A malware with my name

There’s a malware circulating that contains my name in its version information. I’m, of course, not the author (putting one’s own name in the version info would be brilliant). I’m clarifying, as three people already contacted me about it since yesterday.

It was probably done on purpose and it’s not the result of a random generation of different version info, as I suspect. What the author/s of this malware ignore, is that they made me stumble on an additional technique against malware, that’ll probably damage their business and force them to work more.

Given my very limited amount of spare time, it’s too soon to discuss this.

15 thoughts on “A malware with my name”

  1. Hello!

    I was just about to email you notifying you of this exact issue I ran into last night.

    I had done some research on you before I opened the program thinking it was safe as you have some good credentials from what I could find. I was sure you would not be stupid enough to create a program that was malware and attach your name to it.

    I guess that makes me the stupid one for not thinking that it could have been forged.

    Anyways, I am running MS Essentials Virus Scans and MBAM from malwarebytes and so far nothing has been found. Will have to take some further steps to ensure I have not been infected.

    If you want the file I download, then you can contact me via the supplied email for this post.

    Thanks and hope this scoundrel does not drag your name through the mud.

  2. Hello Brad,
    I’m sorry about what happened to you. But I can’t guarantee for files downloaded in places other than my personal webpage.
    I have the malware itself (which has been sent to me by the first person who contacted me), maybe you also have the dropper and could send me that.
    If you look in the Run key in the registry you should be able to find a 3 letter executable, which most surely is the malware. Delete the key, terminate the process, delete the file and that should be it, actually.

  3. Well how do I get rid of it? I can’t find it anywhere and neither can my anti-malware software. Where is its location/how exactly do i locate and delete it? I got into the registry, what would it specifically be called?

    Thanks,
    Tayler

  4. Well, look in the registry in the run and the location can be easily spot the task manager (or task explorer). Just look for a 3-letter named process like “klb.exe”. It uses random letters. Kill it, remove the file, remove the entry in the registry (Run) and that should be it.
    I haven’t executed it, but it’s not very difficult.

  5. Hey Daniel,

    It might already be a bit late to tell you;but anyway, you can safely run the malware version of your software in a program called “Sandboxie”. I think it’s just a fun thing to be able to do; running malware without infecting your computer. It’s just a thought, but if you haven’t seen your program’s doppelganger as-of-yet, I strongly believe it will help you.

  6. Hello POPTARTCAT,
    thanks, I know sandboxie. 🙂
    On x64 the safety sandboxie provides is limited (so be careful), but anyway I would never run any kind of malware on my system, even if sandboxed. Better to use a virtual machine.

  7. hi guys,, couldnt help but notice we all saw the same name attached to this cank malware,, however this was quite a good 1 and took me about 4 hours to remove it froma customers pc, regardless of google info,, however, my trustee mbam got the better of it thru safe mode, but just wanted to clarify, that its blatantly obvious that daniel pistelli wouldnt put his name to sucj a stupid malware,, ( if u created a virus eg, conficker, would u REALLY put ur name to it??? ) I DONT THINK SO,, !!,, however,, top marks for whoever DID create this,, as,, to be honest,, im a pc engineer, and it STILL took me 4 hours to rid its infection,, so well done,, thats 4 hours of my life i aint getting back, and round a complete strangers house no less,, ,, unlucky daniel that ppl are slating u for this malware,, id look into that if i was u,, see if there was a way u can stop that,,

    1. There’s no way to stop something like this I’m afraid 🙂
      However, it really didn’t create much of a problem, few people complained to me.
      I don’t think that many really think as you said that a real malware writer would sign with his own name its creature.

  8. Don’t come here with your MS false positives, this guy is cool.

    If you’re using MS essentials, then you’re using malware.

    NO ONE NEEDS an Anti-virus/anti-malware, at least anyone who is a REAL IT specialist.

    For scriptkiddies: IF you are coding in .net find a GOOD commercial/self-made obfuscator, there gui hack solved.

    Set the registry permission on the ‘run’/runonce key to read only( for everyone)

    If you do this in the services key it will require a restart (drivers/services). <–this isn't advisible since some programs require you install drivers, but it's good protection for existing services, and to prevent malware.

    On the Windows NT key (winlogon/userinit), only allow the system access to read and write, and set your username and other accounts to read only.

Leave a Reply

Your email address will not be published. Required fields are marked *