

bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
Anatomy of a Malware Scam: XP Antivirus 2008

Just a great analysis by Jesper Johannson, screenshot by screenshot: »www.theregister.co.uk/2008/08/22···int.html


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
Interesting article, thank you

Cudni


Agent Smith

join:2008-07-07
New York
reply to bcastner
I know I hate when pop-ups like that happen, including on MySpace or other sites; every time that happens I always change my PW.


EGeezer
Go Bobcats
Premium
join:2002-08-04
Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage

reply to bcastner
Excellent article! This is a particularly well-written piece that shows how far the malware writers have come in terms of quality and potential effectiveness. I could see conscientious, reasonably experienced users being snagged by this stuff.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
clubs:
·Verizon Online DSL

reply to bcastner
I forgot to include advice about what to do when you have a popup such as this Zlob infector.

As Jesper shows, the last thing you want to do is to click anything on the screen. Use Task Manager, Processes tab, and kill the browser instance.

Some practical advice on how to get out of a popup situation such as discussed by Jesper: »msmvps.com/blogs/harrywaldron/ar···xit.aspx
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users



EvilByDesire
Premium
join:2002-09-03
Grotto
Funny thing is, 2 people I know had that program installed, among other things, and it was a real bitch to remove...
--
...Wicked Night Demon...


Tsume

join:2004-02-23
Johnson City, TN
·Embarq
·ViaTalk
·Comcast

reply to bcastner
said by bcastner See Profile :

Just a great analysis by Jesper Johannson, screenshot by screenshot: »www.theregister.co.uk/2008/08/22···int.html
Very informative article... though the author comments on the "flawless English" (up until the tray icons) when there actually are major grammatical mistakes in EVERY window presented by the malware. I guess I'm just nitpicking though.

Example: Author says "The malware is actually quite well written, looking very professional." about "By clicking Continue button you accepting our terms and conditions."

clicking Continue button = clicking on the "Continue" button (or continuing)
you = you're (or you are)

Anyone with a 3rd grade English education should notice those mistakes and red-flag them immediately. No reputable software vendor destroys proper grammar like that.
--
"Did you know that when one little panda pulls on another little panda's underwear, that's sexual harassment? That makes me a sa-a-a-a-ad panda." --Sexual Harassment Panda


Sindows 7

join:2006-09-13
Hope, BC

reply to bcastner
Soon as you see this piece of crap, open process explorer and kill it immediately.







»technet.microsoft.com/en-us/sysi···653.aspx

Mod Note: Edited to fix blown margins


jbob
Reach Out and Touch Someone
Premium
join:2004-04-26
Little Rock, AR
·Comcast
·AT&T Southwest

reply to bcastner
I went to the link provided and partially read his post. Running XPPro w/sp3 fully updated. Running AVAST Pro and CBOC. Neither one peeped. Edit: Oh and run Hostsman using MVPS Host file.

Coincidentally a little while later I was doing a Google search for cell coverage in Durango, Co. On page 2 of the links I ended up with something like Johannson was showing on his analysis. When I initially clicked on the link I got this dialog popup in the lower right hand corner.




At first the dialog was all the way in the corner of the screen, which hid the minimized Firefox session I was in. I had thought the whole screen might have been one big image, but I was able to move the dialog box out of the corner, revealing where the browser windows had been minimized to. I had two tabs open, but I could not move or maximize the browser window with the warning dialog in view. I used Task Manager to close the browser, which got rid of everything. This appeared to be exactly what Johannson was talking about.

I then performed a scan using several Anti-Malware Apps but nothing was detected.

While this computer was running scans I went to another system and went back to the same link (I think). Again using Firefox, but this time I got a different popup.




I don't need to post the link. You can see that in the screenshot I posted. I tried it twice and got the same popup each time. That one obviously shows an AV2009 install attempt. If you read all of the link, it looks like it is supposed to be showing coverage for Alltel service.

Again I used Task Manager to kill the browser rather than selecting Cancel or the "X" to close the dialog box.


fw

join:2005-09-18
reply to bcastner
Recently had to deal with this shit on someone's PC; SmitFraudFix takes care of it.
»siri.geekstogo.com/SmitfraudFix.php


freeze
Magic Murder Bag
Premium
join:2001-05-13
Columbus, OH
 reply to bcastner
Malware crews really seem to have improved their QC over the years. I wonder what the numbers are on how many get infected, or worse, how many give their CC number.


Portmonkey
scurvy
Premium
join:2004-04-09
Southern IL

reply to bcastner
Wow. They put a little time and effort into this. I wonder how many people actually pay? At 49 bucks a pop or more, it almost boggles the mind as to how much they are potentially stealing from people.
--
"...eat Spam from the can, watch late night C-Span, and rock out to old school Duran Duran..."


MysticGogeta
The Robot Devil
Premium
join:2005-03-14
League City, TX
reply to bcastner
Another reason to use FireFox with Adblock Plus


Fubar

join:2001-02-20
Phoenix, AZ

reply to fw
said by fw See Profile :

Recently had to deal with this shit on someone's PC; SmitFraudFix takes care of it.
»siri.geekstogo.com/SmitfraudFix.php
As well as ComboFix, SuperAntiSpyware, SDFix, etc....

For the general consumer I would suggest they use SuperAntiSpyware


delugg

join:2002-01-30
New York, NY

reply to bcastner
Thanks very much for posting that link. And thanks to those who posted specific tools to fix systems infected with this and a lot of other malware.

-Mike
--
Most people are about as happy as they make up their minds to be. -Abraham Lincoln (1809 - 1865)


n1zuk
My wood is stacked
Premium
join:2001-10-24
South Burlington, VT
·Future Nine Corpor..
·ViaTalk
·Comcast

reply to bcastner
This made me smile:

quote:
It makes it clear how much you will be charged to install the malware, and even uses the boilerplate language about how safe it is to submit your credit card to them because no criminals will be able to read the encrypted transmission; until it reaches the criminals who asked for it, of course.

They are my chickens. I don't want anyone plucking them other than me.
--
New to Forum Life? Click here and learn.

B
Premium,MVM
join:2000-10-28

reply to bcastner
I dealt with an "Antivirus 2009" infection quite recently.

It was pretty easy to kill without using any specific tools at all.

Just searched for recently created files, killed the .EXE, checked the registry startups, checked the startup group (last two might not be necessary), and most importantly killed most of the IE "add-ons". It seemed to masquerade as one or more "Google Inc." add-ons.

I was surprised how (relatively) easy it was to shut the thing down. What I found hilarious was how blatantly it takes over Google, using fake ActiveX prompts claiming "Google" demands you activate Antivirus 2009 for your protection...

-- B
--
In a realm outside causality and function
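B's checklist above (registry startups, the startup group, IE add-ons) as a read-only PowerShell triage script. This is an added example, not code from the thread; it assumes Windows PowerShell 3.0 or later in an elevated prompt, and it reports the Authenticode signer of every startup binary and BHO so that an unsigned file posing as "Google Inc." stands out.

```powershell
# Added example, not from the thread: read-only triage of Run/RunOnce keys,
# Startup folders and IE Browser Helper Objects. Assumes PowerShell 3.0+, elevated.
function Get-StartupBinaries {
    $hits = @()
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
            $hits += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup group: per-user and all-users Startup folders
    foreach ($f in 'Startup', 'CommonStartup') {
        Get-ChildItem -Path ([Environment]::GetFolderPath($f)) -File -ErrorAction SilentlyContinue |
            ForEach-Object { $hits += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName } }
    }
    # IE add-ons (BHOs): each CLSID subkey resolves to a DLL through InprocServer32
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($sub in Get-ChildItem -Path $bhoKey) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($sub.PSChildName)\InprocServer32"
            $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            $hits += [pscustomobject]@{ Source = 'BHO'; Name = $sub.PSChildName; Command = [string]$dll }
        }
    }
    $hits
}

# Pull the binary path out of each command line and attach its Authenticode signer.
# A rogue add-on claiming to be Google shows up unsigned or with a non-Google subject.
function Add-SignerInfo {
    param([Parameter(ValueFromPipeline)] $entry)
    process {
        $cmd  = [Environment]::ExpandEnvironmentVariables($entry.Command)
        $path = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
        $status = if ($sig) { [string]$sig.Status } else { 'NotFound' }
        $entry | Add-Member -NotePropertyName Signer -NotePropertyValue $signer -PassThru |
                 Add-Member -NotePropertyName SigStatus -NotePropertyValue $status -PassThru
    }
}

Get-StartupBinaries | Add-SignerInfo |
    Sort-Object SigStatus | Format-Table -AutoSize Source, Name, SigStatus, Signer, Command
```

Entries whose SigStatus is NotSigned or NotFound, or whose Signer does not match the vendor the entry name claims, are the ones to investigate before removing anything.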

tenorsaw1

join:2003-07-10
Brooklyn, NY
·ViaTalk

reply to MysticGogeta
said by MysticGogeta See Profile :

Another reason to use FireFox with Adblock Plus
That doesn't seem to help. I'm running Adblock Plus and it still popped up. I was just testing to see if anything would happen. I'm also on a Mac, so I wasn't too worried about testing it.


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
I believe "NoScript" can help in Firefox.

doppler

join:2003-03-31
Blue Point, NY

reply to bcastner
This is one nasty POS.

SmitFraud removal didn't do the trick. SPYBOT S&D had limited success. I was only able to remove it after several hours of wasting my time with the Google-found search results.

Fortunately for me, the machine it was on booted up rather slowly. I was able to delete the processes that held the locked file in place. Trying to delete the processes after a completed boot cycle will not work. Each process monitors the other and restarts if deleted. I had to be fast, since you can only delete 1 process at a time in Task Manager.

Once the processes were removed, SPYBOT S&D took care of the rest. A reboot required (by SBS&D) does not work. Must remove the file by hand or let Spybot remove it (without a reboot required).

This is one nasty POS. Sorry it needs repeating.
over 10 years online! © 1999-2009 dslreports.com.