A really good informative article, it covered every aspect of the scam and gives insight to those of us who are not IT professionals, one of the reasons I read the Reg daily.

"This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious. For example, no website can run an anti-malware scan on your computer simply by your visiting the site. Any site that purports to do so is almost certainly run by criminal gangs."

Trandmicro's Housecall can. Although technically it does ask you to authorise a plugin first, be it ActiveX or Java.

Very good Jesper, well done.

I saw this Malware on a friends PC recently. He told me his Norton was just about at the end of its subscription term and he thought it was connected to that. Starting from that assumption, it was very very believable to watch.

I can't recall what gave it away.. I think probably it was because I installed AVG (sans linkscanner) ready to replace the machine hog Norton anyway, and it found almost nothing except: Fake_AntiVirus.

Once that was sorted the machine was much happier. Norton was slugging it far more than this Antivirus 2008 was, though. Something is wrong when the evil stuff is less hassle than the real stuff...

Thanks for a great article.

I'm sick and tired of removing this rubbish from client's computers.

Two of them have cancelled credit cards after realising that they'd been scammed.

One of the card providers stated that they'd had quite a few issues with these b**tards. I have to wonder why they don't block the transactions if they already know it's a scam?

I found this particularly interesting, having removed XP Antivirus from my sister's computer a month or two ago.

I hadn't seen the process by which it infected, and it did have me a little confused, since I'd never touched her computer before, and she claimed she'd been infected by a virus.

She said she had AntiVirus software, but didn't know what it was called, after playing around a bit, I realised it was a fake anti-virus app and was sufficiently impressed, further interrogations of her boyfriend indicated he had removed Norton AntiVirus a week prior to the infection.

Unfortunately I didn't get to see the infection process, or how detailed it actually is, and am now wondering whether the fake "Security Center" is still on her PC.

She now has AVG Free on there, a full system scan reported no threats, so hopefully she is clean.

A very interesting and detailed article indeed.

Thanks for the effort to bring this to light.

Where's the difference to so-called "legitimate" anti-virus vendors?

That software doesn't seem to do anything malicious, but essentially every "legitimate" anti-virus package has been found to have buffer overruns, thus executing code placed in files they scan. In this day and age this cannot be an accident. Ways to prevent buffer overflows have been known for decades now and ways to exploit them are at least known since around 2000.

The spelling and grammar goes wrong earlier than you suggest - even in the 2nd dialog there's a reference to PC "freezes and creahes" (which I guess are supposed to be "crashes"). At this point, anyone reading carefully should have sirens going off in their heads.

Thanks for a well-researched article though, it was a pleasure to read.

This was good work, made for an interesting read, and just goes to show how sophisticated the techniques have become.

Thank you.

I've recently spent a couple of days clearing the very same off a machine owned by a colleague (not that it took that long, but I wanted to make sure any recent "updates" were detected properly by the AV / anti-spyware)

Small note to anyone else with the same problem - isolate the machine from the internet, and get the files you need to clean it from a different PC - these damn things are updated on an almost daily basis, so the "good guys" have a very hard time keeping up with the latest variant.

In no particular order, but starting with Sysclean (Trend Micro), throw Spybot S&D, Vundofix, Blacklight (a rootkit detection util from f-secure), Smitfraudfix, and last but by no means least, Spywareblaster at it to detect, clear, and lock down the machine.

Also, in terms of free AV, for the paranoid - get Avira, for the normal user, get Avast (and the MacLoverOSX skin), and my least favourite freebie, AVG (previous experience fixing machines for people tells me to trust it as much as Norton...)

Congrats on a great write-up ! :-)

I have seen a few users machines catch a variant of this malware from infected email attachments and also from .exe's downloaded via bittorent.

In the cases I saw, running the attachment or d/l file just installed the exploit and ran the xpantivirus2008 automatically, popped up the viruses found message.

It installed an executable in \windows\system32, and this thing would run at start up - not from registry run keys, or the start menu start folder nor as a service. I assume it patched some standard system exe to launch itself?

MacAfee detected it but could not remove it. Booted into safe mode, I could not remove it manually. There were open handles to the file.

It also would periodically pop up a system modal dialog with a test entry field and an alphanumeric code, and then demand the user type the code into the text box and click OK. This had enormous annoyance value.

Alas I cannot remember what MacAfee called it right now.

Someone I know managed to install this software (or something very similar) and after a few attempts to remove it themselves, they were also misguided enough to pay the $45 in the hope that it would stop bothering them so frequently. Paying didn't make any difference and they got me to remove it about a month later. They also said that there were no other charges on their credit card. Perhaps the number of people who pay the $45 is already high enough and the scammers don't want to 'kill the golden goose' by making more obviously fraudulent transactions.

BTW my wife also managed to stumble onto one of these pages and I can tell you the endless popups are just as annoying even in Linux. She now knows how to use 'xkill' to escape from such nonsense.

Or does thing also download other malware variants ??

Been seeing a lot of these coming through the workshop in the last week or so and by all accounts its an absolute pig to remove completely. The lads have said they need to use at least 3 tools to nuke it and other random crap that seems to be getting downloaded. One bloke claims he got infected via a spam email and had not been surfing at all that day.

Oh and well written article.

Thanks

Kev

Perhaps you might like to have another look at some of the dialogue boxes earlier in the sequence- they do actually include spelling errors, general syntax errors and elemental grammatical errors. For example:

Figure 2 (the initial warning): Crashes is misspelt "Creahes".

Figure 4: Strange syntax: "It is strongly recommended to remove *them* immediately".

Figure 5: Dont is missing its apostrophe

Figure 7: "By clicking Continue button you accepting our terms and conditions". I imagine they intended to say "you are" or "you're". An obvious grammatical error.

Figure 8 (the terms and conditions): Random use of capital letters, and multiple examples of words which would normally be combined together or hyphenated

Figure 10 (Support Forum): "If you have any questions regarding XP Antivirus for need any assistance......." Atrocious grammar

Figure 11: "Windows Security Center reports that "XP Antivirus" is inable." Strange- "inable"- what are they trying to say?

Figures 15 and 16: Repitition of "inable". Spelling error "unathorised"

Figure 17: "to get you system....." "troyans" (hmmm- think they were really getting sloppy at this stage)

In the interests of fairness- the AVG screenshot with its "Accessed file is unwanted" is atrocious English too. "Unwanted"- ehh? Poor file...... I had no idea files had feelings......

You'd never guess I worked in quality control on localisation duties for a while?

S.

"It turns out that the malware actually failed to install on Windows Vista "

I knew there was a reason I bought Vista...

I'm sharing this one.

Very informative!

i have been inundated with these things at the university where i work.

they come in thru bad blog spam, myspace bot spam, phishing emails, the works.

some of them pop up phony bluescreens, complete with fake restarts of windows, either via fullscreen animated GIFs, or by using a BSOD screen saver.

the only way i was able to spot one infection was that the "bluescreen" completed it's dump of physical memory and "restarted" windows. think about that for a minute. it's called the blue screen of death because it's the last action your computer takes before it locks up solid. there is no coming back.

someone has poured a lot of time and energy (and presumably money) into these scams.

these are not students playing a prank. this isn't some lonely guy in his mom's basement. these are real programmers at work, and they are probably backed by someone with money. this is not an automated attack that you can fix with automated tools. new versions are hitting every day, manually re-engineered to slide past anti-virus and anti-spyware tools. this is a human powered attack and it requires a human powered counter attack.

this isn't crime. this isn't a random act by an individual or a group. this is a coordinated attack by a growing group of motivated professionals. this is a war.

This is not news to me. I have this attack vector sussed. I have been through all you described on a VM of my own. Did you by any chance RE the software that the user is prompted to download and discover what the malware actually does other than entice a user to provide card details to the scammers?

I am not smart enough yet to reverse the code that this malware installs and with clever obfuscation, debugger detection and encryption techniques often used to hide the purpose of such malware, I may never be smart enough to be do so. I am not brilliant, just smarter than the average bear.

To be honest, I sussed it was nasty as soon as I was prompted to download it, which I did and AV scanned, this produced a negative result, but I still knew it was bad and deleted it. I never tried to install or RE the code however. I will download again (if I can find it) and play with it in Olly and IDA tomorrow. btw the executable I was offered was AV2009Install_77011807.exe. I presume the same team are responsible.

I encountered this scam last week at work when I had to remove some spyware from a lusers machine in another office (eventually we ended up scrapping the machine and replacing it).

I will definitely be recommending this article to both colleagues and friends ( I might even see if I can't get my boss to make some sort of notice for the company. Well written and helpful to both IT professionals and users. I hope we see more of this sort of writing.

Figure 11 :-

"Windows Security Center reports that 'XP antivirus' is inable."

Inable?

"Note : Windows detect unregistered version of 'XP antivirus'

detected?

"A reputable site will present you with product information and then leave the downloading decision up to you, not force it upon you."

Tried downloading the free version of AVG recently?

Nice article though I have been getting these 'warnings' for years. Whilst this one is a 'cunning plan' I suspect its probably overkill for the sort of person that thinks you can visit a website and it can really immediately detect malware. They are doomed anyway

I saw this not too long ago, and the analysis is nicely done.

I run both Lavasot AdAware and Webroot Spysweeper (which actually work GREAT running concurrently, and I even schedule them to scan nightly at the same time). I've also got Trend Micro running for AV security, and all my e-mail passes not only through g-mail's filters, but 2 others as well in a multiple forward process. Using an e-mail alias doesn't hurt, and I have not had a single spam in my personal account in 2 years.

I've always used Alt-F4 to kill windows, just a habit, but it avoids clicking. When I need to kill something, it's also typically easier to kill it from the task bar than the window itself. Also, using Opera, pop-ups are easy to avoid and windows designed to look like IE prompts are easy to spot.

This is an impressivley complex scam, and I'm sure they'll refine the spelling errors and other consistancies to make it more impressive. If I wasn't an IT admin, I might fall for this one myself.

I'm so paranoid using a PC that I NEVER click on a link, but always copy and paste the link into the browser. I've trained most of my family (including parents, cousins, and more, to do the same.)

On a Mac, I'd have none of these concerns. Any malware would likely not work at all. Any pop-ups targeting Windows this way would be VERY obvois indeed, and any malware i might inadvertantly download would not run.

I have removed this malware from too many machines in the last month or so, ranging from home PC of friends and family, to corporate machines, that have corporate AV installed on them.

I find that Malwarebytes Antimalware (malwarebytes.org) program removes the program with out any problems. You dont need to buy anything (unless you want continuous protection - but I run it once a week to keep an eye on things)

I hope that this will help others in the fight against the crap that is out there

I forget exactly what else this installed (I left the results in a text file on their screen), but...

