Technibble Forums > Technical Discussions > Security, Viruses and Trojans

#1  09-12-2008, 09:54 AM
nonchalant (Join Date: Oct 2007; Location: Oz; Posts: 611)
Antivirus XP 2008/Smart Antivirus 2009

Ok, I know there's been a few posts on this site about this spyware/virus, but I've just had another call from a customer who had this on his PC a month ago and he has it again. Now I put TrustPort Antivirus on his PC last time I formatted, and I know it detects this malware, but what I am wondering is how it got in in the first place. This particular customer claims he only visits reputable websites and is careful about what he opens in his email, so I'm curious.

Someone posted here saying it comes in as an email attachment but has anyone heard of any other methods it uses to infect a system?
#2  09-12-2008, 02:27 PM
Jm Boyd (Join Date: Apr 2008; Posts: 97)

The majority of the time it finds its way onto a machine by means of a "drive by" install from a website, or by downloading it via a P2P network thinking it to be that song they are looking for...
#3  09-12-2008, 03:01 PM
Joe The PC Doc (Join Date: Nov 2007; Posts: 59)

I have been wondering the same thing too. This virus has really increased my business lately, and I have customers of all types calling me about this.

Not exactly sure where it's coming from, however I did notice something I thought peculiar.

I was at a customer's place working on removing this virus, and I was downloading Malwarebytes' Anti-Malware, I believe.

Anyway, after clicking the download link, I was redirected to download.com, brought to you by CNET, right? Should be a trustworthy site.

I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

It seems to me that this smitfraud maker really has sunk some deep hooks in the internet if they are paying download sites to sponsor their trojan.
#4  09-12-2008, 04:26 PM
NYJimbo (Join Date: Jul 2008; Location: Long Island, you know, like the iced tea.; Posts: 6,117)

Quote: Originally Posted by Joe The PC Doc
    I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

    It seems to me that this smitfraud maker really has sunk some deep hooks in the internet if they are paying download sites to sponsor their trojan.

We had a similar problem with a customer's machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.
#5  09-12-2008, 05:33 PM
TimeCode (Join Date: Jul 2008; Location: Pomona, CA; Posts: 1,260)
Good one!

Quote: Originally Posted by NYJimbo
    We had a similar problem with a customer's machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.

I think we'll all be a bit more careful when removing that one now. We'll have to check the entire HOSTS file. That could take some time if they have Spybot installed and actually do the protective process (I can't remember what it's called...). It can become quite large.
Tim

#6  09-12-2008, 05:52 PM
compudoc (Join Date: May 2008; Posts: 22)

This virus is a cash cow for us... get so many of these lately. Every one I've done, even the one I removed yesterday, was from an email link. Now I'm not sure on all of 'em, but so far most users are saying it popped up after checking email.
#7  09-12-2008, 05:55 PM
Blues (Join Date: Jun 2006; Location: Tennessee, US; Posts: 1,606)

I don't check the hosts file in the sense that I don't look beyond to see if it is as a normal default one would be. To me a normal hosts file has one entry for the localhost, so anything else can just be wiped as far as I am concerned.
#8  09-12-2008, 07:36 PM
iptech (Banned; Join Date: Sep 2008; Location: PC Biz; Posts: 2,069)

Quote: Originally Posted by NYJimbo
    We had a similar problem with a customer's machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.

This is quite common with malware infections: they will try to redirect your internet traffic to their 'sponsor' sites, and they will also try to redirect you away from anti-malware/anti-virus sites so you can't download definition updates or run online scans.

Be careful about deleting all entries from the hosts file though; many anti-spyware programs such as Spybot S&D will add entries to the hosts file to prevent your browser from being redirected to known malware sites, redirecting any such request back to the localhost (127.0.0.1). Some ad-blockers also use the same principle.
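A small triage script for the distinction the last few posts are drawing, added here as an example and not posted by anyone in the thread: it parses a hosts file, treats entries that point at loopback or 0.0.0.0 as ordinary Spybot/ad-blocker style block entries, and singles out only the lines that send a name to some other server (a hijack) or that sinkhole a site a technician needs for cleanup (an AV vendor blocked so updates fail). The sample hosts content, the WATCHED_DOMAINS list and the av-vendor.example name are constructed; download.com is the one real name and is taken from the thread.

```python
"""Triage a Windows hosts file: separate benign block entries from hijacks."""
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file (not taken from any machine in the thread).
# It mixes the default localhost lines, Spybot-style block entries, and the
# kind of lines a hijacker adds: a download site pointed at another IP and an
# AV vendor sinkholed to loopback so its updates and online scans fail.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost

# Spybot S&D style block entries (benign: route known-bad sites to loopback)
127.0.0.1 www.bad-ads.example
127.0.0.1 tracker.example   # trailing comment
0.0.0.0   ads.example

# lines a hijacker would add
192.0.2.10    download.com www.download.com
127.0.0.1     av-vendor.example
198.51.100.7  update.av-vendor.example
"""

# Hypothetical watchlist: sites the technician relies on during cleanup.
# A hosts entry touching one of these deserves a look even if it points at loopback.
WATCHED_DOMAINS = ("download.com", "av-vendor.example")


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    verdict: str  # "default", "block", "blocked_security_site" or "redirect"


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for each well-formed mapping line.

    Comments (#...) and blank lines are skipped. A line whose first field is
    not an IP address is ignored rather than raising, so a corrupted file
    still yields a report for the lines that do parse.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, fields[0], [h.lower() for h in fields[1:]]


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(text):
    """Classify every hostname mapping in the hosts file text."""
    findings = []
    for line_no, address, hostnames in parse_hosts(text):
        ip = ipaddress.ip_address(address)
        sinkholed = ip.is_loopback or ip.is_unspecified  # 127.x, ::1, 0.0.0.0
        for hostname in hostnames:
            if sinkholed and hostname == "localhost":
                verdict = "default"  # the one entry a stock hosts file carries
            elif sinkholed and is_watched(hostname):
                verdict = "blocked_security_site"  # looks like a block entry but blocks a site you need
            elif sinkholed:
                verdict = "block"  # ordinary Spybot/ad-blocker entry; leave it alone
            else:
                verdict = "redirect"  # traffic for this name goes to someone else's server
            findings.append(Finding(line_no, address, hostname, verdict))
    return findings


def summarize(findings):
    """Count findings per verdict."""
    counts = {"default": 0, "block": 0, "blocked_security_site": 0, "redirect": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


def needs_attention(findings):
    """The entries a technician should remove or verify, in file order."""
    return [f for f in findings if f.verdict in ("redirect", "blocked_security_site")]


if __name__ == "__main__":
    results = classify(SAMPLE_HOSTS)
    print(summarize(results))
    for f in needs_attention(results):
        print(f"line {f.line_no}: {f.address:<14} {f.hostname:<28} {f.verdict}")
```

On a real machine, read the file at %SystemRoot%\System32\drivers\etc\hosts into `classify` instead of `SAMPLE_HOSTS`; the point of the watchlist is that a loopback entry is not automatically benign, so fill it with the vendor and download sites you actually use before trusting the "block" verdict.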
#9  09-12-2008, 09:02 PM
Crgky127 (Join Date: Feb 2008; Posts: 598)

Maybe one of the reputable sites was a CNN fake with a video that needed a 'codec'. Gmail blocks this spam by the way.
#10  09-12-2008, 11:34 PM
nonchalant (Join Date: Oct 2007; Location: Oz; Posts: 611)

Quote: Originally Posted by Joe The PC Doc
    I was redirected to download.com, brought to you by CNET, right? Should be a trustworthy site.

    I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

I downloaded a program from download.com some years ago (before I was in my own business). After the d/l finished the webpage closed. Bit odd, I thought, but not to worry, and I clicked the program to run it. Fortunately my AV popped up to block it. Out of curiosity I quarantined the virus and looked up its technical details. Turned out to be the 'Jack the Ripper' virus. Apparently the very first time you execute this virus it immediately deletes the first 200 MB of your hard drive. Nice.

And as for increasing business, yeah, this Antivirus XP 2008 has kept me flat out this last month or so.

EDIT: Probably one thing worth mentioning also is I recall googling antiviruses a couple of weeks ago, and clicking one of the links (first main page of results, interestingly) Firefox blocked the site saying it contained malicious software. Indications were it was Antivirus XP 2008, so this is one other way I know that this malware infiltrates insecure systems. It was interesting also that Google was actually allowing such a site in their search results.

And here's a few posts where it's also mentioned how this malware has infiltrated Google and Gmail: http://www.dslreports.com/forum/r20915298-antivirus-xp-2008-from-gmail and http://www.zimbio.com/Spyware/articl...+Ads+Appearing

Check out the screenshots on this one! http://swoofware.com/blog/2008/06/29...-2009-round-2/ (amazing...)

Here's a nice BSOD screensaver it runs: http://www.youtube.com/watch?v=mqOZLLp-S3k

This could become a much bigger problem for your average home user before it gets any better.

The following quote was taken from http://ask-leo.com/c012643.html

"Don't feel alone in this scenario.
I run the IT side of things for a restaurant company and we also run Defender, Windows Firewall as well as the corporate version of Trend Micro on every workstation. We have seen this virus slip through all those layers as well as our Exchange AV solution and still infect machines that are locked down with no program install rights to the users on the machines at the time of infection. Looking at our exchange logs I see nothing to indicate that was the source of infection".

Last edited by nonchalant; 09-13-2008 at 12:25 AM.