4

My system is Windows XP SP3, updated with the latest patches.

The PC is connected to a Cisco 877 ADSL router, which does NAT from the internal network to its single static public IP address. There are no forwarded ports, and the router's management console can only be accessed from the inside.

I was doing two things: working on a remote office machine via VPN and browsing some web pages on the Cisco web site.

The remote network is absolutely safe (it's a lab network, four virtual servers, no publicly accessible services and no users at all; also, none of what I'm going to describe ever happened there).

The Cisco web site... well, I suppose is quite safe, too.

Suddenly, something happened.

Strange popups appeared everywhere; programs claiming to be "antimalware", "antispyware" and so on began auto-installing; fake Windows Update and Security Center icons popped up in the system tray. svchost.exe began crashing repeatedly. Then, finally, after some minutes of this... BSOD.

And, upon rebooting, BSOD again. Even in safe mode.

Ok, that was obviously some virus/trojan/whatever. I had to install a new copy of Windows on another partition to clean things up. I found strange executables, services and DLLs almost everywhere. Amongst other things, user32.dll and ndis.sys had been replaced. A fake piece of software called "Antimalware Doctor" had been installed. There were services with completely random names or even GUIDs (!), and also ones called "IpSect" and "Darkness". There were executable files without an .exe extension. There were even two boot-class drivers, which I'm quite sure are the ones that finally caused the system to crash.

A true massacre.

Ok, now the questions:

  • What the hell was that?!? It was something more than a simple virus!
  • How did it manage to attack my computer, as I am behind a firewall and was not doing anything even only potentially harmful on the web at the time?
5
  • 4
    A firewall doesn't guarantee anything.
    – Sathyajith Bhat
    Commented Apr 28, 2010 at 20:26
  • 1
    Well, it guarantees nobody will connect to vulnerable services on your computer, so you have to actively (or unknowingly) download and run something from the Internet.
    – Massimo
    Commented Apr 28, 2010 at 20:38
  • Massimo is spot on - you have probably clicked on a disguised link, and once you've done that you've given permission.
    – raw_noob
    Commented Apr 29, 2010 at 8:35
  • 3
    That or you got hit by a drive-by. Even on legitimate sites - when they sell ads - the ad seller can put up a Java or ActiveX exploit. When you go to the site, the ads come down and start running - bang, you're infected.
    Commented Apr 29, 2010 at 20:38
  • 1
    Blackbeagle, I think a drive-by is even more likely the cause - but see also Massimo's comment on his outdated Java Runtime Environment below.
    – raw_noob
    Commented Apr 29, 2010 at 21:14

2 Answers

2

This sounds very like a problem I had recently with XP Antispyware, a Java-based exploit that turns off your firewall and antivirus, claims to have detected hundreds of virus infections, adds fake security centre icons to the taskbar, and prevents the launch of .exe programs so that you can't run antimalware software.

There is a fix, but you have to know what you're doing - not obvious - and run a little script on the registry to kill the .exe blocker, or it just keeps coming back. Then you have to get rid of the bad Java plugin in your browser.

Read all about it at: http://lifehacker.com/5499124/how-to-remove-xp-antispyware . This was a lifesaver for me. I am very careful about viruses etc. and have been lucky so far, but this one was on the machine before I realised what had happened. I still don't know where I picked it up.

5
  • It was not that one, but very similar.
    – Massimo
    Commented Apr 29, 2010 at 20:28
  • 1
    I had recently installed quite an outdated JRE (1.5.something) in order to make Cisco SDM work (it doesn't with 1.6 ones)... could have been its fault?
    – Massimo
    Commented Apr 29, 2010 at 20:34
  • The JRE is indeed the gateway - I can't remember the details but it was definitely earlier versions of the JRE that were being exploited. It looks as though a whole family of viruses has been designed to exploit this weakness. I believe they started showing up at the end of March. AVG doesn't detect the one I picked up. If you don't need the JRE it is safer to disable it or remove it - that's what I did. This person: smarterware.org/5530/how-to-uninstall-xp-antispyware actually disabled Java updates in msconfig to prevent the problem reoccurring.
    – raw_noob
    Commented Apr 29, 2010 at 21:11
    I'd never have used such outdated software... if only those morons at Cisco had made their Java-based router web management (SDM) compatible with more recent ones :-(
    – Massimo
    Commented Apr 29, 2010 at 22:17
  • 1
    Massimo - take a look at: vupen.com/english/advisories/2010/0747 for detail on the exploit. Affected versions are: Sun Java JDK version 6 Update 18 and prior / Sun Java JDK version 5.0 Update 23 and prior / Sun Java JRE version 6 Update 18 and prior / Sun Java JRE version 5.0 Update 23 and prior / Sun Java JRE version 1.4.2_25 and prior / Sun Java SDK version 1.4.2_25 and prior / Also: "Upgrade to Sun Java JDK and JRE 6 Update 19, JDK and JRE 5.0 Update 24, and JRE and SDK version 1.4.2_26"
    – raw_noob
    Commented Apr 30, 2010 at 12:09
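An added example (not from the thread or either poster) that turns the affected-version thresholds from the VUPEN advisory raw_noob quotes into a Python checker a defender can run against the JRE/JDK version strings found on a machine; the sample versions are constructed, with "1.5.0_12" standing in for Massimo's "1.5.something":

```python
import re

# Thresholds from VUPEN advisory 2010/0747 as quoted in the thread:
# last affected update per family, and the update that fixes it.
LAST_AFFECTED_UPDATE = {"6": 18, "5.0": 23, "1.4.2": 25}
FIXED_UPDATE = {"6": 19, "5.0": 24, "1.4.2": 26}

_LEGACY = re.compile(r"^1\.(\d)(?:\.(\d+))?(?:_(\d+))?$")  # 1.6.0_18, 1.5.0_23, 1.4.2_25
_SHORT = re.compile(r"^(\d+)u(\d+)$")                       # 6u18, 5u23


def parse_java_version(s):
    """Return (family, update) using the advisory's family names
    ('6', '5.0', '1.4.2'), or None if the string is not a covered family."""
    s = s.strip()
    m = _SHORT.match(s)
    if m:
        family = {6: "6", 5: "5.0"}.get(int(m.group(1)))
        return (family, int(m.group(2))) if family else None
    m = _LEGACY.match(s)
    if not m:
        return None
    minor, micro, upd = int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0)
    if minor == 6:
        return ("6", upd)
    if minor == 5:
        return ("5.0", upd)
    if minor == 4 and micro == 2:
        return ("1.4.2", upd)
    return None  # 1.3, 1.7 etc. are outside the advisory's scope


def is_affected(version):
    """True if in the affected range, False if at/after the fix, None if not covered."""
    parsed = parse_java_version(version)
    if parsed is None:
        return None
    family, upd = parsed
    return upd <= LAST_AFFECTED_UPDATE[family]


def remediation(version):
    """Human-readable verdict for one installed version string."""
    parsed = parse_java_version(version)
    if parsed is None:
        return f"{version}: not covered by this advisory; verify manually"
    family, upd = parsed
    if upd <= LAST_AFFECTED_UPDATE[family]:
        return f"{version}: affected, upgrade to {family} update {FIXED_UPDATE[family]} or remove Java"
    return f"{version}: not affected by this advisory"


if __name__ == "__main__":
    # Constructed sample inputs, as would be read from installed JRE/JDK registry keys.
    for v in ("1.5.0_12", "1.6.0_18", "6u19", "1.4.2_26", "1.7.0"):
        print(remediation(v))
```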
0

Looks like it was "Neprodoor": http://www.prevx.com/blog/115/Neprodoor-flies-beyond-the-radar.html

I managed to clean almost everything by working from a fresh Windows installation on another disk... but that beast installed literally tens of pieces of malware on the system, and I still had a broken Windows Update (like a hosts redirect, but the hosts file was empty) and some ad sites popping up now and then.

I ended up formatting and reinstalling... couldn't trust the system anymore. Oh, well, it was time to move to Windows 7 :-)

But I still don't know how it got in... ?!?

1
  • 1
    See Blackbeagle's comment above. Some of the bad links look like legitimate advertising and have been sold as such to reputable websites.
    – raw_noob
    Commented Apr 29, 2010 at 21:17