Sysclean (with the additional spyware definitions) picked up 18 viruses / malware components - but failed to clean it up properly.

Spybot S&D then picked up a further 20 traces, and IIRC a couple more a day or two later once more updates were available - there were at least 14 different malware components, mainly of the credit card sniffing variety.

One thing that worried me was Blacklight initially showed three components which may have been rootkits - but by the same token, may have been legit subsystem drivers for audio / video (it was a Packard Bell Easynote). After a couple of days and a couple of scans / updates with Spybot S&D, I ran it again but it came up clear.

I have come across this particular infection a lot over the last couple of months on various PC's, I have found that the easiest way to remove this is to use Malware Bytes Anti-Malware. Run a full scan using the free version, remove everything it finds and you should be good to go.

Another issue I've found is that some machines infected with this also have a secondary infection which turns your machine into a mass mailer spewing out thousands of spam emails (this may or may not be related to the first infection). So as well as doing the above, make sure the PC has up to date anti-virus software and run a full scan. I can confirm that Norton is able to successfully remove the secondary infection, whereas Malware Bytes Anti-Malware only removes the first.

A 2-week trial version of Norton Anti-Virus 2008 can be downloaded for free if necessary, a quick Google search should point you in the right direction for Symantec's Norton trial products.

Good luck.

Thanks for linking to my forum in your article. I thought it was very well written and detailed.

Also something I see\do on a daily basis. Installing this junk and assiting others remove it.

Andrew Barr is correct that Malwarebyte Anti-Malware does a superb job in removal of these nasties.

I would also point out that Smitfraud Fix does the same thing, tho not targeted to as many other types of infections as MBAM.

And to update I have another thread where I post all the latest rogue sites and software I find from many other sources. The one you linked to is out of date as it was no longer viable for them to keep the database updated:

http://www.temerc.com/forums/viewtopic.php?f=26&t=5053

Thanks again for the mention!

It brings back memories since when I was using Windows and Internet Explorer.

Please continue to enjoy your Windows experience, you have no way to escape.

That thing's only permitted for companies whose products pass Windows Logo testing, and pay a premium to Microsoft. Seeing that logo on one of the screen shots constitutes copyright violation. Not to mention misrepresentation or whatever the landshark-friendly phrase is for that.

Where's Microsoft's landshark team when you really need them?

I knew there was a reason I don't permit administrator access to any PCs...

By the way, seeing BigFix on one of the doubleclick.net ads at the bottom of this suggests Jesper is the pot calling the kettle black. Better review your ad contracts, El Reg.

I saw this on a friends PC recently too. It was obvious immediately from the name that it was dubious. Firstly it had 'XP' in the name which no legitimate company would do for fear of being sued by MS. Secondly there are only a handful of legitimate antivirus / antimalware tools available.

I second the above post, MBAM seemed to do a pretty good job of clearing this.

It is quite ironic that there are many more fake anti-malware/virus apps than there are legitimate ones. People have had it drummed into them for years that the need an antivirus and now they are more than happy to download and pay for this crap.

I have recently had to remove variants of this from several computers. The ones that I have seen do attempt to connect via internet to something. Unplug the CAT5 until you remove it. It is also resistant to most manual removal attemtps. I had to boot the recovery console from the Windoze CD to be able to delete all of it's parts. Some of it lives in the browser cache, Windows, and system32 folders in XP. Just sort folder contents by date, and they become obvious. I'm a bit sorry I didn't keep a sample to feed to my dis-assembler. Perhaps it can be hacked to feed bad data back to these crooks.

...And you guys with the MACS... Stop snickering!! They will be aiming at you next.

Tux... Because he's mostly immune (for now)

"Obviously the criminals are well aware that users are incredibly desensitized to warnings and the more warnings they get, the less they pay attention to them."

Better ramp up the frequency of those warnings in Windows 7. It has to be even more secure than Vista after all.

Seen this thing on a client's PC lately. Another nice touch is that it actually integrates into the Control Panel (without doing anything there, of course - except leading you to the GiveMeMoney.com website...)

"I'm sick and tired of removing this rubbish from client's computers."

You should start asking them to pay you for it. You'd make a fortune!

Mines the one "Windows Cleanup $200, Linux installs free" on the back.

Those boys have at least one other bit of malware, Antivirus Vista 2008.

And they'll try to install their stuff on anything that gets in range. I've had two attempts to install their malware on my Macs, running Safari. Naturally I just laughed when a WinXP box popped up and declared that I had been infected by what were clearly Windows viruses... I clicked 'close', and the thing tried to download anyway. As it was an .exe file, it couldn't actually do anything on my Mac, but if I'd been using a WinBox I'd have been in trouble.

www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008 is one of many sites which gives tutorials (in this case, wrapped with a plug for their own stuff) on how to remove that pig. The list of executables and registry keys which need to be removed is quite sobering.

Michael C - "On a Mac, I'd have none of these concerns. Any malware would likely not work at all. Any pop-ups targeting Windows this way would be VERY obvois indeed, and any malware i might inadvertantly download would not run."

madra - "it's one of those articles were us mac & linux users can have a good belly laugh at you sad windoze drones and your pestilent OS - we havenae had one for a while!"

What I find interesting about this particular form of malware is that the methods they are employing don't necessarily rely on any particular flaws in Windows' code. They are employing flaws in the computer literacy of Windows' users. It seems that the payload they are trying to deliver is a constant harassment of the user to pay for some software via a dodgy website with their credit card. If 95% of computer users were using Ubuntu, I could still see this same scam working.

The Javascript, the animated .gifs, the duplicated system dialogs, and the software installation could all be accomplished on Linux (especially Ubuntu) or Mac simply by giving the mark some helpful instructions to enter their password in the next dialog box that pops up. The scam isn't attacking the system's security - it's getting the user to do all the work. Since Ubuntu helpfully doesn't use a root password, the user just enters his/her own limited user password to also perform system-wide installations and configuration changes.

All that said, this article hammered home some thoughts I've had recently. All the talk about "is Linux ready for the desktop?" or "what Linux needs to do to become the dominant OS" starts with the assumption that that would be good for the existing users of Linux. I think I've decided that I'm happy with all the idiots staying on Windows. There's the old saying that Linux is only secure because it's not popular, and no one writes malware for it. I've never agreed with that - Linux (and OS X) are more secure than Windows by design. But there's another saying that system security is only as good as the hardware's physical security. When the user sitting in front of the box is the box's worst enemy, it doesn't matter what OS it's running.

Yes, the hardware support and compatibility would be great if 95% of the world ran Linux. But all the Russian gangsters would then start writing this kind of crap for it and I'd still be cleaning it off of my family's machines - hopefully before they'd given their credit card details to a website in Botswana. The social engineering aspects would be harder to pull off than your typical ActiveX exploit, but they'd still have enough success to make it worth their effort.

While I do not want to bash TrendMicro's HouseScan - it is still not possible to have your PC scanned for malware just by visiting a website. You still need to actively install some piece of software, be it ActiveX, a Java applet or whatever.

Just considering what it means to scan your machine for malware (namely reading every single file to do a heuristic comparison against known patterns), I would rather think that's quite a good thing (even if it won't work against dangerous semi-knowledge as exposed by most users...).

If that is not needed anymore nowadays, then Windows(tm) is worse than I thought...

(that you have to be running Windwoes), you have to be running Internet Exploder, allow popups, and allow scripts in order for this to work. Committing each of those three (four if you prefer) idiocies concurrently is akin to dropping your pants in the middle of Main Street, bending over and shouting TAKE ME - I'M YOURS - It hardly leaves you in a position to complain about a sore anus.

Paris - because she knows what happens when you drop your pants.

Would a custom Windows theme make it easier for ordinary clients to detect this kind of thing?

i too have had to clean this, the worst was in the computer belonging to the father of one of my neighbours. He'd left it on his system for 3 MONTHS. It had downloaded other trojans. Finally it got to the point where his computer was running XP slower than a P2-333 with 128Mb ram. It was also giving porn popups constantly, and 1-pixel IE windows.

After 4 days of trying to remove this crap(and i did remove over 1,500 trojan and virii and adware files, I just said, 'enough' Pulled all the documents off onto a memstick, and wiped the hard drive. The computer also finally got it's first taste of XP with a service pack (yes, it was XP without SP1 let alone 2, although it was bought after 2 came out - lazy HP)

The only time i've seen a system that infected before, was one belonging to a friend, one that had been used by her 15yo step-daughter (who had opened every spam email, every exe, gone for every trojan she cuold, on pupose). That is how bad this spyware gets.

Not by anything said in this article, but when you stop and think about it, what kind of cockamamie system is it that would make this rather elaborate scam seem real, pray tell?

I can hardly begin to guess the conceptual flaws in the design of Windows that would need correction to put a stop to this kind of thing. Perhaps instead of having OS and applications on writable disks they should be on read-only media? Perhaps the computer itself should NEVER undertake any task on its own, demanding explicit user instruction to start anything at all. (And, yes, that might mean, inter alia, start network connection, start font rasterizer, etc.) Perhaps the fundamental issue is that desktop OSes and applications have been designed with an implicit assumption that the world is a nice place, instead of always asking "how can someone misuse or subvert this or that feature?" Perhaps the adoption of an architecture that allows—nay panders to—applications to hook themselves deeply into the guts is wrong. (IOW, what kind of system even allows rootkits? Why does Windows still use the old hamburger or mixmaster way down in its guts to allow deep hooking?) I really don't know.

There's something very very wrong somewhere. The entire desktop computer industry took a wrong turn somewhere, a long time ago.

PS # 1: And before the Mac & Linux fanboys start chortling, let me assert that those systems are just as prone to this kind of scam as Windows is.

PS # 2: Actually, I had one of these pop up on my bareback-except-for-hardware-firewall Win98 box a year or so ago. I almost fell for it but suddenly realized "why is a dialog box on a very plain vanilla Win98 machine displayed using XP chrome?"

...as there is no way for a standard user to differentiate between legitimate operational messages coming from the system and spoofed ones coming from some low-life application. Nor is there a way for a user to know whether the "OK" for some system operation he just gave will actually be sent to the system or to said low-life application instead.

Microsoft could have forced the industry to take the approach of a "Windows" key that really, on the hardware level and in visually clear style, "opened up" the innards for repair and maintenance. Instead ... we have a Windows key that opens up a Start Menu .... oh and hardware-mandated copy protection .... and see-through window borders or some equally retarded shite (btw. KDE4, I'm also looking at you)

When I first looked at the web site name my internal parser saw:

www.x-panti-virus.com

I think I need another pint.

Paris 'cause she patented the panti virus.

Firstly, nice article, and thanks for sharing your obvious hard work with the rest of us.

