A relatively peaceful weekend from Friday but with another ‘incident’ in Windows XP.
My friend Roy, came to me with a “Scareware Virus” called MS Removal Tool. (My first thought was – what a good idea – maybe Ubuntu…) But no, this turned into a ‘major mission’ to remove and recover control of his PC. It would not allow him to use any of the standard anti-virus measures nor run any diagnostic software like ‘Task Manager’.
How did he get it?
Very simple, he went to a web site that had been ‘click-jacked’ and without him knowing, the ‘virus’ was installed on his PC. He was using Internet Explorer and he has Microsoft’s Security Essentials. Unfortunately both are side-tracked and bypassed by this rogue software.
This is the same category of malware that disrupted another client’s PC recently. There it was called ‘AntiVir’. It would not allow the user to remove the virus without going into ‘safe mode’. This is not the easiest of methods for an inexperienced user who may have never seen ‘Press F8 to enter safe mode.’
[Since this time, a few more of my clients have come to me to ‘remove’ the ‘ScareWare’ worms and virri.]
Live Security Platinum is the latest ‘scareware’ worm to hit here in SA [2012]
This worm/trojan puts up a ‘front’ and shows you a scanning of your hard disk with a load of virii etc. While loading its ‘hooks’ into your system to ‘own’ (pwn) it.
Live Security Platinum – ThreatExpert submission [2012-07]
http://www.threatexpert.com/report.aspx?md5=e5602b9c25da9a41cf555b8e35af9742
This submission is dated 11th July 2012. So it is quite ‘up to date’.
New and Improved Worms and Virii are being made right now.
‘Scareware’ does more ‘damage’ to user confidence and productivity than previous types. It also carries with it a ‘payload’ of worms and virii. Most are detectable but some are variations that have not yet been ‘captured’ in the wild.
[The ‘variation on a theme’ seems to be prevalent as well. Meaning that old and workable virusii can be ‘recycled’ into new and even more upsetting variations. In the ‘process’ they are disguised so that the latest anti-virus products do not recognise them.]
“Data Recovery” – what a joke!
This was to be expected. As more and more ‘black hats’ discover the usefulness of ‘bots’ and worms that really can do ‘damage’, they are getting to release these on the day of your anti-virus ‘update’. Otherwise known as ‘zero day exploits’.
DO UPDATE YOUR Microsoft Security Essentials when you can.
DO NOT HAVE TWO OR MORE Anti-Virus products installed on your PC. The Microsoft Security Essentials, formerly called ‘Windows Defender’ works. Don’t accept Mcafee as part of ADOBE’s update. You will have to de-install it later if you do.
Sent at 8:45 AM on Thursday
John: I see my M$ sec essentials has gone from 411 to 601 in a few days. Your contribution I am sure has helped ‘update’ it…
This is on my ‘no 2’ PC not my ‘no 1’ PC. This one was updated yesterday. And this morning. Thanks Nick!
Now you should start using FireFox and or Chrome. Also update Internet Exploder to the latest possible version.
Sent at 9:20 AM on Thursday
John: I think you should run ‘Windows Update’ as well now. The IE8 version has just ‘re-installed’ the activeX control for IE8 and Windows Update. I think that the previous version has been ‘compromised’.
Yes! Install it.
[Alternate ‘Data Recovery’ removal instructions:
1. First of all, you need to unhide the files and folders. Select Run… from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.
At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again. — This does work. But does not remove all the ‘hooks’. ]
‘By the rivers of Babylon’ – To ‘remove’ Babylon…
Open a dos shell, or execute “RegEdit” through the launch menu.
Find the key: [taint there! WinXP]
HKEY_LOCAL_MACHINE
…
HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerAbout URLsTabs
and change the entry that points to babylon search, to the one you desire (be it google, bing, or whatever).”
Alternate removal: run
C:Program FilesBabylonBabylon-ProUtilsuninstbb.exe
Microsoft Security Advisory (2719615)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
Published: Tuesday, June 12, 2012
http://technet.microsoft.com/en-us/security/advisory/2719615
[reply to email from client]
Hi Steven
Thank you for the nice compliments. I have never liked making money from the misery of others. The sort of virii and worms we have today have a far more devastating impact on the running of a business than last century.
Your ‘incident’ has actually taught me a new way of counteracting the ‘scareware’. I can now boot the infested PC with a memory stick or CD. Then copy the Microsoft ‘search and destroy’ software to the hard disk. Also at that time, I can remove any obvious infestation. Files that are placed as a ‘payload’ by the scareware. Then rebooting into safe mode with networking, I run the msert program. The program can be deleted now as it only works for 10 days. Requiring an update at that time. If you had let it alone, the PC would have ‘announced’ itself on the Internet as a PC that can be ‘owned’ and run as part of the extensive networks of ‘Bots’. These ‘Botnets’ are used to deny access to major servers and spam vast numbers of recipients. All operating without your knowledge and participation.
Little wonder that ‘organised crime’ have found this more profitable than drugs!
All of the best for the future.
Best regards
John Brock
————————————————————————–
Tools of the trade
Various web sites offer software ‘tools’ that will ‘get rid of’ this malware. One is:
Spyware doctor
http://www.spyware-experts.com/ms-removal-tool/
another is:
MalwareBytes Anti-malware
http://www.malwarebytes.org/
There are a lot of others, too numerous to go into here. Some give manual methods for removal. But state that this will be limited in effectiveness as the ‘virus’ changes the file names and registry entries on a daily basis. This also confirms the conclusion that I had come to, that no single anti-malware product is going to be 100% effective.
What did I use?
I used the latest ‘Hiren’s Boot CD’ to boot his PC into mini Windows XP. [You can download it from: http://www.hirensbootcd.org/download/] Then I ran three of the malware removal tools on that CD. All ran and said that they had completed a ‘removal’ or ‘clean’. We then rebooted into his Windows XP and ran ‘msert’.
That is Microsoft’s Safety Scanner tool that you can download from:
http://www.microsoft.com/security/scanner/en-za/default.aspx
This ‘tool’ runs, scans and removes with an up to date malware table. It ‘expires’ in 10 days so that you will always need to download the latest version.
When we rebooted his PC into Windows, we found no trace of the virus. Thank goodness.