A new version of an old malware program is currently being distributed by well SEO’d sites and by websites that hackers advertise on Facebook, MySpace and other social networking sites. The hackers use a friend’s account to post a ‘comment’ or ‘wall post’ stating that your profile pictures have been posted on another website. This website is known as an ‘Attack Site’ and will issue several popups notifying you that your PC has been infected by spyware/malware; you should see some blurry photos in the background.
DO NOT CLICK ON THESE POPUPS. Do not try to close them, do not click ‘OK’ and do not click ‘CANCEL’, or it will install potentially harmful viruses and programs such as ‘Antivirus 2008’.
Instead, IMMEDIATELY close your browser by hitting Ctrl+Alt+Delete, selecting the browser’s process in Task Manager under ‘Processes’ and clicking ‘End Process’.
If you have failed to do the above and installed the programs, your system will be very difficult to clean with any current tools, as the new Trojan blocks known anti-virus and anti-malware processes from running. The virus(es) will also block access to online sites that scan for viruses and malware, as well as sites like Lavasoft, Spybot S&D and others that you might attempt to use to get rid of the virus. Ewido does not currently detect and remove this threat, and it was the only program allowed to run in a controlled test.
This infection poses a medium-high threat because it potentially disables your machine’s virus, spyware and malware protection and can open you up to more harmful threats. The infection itself does not harm your files, so before formatting you can copy most files off the drive as a backup; just make sure you scan them for infections. We did not find any keyloggers in the instance we downloaded, which means it most likely won’t pose a threat to your credit cards, online stock/bank accounts, personal email or forum accounts, or MMORPG accounts. However, it is best to practice precaution and change all passwords and PIN numbers after any similar threat. If you run a Norton scan, make sure you pay attention to what it calls each threat. If you see ‘keylogger’ listed, you definitely need to change any passwords that you used while infected and monitor your bank accounts for a week or so.
If you have been infected, you will need to take drastic measures to eradicate the infection. Here is how we removed the viruses:
1. To do this you need to have a second PC or laptop available. If you do not, please contact a local computer technician, but be aware that the ‘Geek Squad’ will most likely overcharge you. We suggest a local independent computer technician. A remote solution will not get rid of this virus.
2. Shut down your PC and remove the hard drive.
3. Either install the hard drive in the second machine, or use an external hard disk case (approx. $15 at Fry’s): install the drive in this case and hook the USB cable from the case into the second machine.
4. Make sure that the second machine has Norton or Symantec Antivirus installed.
5. Download Malwarebytes Anti-Malware (MBAM) here.
6. Install the program and check for updates.
7. Disconnect the internet/network connection from the second computer or laptop.
8. Run a ‘Full Scan’ and select only the hard disk drive in question.
9. It should take about 35-45 minutes and will discover approximately 48-50 ‘problems’; allow MBAM to remove/fix all entries it finds.
10. Run a second ‘Full Scan’ on the drive in question. It should find only one problem. Again, allow MBAM to fix/remove this problem.
11. Run a third ‘Full Scan’ on the drive in question. It should come up clean.
12. The Trojan will attempt to download other viruses before you remove it. If you failed to disconnect your connection and you do not have Norton running, or you do not see Norton pop up with a message during this process telling you that it found at least one viral threat and successfully quarantined it, then you should now make sure your Norton virus definitions are up to date and run a full virus scan on both machines.
13. If the Norton scan comes up clean, shut down, reboot, and have MBAM run on restart. The scan should come up clean.
14. If this scan is clean, shut down and remove the hard disk you were fixing.
15. Reinstall the hard disk in your PC/laptop and boot up. After booting, immediately install MBAM on this machine and run an update. If the update fails due to ‘server connection reset’, then you missed something during the removal process and will most likely need to format your hard disk.
What doesn’t work. We tried several things before resorting to the drastic steps above. You can try these, and if they fail, use the instructions above.
1. Running a Norton disk install = Failed; the install hung as the setup initialized. We finally found a way to get Norton to install, but the virus blocked the updates. This helped drive home how new this threat is (Norton claims it started on December 18th, 2008).
2. Running any anti-malware install from disk = Most installs fail because the install files are not entirely self-contained and require internet access to download components to complete the install process. The virus blocks this process.
3. Running MSCONFIG and changing startup = The virus(es) really show off their sophistication here. If you are savvy enough to try changing your startup, notice all the bad files and stop them from starting up, then upon reboot the virus resets the configuration and allows two .dll files to be added to the startup.
4. Running MSCONFIG and using diagnostic startup = Failed because the virus resets it to ‘Selective Startup’, eliminates all but ‘load startup items’ and selects only the two .dlls to load.
5. Loading in Safe Mode and erasing the troublesome .dll files = Failed because the virus creates them as an instance on startup, but then either changes the file names or erases the files from your system, making it nearly impossible to erase the files causing all the headaches (unless you’ve memorized all the harmless .dll files on your PC).
6. Editing registry keys in regedit = Failed; on reboot the virus simply resets the registry and will attempt to download newer versions of all the viruses/malware it installed on your system earlier. We found this increased the exposure by installing 4 new problem files (went from 48 to 52 active malicious programs or files).
7. Attempting to scan network drives for viruses = Failed. Norton found no problems on the drive when running a network scan, but found 48 problems when the drive was installed as a slave in a separate system. We are not sure why the network scan failed; it could be our version of Norton, so you might try this before removing the hard disk.
If you are not very computer savvy, we suggest taking your PC to a technician skilled in dealing with high-threat-level viruses. If you are running on a machine that has a separate partition for your operating system, you can reformat that partition, as the viruses’ main components are buried in Windows OS files. These attack websites do pose a threat to iPhone and Leopard users, although it doesn’t appear to be able to do as much damage there. We did not find this posed a threat to Ubuntu, most likely due to the limited nature of that operating system’s user base. We do not have instructions for removing it from non-Windows OSes.
iPhone users are especially susceptible, as they might click links to these attack sites while using the Facebook app. To keep your iPhone from being attacked, simply hit the home button if you see a message that says ‘Our records indicate a photo was uploaded to our site from your IP address in the past 48 hours’. Then reload Safari with your data plan and Wi-Fi disabled and change the address to something benign like Google, Yahoo or MSN. Then hit home again and re-enable your data plan and/or Wi-Fi, and you should have safely averted the attack site. Damage to the iPhone’s OS is not measurable at this time and could be fairly low risk, but please take this precaution anyway.
Not sure if you’ve been infected? Here are the symptoms:
1. When using any major search engine, the results redirect to something entirely different from what you clicked on. The status bar might even show the URL as something like “http://go.google.com/blah….”, whereas normally Google does not use a redirect URL.
2. Attempting to update your anti-spyware software such as Ad-Aware, Malwarebytes or Spybot S&D says that the connection to the server was refused.
3. Firefox or Internet Explorer windows open on their own, sometimes several at once, to websites you have never visited before.
4. Attempting to visit sites like Lavasoft or Housecall.Trendmicro.com says the server connection was reset.
5. Attempting to run the HijackThis installer and several other installers for anti-virus or anti-malware programs results in the program running and being listed in Task Manager, but not actually showing up in your program list or on your PC.
6. A program known as ‘Antivirus 2008’ installs itself on your computer and becomes difficult to uninstall.
If you get all of the above, you are most likely infected with this new Trojan virus and its counterparts.