I took the time to read the text on the screendumps you showed, and right from the start the hairs were standing up on the back of my neck : malware. The text read like the poor english manuals for the electrical goods you bought from tandy 15-20 years ago. The graphics were quite convincing. If they get the english right ...

I've been caught myself way back when I was using w98 and did not understand computer security. So I trashed the machine and lost some of my data (not recently backed up) to clean it up, and be sure. I think it fair to say 'gee thanks bill' for the crap that entailed, but the fact remains that it *could* happen on any system.

Now I use my Penguin friend for all online stuff, as I don't trust bills crap. This is not smugness, just bitter experience.

Regardless of the operating system you use, and the security software you use, there *ARE* weaknesses in your system, and they *WILL* be found. Security software may not be current to the threat and will not necessarily protect. Using the admin account on your machine when online is idiotic as any crapware gets admin privileges, so don't do it.

Therefore *PLEASE* think about what you are doing, where you surf, and don't bloody use an admin account while doing it !

No legitimate coder leaves bugs in code at time of release. How many have looked back at their code of say 6 months ago and thought on occasion WTF was I doing when I wrote that ? Bugs slip through sometimes by hiding in plain sight. The only way to address this is to install the updates and thank all involved in finding the issue and resolving it.

Paris cos you're bound to get 'infected' while surfing for/on paris ...

Who invited the googlebots?

"A 2-week trial version of Norton Anti-Virus 2008 can be downloaded for free if necessary"

BWAHAHAHA.... don't know which would be worse to be infested with. At least XPAntivirus wouldn't be quite the memory hog or system crasher that Norton is.

I don't think even Paris would fall for that.

First, thank you for the diligent research and interesting presentation. I have been laughing about that popup for months, since I run UBUNTU (Ultimate Edition of course) on my laptop exclusively now (forced into this because vista and linux are the only to OSs that will see a sata hd with phoenix bios, and vista is not an option).

These popups keep showing up since the JS does not check the operating system. It is very nice to be on Linux where I am happy able to ignore them. That being said I was also very interested to read the article.

Next, may I recommend eeye by blink for those running M$ Windoze (anything besides Vista...not out yet). It is great! I have pointed many of my friends to it, and they are all very pleased. I have not checked this malware against it, but I would expect it to rank as high if not better then any of the other major products (and is cheaper too)

I had one hell of a time removing this from my PC the very first time I discovered it lurking around. Fortunately, I was a bit more clued up back then than your average new PC owner so I had a working knowledge on how to deal with it.

Just to throw my 2 cents in, SuperAntiSpyware dealt with this and any possible re-infections lurking around on the PC first time around. It worked for me where others like AVG and Spybot have failed in the past.

I came across the same kind of stuff a lot recently, only the pop-ups were triggered by banner ads. I did a bit of analysis (not as extented as yours), and it finally didn't bother me at all as, well, I know better than running Windows, and it didn't seem to be a botnet stuff (not even ransomware) so as far as I'm involved (both as user and sysadmin) it fits nicely in the "not gonna cause me any harm nor extra work" category. If anything, it will drive people towards less shitty behaviours and/or OSes. Heck, I might even send these pirates money myself, they're essentially doing MY "teaching" work in my place, using efficient techniques that would get me fired. I did send a few emails though, to the (legitimate) sites which were serving the malicious ads, including details on files, incriminated servers and all the relevant stuff, but they apparently couldn't be arsed. Too bad for their most clueless clients. I don't really mind. Serves them Win lusers right. ;-)

What bothers me slightly more is that a luser in my working place installed the same kind of stuff on a shared computer (NOTE: I wasn't the one giving them admin privilege), and it seemed to trick that hopeless piece of shite that Norton is into downloading its database from a malicious server. I was in a hurry whttp://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/comments/hen fixing that, so I didn'nt do any analysis and boldly suppressed every possible piece of evidence in the cowboy-like Norton-removing process. Dumb me.

Recently had a PC brought to me that'd been running Win2k and IE6. In addition to this fake scanner, it or additional malware had done such lovely things as disable control panel, disable Task Manager, hook something into Explorer and hide all drive letters in My Computer.

Probably more I didn't notice, at that point my only concern was yanking the drive out to get a few of the client's files off on another system then wiping the drive to put a new image on it.

are we going to do about it. I use Linux I don't care I have people using MS windows and they won't know how to deal with this people are important not OS's they are going to be hurt until those of us who actually have some control of the network they use do something. Great article btw and a decent reason for truce lets put the Win Vs Linux crap out of the picture until we put these scum bags to flight.This is too much it's time for pitchforks and torches it's our network lets give them a taste of it.

She (see title) recently had a web page that matches the image in the article (page 2) load on her laptop. She stopped what she was doing and asked me to look at it.

Once I got past the "what did you install?", "are you sure?", "did you do x?", "are you sure?"... It is very authentic looking. But the app was already renamed to xp antivirus 2009.

I guess she got the upgraded version.

It looked very good. It caused me to leave the browser as it was; check the registry, check file system, download two anti virus programs (nod32) to check the system, etc.

The laptop was not infected, but the badware still caused me to waste time fighting it.

I have seen the other variations too, but only over the last three weeks. It is always from a google search result. It is usually a deceptively worded javascript confirmation box that wants to confirm that I want to navigate away from a page.

In some of these cases, alt+F4 would not kill the browser. I had to go into task manager to kill the browser to get rid of it.

I have had these badware results on google searches that return only 60 - 200 results, so I suspect that it is widespread and targets text from (at least) newsgroup posts and tech mailing lists.

The wording of the text box and the "I give up, I'll click OK" factor, would lead me to think that this xp antivirus may already be widespread.

And

@ "Firstly it had 'XP' in the name which no legitimate company would do for fear of being sued by MS. Secondly there are only a handful of legitimate antivirus / antimalware tools available."

1. XP: Athlon XP

2. legitimate antivirus: There are none.

I find you have two options when it comes to removing those damn things. The first is System Restore, which is amazingly robust. It saves you reformatting and reinstalling, which coincidentally is option two.

I don't consider option 3 because when you download one, others come. By that time, cleanup just isn't an option.

Will Vista ever get enough installations to become a malware target?

Now lets count some Linux installations. How about your router? Your satnav? Your search engine's data centres? The Register? Linux also shows up in traffic control signals, mobile phones, video games, tivo, XO, Eee, ...

Despite the large number of high value linux installations, the only attack which came close to damaging my computers was in an email: "Welcome to the Linux Email Virus. This virus works on the trust system. Please forward his email to all your friends and delete a few files." (I do not get to see most of the scams because I disable javascript and animations.)

Scamware authors are going to have fun detecting the distribution, the window manager, style, window decorations and the colour scheme so the can display a fake system message. Then they have to get a user to type the root password. My users have enough trouble remembering their own passwords. They probably could not type (let alone remember) the root password.

If a linux user sees "Your computer is infected with a virus" dialog box, she will race through scepticism and become incredulous. Scammers will to have to sell something else to get into the linux market. Software is not an obvious choice because distributions have more software than a sane person could try out. "Send us some cash or the penguin gets tarred and feathered"?

Pedantry: http://linuxmafia.com/~rick/faq/plural-of-virus.html Octopedes!

There is a great deal of info out there concerning this malware and related so called AV products: http://malware-test-lab.blogspot.com/2008_08_01_archive.html is just one such page of info. Removal of this malware is also well documented:Scroogle is your friend ;-)

I was going to infect a VM with XPAntivirus2008/AV2009 and track it's behaviour, but as there is already a great deal of info about this scam and is well documented, I'll not bother attempting to recreate the great work of others and I'll will get on with something else instead. Besdies, my current RE skills fall far short of being able to dissect this file to any useful extent.

...although I am not the sharpest tool in the box when it come to the deeper technical stuff, I did spot the fakery when Windows (as in M$) dialogue boxes started popping up on my Linux box.

That's odd! I thought.

Good article - thanks for the briefing.

D.

The screenshot at the top of page 3 slays me:

"100% FREE" - yeah, right!

Saw this come into around 6 PC's at a site we look after. Trend failed to pick it up and we think it came in as a new phishing e-mail that wasnt picked up by the scanners. THE USERS CLICKED ON THE LINK ... no matter how good your security is you cant stop things like this! We now use sophos at this site.

After it started to pop up we saw other things happening .. browser hijacks of the google toolbar that sent you somewhere that 'looked' like the google homepage and it even had www.google.com as the address. Also hijacked the ie7 internal search that did the same thing.

The scam may work more if it hadnt kept popping up quite so often from the tray that it started to annoy the users. They didnt tell us and it wasnt detected for around 2 days.

In the end we had to use SDFix from safe mode to remove it from each PC and then re-educated the users not to click links in e-mails they didnt expect (almost ran out of power for my taser).

There is one piece of good news .. the single vista pc with UAC turned on at the site stopped this from happening even after the user clicked the link the UAC poped up and the user had the good scence to click NO .. all the others where on xp sp3.

Paris as even she now knows not to click on iffy links in e-mails.

It's already been pointed out that this is not so much a technical cracking job as a social engineering racket, and it'd be straightforward (given the effort these thugs are clearly willing to invest) to use the browser user-agent string to make transparent Mac and Linux versions too.

And Mac (or any OS) users can be PEBCAKs too; a few weeks I tore a strip off my mom when, FOR THE FOURTH TIME, I found out that her Macbook Pro was running with NO PASSWORD WHATSOEVER, and then she asked me to set the password to an identical string to her user name, which is her real name! Needless to say I lectured her long and hard about that; which will probably mean she doesn't have her cheeks to the wind for system hijacking for, oh, a few weeks.............. until she gets tired of typing in a password again! *banghead*

I use Windows, Mac's & Linux boxes and think that instead of the various fanboi's gloating, they should be looking to help inexperienced users identify this sort of scam. I've seen this in scam in several forms and would add the the following, turn off System Restore before removing this malware as some variants hide there and re-install themselves next time the PC starts up, creating a vicious circle.

Personally I think this sort of scam is targeting the gullible, after all when you buy a PC what is one of the main selling points, ease of use. People buy a PC because it's easy to use, they can plug it in, fire it up and almost immediately start browsing the net knowing they are protected by the free AVS that comes pre-installed, 31 days later they have a PC full of viruses. Users have an obligation to learn about the product they're using and retailers have an obligation to let customers know about the risks of "ignorant" and uneducated use of PCs on the net.

I think this whole scenario is summed up by what a friends daughter, who works at one of the major electronics retailer in the UK, told me, "we only sell Norton to help boost our after market warrenties & service contracts because Norton attracts viruses" This was after refusing to put an AVS on her laptop. 2 weeks later I got to repair the virus ridden lappy.

