Clever stuff!


stevenamills
08-22-2008, 12:01 AM
I seem to spend half my time removing AntivirusXXXX. Hey it pays some of the bills.

I was removing 2009 this morning and got a BSOD - didn't think much about it, except to curse Bill Gates and move on.

The second time it happened, I paid more attention. The BSOD said it was due to an unregistered Antivirus 2009, then it performed a "Core Dump" and then restarted Windows - complete with splash screen. All totally bogus. What I was doing was still there. Oh - It even changed video modes.

The "social engineering" aspects of these things are getting better and better. I have to admit that I smiled and gave a slight tip of the hat to the authors. One of these days, I expect the computer will spew pea soup.

Later.....
Steve

koonter
08-22-2008, 01:45 AM
I just got a call less than 10 minutes ago. A client I had a while back calls me up freaking out. His computer just got infected with a massive virus (his words): the screen was changing color, virus and spyware alerts, the whole nine yards. Thing is, it's 3 AM and he lives in Jerusalem (an hour's drive). I tell him forget it, I don't even want overtime, I just started my weekend, and I had ended our client-tech relationship because of his temper, so I was now going to hang up the phone. I did give him a piece of advice: "turn off your computer and don't touch it until a tech gets there".

Not sure why I'm sharing this except that it is 3 AM and the end of a hard week. YAY!!!

NYJimbo
08-22-2008, 02:26 AM
The second time it happened, I paid more attention. The BSOD said it was due to an unregistered Antivirus 2009, then it performed a "Core Dump" and then restarted Windows - complete with splash screen. All totally bogus. What I was doing was still there. Oh - It even changed video modes.

This is really fascinating. Most people can't handle the most basic virus situations and now we are seeing this?

I said in another post that this stuff is only getting worse. Pretty soon they're going to have to teach internet security to kids in grade school just so they can stay ahead of this crap.

MHCG
08-22-2008, 03:38 AM
That is pretty advanced. What is a regular joe supposed to do against that kind of thing?

gunslinger
08-22-2008, 05:37 AM
That is pretty advanced. What is a regular joe supposed to do against that kind of thing?

Get a Mac and use Firefox. :D

NYJimbo
08-22-2008, 05:42 AM
I know the older smitfraud used to do a simple BSOD but nothing this complex. What's next?

JohnG
08-22-2008, 02:24 PM
That is pretty advanced. What is a regular joe supposed to do against that kind of thing?
Simple...call one of us! :D

bitznpcz
08-22-2008, 02:35 PM
A client received one of these fake AV programmes as an email attachment. Very clever, the BSOD effect!

This variant was XPSecurityCenter.exe

Malwarebytes soon took care of it though - running AV now to finish off.

seedubya
08-22-2008, 03:34 PM
That BSOD that everyone is seeing with this particular malware is in fact this:
http://technet.microsoft.com/en-us/sysinternals/bb897558.aspx

It has been around for years and was a favourite of mine when working with other IT professionals :)

NYJimbo
08-22-2008, 03:46 PM
That BSOD that everyone is seeing with this particular malware is in fact this:
http://technet.microsoft.com/en-us/sysinternals/bb897558.aspx

It has been around for years and was a favourite of mine when working with other IT professionals :)

But that's just a screen saver, the BSOD we are talking about is in a virus package and probably has more than just the BSOD to fool people.

stevenamills
08-22-2008, 03:49 PM
You're right - that one has been around for years, but it is not what's happening with Antivirus 2009. That screen actually references an "unregistered Antivirus 2009" and is active. It shows the memory dump and a log-on screen.

Steve

Crgky127
08-22-2008, 04:36 PM
Some of the 09 variations are also spoofing Windows Security Center. Looking like a new program that came from MS is one thing, but impersonating an existing program is quite a step up. Most of my customers knew that AntivirusXP wasn't legit, but there's no way they can tell the Security Center was fake. Mainstream computer users really have no hope of staying clean without our help. Programs like McAfee and Norton having so much advertising and deals with OEMs doesn't help either. (Neither of them stopped it; McAfee deleted a couple of files but didn't fix it, and Norton figured it was a better AV program than Norton, so it let it continue.)

TimeCode
08-22-2008, 04:37 PM
This seems intense. I can't wait to see a computer with this thing on my repair bench!

NYJimbo
08-22-2008, 05:05 PM
This seems intense. I can't wait to see a computer with this thing on my repair bench!

Trust me, you won't have to wait very long. :D

seedubya
08-22-2008, 05:07 PM
Norton figured it was a better AV program than Norton, so it let it continue.)

Norton was right; at least if you paid for AV 2009 it would remove itself, which is one more virus than Norton would remove.

Also, with regard to what version of the screensaver it is, they've hacked the Sysinternals one. The only reason I know is that, on a couple of systems I've had in, I've seen it referenced in Autoruns under the "Winlogon" tab under its proper name.
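As an added check (not code from the thread, from Sysinternals or from any of the posters), assuming PowerShell on the affected box, this reads the same screensaver, Shell and Userinit values that Autoruns lists under its Winlogon tab and flags any that resolve to a missing file or to a path outside %WINDIR%, so a planted screensaver stands out by location even when its name looks legitimate:

```powershell
# Added example: enumerate the Winlogon-tab autostart values and flag
# entries that point outside %WINDIR% or to a file that does not exist.
# Run as the affected user (for HKCU) with admin rights (for HKLM).
# On a clean box these normally resolve to logon.scr / explorer.exe /
# userinit.exe under the Windows directory.
function Get-WinlogonAutostart {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $checks = @(
        @{ Key = 'HKCU:\Control Panel\Desktop'; Name = 'SCRNSAVE.EXE' },
        @{ Key = $winlogon;                     Name = 'Shell' },
        @{ Key = $winlogon;                     Name = 'Userinit' }
    )
    foreach ($c in $checks) {
        $raw = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if (-not $raw) { continue }
        # Shell and Userinit may hold several comma-separated programs.
        foreach ($entry in ($raw -split ',')) {
            $exe = $entry.Trim().Trim('"')
            if (-not $exe) { continue }
            # A bare name such as explorer.exe is loaded from System32 or %WINDIR%.
            $path = $exe
            if (-not [IO.Path]::IsPathRooted($exe)) {
                $path = Join-Path "$env:WINDIR\System32" $exe
                if (-not (Test-Path $path)) { $path = Join-Path $env:WINDIR $exe }
            }
            $exists   = Test-Path $path
            $inWinDir = $path.StartsWith($env:WINDIR, [StringComparison]::OrdinalIgnoreCase)
            # Signature is informational only: on XP-era PowerShell, catalog-signed
            # system files report NotSigned, so it is not used for the verdict.
            $sig = 'missing'
            if ($exists) { $sig = (Get-AuthenticodeSignature $path).Status }
            New-Object PSObject -Property @{
                Value      = $c.Name
                Path       = $path
                Signature  = $sig
                Suspicious = (-not $exists) -or (-not $inWinDir)
            }
        }
    }
}

Get-WinlogonAutostart | Format-Table Value, Path, Signature, Suspicious -AutoSize
```

A screensaver value pointing at a user profile or temp directory is the case this thread describes; the script only reports, so confirm the file before removing anything.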

compudoc
08-22-2008, 11:03 PM
These are getting very common now, I remove about 4-6 fake antivirus programs a week!!! Tried Rogue Remover, did nothing; been using ComboFix, SmitfraudFix, HijackThis, followed with antivirus and adware sweeps. Have to disable System Restore, reset IE settings, clear Java cache (javabyteverify :( ).....lots of fun to remove....but a cash cow for me!!!!! I've seen such a jump in these and Vundo variants that I pretty much just do virus removals now, even changed my site to maximize virus searches!! A few hints: if ComboFix won't run, rename it, then try again, and if you can't get any apps to run, reach for your UBCD4Win first, run some scans, then try again. Another tip: keep seeing Vundo/Virtumonde viruses that turn off the task bar and desktop icons; just hit Ctrl+Alt+Delete, Task Manager, File, New Task, then enter explorer.exe. whew!! too much to list.

stevenamills
08-22-2008, 11:14 PM
These are getting very common now, I remove about 4-6 fake antivirus programs a week!!! Tried Rogue Remover, did nothing; been using ComboFix, SmitfraudFix, HijackThis, followed with antivirus and adware sweeps. Have to disable System Restore, reset IE settings, clear Java cache (javabyteverify :( ).....lots of fun to remove....but a cash cow for me!!!!! I've seen such a jump in these and Vundo variants that I pretty much just do virus removals now, even changed my site to maximize virus searches!! A few hints: if ComboFix won't run, rename it, then try again, and if you can't get any apps to run, reach for your UBCD4Win first, run some scans, then try again. Another tip: keep seeing Vundo/Virtumonde viruses that turn off the task bar and desktop icons; just hit Ctrl+Alt+Delete, Task Manager, File, New Task, then enter explorer.exe. whew!! too much to list.

The only one I can add to the list is Malwarebytes.

Great tips also. Do you find UBCD4Win scans more efficient than some of the standalone boot disks such as BitDefender?

Steve

stevenamills
08-28-2008, 05:40 PM
A few hints: if ComboFix won't run, rename it, then try again, and if you can't get any apps to run, reach for your UBCD4Win first, run some scans, then try again.

This tip came in handy yesterday while cleaning AV2008. ComboFix kept reporting "Rootkit found - must reboot" (wording may not be exact) and the only option was to reboot. The message came far too fast to be real, I thought.

A year or so ago, CF became vulnerable to a rootkit that would cause it to muck up your system directory and was pulled from the market for a fix. I thought it could possibly be the remnants of some protective code from that episode, but it doesn't appear to be - just AV2008 grabbing the input and issuing a bogus message, as far as I can tell.

I renamed CF to -------.exe (it's a family board, so I'll leave it to your imagination!) Everything worked as it should. I now keep a renamed CF on my USB drive.

Anybody else seeing this?

Steve

TimeCode
08-28-2008, 07:51 PM
Trust me, you won't have to wait very long. :D
I got it last night! It's on the bench right now and I'm creating a new UBCD as we speak. =)

This is going to be a fun one... The PC won't finish booting in either standard or safe mode (I gave it over 30 minutes) so I used the new UBCD. The screen resolution is horrible (yes, I did attempt to change it; there must be no drivers for the video card) so I can't even see the entire screen of SuperAntiSpyware and the color is only 4-bit. It has so far found 8 instances of Rogue.Antivirus XP 2008 as well as others.

Got it pretty clean. It will boot now and I don't see any obvious traces of it but I am still looking. Ran the SuperAntiSpyware and removed what it found then ran ComboFix, SmitfraudFix, Rogue Remover, HJT, SuperAntiSpyware again and Avira. I also removed the system restore and reset it. I think I'm about done.

TimeCode
09-11-2008, 06:49 AM
Hmm, I wonder if avast will remove this virus. I suppose we will have to wait to see when we get one in. Has anyone tried avast antivirus on this, or use avast in general?
I was waiting to get mine then I got a few of them at once. Fun stuff. =)
I've never used Avast but I've seen guys here reference it. I use Avira and love it but I'm always up for a good recommendation...

GreyWolf
09-12-2008, 06:58 AM
I don't own the site, but if you take a look at http://spywareremove.com/ there are lots of manual removal methods for lots of spyware...

And for those who worry about going to links without knowing about them, just use Google: type the URL in the search and use the cache... but as far as I can see, and I've used some of the repair tricks, it seems to be a pretty stable web site.

Shawn