My Trojan War Becomes a Quagmire

Paul Thurrott continues his saga about the Trojan that is lurking on his laptop.

Paul Thurrott

June 8, 2004


For the past 2 weeks, I've been discussing my first major electronic Trojan horse attack, which appears to have lodged some sort of self-replicating code in a Windows XP Service Pack 2 (SP2)-based laptop. After describing the attack in detail last week (http://www.winnetmag.com/article/articleid/42845/42845.html), I received an astonishing 200+ email messages from readers, all chock-full of advice about how I might combat the Trojan. Words can't begin to express my thanks for the level and quality of these responses. I've said it before, and it's still as true as ever: Windows & .NET Magazine UPDATE readers are an incredible lot, and thanks so much for all the help.

So I spent the better part of last week going through the tips and advice one email message at a time, trying to figure out how to wipe out the Trojan without wiping out the system, a tactic I refer to sarcastically as "nuking it from space," an allusion to the 1986 sci-fi movie classic "Aliens." And frankly, I'd have wiped the partition out a week ago and started over, but I feel a certain obligation to see whether I can't fix the machine--for two reasons: Solving the problem might help others (and it's clear from all the email I've received that this sort of attack is a big concern); and Microsoft has gotten involved because it's readying the security-centric XP SP2 release, which doesn't offer a complete solution for this new type of threat (though, frankly, Windows Firewall could have prevented it from happening in the first place). I'm willing to help the company with a solution, I suppose, but it's difficult to remotely fix this sort of problem, and I'm not excited to pack up the machine and ship it to Redmond if it comes to that.

But sadly, I can't claim to have made much progress in the past week, although I've certainly tried just about everything. It's hard to explain how frustrating this problem has been, though I get the feeling many of you have experienced this same frustration, based on your email messages. What's interesting is that, though many people appear to have had similar attacks, none involved the same files, registry settings, or other attributes, suggesting that this attack is a bit more sophisticated than your standard Trojan attack.

There have been a few glimmers of hope. Eugene Curran recommended an excellent product--Tiny Software's Tiny Personal Firewall (TPF--http://www.tinysoftware.com)--that mitigates the problems the malicious software (malware) causes but doesn't remove the offending code: While TPF is running, the registry doesn't automatically spawn references to TV Media (tvm.exe) after I manually delete the references, and Microsoft Internet Explorer's (IE's) home page isn't hijacked by http://www.allaboutsearching.com, which are the two remaining symptoms at this time. But when I turn off or disable TPF, these symptoms return. TPF has given me a somewhat acceptable way to use the machine while I wait for a fix, but the offending launch code is still hiding somewhere on my machine, and it's wearing on me. (Tvm.exe doesn't exist, however, so the hidden launch code can't actually do anything.)

Here's why I think TPF works: The latest version of the firewall, TPF 5.5 build 1332, includes a unique new feature that, according to the company, "adds robust protection against all unknown spyware which based their existence on injecting malicious code into applications you normally trust." Also, TPF is a two-way firewall, compared with XP SP2's inbound-only Windows Firewall, so it prevents installed Trojans from doing any damage after the fact. This is a feature SP2's Windows Firewall sorely lacks.

Through various means, I've managed to eliminate parts of the attack's effects. The references to POLL EACH in the registry are gone and haven't returned. The inscrutable blehdefyreal toolbar in IE is also gone, although I wish that Microsoft had provided an automated way to remove such add-ons in XP SP2's new Manage Add-on tool for IE 6.0, which can only enable or disable (but not remove) IE add-ons. But the TV Media references (but not the tvm.exe application) and IE home-page hijacking, as previously mentioned, remain.

I don't understand why it's impossible to find the hidden process that's making changes to this system. With all the registry and process watchers I've tried and all the antispyware utilities I've run, it should be a fairly straightforward process to find the thing and rip it out. But I've had no luck at all.

Therefore, I'll need to postpone the conclusion to this sad little epic to yet another week: Some experts at Microsoft are investigating the problem, and I hope to have a more definitive conclusion and perhaps a step-by-step guide to fixing this sort of problem sometime soon. Again, thanks to everyone who wrote me: Your help is very much appreciated. I wish I had better news.

Users and Administrators
On a related note, several readers mentioned that they hoped I hadn't been running the laptop with an Administrator-level account. Sadly, on a nonmanaged XP machine today, it isn't realistic to run without Administrator privileges. Unlike UNIX and UNIX-like systems such as Linux and Apple Computer's Mac OS X, Windows isn't very useable with a non-Administrator account, largely because so many applications are ignorant of rights and were written to work only with Administrator-level accounts. This is particularly problematic in a home environment, in which XP Home Edition's crippled Limited Account type, designed for children and less-technical users, is virtually useless. The machines I use are all using XP Professional Edition, of course, but the net effect is the same: Unless and until Microsoft changes the way local user accounts work and gets application and driver writers to sign on board, it's not possible to take this obvious step toward securing an unmanaged Windows system unless you're willing to give up a lot of functionality.

By comparison, consider how simple tasks in Mac OS X work. Even if you log on with an Administrator account, some tasks, such as running Software Update Services (SUS) or installing applications, require you to provide your password again, interactively, when you run them. This approach is a simple yet effective way to ensure that you intend to perform an activity that will change configuration settings or potentially damage the system. In Windows, the lame Run As option, virtually hidden under a right-click menu that typical users will never know about, is a poor substitute. As with the lack of spyware tools and a true two-way firewall in XP SP2, this is an area in which Microsoft needs to invest in the future.

About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