If she represents the attitude of the sales staff and the retailers, this sort of ignorance and scam will never be eradicated.

Hope I've not rambled to much.

Is there any chance of this article being done as a downloadable PDF as it needs circulating as widely as possible.

I issued a security advisory to all our clients because AntivirusXP2008 and XPSecurityCenter look so authentic(at first glance). One of our clients had unfortunately already paid for it ;(. Another which I have to deal with on Monday, got it from a codec that installed itself from a pirate copy of Verve - Fourth. (I know, I know)

Also be on the look-out for e-mails from UPS/FedEx saying they couldn't deliver a package - open the attachment to find out more!

CAN WE NOT JUST BAN HYPERLINKS FROM E-MAILS?

I found the easiest way to deal with these (and Vundo/Virtumonde), was to run the following download in safe mode and then finish off with Spybot/AV of your choice.

http://downloads.andymanchesta.com/RemovalTools/SDFix_ReadMe.htm

The Microsoft Scanner at http://onecare.live.com/scan also finds it and is a handy way of checking it has gone.

@Adnim - Scroogle is indeed your friend ;p

@Goat Jam - Can I purchase one of these jackets?

The article was fascinating and deeply informative.

But why do I have an awful feeling that the authors of this malware are reading this and working on a new and improved version?

It is great that in this day, 50 odd years into the computer age, we end up having to rely on our knowledge of english gramar in order to outwit malware writers. Maybe A-Level should be a requiste for computer science courses at university!

With any luck when the malware writers realise they need better English they will rely on the MS Word grammar checker - Ever tried writing a subjunctive sentence without it complaining?

Let's face it, there is a sizable number of people do not need Windows, Mac OS or Linux on their PC, they need a java-enabled browser and a memory stick. My mum (80 this year) uses her computer for browsing the net and playing solitaire. If I could find a web-based version of Solitaire I would buy her a decent browser-based thin client.

I laugh when people say who poorly educated users are, and that it is all their fault. A tool should do exactly what it needs to do, and no more. And that is the problem with most OS's. They are designed to be one-size-fits-all and end up as no-size-fits-none.

Well done, Jesper

Aside from the fanboi flame wars erupting in previous coments, let's get back to basics for a moment. This multi-layered techno-social engineering scam demonstrates 2 things:

1) the criminal business case to invest time & effort into coding such a Byzantine maze of tricks and traps for the ignorant (not in the perjoative sense of the word) masses is sound

2) the home computing paradigm is not sound, upon which the case in 1) above is based

I can think of no other purchase we make where we are seemingly willing to accept all the risk of vulnerabilities; nobody would buy a car if they knew that no matter what they did the clutch would burst into flames next Tuesday, &c

The balance of liability for malfunction between vendor and purchaser is so distorted in favour of the former in this computing malarkey compared to any other aspect of modern commerce it is almost beyond belief.

How have we, at a societal level, seemingly blundered blindfold into such a mess?

Now how best, at a societal level, are we to procede to redress this ridiculous imbalance?

The answer must lie in persuading legislatures to produce sotware liability laws. Lobby your MP, AM, deputy, representative, congressman - whatever title (s)he may have in your country - the computer software vendors must be legislated into taking financial liability for the flaws and faults in their products.

OBTW: "not part of user acceptance test plan" - precious ;-) - a coffee spluttering moment

I too have had to fix the work boxes which are perpetually infected with virii as well as this style of Malware. Funnily enough the A/V and Firewall solutions I install at the end of one shift are magically removed from the boxes and a host of cr*p progs installed by my next shift. I think i will lock them down so tight next time that all the management can do is open notepad and calculator....

These are varying attacks as some come off with AVG others have extra programs installed in seemingly random places hooked through programs in /system32/

When I got faced with the last time I just said fu*k it and just wiped the machines so as not to have my day wasted just set the reinstall and get on with more pressing matters.

Great article i may print it off and conveniently leave it my the managements main box with a front cover saying something like "only for the tech savvy" as they like to think they are at least then they might learn and I can go back to doing the companies web development and hammering their bandwidth lol.

I have been cleaning at least 2 PC's a day of this from various home and business customers. It's getting through Symantec, Trend, Norton and AVG. I fix it using SDFix, Spybot and an AVG scan in safe mode.

Another reason why Windows 7 should not be a rehash of Vista!

I've saved this article as a .pdf to my personal archive and with permission from the Register can send it out to those who want it and can't .pdf it for themselves.

Trust me, this Mac user knows damn well that this kind of thing could _easily_ be made to work on Macs. It tried to download itself onto _my_ Mac and failed only because Macs don't do .exe! If it had been an .app, it would at least have attempted to run, though it'd not have got very far with me as I'd not have given it permission to install. Others, however, _would_ have done so. There's a Mac-specific trojan running around some (mostly p0rn) sites which tries to get you to install it by pretending to be a codec. If you're silly enough to do so, you just had your DNS highjacked. Congratulations. Every ever so often I see screams for help from people who've been hit by that, but who somehow aren't clear on exactly how the trojan got on their system in the first place. Trust me, laddie, we know _exactly_ how you got it.

Another Mac-specific trojan was the small (120 kB, IIRC) file which pretended to be the installer for Office 2004 (which takes up 600 MB...). What it really did was erase your home folder. I hope you had a backup... That trojan hung around p2p nets for several months around the release of Office 2004, and caught many, ah, bargain-hunting, yes, that's the phrase, not 'thieving scumbag', in-duh-viduals.

Everyone has to keep an eye out for trojans. Beware of geeks bearing gifts.

I've set up the computers for my parents, two sisters, and two aunts. All of 'em got passwords set when I did the setup. The passwords were all at least eight characters, included at least one capital letter, one number, and one symbol, and were based on family history which _they_ would know but which outsiders would have problems figuring out. (God bless Uncle Mick for providing a wealth of possible incidents.) I didn't tell 'em how to remove the passwords. I made it clear that if they figured out how to do that, and Something Happened to their system which would have been prevented by having a password, _I_ would not be fixing things.

Yes, any practical password can be broken, in any of several technical and social engineering ways. Yes, I've tried to educate them in possible social engineering tactics. No, I'm not sure if it has sunk in.

@ Bob Merkin "If 95% of computer users were using Ubuntu, I could still see this same scam working."

There's two simple rules that protect Ubuntu users from this. And they are easily understood.

1) You never need to give your password for normal day-to-day use

2) Only ever install software using the Ubuntu package manager

Ubuntu's default is that the system does not undertake any admin tasks on its own but always demands explicit user instruction. As long as the two rules are followed (and notice it takes more effort not to follow them) Ubuntu users enjoy a high level of protection even against social engineering scams like this one.

It really is easier for the naive to use Ubuntu safely, and it's well worth being clear on the reasons for this.

I hope you make a lot of money from consultancy jobs after this article. It was very well written and should be printed out and put up on every Health and Safety noticeboard in the country.

@Shane McCarrick: When you point out other people's grammatical errors, you really shouldn't introduce your own, i.e.:

"Figure 8 (the terms and conditions): Random use of capital letters, and multiple examples of words which would normally be combined together or hyphenated"

"Combined together" ? How tautological is that?

Any one will do, as long as it's stab-proof.

Any app that uses !!! when a simple ! will do is immediately suspicious.

As a mobile tech, I see quite a few bugs like this and others which can be difficult to remove from a live system. Quite often a fast fix is to instead use a USB to IDE / SATA cable attached to a laptop with good malware detection software, and connect this directly to the hard disk in the sick PC. (This particular bug is not detected by Norton 360 but is by AVG free.)

Occasionally this doesn't quite solve the problem as there can be issues with missing files - like the fake svchost.exe that if taken away makes Windows say it can't find explorer.exe - even though it's there. Googling usually helps solve any remaining problems as it's usually just a few changes to the registry to remove the computer's addiction to the now missing drug.

Such cables can be had for about $40AU via eBay Hong Kong http://tinyurl.com/usb-ide-sata - although their supplied power supplies can be a little dangerous - better to leave the HDD in the customer's PC and power it from said PC - and for added safety if possible not connect your laptop to power at the same time, just in case there's a fault in either power supply relative to ground.

What if, and I know this sounds CRAZY, but what if these jerks actually used their outstanding talents to write helpful software and *gasp* sold it for profit. It boggles the mind.

Excellent and thorough article. Thank you.

If you pay the $49 likes I Ask then I go to gud Schoul an Fiexs me EnGrish!

yous neeed gud Virus Ware! Pay $49 then I can go 2 ScHoul lern the EnGrish!

you paaay now!

And don't let your users be admin, either.

Ultimately this is just a particularly well executed non-exploit click-to-be-pwned (that's not shy about asking for credit card details). And click-to-be-pwned is stifled if it can't run its installer and hasn't got an exploit.

Or am I missing something? I guess it could install in a non-admin profile, but It won't wreck the whole install.

Nice article, but really depressing. This level of training can never be communicated to the ordinary user. So don't let them be admin.

In the past week, links to a site called "answers-video.com" have been dropped by spambots on the Yahoo Answers site. When clicked, these gave an excellent copy of an Answers page, with a media player and a dialogue box suggesting download of the codec to see videos. These eventually led to the usual AntiVIrus2008.

In this attack, the site answers-video was registered to a Chinese address

Alex

Jeinoe 48-33

Oien

Xizang,8736622

CN

Tel. +5.7466920044

but when clicked, the download came from a site called ANTIVIRUSXP08.NET , with a Russian address

Protect Details, Inc

Domain Manager

29 Kompozitorov st.

Saint Petersburg

,194358

RU

Tel. +7.8129342271

Both are registered by Estdomains, a registrar with a Russian language website.This offers among other things domain cloaking and domain forwarding.

Further searches around these sites revealed contact names also known to be associated with fake drug sites, and formerly (before they went "respectable") porn sites.

This malware has indeed been around for a long time. I recall seeing earlier and cruder versions of it as far back as Windows 98.

Back then, when paid for and downloaded, the "anti-virus" program turned out to be a mixed payload of assorted keyloggers and other usage trackers - which are openly advertised on some sites as "network marketing tools" . Considering today's version is more sophisticated, it is conceivable that payload space in them is actually sold to third parties, or that data gathered by their own spyware is on-sold to others.

It always was more than just a demand for money. At best, the stolen data was used for emailing the victim (and everyone on his contacts list) with spam for other products.

I also have it on good authority that the inescapable "trap" dialogue box was first trialled and used on porn sites.....which some of the people associated with this latest scam were also involved with.

Facebook, YouTube and MySpace were also infected with link-drops in the past 2 weeks, from the same sources.

Colin I notice you recommend Avast as a good free anti-virus for personal use.

The one you mean is Avast! with the exclamation mark. This is indeed excellent and I recommend it to many users.

