Monday, April 30, 2012

S.M.A.R.T. Virus (Aleuron.E) Hides in a Hidden Partition

Last week a client got the virus that makes it appear you are having hard disk failures (the fake "SMART HDD" failure warnings). Normally removal of this virus is simple and well documented at reputable websites such as here. And so I had removed the virus for the client successfully, or so I thought. A few hours later he called to tell me that his antivirus program, Microsoft Security Essentials, was popping up and catching the "Aleuron.E" virus, and every time he clicked Remove it popped back up within seconds with the same virus.
Later that day he dropped by with the PC in hand. I figured it could not be that hard; I would simply remove the virus with a rootkit remover.
I proceeded to run the normal tools that I have linked on my site www.cci.net/support. I first tried TDSSKILLER, the amazing and reliable tool, and this time it found no rootkit. Then I went to McAfee and gave STINGER a try, as I had had an occurrence where it found a rootkit when TDSSKILLER did not; still nothing was found. Hmm. I then went through all the tools: Norton Security sweep, Microsoft Scanner, and lastly COMBOFIX. But no positive results; Microsoft AV was still popping up with the "Aleuron.E" virus warning.
So then I got out the Windows XP CD-ROM, booted from it, and ran FIXMBR, hoping I could rewrite the master boot record and overwrite the virus, but after the restart it was still there.
Finally, I brought up the "Disk Manager" in Windows and noticed an "unused" partition at the very end of drive C. It was very small, well under 100 MB, and did not seem to be formatted or to have a drive letter associated with it. But this is where the virus lived. I highlighted the partition and deleted it, rebooted the PC, did a final sweep with my virus scanner tools, and verified that it was CLEAN.
We can expect to see more viruses using this technique. 
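As an added example (not part of the original post), here is a small Python script that reads the partition table out of a disk's first sector and flags any small partition sitting after the main system partition, which is exactly what the "unused" partition above looked like in Disk Manager. It also shows why FIXMBR did not help: FIXMBR rewrites only the boot code in the first 446 bytes of the sector and leaves the 64-byte partition table alone, so a partition-based hiding place survives it. The sample sector is constructed for this example; the partition type 0x17 (hidden NTFS in the usual MBR type lists) and the 100 MB threshold from the post are assumptions.

```python
import struct
import sys

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts right after the boot code
ENTRY_FMT = "<B3xB3xII"     # boot flag, CHS start (skipped), type, CHS end (skipped),
                            # LBA start, sector count


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR signature")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        boot, ptype, start, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue        # empty slot
        parts.append({
            "slot": slot,
            "bootable": boot == 0x80,
            "type": ptype,
            "start": start,
            "sectors": count,
            "size_mb": count * SECTOR / (1024 * 1024),
        })
    return parts


def suspicious_partitions(parts: list, max_mb: float = 100.0) -> list:
    """Flag partitions under max_mb that sit after the largest (system) partition."""
    if len(parts) < 2:
        return []
    main = max(parts, key=lambda p: p["sectors"])
    main_end = main["start"] + main["sectors"]
    return [p for p in parts
            if p is not main and p["start"] >= main_end and p["size_mb"] < max_mb]


def make_entry(boot: int, ptype: int, start: int, count: int) -> bytes:
    return struct.pack(ENTRY_FMT, boot, ptype, start, count)


def build_sample_mbr() -> bytes:
    """Constructed sample: a 20 GiB NTFS system partition followed by a 32 MiB
    partition of type 0x17 (hidden NTFS) at the end of the disk."""
    main_sectors = 20 * 1024 * 1024 * 2     # 20 GiB in 512-byte sectors
    tail_sectors = 32 * 1024 * 2            # 32 MiB
    table = make_entry(0x80, 0x07, 2048, main_sectors)
    table += make_entry(0x00, 0x17, 2048 + main_sectors, tail_sectors)
    table += b"\x00" * 32                   # two empty slots
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"


if __name__ == "__main__":
    # Pass a file holding a raw copy of sector 0, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read(SECTOR)
    else:
        raw = build_sample_mbr()
    parts = parse_mbr(raw)
    flagged = suspicious_partitions(parts)
    for p in parts:
        tag = "  <-- small trailing partition, check it" if p in flagged else ""
        print(f"slot {p['slot']}: type 0x{p['type']:02x} start {p['start']} "
              f"size {p['size_mb']:.1f} MB{tag}")
```

Run it against a raw copy of sector 0 (for example `dd if=/dev/sda bs=512 count=1 of=mbr.bin` on a Linux rescue system) by passing the file name. A flag is a prompt to look, not a verdict: vendor recovery partitions and EFI system partitions are also small and unlettered, so confirm what a flagged partition holds before deleting it.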

Wednesday, December 2, 2009

Spam Confidential 12-10-2009


The "Create Personal Profile" link in the message below points to http://online.cdc.gov.yttt4l.co.im/h1n1..... Notice that the link has cdc.gov in it, but the host name continues on to yttt4l.co.im (co.im is for domains in the Isle of Man), so the domain you actually land on is yttt4l.co.im, not cdc.gov. If it really went to cdc.gov you would see something more like http://online.cdc.gov/index.html



-----Original Message-----

From: Centers for Disease Control and Prevention [mailto:cdc-message-id:46024med@cdcmails.gov]

Sent: Tuesday, December 01, 2009 6:59 AM

To:

Subject: Governmental registration program on the H1N1 vaccination



You have received this e-mail because of the launching of State Vaccination H1N1 Program.

You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The Vaccination is not obligatory, but every person that has reached the age of 18 has to have his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for the vaccinated people and the not-vaccinated ones. This profile is used for the registering system of vaccinated and not-vaccinated people.

Create your Personal H1N1 Vaccination Profile using the link:

Create Personal Profile (link: http://online.cdc.gov.yttt4l.co.im/h1n1.....) Notice that the link has cdc.gov in it but continues on to yttt4l.co.im (co.im is for domains in the Isle of Man). If it really went to cdc.gov you would see something more like http://online.cdc.gov/index.html


________________________________________

Centers for Disease Control and Prevention (CDC) • 1600 Clifton Rd • Atlanta GA 30333 • 800-CDC-INFO (800-232-4636)
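The check described above, as an added Python example that is not part of the original post: pull the host name out of the link, work out which part of it somebody actually registered, and compare that with the domain the message claims to be from. The same helper is applied to the From: address, which the quoted headers show as cdcmails.gov rather than cdc.gov. The small suffix table is a constructed stand-in for the full Public Suffix List, and cdc.gov as the expected domain is taken from the message.

```python
from urllib.parse import urlsplit

# Minimal table of two-label public suffixes, constructed for this example.
# Production code should use the full Public Suffix List (publicsuffix.org).
TWO_LABEL_SUFFIXES = {"co.im", "co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the part of a host name that somebody actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def under_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def mentions_domain(host: str, domain: str) -> bool:
    """True if the labels of domain appear anywhere inside host (e.g. as a decoy prefix)."""
    return f".{domain}." in f".{host}."


def analyze_link(url: str, expected: str = "cdc.gov") -> dict:
    """Classify a link: genuine, a lookalike that only mentions the expected domain, or neither."""
    host = (urlsplit(url).hostname or "").lower()
    genuine = under_domain(host, expected)
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "genuine": genuine,
        "lookalike": mentions_domain(host, expected) and not genuine,
    }


def sender_domain(address: str) -> str:
    """Registrable domain of an e-mail address, with any mailto: prefix stripped."""
    addr = address.split(":")[-1]
    return registrable_domain(addr.rsplit("@", 1)[-1])


if __name__ == "__main__":
    # Both links are the ones discussed in the post; the From: address is from its headers.
    for url in ("http://online.cdc.gov.yttt4l.co.im/h1n1.....",
                "http://online.cdc.gov/index.html"):
        print(url, "->", analyze_link(url))
    print("sender domain:", sender_domain("mailto:cdc-message-id:46024med@cdcmails.gov"))
```

The point of `registrable_domain` is that browsers and mail filters read host names from the right, while the eye reads them from the left; the decoy only works because the familiar name is placed where the eye looks first.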

Saturday, October 24, 2009

Rsync with Delta Copy

In my earlier articles I talked about the need to have backups of your valuable information. One very popular method is to synchronize your data to a computer at a remote location. You can subscribe to a remote data replication/backup service like Carbonite.com, or, like many who already have access to a second computer in your home or business, you can do the same yourself for free. I will show you how to set up such a service, "Rsync", using the open source (free) Delta Copy software.

Tuesday, September 29, 2009

Lean and Mean, Microsoft Security Essentials Just released

Lean and mean: Microsoft has just released to the public a great free and effective antivirus / anti-malware solution for your Windows XP, Vista and Windows 7 computer. Download it from the Microsoft Security Essentials website. If you have doubts, please check out this first-look article from Ars Technica.

Tuesday, June 23, 2009

It's finally here - Free ANTIVIRUS protection from Microsoft

From Microsoft and it is FREE!!! This is what many have been waiting for and those that have installed it are impressed.

Here is a review from the computer trade publication Computerworld. It is lightweight, uses less horsepower to run, and promises to be excellent. Now there is no excuse for not having AV loaded on your system. Did I mention FREE???

Here is the catch: the free beta is limited to a set number. Get it here

Friday, April 3, 2009

Conficker test

Using basic knowledge of the blacklisting that Conficker employs to avoid infecting IPs that belong to popular anti-virus and security firms (including Microsoft), the Conficker Working Group whipped up this very simple test to see whether you can load content from those firms' pages. If you can see all of the images, you are more than likely Conficker-free.
CONFICKER -- Check to see if you are infected

Thanks to
Joe Stewart from the Conficker Working Group
http://www.confickerworkinggroup.org/

Friday, March 20, 2009

Anatomy of a hoax virus warning email


Key words to look for in emails that tell you to panic

I checked with Norton Anti-Virus, and they are gearing up for this virus!
Hoax-like wording because: Norton, Microsoft, CNN, etc. do not "gear up" for viruses, and assuredly, if you call Norton, Microsoft, etc., you will not get anyone to make a public statement such as this.


I checked Snopes (URL above:), and it is for real!!
Hoax-like wording because: the letter writer knows that most people will never check with Snopes, because if they did, they would find it listed as a hoax, or not listed at all.


Get this E-mail message sent around to your contacts ASAP.
Hoax-like wording because: yes, that is the purpose of the email, to see it cause panic.

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!
Hoax-like wording because: please send it to everyone.


You should be alert during the next few days. Do not open any message with an attachment entitled 'POSTCARD FROM HALLMARK,' regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which 'burns' the whole hard disc C of your computer.
Hoax-like wording because: viruses today do not destroy equipment; viruses are used today to steal your identity and control your computer. The last thing their authors want is to destroy your hardware, since that would prevent them from using you for their deeds.

This virus will be received from someone who has your e-mail address in his/her contact list. This is the reason why you need to send this e-mail to all your contacts It is better to receive this message 25 times than to receive the virus and open it.
Hoax-like wording because: yes, please don't just annoy them once; send them the same hoax every day if you can.

If you receive a mail called 'POSTCARD,' even though sent to you by a friend, do not open it! Shut down your computer immediately.
Hoax-like wording because: even better, shut down your PC whenever you receive mail, any email (except from me, of course).

This is the worst virus announced by CNN. It has been classified by Microsoft as the most destructive virus ever. This virus was discovered recently by McAfee, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
Hoax-like wording because: according to Jon Stewart of Comedy Central's Daily Show, cable news like CNN and CNBC cannot even keep track of financial news properly; now you think they would be in the virus news space? In fact, MSFT, CNN and McAfee would never make a press release such as this, and if they did, you would not need the email.

COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.
Hoax-like wording because: how many times does this email remind us to send it to everyone? hmmm.....
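The "key words to look for" above, turned into a small Python checker as an added example (not part of the original post). Each rule pairs a phrase pattern with the reason given in the post for treating it as hoax wording, and the score is simply the number of distinct rules that fire. The sample text is assembled from the hoax lines quoted in the post; the benign message and the threshold of three rules are constructed assumptions for this example.

```python
import re

# Each rule: a pattern and the reason the post gives for calling that wording hoax-like.
HOAX_RULES = [
    (r"\b(forward|send|sent)\b.{0,40}\b(everyone|all your contacts|friends|family|contacts)\b",
     "tells you to forward it to everyone"),
    (r"\bASAP\b|\bimmediately\b",
     "demands immediate action"),
    (r"\b(most destructive|worst) virus\b",
     "superlative no vendor or news outlet would publish"),
    (r"\b(classified|announced|discovered) by (microsoft|cnn|mcafee|norton)\b",
     "attributes a press statement to a vendor or news outlet"),
    (r"\b(burns|destroys)\b.{0,40}\b(hard dis[ck]|zero sector|hardware)\b",
     "claims the virus physically destroys the disk"),
    (r"\bsnopes\b",
     "name-drops Snopes so you will not actually check it"),
    (r"\bno (repair|fix|cure)\b",
     "claims there is no remedy"),
]


def score_hoax(text: str) -> tuple:
    """Return (number of rules matched, list of reasons) for an e-mail body."""
    reasons = [reason for pattern, reason in HOAX_RULES
               if re.search(pattern, text, re.IGNORECASE | re.DOTALL)]
    return len(reasons), reasons


def is_hoax(text: str, threshold: int = 3) -> bool:
    """Constructed decision rule: three or more hoax markers is enough to stop forwarding."""
    return score_hoax(text)[0] >= threshold


# Sample assembled from the hoax lines quoted in the post.
HOAX_SAMPLE = """\
I checked with Norton Anti-Virus, and they are gearing up for this virus!
I checked Snopes (URL above:), and it is for real!!
Get this E-mail message sent around to your contacts ASAP.
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!
Do not open any message with an attachment entitled 'POSTCARD FROM HALLMARK,'
regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE,
which 'burns' the whole hard disc C of your computer.
Shut down your computer immediately.
This is the worst virus announced by CNN. It has been classified by Microsoft
as the most destructive virus ever. There is no repair yet for this kind of virus.
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = "Hi team, the Q3 report is attached. Reply if you have questions."

if __name__ == "__main__":
    for label, text in (("hoax", HOAX_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, reasons = score_hoax(text)
        print(f"{label}: score {score}, hoax={is_hoax(text)}")
        for r in reasons:
            print("  -", r)
```

A real virus bulletin from a vendor names the malware, links to an advisory and a signature update, and never asks you to forward anything; this checker only encodes that contrast in the form the post describes.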