September 07, 2003
Bitten by the Tailfly
or “How I Spent My Weekend Off”
Well, they finally got me. Sort of. I was on my way out the door yesterday and happened to notice a peculiar yellow window open on my monitor. It wasn’t really the color of the window itself that concerned me, but the gashes of red sitting halfway down. Apparently, Norton had picked up a couple baddies and was unable to repair them. These guys apparently go by VerifierBug.class-3cf04223-5c5c2887 and VerifierBug.class-b3547f5-6c48aa62 and were purportedly some type of Trojan.
I looked them up and found several relevant forum threads, but no one seemed to have had any real trouble. A few people found them in virus scans, but no damage done. I quarantined and deleted the files, ran Norton again, and then ran a few out-of-box virus scans courtesy of TrendMicro HouseCall and PandaScan. Then I updated my copies of AVERT Stinger and AdAware (both freeware) and ran those. Everything came up clean except for a couple data miners in AdAware.
All better, right?
I decided to run a scan on my dad’s system, since it’s on the network and running the same OS. Part way through the scan, the system went down and never came back up. It wouldn’t boot at all. Couldn’t start from last good configuration, couldn’t do anything helpful in Safe Mode. Ran FIXBOOT and FIXMBR in the Windows Recovery Console and that didn’t help either. After a while fishing around, it seemed that at least one file from CONFIG/SYSTEM/ was missing or corrupt. Sounds virusy to me.
We ended up reloading the OS, having it get damaged, and then reloading it again. Both systems now run and test clean and the non-XP systems on the network are unaffected.
What I discovered
In a word: nothing. Every indication is that one of the two systems picked up a Trojan class virus and that both systems were infected. Because the VerifierBug files I identified and killed were never found on the damaged system, and since those files are apparently not known to damage SYSTEM files, we really can’t be sure they caused any of this.
Here’s what I do know: Viruses that fall into the VerifierBug class are related to the Java Virtual Machine. This means that they probably get into your system through a piece of software running a Java Applet that appeared to be safe. The nature of a Trojan is that the file itself is almost impossible to detect as a malicious item, until it either attacks another file or directory, or begins to write a new file or replicate itself. It seems most likely that a file like this was picked up through a P2P network. I’m sad to say that I did run Kazaa a couple weeks ago and I did find a couple suspicious files in my download folder. My only guess is that they caused the problem.
Anybody have any input? Please chime in.
UPDATE: (9-8-03) - My dad’s computer tanked again last night. It now hangs at the Windows loading screen, assumably searching for a missing or corrupt sys file. Ugh.