BUT, this too has its fake malware clone, called just Avast, and downloadable from a site called vvvvvv.Avast.com (those w's are all v's).

" I'm sure they'll refine the spelling errors and other consistancies " ;)

Time to get our operating systems on proms and our programs on plug-in cartridges again?

Paris, as she's programmed to accept plug-ins.

Great analysis of the software itself.

The article only barely touches the tip of the iceberg as far as methods of distribution for this sort of malware, though. The gang responsible for this fake antivirus software appears to be either the same group, or a group working with, the gang responsible for the W32/Zlob Trojan, and they've built quite a sophisticated network for distributing and redirecting surfers to sites that try to download both Zlob and fake antivirus software:

http://tacit.livejournal.com/240750.html

Sites like virus-securityscanner.com are often linked to by the traffic handling sites that are in turn linked to from compromised Web sites, blog spam, and hijacked Web forums, and those same redirection sites also direct visitors to sites that attempt to trick users into downloading W32/Zlob, often disguised as movie player CODECs.

This very, very strongly suggests to me that the same people are responsible for both the fake antivirus software and for the Zlob Trojan.

"Advocating that you should stop using anti-malware software is irresponsible. If people were to actually take that advice, we would be overrun with malware in short order."

We are *already* overrun with malware!

Thanks for the excellent article, and I'm sure the criminals are grateful too for the free spell check.

Linux and Mac users should also be concerned about Windows security - everyone has to deal with the effluent from compromised machines, regardless of form or flavour, whether they are spam or DDoS sources or virtual internets running scam sites etc. etc.

From my perspective as network admin and bot warrior, it appears the whole net is pWneD. :(

Regarding loss of your drive letters, Task Manager, Control panel, look up "smitfraudfix" - a relative's machine had that little problem (along with XP Antivirus 2008), and between AVG Free, Spybot Search & Destroy and MBAM the machine is now thankfully clean (at least as far as all three of those are concerned).

I can see the authors of these web sites reading this article and now thinking "Oh wow. These idiots are making excellent suggestions! YES! Let's do the same thing for Ubuntu and for Mac OS X. Also, let's hire someone who can actually speak english to translate for us. Let's change everything now and we'll be rich tommorow!"

Good for them. Lazy organized crime gangs aren't as stupid as we think they are.

Thanks Jesper for a well written and presented article, it was interesting to see how determined the malware writers were to get money out of the victim.

To all those above who give detailed explanations about how they are protected from such scams, consider this. You are not 'average' users, you have some vague idea about how computers work. For 99% of the population, computers are a flashy tool that just works regardless of what OS is installed. Social engineering of this type will always strike home when the user has some vague notion about virii etc.

Personally I dont have an answer to this sort of attack, the obvious answer is to educate users but to be really succesful this would involve a 'licence' to own a computer.

As long as computers are sold in 'white goods' stores then there is going to be a steady stream of customers for 'Antivirus 2008' and its ilk.

One of our users (on one of the few mahcines with power user rights on it) managed to download xp antivirus. Trend microscan didn't detect a problem even when the browser had been taken over, however spybot fixed the problem

God, working as a technician remotely I see this bugger atleast 3 times a day and its increasing fast. I have gotten to the point now when someone calls with a "possible" virus i ask them first and foremost "Popups in the lower left, trying to get you to install *****antivirus200*?" atleast 99% of the time I get a yes.

Lately, and what I didnt see mentioned in this article, was the fact there is a newer varient out there that removed all icons from start and the desktop including locking down the registry editor and task mangler.

All in all, again well done Jesper.

/though I think we all know that there are people out there who will continue to not learn

Another reason why Windos is declining. The idea of installing software on Windows is getting to be more of a joke as time passes.

Better off with a browser and to use web services such as Gmail and Google docs.

I recently removed this crap from a relative's machine.

It had turned off System Restore, effectively deleting all the restore points.

My neighbor had this problem with "Vista Antivirus 2008", so people on that operating system needn't feel safe.

What really annoys me is that banks haven't added this credit card processor to their list of dubious operators and thus give you a call before proceeding with the transaction.

You should turn that off anyway when removing the above, as it infects the restore points too!

Only turn it back on once you are sure you have got rid of it.

"What really annoys me is that banks haven't added this credit card processor to their list of dubious operators and thus give you a call before proceeding with the transaction."

These guys are sophisticated. They know what they're doing. They use fraudulently obtained information through identity theft, they open vendor accounts in their names, do their scams and pull out their profits before their accounts get shut down. They know that it can take weeks and even months for any financial services institution to detect that the accounts are being used fraudulently. Then the organized crime gang simply repeats the process. They most likely have tens of thousands and possibly millions of identity theft victims to choose from where they're getting thousands of fresh new ones everyday.

I'd say, the best way to nip this type of activity in the bud is to go after their web hosts (which themselves are probably involved in the scam), then perhaps even their uplink providers. Doing a traceroute shows exactly where and when data flows throughout the internet and can be followed through IP addresses. It is actually very possible to pull the plug on their web sites anywhere along the traceroute.

Why isn't anyone using this technique to track the criminals? Why aren't sysadmins in their uplinks pulling the plug on them? Maybe they're too busy browsing computer websites and forums and comment groups boasting about how superior they are on their macs and ubuntu systems. Tsk tsk.

"I'd say, the best way to nip this type of activity in the bud is to go after their web hosts (which themselves are probably involved in the scam), then perhaps even their uplink providers. Doing a traceroute shows exactly where and when data flows throughout the internet and can be followed through IP addresses. It is actually very possible to pull the plug on their web sites anywhere along the traceroute.

Why isn't anyone using this technique to track the criminals?"

Oh, many people are, believe me.

The majority of these sites are hosted in the former Soviet Union, where they're beyond the reach of US law enforcement. I've seen these sites hosted on ISPs in Latvia, Moldova, and other former Soviet-bloc countries.

The political reality is that law enforcement in these places simply does not care. In fact, it's quite likely that law enforcement in these countries, such as it is, is highly corrupt and easily susceptible to influence from these same organized crime gangs. The Storm gang even appears to have allies in the highest levels of Russian government, for instance.

In many cases, these Eastern European ISPs receive their connectivity from an American outfit called WV Fiber (wvfiber dot com). WV Fiber responds to abuse reports by saying "We're not doing anything wrong; it's the ISP in Latvia that has the problem, not us." (When they respond to abuse complaints at all, that is. Mostly, they don't.)

Similarly, the domain registrar of choice, EST Domains, is headquartered in the US but responds to abuse complaints (on those rare occasions when they respond at all) by saying "Take it up with the hosting company, not us. We're not hosting them, we're merely providing registration service. What they do with it isn't our problem."

Worth keping this item high priority for a while a least. Just found it on a non-newbie's machine [though not too technical].

Was surfing on I.E. which I recommended not to anyway - does this lot operate in FireFox?

I actually prefer Linux (Kubuntu) - I'm afraid they will soon be learning how easy it is to use. This really is getting to be a chore, I can't charge family and friends :(

I often use the method you describe to remove stubborn infections. Also, looking in the System32 directory (sorted by date) for recent files that don't look "kosher" is a good idea. One thing I'd add though... if you mount infected drives on other Windows boxes, be sure to turn off all autoruns with the group policy editor before plugging in the drive. All it takes is an 'autorun.inf' file coupled with a malware file at the root of the drive to compromise your healthy machine. Machines that were infected by flash drives often sport these on all drives/partitions.

Title says it all really.

I have a computer shop and in the last 4 weeks have had around 1 system a week coming in with this infection. In at least one case the person had paid for the privilege of infecting their system.

holding up against a wall and stoning is too good for the people who perpetuate these sort of scams

If that first dialog pops up--the "CLICK HERE FOR FREE VIRUS SCAN" followed by the animated "scanning" gif--does that mean I've already got the virus, or is that just the come-on that tries to get me to hit "okay"?

"No software that pushes the purchase decision so heavily in your face is likely to be legitimate."

Aaaaha! So Vista is not legitimate.

"Advocating that you should stop using anti-malware software is irresponsible."

Beg to differ. And you proved the point yourself. The box was safe until the moment YOU opted in on the scam by installing their fakeware. A simple "close browser" would have dealt with the menace. So, no anti-malware safe, dumb (l)user is not.

Nice article tough, even if a bit on the old side. This type of scam has been doing the rounds for years. Kudos to the malware writers too. Better graphics, decent English, and now the malware doesn't break down the box signaling its very existence. All in all, a 500% improvement.

In the end, all is good in the land. Users get ripped off by scamers for being clueless and uneducated, THEN they get ripped off by techies to fix the problem. How can it get any better?

Mine's the one i bought with money from (l)users for fixing their "small mistakes".

Is it just me who thinks that all these articles in the IT press that recommend AVG are just malware trying to get you to give money to the makers of AVG.

Strangely AVG is only ever mentioned in situations were only a moron would have installed the "malware" it is detecting.

Always, always, always do your day-to-day work on a net-connected Windows machine as a Limited User. This page is required reading for everyone running Windows as admin:

http://blogs.msdn.com/aaron_margosis/pages/TOC.aspx

I've had two friends' machines grind to a halt with Norton AV. By removing Norton and setting them up with Limited User Accounts, I've given their old machines a new lease of life.

Tux, because DSL and Xubuntu can put a spring in the step of even older machines.

Windows has flaws, yes. So does all the software I write, and I bet just about all the software the majority of readers of Register write as well.

You wouldn't buy a car if you knew its clutch would burst into flames... no, but would you buy a car if you knew its clutch would burst into flames if someone drilled a hole in it and inserted a match. Well, yeah - who would do such a dastardly thing, and is it the clutch manufcaturer's fault if someone did?

Isn't this more analogous to the windows situation? The virus writers drill a hole and light a match. The clutch is fine until someone crawls under your car.

Very interesting article.

Would this scam have worked on Mac for example? If 90% of PCs were running Mac OS X, could a site create a fake OSX window, and convince the user they need to install the software? OK, so no security centre, apart from that?

Is the very fact that most Mac/Linux users feel like they don't need Antivirus software likely to mean they ignore the fake warning? Does this mean Antivirus software is in it's self a security problem?

There are legit online virus checkers that make you pay to remove threats (I think McAfee or Norton do this).

Maybe requiring users to press Ctrl Alt + Del to confirm UAC actions will help? Or maybe Apple's iPhone strategy of reviewing and signing all software before it can run will end up dominating desktop operating systems.

A nice read. Thanks Jesper.

Peter: actually, it's even more than that. It's like saying that if someone digs a big hole and puts up a sign saying "FREE CANDY INSIDE", then it's Ford's fault that people keep driving their cars into the hole, and this wouldn't happen if only everyone drove Toyotas.

