I installed a virus today and you can too

So today I wanted to install Open Office suite in my Windows 7 OS which is running in Virtualbox as a guest in openSUSE host. Sorry, I hope I have all the capital letters, logos, hyphens and things in order.

I search the web via google box in firefox via Windows 7 in guest and come up with Open office download. I download which only takes a couple 10 seconds and then I start the install. I am sure it popped up a box to check whether I want to install, It is Open Office. Who would not click next…

After a few seconds there was some really crazy java like widgets/window decorations and a reset of the windows desktop and I realized that this was NOT a normal open office install.
I started killing everything I could and un-installing and ran the anti-virus scan etc…
This is the first day so I will have to see what happens, my guess is I will have to kill the whole drive and start over. That is what I had to do to my sister's Windows computer, new hard drive was the only way.

Bottom line, I actually downloaded a malicious program and installed it sans the security. There are some good fakes out there apparently.

On 2013-05-02 03:56, anika200 wrote:
>
> So today I wanted to install Open Office suite in my Windows 7 OS which
> is running in Virtualbox as a guest in openSUSE host. Sorry, I hope I
> have all the capital letters, logos, hyphens and things in order.

Why do you want to run openoffice in a Windows guest, when it will run
faster and better in the Linux host outside?

> I search the web via google box in firefox via Windows 7 in guest and
> come up with Open office download.

And what link was that?

When I want to install some Windows software, I typically search on the
Wikipedia article, and there I locate the official or master link to
that software, not just any google search.

Anyway, the place would be “www.openoffice.org”. The current US English
file is named
Apache_OpenOffice_incubating_3.4.1_Win_x86_install_en-US.exe, and has
130 MB.

> This is the first day so I will have to see what happens, my guess is I
> will have to kill the whole drive and start over. That is what I had to
> do to my sisters windows computer, new hard drive was the only way.

Well, you installed in a guest system. Your real hard disk is intact,
you only need to reinstall the guest. Or better, if you took a snapshot
in virtualbox, just restore it and you are back at the start point.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Didn’t the 10 sec download trigger some bells ?
Also be careful about https://forums.opensuse.org/english/other-forums/community-fun/general-chit-chat/486517-spyware-poses-firefox.html

On 05/02/2013 03:56 AM, anika200 wrote:
> I search the web via google

blindly following anything google can find is not a good strategy to
follow if security is important.

at least when googling for stuff, look to see WHERE you are before
downloading.


dd

Fake sites:-


http://download.openoffice.fm/free/
http://www.openofficefreedownload.org/

Original

http://www.openoffice.org/download/ 
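
An added example, not written by anyone in this thread: a small Python check that a download page's host really is openoffice.org (or a subdomain of it) and that the file size is near the 130 MB quoted above. The URLs are the ones listed in this thread; the sizes, the 25% tolerance and the two lookalike URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "openoffice.org"   # official site named in the thread
EXPECTED_SIZE_MB = 130               # installer size quoted in the thread
SIZE_TOLERANCE = 0.25                # assumption: allow +/-25% between builds


def host_is_official(url, official=OFFICIAL_DOMAIN):
    """True only for the official domain itself or a real subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == official or host.endswith("." + official)


def size_is_plausible(size_bytes, expected_mb=EXPECTED_SIZE_MB):
    """A full office suite is ~130 MB; a tiny stub installer is a red flag."""
    expected = expected_mb * 1024 * 1024
    return abs(size_bytes - expected) <= expected * SIZE_TOLERANCE


def review_download(url, size_bytes):
    """Return a list of reasons to distrust the download (empty means none found)."""
    reasons = []
    if not host_is_official(url):
        reasons.append("host is not openoffice.org or a subdomain of it")
    if not size_is_plausible(size_bytes):
        reasons.append("file size is far from the expected 130 MB")
    return reasons


if __name__ == "__main__":
    # URLs are the ones listed in the thread; the sizes are constructed.
    samples = [
        ("http://www.openoffice.org/download/", 130 * 1024 * 1024),
        ("http://download.openoffice.fm/free/", 600 * 1024),
        ("http://www.openofficefreedownload.org/", 600 * 1024),
        # Constructed lookalikes: official name used as a prefix or as userinfo.
        ("http://openoffice.org.example.net/get", 130 * 1024 * 1024),
        ("http://www.openoffice.org@example.net/get", 130 * 1024 * 1024),
    ]
    for url, size in samples:
        problems = review_download(url, size)
        print(url, "->", "OK" if not problems else "; ".join(problems))
```

The host comparison is done on the parsed hostname, not on the raw string, so a name that merely contains "openoffice" does not pass.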

Yes it did, right after I saw the weird java like install splash screen I immediately thought about the short download. I then started to shut things down but by then things were already whipping onto the hard drive.

It's a long story involving estimate/quote software that I was originally using under Linux and finally got fed up and was trying to take everything into Windows via an Excel import form on a Windows software, you do not want to really know about the whole deal.

> Well, you installed in a guest system. Your real hard disk is intact,
> you only need to reinstall the guest. Or better, if you took a snapshot
> in virtualbox, just restore it and you are back at the start point.

Yes, I am wondering now what I should do?
I mean everything seems normal in the OS but I am guessing the virus is already in there doing whatever malware does.
Would it be safe to extract any data from the virtualbox machine?

Yes, obviously this is what should be done. :frowning: Yesterday I was doing what felt like a million things at once and just dropped the ball, I think it happens to everybody.

On Thu, 02 May 2013 01:56:02 +0000, anika200 wrote:

> I search the web via google box in firefox via Windows 7 in guest and
> come up with Open office download. I download which only takes a couple
> 10 seconds and then I start the install. I am sure it popped up a box to
> check whether I want to install, It is Open Office. Who would not click
> next…

Certainly I wouldn’t, because I’d download OpenOffice from the proper
place (openoffice.org) rather than using Google to find it.

But you see, this is the problem with just running everything as your
administrative user.

You might be able to extract the data from the VM safely. But what did
you do to determine that you actually had a virus? Did you have Antivirus
running in the VM?

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

> I think it happens to everybody.

even me: once i thought i had made a mistake, but i was wrong! :wink:


dd

rotfl!rotfl!rotfl!rotfl!

Well if you were using VMware Workstation you could roll back to a previous
clean snapshot. : ) Barring that you could possibly recover from a windows
restore point.

On 2013-05-02 22:49, GofBorg wrote:
> Well if you were using VMware Workstation you could roll back to a previous
> clean snapshot. : )

He was using virtualbox which also has that feature.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

On 2013-05-02 16:16, anika200 wrote:
> Yes, I am wondering now what I should do?
> I mean everything seems normal in the OS but I am guessing the virus is
> already in there doing whatever malware does.
> Would it be safe to extract any data from the virtualbox machine?

Data, yes, probably.

However, some data files, like office files, may contain macros which
run when you open the file. LO also has macros, but by default they do
not run.

Or, you may run an antivirus. Some can run from outside Windows,
bootable CDs.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

>> Well if you were using VMware Workstation you could roll back to a
>> previous clean snapshot. : )
>
> He was using virtualbox which also has that feature.

I see. Cool.

On 2013-05-03 19:42, GofBorg wrote:
>>> Well if you were using VMware Workstation you could roll back to a
>>> previous clean snapshot. : )
>>
>> He was using virtualbox which also has that feature.
>
> I see. Cool.

Indeed.

Previously I used vmware server, which also had it. They stopped
maintaining it, so I had to use player instead, which doesn’t have it,
and it is a sore miss.


Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

Anika,

Do you keep a copy of your VM’s in a separate backup HDD? You could just delete your now bad VM & replace with the backup. I can say this because I did the same thing only with VLC on a Win7 guest. It was totally ruined of course but the backup I had on that HDD saved mucho headaches.
As to how this happened yes we all do this. What comes to my mind is a sig of one of our members Knurpht
Anything that can go wrong…will teach us.

Yes :):), I have a snapshot from 2/26/13. I will try to roll back. Stinks because I have done a bunch of updates etc… recently in preparing to move my business stuff back over to Windows.

Ha, glad to see I am not the only one. I plan on implementing weekly Virtualbox snapshots and a backup to external drive weekly.

Why don’t you just boot into safe mode on windows then run a scanner like Malwarebytes Anti-Malware - http://www.malwarebytes.org
It’s excellent at detecting malware.

I would do this before thinking of restoring backups or snapshots, in case you lost a file(s) or program(s) from rolling back to a snapshot.