patched or equally protected from all known exploits.

I still say that win-98 was "hit" by this Tenga only because the system is occasionally booted with a horribly-vulnerable version of XP. Any system that is single-booted only into Win-98 would not have been vulnerable to Tenga just by virtue of having a live internet connection. It would have taken user-assistance to execute Tenga on a Win-98 system, by way of running a file that was already infected.

#16
Multibooter

The fact that he's running XP-SP2 with no additional updates or patches isn't what I'd call smart... I still say that win-98 was "hit" by this Tenga only because the system is occasionally booted with a horribly-vulnerable version of XP.

I beg to disagree. My feeling is that by updating with new patches I mainly update spyware and spyware-vulnerabilities to the newest state. My feeling is that not just a search engine, but many big corporations cooperate with the NSA. I view infections with NSA-induced spyware as dangerous, and infections with a virus like Tenga as an entertaining nuisance.

I am just choosing between the lesser of two evils, and am fully aware of the risks, which I try to reduce by very intensive backups, by using ex-Soviet malware detectors, by having the WLAN-card removed when using WinXP, by using WinXP as little as possible and by installing a minimum of closed-source US-software created after 11-Sept-2001.

So the system would be vulnerable to Tenga if it had a live (and non-nat'd) internet connection

The router always had NAT on. Tiny Personal Firewall v2.0.14 is always on under Win98 and WinXP and did not report any calling out.

I have checked the still-infected 1TB USB HDD. Tenga.a seems to be a very efficient little program: on one partition of the USB HDD Tenga infected 5329 .exe files on Feb-28 between 9:04 PM and 9:07 PM, i.e. about 1700 files per minute, on my old 700MHz laptop.

On the infected internal HDD, now disinfected, I have found on C:\ a file DL.exe with the modification date of Mar-1 9:18AM. It was not an .exe file, just a renamed ASCII file with the following content:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://utenti.multim...">here</a>.</p>
</body></html>

The URL in my DL.exe differs from the URL listed in http://quickheal.co....rts-tenga-a.asp
[http://]utenti.lycos.it/[REMOVED]/dl.exe
[http://]utenti.lycos.it/[REMOVED]/CBACK.EXE
[http://]utenti.lycos.it/[REMOVED]/GAELICUM.EXE
When I tried to manually download dl.exe from multimania.it, I got a 404; multimania.it had the page title "Lycos Tripod".
I did not find cback.exe or gaelicum.exe on the formerly infected HDD. Maybe Tenga was unable to execute all its work on my laptop.

Here another observation: Just around the time the USB HDD was infected, I was in Win98 and then tried to boot into WinXP, but somehow couldn't, or WinXP didn't come up properly, I don't remember anymore. In any case, I modified boot.ini, and after the 2nd or 3rd attempt WinXP came up Ok again, no idea why. During my attempts to boot into WinXP I most likely had the infected USB HDD connected (but the old BIOS of my laptop does not see USB devices connected at boot time).

Most likely Tenga had started under Win98 and had then infected, under Win98, some critical system files on the FAT32 WinXP partition, so that WinXP had trouble starting up.

On my laptop the various operating systems have common access to standalone programs, i.e. there is a single instance of standalone programs, which are accessed under the various operating systems by creating a desktop shortcut there. For example, I am using uptime.exe. I run it under Win98 and under WinXP via a desktop shortcut to C:\MiscUtil\uptime.exe. So if C:\MiscUtil\uptime.exe is infected, the infection will spread to other operating systems whenever I click on the shortcut to Uptime under that operating system. The original idea was to avoid duplicate copies of standalone programs, but this may actually be an unsafe practice in a multibooting environment.

One of my interests in this topic is to explore "How to prevent cross-operating system infections in a multibooting environment". A virus which could encrypt modern HDDs, similar to ancient One-Half http://www.csie.ntu....IN/ONEHAL~1.HTM , which I mentioned in the introduction to this topic, could be just as much of a nuisance as Tenga. BTW, it would be interesting to know whether ancient One-Half can infect modern 1TB HDDs.

It would have taken user-assistance to execute Tenga on a Win-98 system, by way of running a file that was already infected.

This is also what I suspect, that I must have double-clicked on an infected file. But this is absolutely against my practices, to which I strictly adhere: I ALWAYS check downloads or stuff from my archive with Kaspersky before running it, and Kaspersky does detect Tenga. It is still a puzzle how I got this virus, under which operating system Tenga started and how it spread from one operating system to the next.
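Two points in the post above lend themselves to a check that can be run from any of the booted systems: the shared program tree is exactly the thing that carries an infection from one OS to the next, and a mass infector leaves a burst of thousands of executables modified within a few minutes (5329 files in three minutes, as observed). The following is an added example, not code from the thread and not Multibooter's own tooling. It records size, modification time and SHA-256 of every executable under a root, reports what changed against an earlier manifest, and groups modification times into windows. The sample tree, file names and the epoch timestamp in demo() are constructed; the example assumes the manifest is stored on media the scanned systems cannot write to (a file next to the executables could be rewritten by the same infector).

```python
"""Baseline-and-compare integrity check for executables on a partition that
several operating systems share.  Added example, not code from the thread.
Assumption: the manifest is kept on media the scanned systems cannot write
to (an infector that rewrites every .exe could just as easily edit a list
stored next to them)."""
import hashlib
import json
import os
import tempfile
from collections import Counter

EXE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map path-relative-to-root -> size, integer mtime and SHA-256 for every
    executable below root.  Paths are stored with '/' so a manifest produced
    under one OS compares equal to one produced under another."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                             "sha256": _sha256(full)}
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Return (modified, added, removed) as sorted lists of relative paths.
    'modified' is decided on the hash alone: an infector may restore the
    original mtime, but it cannot restore the original content."""
    modified = sorted(p for p in old if p in new and old[p]["sha256"] != new[p]["sha256"])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return modified, added, removed


def mtime_bursts(manifest, window_s=300, threshold=3):
    """Group executables by modification-time window and return
    [(window_start_epoch, count)] for windows holding at least `threshold`
    files.  Thousands of executables written within a few minutes, across
    unrelated directories, is the signature of a mass file infector rather
    than of an ordinary installer."""
    buckets = Counter(m["mtime"] // window_s for m in manifest.values())
    return [(b * window_s, n) for b, n in sorted(buckets.items()) if n >= threshold]


def demo():
    """Constructed scenario: a shared utilities tree gets a baseline, then an
    appending infector rewrites three of its four executables inside one
    minute.  All names, contents and the epoch time are made up."""
    root = tempfile.mkdtemp()
    for name in ["uptime.exe", "tool1.exe", "tool2.exe", "safe.exe", "readme.txt"]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"MZ" + name.encode())
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")  # stands in for off-partition media
    save_manifest(build_manifest(root), baseline_path)

    t0 = 1267390000  # constructed timestamp for the infection burst
    for name in ["uptime.exe", "tool1.exe", "tool2.exe"]:
        p = os.path.join(root, name)
        with open(p, "ab") as f:
            f.write(b"\x90" * 64)  # stand-in for appended viral code
        os.utime(p, (t0, t0))

    current = build_manifest(root)
    modified, added, removed = compare(load_manifest(baseline_path), current)
    return modified, added, removed, mtime_bursts(current)


if __name__ == "__main__":
    mod, add, rem, bursts = demo()
    print("modified:", mod, "added:", add, "removed:", rem)
    for start, count in bursts:
        print(f"{count} executables written in the 5-minute window starting at epoch {start}")
```

In use, build_manifest() would be run once from a known-clean boot and its output saved off the shared partition; after that, compare() run from any OS lists every executable whose content changed, regardless of what the file's timestamps say, and mtime_bursts() gives the quick "was there a mass write" answer before the hashes are even consulted.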

#17
jaclaz
    The Finder
  • Developer
  • 14,042 posts
  • OS:none specified

I beg to disagree. My feeling is that by updating with new patches I mainly update spyware and spyware-vulnerabilities to the newest state. My feeling is that not just a search engine, but many big corporations cooperate with the NSA. I view infections with NSA-induced spyware as dangerous, and infections with a virus like Tenga as an entertaining nuisance.

Do I smell some good ol' conspiracy theory? :unsure:

There may be "good" and "bad" companies:
http://yro.slashdot....7/07/18/1434229
http://yro.slashdot..../199223&tid=158
http://news.cnet.com..._3-6197020.html
http://news.cnet.com..._3-6196990.html

jaclaz

#18
Multibooter
    Friend of MSFN
  • Member
  • 896 posts
  • OS:98SE

Do I smell some good ol' conspiracy theory? :unsure:

http://www.mondoraro...targato-regime/
Maybe the Iranian and Chinese governments are not only for censorship, but also want to stop Poodle's data gathering. Paranoid concerns with national sovereignty, seeing data-gathering arms of the NFA everywhere? :D

BTW, http://news.cnet.com...-police-spyware is 404

Although I don't think it's likely, I have also been considering whether the Tenga infection was a targeted installation. ISPs seem to be able to access connected computers with relative ease, I assume a connected computer is just a client in the ISP's network. I am not sure how much Win98 protects against a snooping ISP.

#19
jaclaz
    The Finder
  • Developer
  • 14,042 posts
  • OS:none specified

BTW, http://news.cnet.com...-police-spyware is 404


Sure it is. :(

The makers of the Board software expressly made their parser for posted URLs in such a way as to break them at commas, in order to prevent users from reading pages like:
hxxp://news.cnet.com/Security-firms-on-police-spyware,-in-their-own-words/2100-7348_3-6196990.html
(or maybe it was FBI or NSA forcing CNET to use these malformed URLs? :unsure:)

Let's see if they got to TinyUrl too:
http://tinyurl.com/cnc3d3

Good :), they missed it. ;)

jaclaz

#20
Multibooter
    Friend of MSFN
  • Member
  • 896 posts
  • OS:98SE

Maybe the Iranian and Chinese governments are not only for censorship, but also want to stop Poodle's data gathering.

Huh, what a typo :D , I surely didn't want to allude to Mao's "the imperialists and their running dogs" http://www.marxists....-book/ch05.htm. I just came by chance across this news from the bbc: "Google provided US intelligence agencies with a record of its search engine results, the state-run news agency Xinhua said." http://news.bbc.co.u...ess/8581393.stm
"On Sunday, state media in China attacked Google for what they described as the company's "intricate ties" with the US government." http://news.bbc.co.u...fic/8582233.stm

Edited by Multibooter, 23 March 2010 - 02:03 AM.


#21
Queue
    Member
  • 164 posts

...and how it spread from one operating system to the next.

This is the easiest part of the puzzle: tenga is a real, classic virus, where it searches for all executables on the computer and copies itself into them. It infected files that were related to the other versions of Windows on the same machine; they were executables so it infected them.

It's also no mystery why it didn't infect the NTFS partition: the initial mass spreading occurred when you were booted into Win98 and Win98 had no way to interact with the NTFS partition as a file system.

What could be a mystery is if you successfully booted into an infected WinNT environment, why the NTFS partition wasn't infected then. The virus may only search for executables to infect under certain circumstances which failed to occur.

---

As for how you were infected initially: you could have downloaded and run a program that wasn't detected as malicious by your anti-virus, which then downloaded a tenga-infected executable and ran it. Just a possibility, but I am inclined to think the wound was self-inflicted (as in, you ran a program that led to the infection), due to how tenga spreads (over a network) and how you handle WinXP (in regards to the internet).

---

As for the conspiracy theories, namely about ISPs, unless you have Windows configured poorly, they would have no more power to force files onto your computer than any random person on the internet.

You are welcome to conspiracy theories, though I think you're just shooting yourself in the foot. But that's what freedom's about: you can shoot yourself in the foot if you want to, and I can think that you shouldn't if I want to.

And, thank you for sharing your experience with us, it's always encouraging to hear when people's backup schemes DO prove worth it, and what you went through.

Queue

P.S. - I bleeping hate the new forum style, particularly when using it from IE6.

#22
Multibooter
    Friend of MSFN
  • Member
  • 896 posts
  • OS:98SE
Note by dencorso: The contents of this post have been lost. The two snippets of text below are all we have left at the moment, from its original content.


[...]I am using Firefox v2.0.0.20 and Opera v9.64... If you turn off Java + JavaScript, msfn.org comes up really fast, without ads, though I am not sure whether you can post when they are off.[...]

[...]Are there any files created by Windows which contain lists of recently accessed files? It might be useful to delete such files, for preventing the spread of potential infections with other malware. I would doubt that Tenga can search the registry or index.dat.[...]

Edited by dencorso, 27 March 2010 - 08:27 AM.


#23
jaclaz
    The Finder
  • Developer
  • 14,042 posts
  • OS:none specified

Are there any files created by Windows which contain lists of recently accessed files? It might be useful to delete such files, for preventing the spread of potential infections with other malware. I would doubt that Tenga can search the registry or index.dat.

You cannot say.
MRU is in Registry.
NTFS normally updates last accessed time in the filesystem.
Use this - in case you feel dangerously exposed ;):
http://www.nirsoft.n...n_after_me.html


jaclaz

#24
Multibooter
    Friend of MSFN
  • Member
  • 896 posts
  • OS:98SE

Tenga spreads between systems by exploiting the RPC vulnerability described by MS03-026. Interestingly, Microsoft lists various NT-based OS's as being vulnerable, but only lists Windows ME as non-vulnerable. Microsoft says nothing about Windows 98 (even though this bulletin is dated July 2003). So Windows 98 is not vulnerable to the worm-like method this virus uses to spread between systems.

Here is Panda's opinion:
"Affected platforms: Windows XP/2000/NT/ME/98/95 [NOTE: WinME is specifically included here!]
First detected on: July 14, 2005"
"Tenga.A shows a very complex infection routine, which it uses in order to infect all the executable files on the computer, excepting NTOSKRNL.EXE. It is even capable of infecting files belonging to the operating system, as it disables the characteristic known as Windows File Protection.
Tenga.A spreads by attacking IP addresses, in which it tries to exploit the vulnerability RPC DCOM. Additionally, as Tenga.A infects files, it could also reach computers when the infected files are distributed through any of the typical means of transmission, which include, among others, floppy disks, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer file sharing programs (P2P), etc."

http://www.pandasecu...da=particulares

Tenga.a seems indeed an interesting little program, but I haven't found info yet on how exactly it picks the files to be infected. Panda is wrong here because Tenga did not infect all the .exe files on my computer, only some of them.

P.S.: excellent info here on how Tenga infects files (the best I found so far):
http://www.pandasecu...rmation/Tenga.A
Also, panda updated their info page about Tenga.a yesterday, so this virus seems to be still of current interest.

Edited by Multibooter, 23 March 2010 - 10:20 AM.
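The Panda text quoted above says Tenga.A infects executables but not how it alters them, and the page does not document the routine, so the following is an added example of generic static heuristics for an executable altered by an appending file infector, not a description of Tenga.A's own method and not code from the thread. It parses the DOS header, PE signature, AddressOfEntryPoint and section table of a PE32 file, then flags an entry point that lies in the last section, an entry section that is both writable and executable, an entry point outside every section, and data appended beyond the last section (an overlay). The sample images are built in memory by build_pe(); the section names, layouts and the ".virus" section are constructed. Packed, self-extracting and installer executables trip these heuristics legitimately, so they are a triage aid, not a verdict.

```python
"""Static heuristics for an executable altered by an appending file
infector, run against minimal PE32 images built in memory.  Added example,
not from the thread and not a description of Tenga.A's routine; the
section names and layouts below are constructed."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200
SIZE_OPT_PE32 = 224


def parse_pe(data):
    """Read e_lfanew, AddressOfEntryPoint and the section table of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + size_opt + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "chars": chars})
    return {"entry": entry, "sections": sections, "size": len(data)}


def suspicious(pe):
    """Return a list of findings; an empty list means no heuristic fired."""
    findings = []
    secs = pe["sections"]
    entry = pe["entry"]
    ep = next((s for s in secs
               if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep is None:
        findings.append("entry point lies outside every section")
    else:
        if len(secs) > 1 and ep is secs[-1]:
            findings.append(f"entry point in last section '{ep['name']}'")
        if ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry section '{ep['name']}' is writable and executable")
        if not ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry section '{ep['name']}' is not executable")
    if secs:
        end = max(s["raw_ptr"] + s["raw_size"] for s in secs)
        if pe["size"] > end:
            findings.append(f"{pe['size'] - end} bytes of overlay after the last section")
    return findings


def build_pe(layout, entry_rva):
    """Assemble a minimal PE32 file from [(name, rva, raw_size, characteristics)].
    Only the fields parse_pe() reads are populated; the image is not loadable."""
    nsec = len(layout)
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, SIZE_OPT_PE32, 0x102)
    opt = bytearray(SIZE_OPT_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)   # SectionAlignment, FileAlignment
    header_len = len(dos) + len(coff) + len(opt) + 40 * nsec
    first_raw = -(-header_len // FILE_ALIGN) * FILE_ALIGN  # round up to file alignment
    raw_ptr = first_raw
    table, body = b"", b""
    for name, rva, raw_size, chars in layout:
        table += struct.pack("<8sIIIIIIHHI", name, raw_size, rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += bytes(raw_size)  # zero-filled section contents
        raw_ptr += raw_size
    header = dos + coff + bytes(opt) + table
    return header + bytes(first_raw - len(header)) + body


# Constructed layouts: a plain image, the same image with an appended RWX
# section that now holds the entry point, and the plain image with 100 bytes
# tacked on after the last section.
CLEAN = [(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x200, 0xC0000040)]
INFECTED = CLEAN + [(b".virus", 0x3000, 0x200, 0xE0000020)]


def clean_findings():
    return suspicious(parse_pe(build_pe(CLEAN, 0x1010)))


def infected_findings():
    return suspicious(parse_pe(build_pe(INFECTED, 0x3010)))


def overlay_findings():
    return suspicious(parse_pe(build_pe(CLEAN, 0x1010) + bytes(100)))


if __name__ == "__main__":
    for label, fn in [("clean", clean_findings), ("appended section", infected_findings),
                      ("overlay", overlay_findings)]:
        print(f"{label}: {fn() or ['no findings']}")
```

Against real files, replace build_pe() with open(path, "rb").read() and run suspicious() over a whole tree; the entry-in-last-section and overlay checks are the two that a simple appending infector cannot avoid without rewriting the host's original code, which is why they are worth running even though packers also trigger them.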


#25
jaclaz
    The Finder
  • Developer
  • 14,042 posts
  • OS:none specified

Tenga.a seems indeed an interesting little program, but I haven't found info yet on how exactly it picks the files to be infected. Panda is wrong here because Tenga did not infect all the .exe files on my computer, only some of them.

Maybe it had not enough time, it may well have a "list of priorities" and only infect a few files per session, for all we know. ;)

jaclaz