Yesterday while hovering around the web, I managed to pick this little fella up myself. I was up until 2am last night, worried to death that the computer that I had just purchased was ruined. I have not got a clue how to use those restore points mentioned, but I am going to have a look in windows help. I cannot understand how this is allowed to happen. Excuse my ignorance, but surely these hosts could be blocked?

I have just run AVG (downloaded based on the first couple of comments) and it found 4 issues, I hope that has cured it.

Reminds me of the days of dial up when I managed to get my (then) girlfriends machine to dial up loads of premium rate hardcore porn sites. Can you imagine the the grilling I got when i got home on the day the BT phone bill arrived. Worse still, IE would open about 30 times and connect to all manor of foul sites showing every illegal sexual activity known to man, and animal for that matter.

Ramble over, so I will just say thanks, again, for a superb article.

A couple of years ago I work at the Answers By Gateway Helpdesk, and got many calls where people had started the installation, but stopped short of buying it before calling us first. One poor woman had actually bought it, and the pop-up warnings actually got worse. I had to tell her it was in her interest to cancel her bank/credit card account and make a new one asap, as they can pretty much charge anything from her account until she puts a stop to it since you can't exactly call the police on them :P All of these customers already had Norton (I know it's not great, I worked there for the money and to help people with their computers, thats why I had to find another job :P), but even with Norton, seeing the warning about all the infections was enough to make each of them worry. The IT world often over estimates how many people understand computers, and we keep throwing more complicated systems at them, thats why many average users run 3 anti-virus programs on their home systems.

Aside from grabbing cash, I would not be surprised at all if these applications connected in some way to enlarging the criminal botnet. That kind of system can lay idle for a LOOONG time before it needs to be used, and with a large enough botnet each system would only need to contribute very little so the infected users would not even realize what their systems were being used for, esp now with all the 2x and 4x core super computers we use nowadays. Useless windows services are more of a resource hog to the user than the little piece of botnet living in thier systems. And need I mention how much Windows has always loved doing things in the background as often as it can? If Windows could ever get as solid as Unix, users wouldn't need to be afraid to use their computers and threats like this wouldn't exist. We'd be back to just the usual hacker types, thay still exist BTW.

Because there is no patch for human stupidity.

Perhaps you have seen this before? I have a shirt that says exactly that and it is clean and ready to be worn to one of my clients next time he calls up. Specifically for him. The guy is a nice guy but well...dumb is the nice way of saying it.

He had gotten xp-antivirus2008 on his system last week, swore he had no clue how or when he had gotten infected. He had gotten other stuff(malware and virus's) about two months prior and i felt bad since he was a bit on the old side so i gave him a break on the cost of getting his system cleaned up. It had around 100 other nasty bits the first time around. So this time rather than do it onsite i picked it up before the weekend and I dropped his machine off all nice and clean on a Tuesday towards the end of the day. Late the next evening he calls up and tells me he has a screen asking about doing a scan with win-antivirus2009 this time!

I was shocked knowing full well i had gotten the system completely cleaned up. BUT thought perhaps i missed something? i had run EZ-PC-Fix (via BartPE) AVG, Counter-Spy, Viper, Spybot, Adaware, Trend-Micro Housecall, MalwareBytes, SuperAntiSpyware, ClamAV and actually a couple of others too. Each one finding a few more. Not till i was getting clean scans did i deem it safe, BUT, perhaps he had a zero day?!?!?

OK, needless to say i felt bad for the guy, so i told him don't even click on the start button to shutdown, just pull the power disconnect everything and bring it to me, ill clean it up tonight and you can pick it up in the morning.

Worked through the night to not only get it cleaned up but to investigate how he was getting it, where he was getting it from and what ever else i could about this little guy that would let him survive after a rigorous cleaning like that. Well i found in firefox's history the site he got it from was main-scanner.com, got there from a search where he just kept following link after link after link while looking for shotguns. guy likes guns i guess.

Blocked all known domain names via the hosts file, AGAIN, went over how to keep safe and clean while online and as he was leaving he let lose with his freudian slip and asked "so you verified where and how i got it online right"? I said yes and i have prevented you from going to those sites again in the future. To which he responded "ok, good, Yeah i just had to go back and verify for myself that was how i got infected the first time" !@**&#*@&(&(*!&(*!&*(@&!

****mentally i wanted to say****

Go back home, find one of the guns you like. Preferably one with a REAAAALY BIGG barrel, stick it in your mouth, if it doesn't fit not to worry, just pull the trigger and it will fit with no problem!!!!

****but i couldn't speak****

I could not believe what he said, i just stood there dumbfounded.

How dumb are people??? Yes, some of them are even that dumb!!!

So the one thing i have heard a lot of people mention on here is what can we as Admins, IT guys, Consultants and First Responders who DO know better do to help those who do not.

So far other than education its tough but i do have one really good recommendation..

Sign up for a free account on OpenDNS.org and then use OpenDNS to block these types of problems from users who if told pulling the trigger would make the barrel fit might pull the trigger. OpenDNS does work for some of those domains mentioned above and while obviously the bad guys keep buying up new names and well if your a IT guy like myself when you find another malicous site you can block it for every one of your clients just by adding it but please submit it to the OpenDNS community to get it voted on and blocked for everyone else.

It works and actually its good because if and when your client does pickup that gun, i mean end up on one of these sites instead of getting infected he will get a nice warning page complete with your logo and OpenDNS's explaining why he was prevented from pulling the trigger.

Keeps them save and honestly makes you look pretty darn good while doing so. Sure it won't prevent everything but at this point its the closest i have found to having a way to protect them from themselves. Sadly i found out about it After Captain Genius went to verify how he got shot up the first time but i will be rolling this out to every client after this incident.

And yes, good article. sorry for the long winded response. still can't believe he did that to himself a second time less than 24 hours later...

This was the last of four trojan/bot/whatevers I took care of on someones machine last week.

One of the others had blocked (in the registry) damn near every anti-virus and spyware removal tool out there. I think that might have been "Bot Net Jack's" contribution (silly sucker signed his code.)

I eventually ended up maiming the hell out of it (it was late).

In safe mode I opened the executable and the related dll (was posing as a dat file) in notepad and typed SCREW YOU PEOPLE* right over the executable identifiers.

Then I saved them and attribed +r.

*Well, PEOPLE will do as well as what I actually typed in.

This week I might get the proper removal tool and do a better looking job.

("might" being the operative word here.)

I've seen too many machines come across my bench to be happy about what these guys are doing. I admit, at first I enjoyed the challenge of getting rid of them (When no A/V solution would), but this is getting old, quickly.

The most recent one I worked on actually had a rootkit installed, too. I get the distinct feeling that when this guy gets in, it invites a bunch of buddies over for the party. Even changed the clock to append "VIRUS ALERT" in the system tray and in the system properties window.

The only upshot to cleaning so many of these infestations is that it really allows me to rake in the cash...

This program also messes with Symantec Anti-Virus (Version 10 At least) We by default install NAV on all of our Corperate PC's and last week, I received a support call regarding this exact piece of Mal-ware, Upon further investigation, I found that the mal-ware had managed to disable the Symantec real time scanning, as well as the Auto-update, so no matter how long after the Mal-ware was installed, Symantec would never detect it.

Hi, I ran into this the other night doing some internet surfing. Fortunately AVG 2008 detected the bad downloads as malware. I suspect I got some spyware doing a full scan of system AVG, Adaware and Defender. By the link scanner of AVG is working great, it caught several malware sites after clicked on them and blocked them from browser.

Check the boot order of his machine, and leave a live linux CD in the drive :-p

Alternatively, shove ubuntu on as a wubi install, and make it his default boot option - and don't tell him the admin password :-p

(having said that, he might need it to get the updates)

Actually, it's very difficult to get this kind of depth in any web post these days...

Some of us have seen this pap over 4 months ago, mine you had me wondering for a while. My friends Norton had run out and asked what I thought of this XP antivirus. Not too sure if they paid for it but the Nortons AV was about 14 months old.

Had 7 versions of it running and like above 1500 downloaded malware files.

"no website can run an anti-malware scan on your computer simply by your visiting the site"

Microsoft Live OneCare, or whatever it's called today, comes pretty close. See http://safety.live.com/ . It's a legit ActiveX-based web virus scanner from Microsoft. Most users would be hard pressed to distinguish a fake site from it, or vice versa.

This sort of malware is probably the best reason I've heard for changing the colour of your window frames. Even a slight colour change, possibly combined with custom icons, would make these 'system windows' stand out a mile.

Of course, they also stand out on Linux...

I'm not even sure how i got this virus (or a variant of it).

I consider myself pretty IT savy, and in all my years with playing with PC's i can count the number of virus's i've gotten on one hand (i.e. 2 - including this one).

I followed a link from the BBC news website - as soon as the page loaded, i got the fake warning message. I quickly took the power cable out of the PC and rebooted. As soon as the OS loaded, i had a background wallpaper of the same warning message. I could only get rid of it, by searching for the .bmp file in the registry.

Then i noticed, that i wasn't able to connect to any websites which were anti-virus sites, or anything related to spyware / malware etc..etc..

I did a full scan via Symantec, but it didn't find a thing.

I managed to download AVG via download.com but again it saw nothing wrong.

Trying to get to IT sites to search forum posts was also blocked.

I couldn't install Spybot-S&D as it needed to connect to the internet for updated files, but their mirror was blocked.

Managed to get on a friends PC and download Malwarebytes software, which after the first scan detected and removed 13 files. Noticed that i didn't do an update on the software first, and luckily the update site wasn't blocked (lots of sites were still blocked after the first scan). Updated, and ran a scan again. This time the software found 10 objects and removed them (after a reboot).

Just in the middle of another scan - but all websites are now working again, and my machine has improved it's performance massively since the recent scans.

As i mentioned, all i did was load a website. I use Firefox 3, and my OS is completely upto date with regards to patching. Also have Symantec constantly running and Blackice firewall - neither managed to stop this. I didn't agree to install any software either.

Informed the BBC and they removed the link - but it could of been an Ad or anything i guess. Horrible piece of software.

Excellent article! I am impressed with how slick the graphics are on the site. Fools those who judge a book by the cover.

We did a test with another type of scam software, PC Doc Pro. The result is shown on a little video I made of what happened when we tried it out on a clean install of Windows Vista on our virtual machine - [url]http://www.mywot.com/en/online-threats/fraudulentsite[/url] or at youtube [url]http://www.youtube.com/watch?v=c4ubAP62ero[/url]

Although I think im going to have a word with a friend of mine who runs a garage, and next time someone who works in IT comes in, treat them like a compleat fool for not knowing how there car works as well as he dose, because this is what some of you guys are doing.

