
I just watched this malware do a man-in-the-middle attack on one of my clients paying for a service using their credit card, and I cannot find any source to confirm it is in fact Sunspot so I can verify the post-removal process. No antiviruses detect it! http://www.net-security.org/malware_news.php?id=1719 Any ideas?

1 Answer


I would look at the two registry keys mentioned in the article you posted; this is where it launches from.

Once installed, Sunspot is started either by "rundll32.exe" via

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

or via

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox).

Or, better yet, use a browser it does not "hook", like the Chrome browser.

Moab
  • Yeah, I checked: HKCU\Run was clear, and HKLM\Installed Components had too many CLSIDs and folders to distinguish. What do you mean by hook? – Cameron McGrane Jul 12 '11 at 20:21
  • "It uses CBT hooking to load its DLL into the browser (Internet Explorer/Firefox)." It's a term used to describe injecting a process or DLL into another program or process; some are legitimate, some are malware. – Moab Jul 12 '11 at 22:35
  • You would have to look through all the Installed Components keys for something that does not look legitimate in the right pane; use Google when needed. I have only 24 installed components in my registry key. You will be looking for a DLL, or a path to a DLL, that is not a legitimate Windows DLL. Did you try the System Sweeper I recommended? – Moab Jul 12 '11 at 22:40
  • I used System Sweeper which successfully removed the malware. – Cameron McGrane Aug 15 '11 at 07:36
  • I like that scanner boot CD; it's a good one. Glad you got it removed.... http://superuser.com/questions/100360/what-to-do-if-my-computer-is-infected-by-a-virus-or-a-malware/157533#157533 – Moab Aug 15 '11 at 15:29
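The manual review described in the answer and in Moab's comment (walk the HKCU Run key and every Active Setup Installed Components CLSID, and look for a DLL or path that is not a legitimate Windows file) can be scripted. The following PowerShell is an added example, not code from the original thread; it assumes a Windows host with PowerShell 5 or later and an elevated prompt so HKLM is fully readable, and the `unusual-dir` and signature flags are heuristics that mark entries for a closer look, not verdicts.

```powershell
# Enumerate the two autostart locations named in the answer and flag entries whose
# referenced file is missing, not validly signed, or outside Windows/Program Files.
function Get-ReferencedPath {
    param([string]$Command)
    # Pull the first path-like token out of a command line such as
    #   rundll32.exe "C:\path\some.dll",Entry   or   C:\Windows\system32\foo.exe /arg
    if ($Command -match '"([^"]+\.(dll|exe))"') { return $Matches[1] }
    if ($Command -match '([A-Za-z]:\\[^\s,"]+\.(dll|exe))') { return $Matches[1] }
    return $null
}

function Test-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$Command)
    $path  = Get-ReferencedPath $Command
    $flags = @()
    if (-not $path) { $flags += 'no-file-path' }
    elseif (-not (Test-Path $path)) { $flags += 'file-missing' }
    else {
        # Catalog-signed Windows binaries report Valid on Win8+; unsigned third-party
        # software will also show up here, so treat the flag as "inspect", not "malware".
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
        if ($path -notmatch '^[A-Za-z]:\\(Windows|Program Files)') { $flags += 'unusual-dir' }
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command
                       File = $path; Flags = ($flags -join ',') }
}

$results = @()

# 1. HKCU\...\Run: each value name is an entry and its data is the command line.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $results += Test-AutostartEntry 'HKCU Run' $_.Name $_.Value
    }
}

# 2. HKLM\...\Active Setup\Installed Components: one subkey per CLSID; the StubPath
#    value is what gets executed once for each user profile at logon.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asKey -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
    if ($stub) { $results += Test-AutostartEntry 'ActiveSetup' $_.PSChildName $stub }
}

# Flagged entries first; an empty Flags column means nothing obvious stood out.
$results | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

Comparing the flagged list against a known-clean machine of the same Windows build, as Moab suggests with his 24 entries, is the quickest way to spot an extra CLSID.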