Thursday, June 09, 2005

Win32.Glieder.AG aka Trojan.Tooso.B is One Mean Virus to Watch

Tooso.B is a trojan that is well worth being worried about. We discussed it on last week's show, which is archived here. The virus -- technically it is a trojan -- is injected into machines in multiple file downloads. It changes the payload file names, moves them around, and disables many antivirus and spyware removal programs.

NOD32, an AV product we endorse and resell to help cover the costs of On Computers Live!, is able to detect the Glieder/Tooso.B trojan. Symantec's enterprise anti-virus client detected the trojan after it was self-installed on one of my machines, but Symantec's trojan tool does not successfully do the job of removal. Computer Associates and McAfee are not in this hunt yet.

Here's the problem: once infected, we know of no tool that will remove this trojan short of wiping the hard drive and reinstalling Windows, a fate equivalent to a technology death sentence for most readers. As there appear to be many variants of this trojan, manual removal instructions will be worthless if the payload files on your machine turn out to have different names.

Co-host Jack Imsdahl writes: "According to F-Prot, whom I have contacted, the code for the trojan is likely to have been injected in two parts, thus foiling scanners, or at the least making their job harder. And, it apparently uses its 'call home' feature to rename files randomly. This is educated conjecture and F-Prot is not confident enough to publish this, yet. Removal is one thing, prevention another. I believe that some of the 'unknown code, possibly malicious' warnings NOD has recently given me are from just such a trojan. I think it can be prevented with much more surety than it can be removed."

Since Glieder/Tooso.B can "call home", download files, and execute them in an environment with AV security turned off, readers should put their effort into preventing infection in the first place. We are aware of problems out there, but the press has not yet picked up on the threat.

Recommendations
  • Turn off the System Restore feature in Windows.
  • Scan your hard drive frequently with the latest virus definitions.
  • Use a top-notch firewall. I dropped Microsoft's SP2 firewall for a free copy of ZoneAlarm to monitor network traffic, looking for the port to block to prevent the trojan from phoning home.
  • Visit your anti-virus supplier's web site frequently, looking for updates to Glieder/Tooso.B removal tools.

Be careful out there!

-- Peter S. Kastner and Jack Imsdahl