There is a lot of infringement of Microsoft's copyrights going on there. It's going on in a context that damages the value of Microsoft's brands: a worse example of "passing off" is hard to imagine. So where are Microsoft's lawyers? Surely it's possible for the combined legal might of the Microsoft Corporation to accomplish something even in relatively hostile juristictions such as the Ukraine?

Or is it a black-helicopter job? Microsoft wants XP dead, and its security is different to Vista, so they're actually turning a blind eye and will later do something to make Vista more "secure" while leaving XP to be killed by the parasites?

I have also seen this infection running alongside a Mass Mailer.

Malware Bytes got rid of Xp Anti-Virus and detected the mass mailer but couldn't do anything with it.

Did a delete file on reboot with HijackThis and it got rid of it.

The program is very convincing and less IT aware people can fall for it very easily.

Great article.

"One can only wonder how many users have been duped into installing ineffective security software, and what happened to their private information and credit card data when they paid for it."

That's what I thought after finally giving up on NAV and VirusScan!

Paris as she probably has X 'Panti' virus installed...

This has been doing the rounds for a bit now, usually it does a genral policy edit and changes the screen saver or desktop background then locks out the options tab in windows. after reboot you get a "this machine is infected with spyware" desktop and XP anti virus running claming your machine is a clean as a silage pit.

It is not the hard to remove (Malware Bytes) seems to be designed to remove it which i find rather dubious.

I much prefer manual removal.

files/folders that should be removed

c:\Program Files\XP Antivirus

c:\Program Files\XP Antivirus\xpa.exe

C:\Program Files\XPAntivirus\

C:\Program Files\XPAntivirus\XPAntivirus.exe

c:\WINDOWS\system32\scui.cpl

%UserProfile%\Desktop\XP Antivirus 2008.lnk

%UserProfile%\Start Menu\XP Antivirus 2008

%UserProfile%\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk

%UserProfile%\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk

%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk

C:\WINDOWS\krln32.exe

C:\WINDOWS\system32\scvh0st.exe

C:\Program Files\Common Files\trjdwnl.dll

C:\WINDOWS\shlext32.exe

registry removal

HKEY_CURRENT_USER\Software\XP antivirus

HKEY_CURRENT_USER\Software\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XPAntivirusFilter

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XPAntivirusFilter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-dcf7-f96da086b434}\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f25a2c-22b3-4023-8f1a-ca616c30a8b5}\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6}\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP antivirus_is1\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "XP Antivirus"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mmnext06"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "shellbn"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "System"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Framework"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""

I've seen the same version as you, I believe it was a virtumonde variant. SmitFraudFix couldn't run on the user profile because regedit was locked down, the entries were cleared from admin but it didn't resolve everything. I couldn't be asked to faff around any further so backed up the data and did a nuke 'n' pave.

It also adds a VIRUS ALERT message in the system tray which is a dead giveaway that it's not legit as well as replacing the desktop wallpaper and hijacking the browwser.

very interesting read, i have had numerous people bring laptops infrected with this shit to me and you wouldnt believe the pain in the backside it is to remove, thats why my real only conclusion is to nuke the site from orbit! wipe the HD then start again

personally i think user education is a paramount thing teaching people what is legitimate is good, these sort of things make it hard but not impossible, problem is most dont care and what their interwebs straight away *sigh*

personally there is no punishment on this earth good enough for these swines, however may i suggest papercutting them a million times and dropping them in salt?

Found this (or something very similar) recently on a machine I had been using in a hostel, this one also altered the DNS IP to redirect users going to windows update et al. to the "anti virus" site. Foolishly I had accessed my ebay account from the machine earlier and had an email from them the next day to say that my account had been compromised and they had changed my password. No harm done luckily.

No, sorry, the Bluescreen is not the last action Windows does before halting - most of them will execute their full or mini memory dump, write to the event log then restart.

This is to help the availability of headless servers where the problem could well just be a fatal application error and the restart clears the problem. A techncian does not need to take a trip to the colocation room to hit a switch. In any case, the reboot after bsod is an option that is user or admin settable.

Cheers,

Daniel

Why?

Eventually I get phone calls from peopl eneeding thier computer cleaned. Without them I'd have less work.

I have just had to remove this and other Variations of this from my Dads 2 PCs. I have installed Avast on his machine in the past and had him run Ad-aware or Spybot regularly to keep the crap down, but this malware targets a large cross section of the public that aren't that computer savvy.

What I found on my dads PCs was that it had actually disabled automatic updates for windows and had disabled the updates for avast, so that even if you ran a scan it wouldn't detect it. To get round it I had to run the Online Scanner from ESET, then manually re-enable windows updates and Avast, then Once avast was updated it was able to remove a lot more of the problem software. But I was still being faced with a big Red Biohazard logo saying my "privacy was in danger", displayed on the desktop. I found an Excellent guide to removing Malware over at Majorgeeks and followed that, and now both machines are running a lot sweeter. But I do wonder if I might just be better off reformatting and re-installing, just to be sure.

Think I am going to get dad to use a different browser like firefox or opera too from now on.

My Dad managed to catch this on his PC (had the bad luck to receive a scam "you've received an e-card" mail on his birthday, natch). I only spotted it as a problem because the thing foolishly used Vista-themed fake windows on an XP box. Dear Lord, it's a nightmare to get rid of, as all of those slight variants out there appear to have differently-named executables with different hashes in different obfuscated directory names and registry keys; nothing automated I could find would do the trick.

It also hides all your desktop icons and replaces them with an ActiveX page to reinstall the damn thing again, before locking out the relevant page of the Display Properties tab. Which was an eye-opener.

Windows Anvitirus, Windows Anvitirus 2005, 2006, 2008, XP Windows Antivirus, all the same sort of thing if not the same, each slightly different in their install, file locations and registry settings. AVG doesn't catch them all unfortunatly. My Dad PC got infected with Windows Antivirus 2006 and I managed to manually remove that ok. My sister got windows Antivirus 2007 and in the end I gave up did a clean wipe out and re-install.

At least I'm not alone!

Page 6 you say, "Interestingly, while virtually everything else the malware has shown us so far has been in flawless English"

Yet on the previous pages you posted images with poor construction of English.

"Windows detect unregistered version"

"Don't close this window if your want you PC to be clean"

I won't go on because I don't want to be the one that proof read their next version and the usage of English is often the biggest indicator (If suddenly being asked to install software while you're minding your own business searching for "Duck Porn" isn't clue enough).

For me, ESET NOD32 picked it up, but it sailed straight through Trend.

Just spent the last week removing this from various pc's and one of them also had a very nasty rootkit that was spamming like a monkey flinging poo! The biggest problem was after MBAM removed most of the initial crap, Blacklight, Rootkit Revealer, AVG Anti Rootkit and a couple of others all failed to spot the hidden mass mailer. Only after manually looking through the registry and running Gmer did the final few nasty's show up and as Gmer scanned an old version of Norton was able to quarantine them. So i recommend keeping a close eye on a syslog to see what traffic is trying to fly out of your network.

I Have not seen any mention of it in any comments so far...

For Windows users, depending on your system/network setup modifying the HOSTS file is an extra little step that can be taken to help block connections to servers involved with malware; or to redirect or block any servers you wish really.

I Have not used opendns.org, but it sounds like it accomplishes a similar effect.

Give a read here:

http://www.mvps.org/winhelp2002/hosts.htm

(Also has a preconfigured HOSTS file available for download)

One note for Spybot S&D users:

If you do download any HOSTS file and replace your current HOSTS file with it, be sure to rerun your Spybot S&D Immunize feature. Spybot appends to the HOSTS file used by the system and will need to be reappended to any new HOSTS file.

This also goes for any legitimate program that edits the HOSTS file.

And, make sure to set the file to Read Only after playing with it.

Wikipedia link for the lazy:

http://en.wikipedia.org/wiki/Hosts_file

(Correction: The HOSTS file is not only for Windows users.)

re : "Hosts file - I Have not seen any mention of it in any comments so far"

Go back and read the comments properly then. You clearly didn't bother first time.

I consider myself to be fairly experienced in IT, but I've recently been caught out by a trojan. Luckily it was on a VM machine. This downloading of AV/Spyware product could have been ever so serious if it had included the Trojan.W32.BAGLE (wintems.exe). This little Bast**d disabled any AV/Spyware installed and it prevented you from running any you downloaded to clear the mess.

Public hangings, that'll stop them.

I'm sorry. There was technically a single reference to it. But no useful information about it was giving.

"Blocked all known domain names via the hosts file, AGAIN, went over how to keep..."

Nice catch. Really.

Good article.

This week my brother was led to install a similar malware but this was called Vista Antivirus 2008 instead of XP. This is very much the same as described in the article.

I do not know if it runs well in Vista, but it did a pretty good job in the XP machine.

It also blocked various directories, such as regedit, and removed various options from the start menu, such as the run, but we could still get to cmd from through the browser.

My friend had avast installed and it detected and deleted the files, it also made the changes in the registry but we could not remove it from the control panel.

As others have said, and extremely well researched article. I hope it stays on the top bar for a long time.

I'm not a Windows user myself, but these days I advise friends that if they see anything remotely suspicious the first thing they should do is unplug the modem/router to give themselves thinking time.

Have my fourth machine in this week with this infection. I found the files for the BSOD screensaver, at least in this incarnation of it.

blphcl2vj0er03.scr in SYSTEM32

and

BLPHCL2VJ0ER03.SCR-27BB3455.pf in Prefetch

I am really enjoying following this thread. It is clearly a hot topic with lots of IT professionals!

Bottom line is:

These guys are already pretty good and will only get better.

The only answer is to help with the connection between the chair and the keyboard.

This is our challenge.

I'm using Paris just because it is the most attractive icon. That other Paris guy has much better reasons and much better banter than me.

Can't believe no-one's said that already.

Great article by the way.

Coat please!

However, you are wrong about the "graying out". It is now used across the board when a website wants to convince a luser to do something. For example Lovefilm.com uses it to convince you to click on some verbiage when your account has been migrated from an affiliate (Amazon) to Lovefilm proper. Not malware - marketeers, but still the same approach.

8 users at the company I work for have fallen for this and 2 actually paid for the software and one of them was a developer! (no the computer genius still hasn't lived it down)

I wouldn't mind but I had already sent round a warning about this one as it's good enough to fool the standard ('where's the any key?') user.

"Repitition"... ?

"Is the very fact that most Mac/Linux users feel like they don't need Antivirus software"

This is nonsense - if anything Linux users are more likely to want it since they tend to be more clued up. Can't speak for MacOS users mind you...

In my book the biggest problem is AV vendors who stop sending you updates when the subs expire. This simply leaves the poor user vulnerable till he pays the ransom money. Hardly very ethical....

