Category Archives: PandaLabs

Got a Christmas Card Video? Beware of the Koobface Worm

Just yesterday I mentioned that even technically astute users are finding that staying safe on the Internet is more difficult than it has ever been.

To illustrate this point, I noted that in the last few months some of my favorite tech writers have come clean and admitted having had to deal with malware infections on their personal machines.

If you’re wondering why even security experts can be fooled, the simple answer is that all of us, you, me, the informed and the uninformed, are in a battle with cybercriminal experts.

I long ago came to the conclusion that cybercriminals are some of the craftiest people on the planet. I say this not in admiration of what they do, but of how they do it.

Business in general could take away some valuable lessons from the methods cybercriminals use to achieve maximum “market” penetration. Recognition of opportunity, and the timing and implementation of strategy, are critical to business success, and I can’t think of another group that does this with more skill than the cybercriminal community.

Cybercriminals use every conceivable opportunity to spread malware, and the celebration of special events creates an exceptional opportunity for cybercriminals.

The Christmas season, when most of us let our guard down somewhat in the spirit of the season, is a timely opportunity for cybercriminals.

PandaLabs, Panda Security’s malware analysis and detection laboratory, has just reported on a new Christmas holiday Facebook scam that renders users’ computers useless should they follow a malicious link posted on a user’s wall.

If you have a Facebook page, you may well be curious, even anxious, to follow this link or links like it, but don’t let your curiosity override your common sense. Security experts argue (none too successfully, it seems) that a significant number of malware infections could be avoided if users stopped clicking haphazardly, or opening the types of files and emails that are potentially dangerous.

Victims infected by the Koobface variant involved in this attack may be able to recover control of their computer, but I wouldn’t count on it.

I encourage you to read the following PandaLabs Report:

Cybercriminals are capitalizing on the Christmas holiday in a new Facebook scam that renders users’ computers useless.

Following the posting of malicious links on Facebook users’ walls, the link leads to a fake embedded video player posing as a Christmas greeting. When users try to play the video or click on a link on the page, their computers download and install a variant of the well-known Koobface worm, Koobface.GK.


Once the worm is installed, a CAPTCHA prompt is displayed that threatens to reboot the computer within three minutes. Nothing happens after three minutes, but the screen stays up and the computer is rendered useless.

Every time a user enters the CAPTCHA text, Koobface.GK registers a new domain on which the infection files are hosted; the victim is, in effect, solving CAPTCHAs on the worm’s behalf, which keeps its distribution going.


“Social networks have become one of the popular entry points used by hackers to spread their creations, due to the false sense of security many users have regarding the content published on these networks,” says Luis Corrons, technical director of PandaLabs. “Users generally trust the messages and content they receive, and consequently hackers get a high level of response through these channels.”

Christmas: Cybercriminals’ favorite time of year

The latest attack takes advantage of an increase in Internet users sending Christmas greeting cards to their family and friends. It follows continued attention from cybercriminals on the holiday season, with Christmas-themed malware that is created year after year.

Examples of Christmas-specific malware first appearing in past holiday seasons include:

Zafi.D, 2004: Although this worm appeared several years ago, it is still distributed through e-mails that use Christmas greetings as bait. It opens a port on the infected computer without users’ knowledge and downloads another Trojan.

MerryX.A, 2005: MerryX.A infected users’ computers via a Christmas greetings e-mail carrying an attachment that was really a Trojan designed to capture keystrokes and steal information.


This Trojan managed to infect more than 50,000 Internet users in only one week.

Navidad (Christmas in Spanish), 2007: This malware family has numerous variants. These worms are hard to spot because they arrive as an e-mail reply to a message the victim previously sent to another (by then infected) recipient. The message carries the Navidad.exe file, which infects the computer when run.

To stay safe on social networks, PandaLabs recommends Internet users do the following:

Don’t click suspicious links from non-trusted sources. This should apply to messages received through Facebook, other social networks and even via e-mail.

If you click on links, check the target URL. If you don’t recognize it, close your browser.

Even if you don’t see anything strange on the target URL page but are asked to download something, don’t accept.

If you do download or install an executable file and the PC starts displaying unexpected messages, there is probably malware on your computer.
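The “check the target URL” advice above is easier to follow with a concrete check. What follows is an added example, not code from the original post or from PandaLabs: it extracts the host a browser would actually connect to and flags the tricks a bait link relies on (a trusted name in the user-info part of the URL, a trusted name buried inside an unrelated host, a bare IP address, plain http). The function name, the trusted-domain list and the sample links are constructed for the example, and the two-label rule for the registrable domain is a deliberate simplification that misclassifies names under country-code second-level domains such as co.uk.

```python
# Added example (not from the original post or from PandaLabs): inspect a
# link the way the "check the target URL" advice suggests, before clicking.
from urllib.parse import urlsplit
import ipaddress

# Constructed for this example: sites the user actually has accounts with.
TRUSTED_DOMAINS = {"facebook.com", "paypal.com"}


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(url: str) -> dict:
    """Return the host the browser will really connect to, whether it belongs
    to a trusted domain, and a list of warnings for common bait-link tricks:
    a trusted name in the userinfo part (facebook.com@evil.example), a trusted
    name buried inside an unrelated host, a bare IP address, and plain http."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    warnings = []

    if parts.username is not None:
        # Everything before '@' is credentials; it plays no part in routing.
        warnings.append(f"userinfo '{parts.username}' precedes the real host")

    if not host:
        warnings.append("no host in URL")
        return {"host": host, "trusted": False, "warnings": warnings}

    if _is_ip_literal(host):
        trusted = False
        warnings.append("host is a bare IP address")
    else:
        # Simplification: treat the last two labels as the registrable domain.
        registrable = ".".join(host.split(".")[-2:])
        trusted = registrable in TRUSTED_DOMAINS
        if not trusted:
            for name in sorted(TRUSTED_DOMAINS):
                if name in host:
                    warnings.append(f"'{name}' appears inside untrusted host '{host}'")
                    break

    if parts.scheme.lower() != "https":
        warnings.append(f"scheme is '{parts.scheme or 'none'}', not https")

    return {"host": host, "trusted": trusted, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample links of the kind found in holiday-card bait.
    for link in (
        "https://www.facebook.com/home.php",
        "http://facebook.com@198.51.100.7/christmas_card.exe",
        "http://www.facebook.com.christmas-card.example/video",
    ):
        print(link, "->", inspect_link(link))
```

The same check applies to links in e-mail: the second sample shows why “the link says facebook.com” is not enough, since everything before the `@` is discarded and the connection goes to the IP address.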

As a general rule, make sure your computer is well protected to ensure you are not exposed to the risk of infection from any malicious code. You can protect yourself by downloading Panda Security’s new free Panda Cloud Antivirus solution.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Filed under Don't Get Scammed, Don't Get Hacked, downloads, Free Security Programs, Freeware, Internet Security Alerts, Malware Advisories, Online Safety, Online Spyware/Virus Scanners, Panda Security, PandaLabs, Safe Surfing, social networking, Software, Viruses, Windows Tips and Tools, worms

Sinowal.WRN, Banbra.GLS and TDSS.CZ Trojans – Panda Security Takes a Look

Courtesy of Panda Security: This week’s PandaLabs report looks at the Sinowal.WRN, Banbra.GLS and TDSS.CZ Trojans.

Sinowal.WRN is a Trojan that collects all possible information from computers. By making a series of registry entries it goes resident on the system, gathering and sending all the data it finds.

It reaches users in an email claiming that there is an H1N1 virus vaccination program and that everyone should register their personal details for monitoring purposes.

The email includes a link to download the electronic document needed to create the personal vaccine profile.


In just a few days, our technical department has received more than 10,400 reports of these emails, which have a variety of subject fields.


If users click on the link, they are taken to a Web page where they are asked to download a document in order to create their vaccination profile. Running this file infects the computer with Sinowal.WRN, which is designed to steal confidential information. The information is stored in files which are later sent to the creator of the malware.

Banbra.GLS is a banker Trojan designed to steal bank details of users that access certain Brazilian bank websites. It arrives in a file which, when run, displays a browser window with a spoof image of a PayPal invoice.


TDSS.CZ is a Trojan which can reach users as an attachment to an email. This file is called flashupdate, and it has a typical installer icon.

This is designed to trick users into installing the supposed update. When the file is run, the only thing that users will notice is that the file disappears. Yet it hasn’t really disappeared, it has just been hidden (as it has rootkit characteristics).

The process is still running, however, transparently to users and to the system. The file then takes a series of actions to modify the system. When the user opens a Web page, an injected page appears before the requested one loads.




Filed under Don't Get Scammed, Don't Get Hacked, email scams, Internet Safety, Internet Security Alerts, Malware Advisories, Panda Security, PandaLabs, trojans, Windows Tips and Tools

Personal Protector Fake Antivirus, Autoit.HW and Autorun.JOE worms – Panda Security Takes a Look

Courtesy of Panda Security: This week’s PandaLabs report looks at Personal Protector fake antivirus, and the Autoit.HW and Autorun.JOE worms.

Removal help for Personal Protector fake antivirus follows later in this article.

Personal Protector is a fake antivirus (classified by Panda as adware). As with all such malware, it simulates a scan of the computer and claims to detect a series of threats, none of which exist. It then offers to remove the (non-existent) malware using a paid version of the fake antivirus.

Once again, the aim of the cyber-crooks is to profit financially from this fraudulent application. Every time users try to remove the malware, supposedly detected on their system, or update components of the application, they will be asked for a payment.


Autoit.HW is a worm that spreads through spoof Web pages and emails which trick users into installing the malware on their computers. It can also spread through removable USB drives, where it abuses the AutoRun feature (an autorun.inf file in the root of the drive) to execute even though users never ran the executable file themselves.

Once the computer has been infected with this malware, it disables the Task Manager so that users cannot see active processes on the system. The worm does this in order to hide itself.

With the same aim, it also disables the Windows Registry editor and folder options, so that users cannot change the option to see hidden files, or file extensions.

Autorun.JOE is another worm which, like the previous one, spreads via email and removable drives. After infecting a computer, it takes the following malicious actions:

– Disables the task manager
– Disables Windows Registry management tools
– Disables the option to view hidden files.
– Disables the option to view hidden system files.
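Both worms above rely on removable-drive AutoRun to spread and on the same handful of user-hostile settings to hide. The following is an added example, not code from the original page or from Panda Security: a tolerant autorun.inf checker of the kind you would run against a suspect USB stick, and an audit of the registry values that produce the effects the report lists. The report names only the effects (Task Manager disabled, Registry Editor disabled, Folder Options hidden, hidden files not viewable); the value names and clean defaults used here are the standard Windows ones and are this example’s assumption, as are the function names. The sample autorun.inf is constructed.

```python
# Added example (not from the original post or from Panda Security).
# Part 1: a tolerant autorun.inf checker. Part 2: an audit of the registry
# values behind the effects the report lists. The value names and clean
# defaults are the standard Windows ones: an assumption of this example.
import re

EXEC_KEYS = {"open", "shellexecute"}           # directives that run a program
DISGUISE_KEYS = {"icon", "label", "action"}    # directives that dress the drive up
SECTION_RE = re.compile(r"^\s*\[\s*(?P<name>[^\]]+?)\s*\]\s*$")
PAIR_RE = re.compile(r"^\s*(?P<key>[^=;]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_autorun(text: str) -> dict:
    """Parse autorun.inf the way Windows does: keys are case-insensitive, only
    the [autorun] section counts, and lines that do not parse are skipped
    rather than aborting (worm-written files are padded with junk lines so
    that naive parsers give up while Windows carries on)."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        m = PAIR_RE.match(line)
        if m and section == "autorun":
            entries[m.group("key").lower()] = m.group("value")
    return entries


def autorun_findings(text: str) -> list:
    """Reasons this autorun.inf should not be trusted; empty list if none."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append(f"{key}={value} runs a program on insertion or double-click")
        elif key == "shell" and value:
            findings.append(f"default double-click verb redirected to '{value}'")
    disguises = sorted(k for k in entries if k in DISGUISE_KEYS)
    if findings and disguises:
        findings.append("drive appearance spoofed via: " + ", ".join(disguises))
    return findings


# (key path, value name, clean value). A missing value counts as clean.
# CheckedValue backs the "Show hidden files" radio button; worms zero it.
POLICY_CHECKS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 0),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 0),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", 0),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", 1),
]


def audit_policies(values: dict) -> list:
    """values maps (key_path, value_name) -> DWORD as read from the registry.
    Returns the entries that match what Autoit.HW / Autorun.JOE leave behind."""
    hits = []
    for path, name, clean in POLICY_CHECKS:
        current = values.get((path, name), clean)
        if current != clean:
            hits.append(f"{path}\\{name} = {current} (clean value {clean})")
    return hits


def read_live_values() -> dict:
    """On Windows, read the checked values with winreg; elsewhere return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = {}
    for path, name, _ in POLICY_CHECKS:
        root, _, sub = path.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as key:
                out[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value absent: audit_policies treats that as clean
    return out


# Constructed sample: what a worm drops in the root of a USB stick.
SAMPLE_AUTORUN = """\
[AutoRun]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=RECYCLER\\update.exe
shell\\open\\Command=RECYCLER\\update.exe
shell=open
kJ8sd#@!garbage-line-without-equals
"""

if __name__ == "__main__":
    for f in autorun_findings(SAMPLE_AUTORUN):
        print("autorun.inf:", f)
    for h in audit_policies(read_live_values()):
        print("registry:", h)
```

Disabling AutoRun for removable drives via policy (NoDriveTypeAutoRun) removes the infection vector; the audit above is for after the fact, when a worm has already flipped the settings and the user can no longer open Task Manager or Folder Options to check.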


Personal Protector Removal Instructions:

If you have become infected by Personal Protector, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and the advice you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix, available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue, or malicious, software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/FireFox add-on, that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.



Filed under Anti-Malware Tools, Antivirus Applications, Browser add-ons, Don't Get Scammed, Don't Get Hacked, downloads, Email, email scams, Free Anti-malware Software, Freeware, internet scams, Internet Security Alerts, Malware Advisories, Malware Removal, Manual Malware Removal, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, Scareware Removal Tips, Software, Windows Tips and Tools

AntiAID and Control Center Fake Antiviruses – Panda Security Takes a Look

Courtesy of Panda Security: This week’s PandaLabs report looks at AntiAID and ControlCenter fake antiviruses.

Removal help for both these nasties follows later in this article.

AntiAID is a fake antivirus which when installed on a computer displays a screen comprising several tabs for configuring the protection level, updates, small tools, etc. This malware first simulates a scan of the computer, falsely claiming to detect various examples of malware.


When the scan is finished, a screen appears displaying the results and a warning about the risks of the threats it has supposedly detected. To delete these ‘threats’ users are asked to enter a registration code, and a browser window opens with the page through which users can pay for this code.


Once again, the aim of cyber-crooks is none other than to profit financially from this fraudulent application. Every time users try to remove the malware supposedly detected on their systems, or update components of the application, they will be asked for a payment.

Another fake antivirus, Control Center, operates in a similar fashion. It fakes a scan of the system and claims to have detected (non-existent) malware. It then asks for payment in order to remove the ‘malware’.



AntiAID and Control Center Removal Instructions:

If you have become infected by AntiAID, Control Center, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

The free removal resources and the tips for avoiding rogue software are the same as those listed under Personal Protector Removal Instructions above; 411 Spyware also publishes removal guides specific to AntiAID and to Control Center.



Filed under Anti-Malware Tools, Don't Get Scammed, Don't Get Hacked, Free Anti-malware Software, Freeware, internet scams, Malware Advisories, Manual Malware Removal, Online Safety, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, System Security, Windows Tips and Tools

Volcano Security Suite – Panda Security Takes a Look

Courtesy of Panda Security: This week’s PandaLabs report looks at the Banker.LZK banker Trojan, the Volcano Security Suite malware program, and the Koobface.FU worm.

Banker.LZK is distributed through emails with several subjects, and a malicious file called “Comprovante” (receipt). Once it runs on the system, it connects to a Brazilian IP address and downloads another, larger file called “sistema.exe”.

This file when run, goes resident and is concealed from users. It steals users’ bank details when they access certain online banks and enter their credentials. The Trojan connects to a Web page where it stores the data from infected computers (country, network name and time of infection).

Volcano Security Suite is a fake antivirus (classified by Panda as adware). Like all malware of this kind, once installed it carries out a fake scan, supposedly detecting several examples of malware.


It tries to make users believe their system is infected, offering them the possibility of solving the problem by purchasing a pay version of the fake antivirus.


Removal help for this malware program is further on in this article.

Finally, Koobface.FU is a worm designed to distribute via Facebook. The first malicious file that reaches computers deletes itself when run, and downloads the rest of the files.

It then displays a fake Windows system screen asking users to enter the characters shown in a CAPTCHA, warning that if they don’t, the computer will be restarted in three minutes.


However, if the information is not entered, instead of restarting the computer, the screen remains, preventing normal use of the system.


Volcano Security Suite Removal Instructions:

If you have become infected by Volcano Security Suite, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

The free removal resources and the tips for avoiding rogue software are the same as those listed under Personal Protector Removal Instructions above.



Filed under Anti-Malware Tools, Firefox Add-ons, Free Anti-malware Software, Freeware, Internet Explorer Add-ons, Internet Security Alerts, Malware Advisories, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, scareware, Scareware Removal Tips, System Security, Windows Tips and Tools

General Antivirus and Win Enterprise Defender – Panda Security Takes a Look

Courtesy of Panda Security – This week’s PandaLabs report looks at a worm, a Trojan and two new fake antiviruses.

The two fake antiviruses are General Antivirus and Win Enterprise Defender.

Both are rogueware programs that scan the hard disk and mark normal non-infected files in different folders as malware. They ask the user to purchase a license (of a fake antivirus), at a very attractive price to resolve this issue.

Unaware users (even those who have an antivirus), on seeing that these rogueware programs detect more alleged malware, could be tempted into purchasing.


Users can pay for the fake antivirus with Visa or MasterCard, and the credit card details they enter may then be used fraudulently.

Removal help for these nasties is further on in this article.

SpyAutorun.A is a worm with keylogger features which is able to steal users’ confidential data. All the information is collected in a text file which is sent to hackers’ email addresses.

Being a worm, it spreads through the network via previously infected removable drives, hard disks, memory cards, portable hard disks, etc.

Gymizi.A is a Trojan that displays annoying messages and restarts the infected computer. As soon as the user opens a browser on an infected machine, it displays a small progress-bar animation and inserts a message in the browser’s title bar.


Every so often it displays an error pop-up with the message “fuck musang berapi!!!” and restarts the computer. Once the system is restarted, it displays a screen with offensive texts. It also alters the registry to ensure it is run on every system startup.



General Antivirus and WinEnterpriseDefender Removal:

If you have become infected by General Antivirus, WinEnterpriseDefender, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

The free removal resources and the tips for avoiding rogue software are the same as those listed under Personal Protector Removal Instructions above.



Filed under Anti-Malware Tools, Don't Get Scammed, Don't Get Hacked, downloads, Free Anti-malware Software, Freeware, internet scams, Malware Advisories, Malware Reports, Manual Malware Removal, Online Safety, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, Software, System Security, trojans, Viruses, Windows Tips and Tools

Ransom.K, Bifrost.GEN and Safety Center Fake Antivirus – PandaLabs Takes a Look

Courtesy of Panda Security.

This week’s PandaLabs report looks at two Trojans and a new fake antivirus.

Bifrost.GEN is a backdoor-type Trojan whose objective is to go resident, concealing its presence and displaying no visible symptoms. The malware injects its code into Internet Explorer and runs it in the background, leaving an open connection to await the attacker’s instructions for accessing the infected computer.

The second Trojan we are looking at today is Ransom.K. It reaches computers with an icon that resembles an application Help file and encrypts the contents of the .TXT, .DOC, .XLS and .JPG files it finds on the computer, recording them in a file it downloads called CryptLogFile.txt. It also replaces the desktop wallpaper with a message asking users to pay for the credentials needed to decrypt them.


This type of extortion is known as “ransomware”. The solution in this case is simple: delete the CryptLogFile.txt file from C:\Windows and re-run the Trojan. When it cannot find the file listing the encrypted documents, it automatically returns those files to their original state. Re-running malware is never risk-free, so copy the encrypted files elsewhere first and, if at all possible, do this on an isolated machine.

Finally, Safety Center is a new fake antivirus. It is presented as an unregistered multi-tool product.


It asks users to purchase the license by registering online in order to use or update all the tools. On reaching computers it carries out a fake hard-disk scan, displaying false infections to trick users. If victims fall for the trap and pay, they will not only be paying for a fraudulent product, but will also have their bank details exposed.


Safety Center Removal:

If you have become infected by Safety Center, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

The free removal resources and the tips for avoiding rogue software are the same as those listed under Personal Protector Removal Instructions above.



Filed under Anti-Malware Tools, Browser add-ons, Don't Get Scammed, Don't Get Hacked, downloads, Encryption, Free Anti-malware Software, Free Security Programs, Freeware, Internet Safety Tools, internet scams, Internet Security Alerts, Malware Advisories, Panda Security, PandaLabs, Ransomware, Rogue Software, Rogue Software Removal Tips, Scareware Removal Tips, Software, trojans, Windows Tips and Tools

Panda Security – Auto Industry Top Spam Target

Many of us tend to think of spam as an “oh, well” problem. But is it? Not if you’re part of the auto industry it isn’t!

According to a study just released by Panda Security, only 0.11 percent of mail received by businesses in the auto industry is legitimate, and other sectors don’t fare much better.

If you think spam is relatively harmless, read the following report and then consider the enormous waste of resources involved in spam distribution, and the risks to your Internet safety.

Courtesy of Panda Security:

Panda Security, the Cloud Security Company, today revealed the results of its three-month long study from July to September 2009 on the prevalence of spam across a range of industries.

Investigating 11 sectors, including automotive, insurance, banking, tourism, construction, food and others, Panda analyzed the email traffic generated by 867 companies in 22 countries throughout the U.S. and Europe and found that the automotive industry is the top recipient of spam and email-borne malware. In total, more than 503 million messages were analyzed.


The overall aim of the study was to compare the prevalence of spam and malware across different business sectors. Following automotive, the electronics sector and government institutions rounded out the top three recipients of spam and email-borne malware with ratios of 99.89, 99.78 and 99.60 percent, respectively.

This ratio represents the percentage of spam or malicious messages in relation to all email received. Consequently, this means that just 0.11 percent of mail received by businesses in the motor industry is legitimate (similarly 0.22 percent in the electronics sector, and 0.40 percent in government institutions).

Interestingly, the banking sector, predicted by many to be a prime target, featured near the bottom of the ranking with a ratio of 92.48 percent. The education and tourism sectors close the ranking with figures of 87.98 and 87.22 percent.

There was, however, no considerable difference in the subject fields of the spam received across the various sectors. The majority, more than 68 percent, were related to pharmaceutical products. This was followed by advertisements for replica products with 18 percent, and messages with sexually explicit content at 11 percent.

Banker Trojans were responsible for approximately 70 percent of all malware detections. These were followed by adware/spyware at 22 percent, with the remainder accounted for by viruses, worms, etc.

According to Luis Corrons, Technical Director of PandaLabs, “We were curious to see if spam and email-borne malware affected all companies equally, or whether there were factors that influenced the likelihood of them being targeted. We were surprised to find significant differences – up to 12 percent – in the ratio of junk mail received between different business sectors.”

To help businesses be better suited and prepared for the threat of malware and prevalent spam, Panda Security has launched an education and training campaign called, ‘Time For Your Business’. This site helps businesses identify their current security issues and asks questions so they can customize solutions that are best suited to their needs.



Filed under Don't Get Scammed, Don't Get Hacked, Email, Internet Security Alerts, Panda Security, PandaLabs, Windows Tips and Tools

SafeFighter Fake Antivirus – PandaLabs Takes a Look

Courtesy of Panda Security.

PandaLabs’ report this week focuses on two Trojans, and a new fake antivirus.

SafeFighter is a new fake antivirus.


Like other malware of this kind, it tries to fool users by displaying false infections, remote connections and vulnerabilities that do not exist. If users fall for the trap, they are directed to a screen where their credit card details are requested to carry out the transaction. This way, as well as obtaining money for a service that will never be provided, cyber-crooks steal users’ credit card details.

Removal help for this nasty is further on in this article.

Spammer.ANT is a Trojan that passes itself off as a Microsoft program.

Once run, it copies itself to the system and loads itself to memory under the name reader_s.exe. It then carries out remote connections and spams users, trying to get them to believe the messages received are from an online store.


It has a compressed file attachment with an executable called open.exe. When opened, AntivirusPro2010 is installed on the computer (a fake security solution we have discussed in the past).
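A defender-side check for the delivery pattern just described, added here as an example that is not part of the original post or of PandaLabs' material: it parses an email message and flags any ZIP attachment that contains an executable. The message, the archive and the dummy open.exe inside it are all constructed inline.

```python
# Added example, not PandaLabs' or the post's own code: flag mail whose
# compressed attachment carries an executable (the Spammer.ANT pattern).
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def executables_in_zip(data: bytes) -> list[str]:
    """ZIP members that look executable, by suffix or by the MZ magic
    (so a renamed binary is still caught); non-ZIP input yields []."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                by_name = info.filename.lower().endswith(EXECUTABLE_SUFFIXES)
                with zf.open(info) as member:
                    by_magic = member.read(2) == b"MZ"
                if by_name or by_magic:
                    found.append(info.filename)
    except zipfile.BadZipFile:
        pass
    return found

def suspicious_attachments(raw_message: bytes) -> list[tuple[str, list[str]]]:
    """Parse an RFC 822 message and return (attachment name, executables)
    for each ZIP attachment that carries an executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload:
            execs = executables_in_zip(payload)
            if execs:
                hits.append((part.get_filename() or "<unnamed>", execs))
    return hits

def build_sample_message() -> bytes:
    """Constructed sample: a fake 'online store' mail with order.zip holding
    a dummy open.exe (an MZ header only, not a real program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("open.exe", b"MZ" + b"\x00" * 16)
    msg = EmailMessage()
    msg["Subject"] = "Your order confirmation"
    msg.set_content("Please open the attached receipt.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="order.zip")
    return bytes(msg)
```

Running `suspicious_attachments(build_sample_message())` reports the sample archive and the open.exe inside it; a mail gateway or quarantine script can apply the same check before the attachment ever reaches a user.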

The other Trojan in this report is Sinowal.WOE.

It reaches computers through email, and passes itself off as a Microsoft Word document. Once installed, it collects as much information as it can from the infected user.

Additionally, when the user opens the browser, the Trojan connects to a server where Sinowal.WOE stores the victim’s information, and downloads the AntivirusPro2010 fake security solution.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

SafeFighter and AntivirusPro 2010 Removal:

If you have become infected by AntivirusPro 2010, SafeFighter, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and the advice you will need to attempt removal.

Click here to download free SUPERAntiSpyware to remove AntiVirusPro 2010.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software:

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.



Filed under Antivirus Applications, Don't Get Scammed, Don't Get Hacked, downloads, Email, email scams, Firefox Add-ons, Free Anti-malware Software, Freeware, internet scams, Internet Security Alerts, Malware Advisories, Online Safety, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, scareware, Scareware Removal Tips, Software, System Security, trojans, Viruses, Windows Tips and Tools

Total Security 2009 – PandaLabs Fights Back by Offering Free Serial Numbers

Once again ransomware is on the loose; but it’s a little bit different this time around. In previous versions of this type of malware, after installation, the victim was informed that the computer’s files had been encrypted and a decrypting tool had to be purchased from the cyber-criminal in order to decrypt the affected files.

Now we have another new form of ransomware to deal with. Cyber criminals are now combining rogueware with ransomware, enabling them to hijack users’ information and block computer use.

Courtesy of PandaLabs:

PandaLabs, Panda Security’s malware analysis and detection laboratory, has identified a new, more aggressive trend cyber criminals are using to sell fake anti-virus programs, otherwise known as rogueware. Cyber criminals are now combining rogueware with ransomware, hijacking users’ computers and rendering them useless until victims purchase fake anti-virus programs.

The fake program that PandaLabs has discovered, called Total Security 2009, is being offered to victims for approximately $79.95. Victims can also purchase ‘premium’ tech support services for an additional $19.95.


Users who pay the ransom receive a serial number that releases all files and executables, allowing them to work normally and recover their information. The fake anti-virus, however, remains on their systems.

PandaLabs has published a list of serial numbers that victims can use to unblock their computers, as well as a video demonstrating how this scam operates. To obtain a serial number click here.

Previously, when computers were infected by this type of malware, users would typically see a series of warnings prompting them to buy a paid version of the program. The new method of selling rogueware blocks users’ attempts to run programs or open documents, displaying a message falsely informing them that all files on their computers are infected and the only solution is to buy fake anti-virus.

“Users are often infected unknowingly – in most cases through visiting hacked Web sites. Once a computer is infected, it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge,” said Luis Corrons, technical director of PandaLabs.

“Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked. The only application that can be used is the Internet browser, conveniently allowing the victim to pay for the fake anti-virus. For this reason, on the PandaLabs blog, we have published the serial numbers required to unblock the computer if it has been hijacked. Users can then install genuine security software to scan the computer in-depth and eliminate all traces of this fake anti-virus.”

“The way this rogueware operates presents a dual risk: First, users are tricked into paying money simply in order to use their computers; and second, these same users may believe that they have a genuine anti-virus installed on the computer, thereby leaving the system unprotected,” adds Corrons.

“This shift toward hijacking computers indicates either that users are becoming more adept at recognizing these threats or that security companies are beginning to close the gap on this highly sophisticated level of cybercriminal behavior. This would explain why hackers are becoming more aggressive in the methods used to force the victims into purchasing fake anti-virus programs.”

You can download a free trial of Panda Global Protection 2010 to completely remove the infection, once the ransomware feature is removed.

PandaLabs recently published a report about the lucrative business of rogueware. The report is available here.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.



Filed under Anti-Malware Tools, Don't Get Scammed, Don't Get Hacked, downloads, Internet Security Alerts, Malware Advisories, Online Safety, Panda Security, PandaLabs, Ransomware, Rogue Software, Rogue Software Removal Tips, Software Trial Versions, System Security, Windows Tips and Tools