Antivirus XP 2008/Smart Antivirus 2009

[nonchalant]

Ok I know theres been a few posts on this site about this spyware/virus, but Ive just had another call from a customer who had this on his PC a month ago and he has it again. Now I put TrustPort Antivirus on his PC last time I formatted, and I know it detects this malware but what I am wondering is how it got in the first place? This particular customer claims he only visits reputable websites and is careful about what he opens in his email, so Im curious.

Someone posted here saying it comes in as an email attachment but has anyone heard of any other methods it uses to infect a system?

[Jm Boyd]

The majority of the time it finds its way on to a machine by means of a “drive by” install from a website or by downloading it via a P2P networking thinking it to be that song they are looking for……

[Joe The PC Doc]

I have been wondering the same thing too. This virus has really increased my business lately, and I have customers of all types calling me about this.

Not exactly sure where it's coming from, however I did notice something I though peculiar.

I was at a customer's place working on removing this virus, and I was downloading Malwarebyte's Anti-Malware I believe.

Anyways, after clicking the download link, I was redirected to download.com, brought to you by C-net right? Should be a trustworthy site.

I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

It seems to me that this smitfraud maker really has sunk some deep hooks in the internet if they are paying download sites to sponsor their trojan.

[NYJimbo]

Quote:

Originally Posted by Joe The PC Doc

I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

It seems to me that this smitfraud maker really has sunk some deep hooks in the internet if they are paying download sites to sponsor their trojan.

We had a similiar problem with a customers machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.

[TimeCode]

Quote:

Originally Posted by NYJImbo

We had a similiar problem with a customers machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.

I think we'll all be a bit more careful when removing that one now. We'll have to check the entire HOSTS file. That could take some time if they have spybot installed and actually do the protective process. (I can't remember what its called...) It can become quite large.

[compudoc]

this virus is a cash cow for us....get so many of these lately. everyone ive done, even removed one yesterday, was from an email link. Now not sure on all of em, but so far most users saying it poped up after checking email.

[Blues]

I don't check the host file in the sense that I don't look beyond to see if it is as a normal default one would be. To me a normal host file has 1 entry for the local host so anything else can just be wiped as far as I am concerned.

[iptech]

Quote:

Originally Posted by NYJImbo

We had a similiar problem with a customers machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.

This is quite common with malware infections, they will either try and redirect your internet traffic to their 'sponsor' sites and they will also try to redirect you away from anti-malware/anti-virus sites so you can't download update definitions of run online scans.

Be careful about deleting all entries from the hosts file though, many anti-spyware programs such as Spybot S&D will add entries to the hosts file to prevent your browser being redirected to known malware sites and redirect any such request back to the localhost (127.0.0.1). Some ad-blockers also use the same principle.

[Crgky127]

Maybe one of the reputable sites was a CNN fake with a video that needed a 'codec'. Gmail blocks this spam by the way.

[nonchalant]

Quote:

Originally Posted by Joe The PC Doc

I was redirected to download.com, brought to you by C-net right? Should be a trustworthy site.

I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

I downloaded a program from download.com some years ago (before I was in my own business). After the d/l finished the webpage closed. Bit odd I thought, but not too worry, and clicked the program to run it. Fortunately my AV popped up to block it. Out of curiosity I quarantined the virus and looked up its technical details. Turned out to be the 'Jack the Ripper' virus. Apparently the very first time you execute this virus it immediately deletes the first 200mb of your hard drive. Nice.

And as for increasing business, yea this antivirus xp 2008 has kept me flat out this last month or so..

EDIT: Probably one thing worth mentioning also is I recall googling antiviruses a couple of weeks ago, and clicking one of the links (first main page of results interstingly) Firefox blocked the site saying it contained malicious software. Indications were it was antivirus xp 2008, so this is one other way I know that this malware infiltrates unsecure systems. It was interesting also that google was actually allowing such a site in their search results.

And heres a few posts were its also mentioned how this malware has infiltrated google and gmail http://www.dslreports.com/forum/r20915298-antivirus-xp-2008-from-gmail and http://www.zimbio.com/Spyware/articl...+Ads+Appearing

Check out the screenshots on this one! http://swoofware.com/blog/2008/06/29...-2009-round-2/ (amazing...)

Heres a nice BSOD screensaver it runs http://www.youtube.com/watch?v=mqOZLLp-S3k

This could be become a much bigger problem for your average home user before it gets any better..

The following quote was taken from http://ask-leo.com/c012643.html

"Don't feel alone in this scenario.
I run the IT side of things for a restaurant company and we also run Defender, Windows Firewall as well as the corporate version of Trend Micro on every workstation. We have seen this virus slip through all those layers as well as our Exchange AV solution and still infect machines that are locked down with no program install rights to the users on the machines at the time of infection. Looking at our exchange logs I see nothing to indicate that was the source of infection".