Great article, I spent 2 hours on Monday evening removing this from a family members computer.

Great article. Very useful and detailed. Thanks

Cleaned this from my girlfriends cousins laptop. For those wondering, it does infect Vista. Of course I would not had to have done this if there was a virus guard on the machine. The young lady protested that she ran a full system scan twice a week and could not understand how she got infected. After a short investigation it became clear that she had mistook the defrag utility for AV. As I live and breath !!!!

She now has AVG-Free, Spybot S&D, Adaware and Microshaft MRT, keeping an eye on her but I know this will not be enough.

I just typed in 'antivirus' into google.co.uk and guess what the top sponsored link was?

Antivirus XP 2008

BestAntivirus2009.com Highest protection… …with lowest resource usage!

like proxomitron, and block local file access, until the option is in your browser activeX/java settings. then you`ll just have a crap app in your temp files you wont even know about

What if these predators refine their scam by correcting their English and interface errors?

They could probably also include code to detect the OS and send the appropriate crap. This could become "cross-platform" .....

How rampant could this get if they take care of all the obvious red flags?

BTW - I'm still not the original Paris quipster but I'll take a shot:

Paris, because even she knows this could be "hot".

Fantastic this one. Getting forwarded now

Cheers

If all the points you raise were covered, then indeed these bunch of crims would increase the number of machines exploited. I guess there will always be trusting/gullible types who will install software without first checking it for peer review via Scroogle or similar search.

If one does a search for antivirus2009 and it's relatives one would not install it. It is well documented as malware. I do not install anything on any of my machines without first looking it up for reviews, checking Bugtraq and looking further afield for any exploit related to the software. But then again I don't trust the Internet or what is available on it period. Maybe I am just lucky, perhaps what some would describe as paranoia covers my ass, but the last machine I owned which got exploited/infected was my Amiga, anyone remember the Saddam virus?

This kind of social engineering exploit is not going away, and as systems get more secure, which is the general trend. The weakest point of any system (the user) will become the increased focus of attack. So admins lock down them boxes, enforce a strict security policy and educate. Your users ARE your biggest security risk.

If security policy is lax enough to allow users to install software, at least ensure users are trained to research the software they want to install, before they install it. A stitch in time....

Well done - an excellent article.

I encountered similar problems with a friend's computer - they downloaded a rogue spyhunter app to deal with a long-time resident dialer - the rogue was NOT detected by Norton 360 - it intoduced a number of trojans which ...

a) redirected google searches as you state;

b) replaced the desktop image with one sta\ting the system was infected;

c) prevented browsing to anti-virus sites such as aVG, f-secure, trend micro etc.

d) prevented existing a/v tools from updating.

I downloaded various apps with another computer and brought them to the infected machine with a USB key.

Uninstalling Norton 360 took about 45 minutes - very slow; AVG installed OK but would crash on scanning the boot sector.

Various other apps (from f-secure etc.) would not run unless I changed the executable name e.g. from fsbl.exe to fslbabc.exe and even then wouldn't execute properly.

So what worked ?

Malwarebytes' Anti-Malware app executed and found 39 trojans/malwares in a few minuted - it deleted these

Gmer found another two (but its not for novices and I was reluctant to use it to remove one)

SuperAntiSpyware was slow but detected another three

and finally AVG (now able to run) found another one (only 4 hits in Google and all dating from Aug 26th) that the others failled to find.

... and all these apps will be run again tonight!

Good luck and thanks again for a superb analysis - apologies for the non-specificity of my own notes above re exact versions/trojan names etc.

In a corporate setting you shouldn't need to send a warning round. Anyone who has the rights to install anything on their computer shouldn't be the sort of person who'll fall for this.

Which reminds me - adnim - you're nearly on the money, but not quite. In my experience, the biggest security risks are stupid software vendors who still - even with Vista and its UAC - haven't figured out yet that their software has to run without requiring an admin security context. Worst offenders here are scanner software (why, HP, what on earth does the software need to do that requires these rights?) and PDA connection software.

The other security risk is of course IT Staff who forget to de-elevate users after having to elevate them to get PDA software installed (which often requires to be installed as the user who's going to make use of it - who must therefore be an administrator. Fuckwits!)

Penguin because this sort of "Let's all have root" fuckwittery was never allowed in Linux and letting it happen with Windows was one of Bill's mob's worst mistakes.

Hi.

Thanks for a great article. I now have a user (as of today) who has this on their machine. It is displaying the same symptoms but with AntiVirus 2009 instead of 2008.

Chris

hats off for such thorough investigation and reporting.

I was very impressed by the depth of this article. It appears the generic hackers are becoming more sophisticated. Those screen shots blew me away!!!

The usual stilted English and grammar errors were not present except in a few areas, too few to matter. This article actually scared the hell out of me!!

Thanks again for wonderful work!!

Hi,

Nice article. I had a customer who paid for XpSecurityCenter, thinking he was buying from Microsoft. He printed out out the payment and it looked official, except in fine prints, the company was located in Moscow. The computer was supposed to have been cleaned by the software on friday, but on monday his ISP called him to say they cut their Internet access, because their computer was used in an attack (as a zombie) and they needed a proof of cleaning from the technician to reinstall the access.

As usual, solution was to format the hard drive, to make sure there is no root kit left over in the computer. I trust anti-spyware and anti-virus BEFORE the infection, not AFTER.

Thanks again for taking the time to write a nice detailed article

Pierre Forget

A most excellent and timely article. I just spent the better part of two days researching, scanning, and cleaning up a laptop infected w/ a variant of this crap! (His desktop system is scheduled for a purge on Tuesday -- long weekend here in the West.) It's nice to know that (so far, anyway) this junk is just trying to extort cash. It'll suck when they start using stuff like this to root around our disks for data and send keystroke logs back to the mothership.

I just wish our anti-virus software had caught the Trojan EXE *before* the user executed it.

Wow! Everyone is focusing on their personal experiences eradicating this crap-ware. Shouldn't we look at the bigger picture and concentrate on educating users? That is our only hope against social engineering scams like this.

I'm with you mate. This is too invasive to rely on cleaning alone. Having spent between two and three hours removing a variant once, I now simply back up data off line and reinstall. Using XP with SP3 slipstreamed in and then restoring the data is much quicker and guaranteed to work.

The experience of reinstalling all their apps is usually a salutary lesson as it takes the user some time of their own

I've had 2 clients infected with this crap & found that desktop been hijacked with warning image and the desktop tab in display properties missing so that you cannot restore your own

desktop background. It has used a folder called rhcnkrj0etfg in Programs which alerts you immediately it is not a genuine program. Used AVG to clean also cleaned registry,but still had problems. Had to do reformat / reinstal XP

...just seen this on a users personal laptop, and the Malwarebytes Antimalware (malwarebytes.org) software worked a treat.

:-)

Steven R

I had a couple of hours free this morning so I decided to duplicate the excellent work by Mr Johansson. I got almost the same results on a perfectly clean XP install.

At the same time, on my main machine, I was looking for some information on a unrelated issue on Google Groups when I clicked on a link that took me to an almost identical site. It detected over 35 viruses and spyware and told me it could fix the issues no problem. This is despite the fact that I am running Linux :)

I have to say that both sites were very professional looking and I believe that a lot of people are going to be taken in by these scam artists, I wonder if the credit card companies could do anything about it?

I thoroughly enjoyed reading through your article, I have often wondered how deep the rabbit hole goes, as it were, with these viruses. I have never had the time to do it myself, so thank you for a most interesting walkthrough, One point though, you say the rest of the dialogues were well written but in all of them my eye spotted at least one spelling mistake or grammatical error [often missing conjunctives such as 'the']. (I'm sure the more obsessive-compulsive of the Reg readership will sympathise with me, as I am sure they do when reading BOFH, with it's frequent mistakes [but then it is written by the BOFH, isn't it? He is clearly not the type to niggle.])

I must also say, for the sake of scores, I am writing this from an Aspire One (in blue).

If you think of it, this model is actually 100% replica of the War on Terror. Present nonexisting enemy, and get paid. The only difference is that this thing is about one-time purchase, while War on Terror is ongoing.

I was on planetemu.net the other day, and this got pushed to me - very amusing watching the fake scanner etc. I was running Ubuntu! It was very determined though - almost every action pushed up another dialog, as specified in this article. I right clicked the tab and closed it. My Dad however got fooled by this and I had to remove it. He thankfully didn't purchase though!

Does it act as some kind of legal protection, even though it's practically impossible to cancel without killing the browser?

ITACS have a radio slot on Radio 4 "You and Yours" this Friday and a slot on Five Live this Saturday "Breakfast show" about this very problem. Thanks for all your coments. I will use them on the shows.

Matthew Woolley

Chairman ITACS

Had another 2 instances to clear this week, 1 again had the RootKit and it was much harder to shift this time.

Malware Bytes (http://www.malwarebytes.org/mbam.php) and FixIEDef (http://www.malwareteks.com/FixIEDef.php) shifted the XP AntiVirus infection.

Malware Bytes couldn't update until we had run through 1 scan and rebooted, it then updated, we ran a second scan and it shifted the rest.

FixIEDef sorted IE out.

Ran GMER (http://www.gmer.net/files.php) to check for Rootkits as we've had one as part of XP AntiVirus before and again found one this time.

Machine had loads of Hijacked Services which GMER and HIJACKTHIS (http://www.majorgeeks.com/download3155.html) shifted.

Every instance I've seen is slightly different to the previous one, this truly is a Tw@t to shift!

She's been pestering me for months for admin access to my spare pc so she can install some games and other bits & bobs. Of course, I won't give her and no matter how often I explain why she cannot understand. This is perfect for illustrating why.

The upside of course, is that my spare pc rarely ever crashes and just runs and runs and runs...because it's locked down so tightly.

As ever - the biggest risk is the user.

Thanks for writing such a good article, I too have seen this on several computers and marvelled at how well written it was, other things I saw this malware do once installed

1) disconnect ethernet adapters

2) display a "your machine is infected" screen when you browse to any web site

3) suppress opening AVG Free and Spybot

4) Fake blue screen of death's (ctrl+alt+del and then cancel to get back to your desktop)

In the end I downloaded malwarebytes ant-malware and installed that (first killing the antivirus 2008 process in task manager) Malwarebytes successfully detected and removed over 20 malicious files from one machine.

The user claimed to have been infected after clicking a link in a spam about a reciept for airline tickets that I know has massively been doing the rounds.

Once again what a good document.

Listen to Five Live This Saturday and Radio 4 You and Your Midday Monday.

Story built around this blog with a bit of personal experiance built in. I have a computer shop and we have had close to 50 customers with this problem.

Thanks Bill for business.