Tag Archives: Malwarebytes

Ransomware! – How A Layered Security Approach Can Defeat It

My Australian mate, Mal Cowan, steps into the breach when his good friend gets infected with one of the most difficult-to-remove pieces of malware currently ripping up the Internet – ransomware. Follow Mal, in this guest writer article, as he spins up his skill set and puts the hammer to a ransomware payload.

Recently, I received a frantic call from a good friend.  He informed me that when he booted his computer, there was a message supposedly from Australian Law Enforcement, stating that his PC had been involved in illegal activity and in distributing pornographic material.

Freak-out time – The malware had taken a photo of him via his webcam and placed it in the top middle of the Law Enforcement notice.

Note: This scam is not restricted to Australia. The graphic below provides ample evidence that this type of ransomware is a global issue.

Graphic courtesy of F-Secure.

Immediately, I knew what this program was – Ransomware.  Tech and blog sites have been full of news of this scourge in the past few months.

At first look, there was a full screen message – complete with an official looking logo from the Australian Federal Police.  The computer’s IP address had been logged, and there was indeed a photo of my friend, along with the messages outlined above.

The clincher? The message stated that he had to pay a fine to unlock his computer.

First, I tried to start Task Manager to stop the malware process.  That did not work – it simply would not load.  The computer was well and truly locked.

Next, I tried to restart the computer in Safe Mode.  No luck.  The message appeared again.  Still frozen.

Then, I inserted Kaspersky Rescue Disk (a fantastic Linux-based recovery disk made for just this type of situation), and restarted the computer.

Selecting boot options before Windows started, I loaded Kaspersky and updated the malware database via the Internet.  The wonderful thing about Kaspersky is that it scans the infected machine without Windows running, so anything nasty cannot hide.

After a three hour scan, Kaspersky came up with 50 Trojan detections (one of the biggest I have ever seen).  It was able to eliminate all but one of them.

I crossed my fingers and restarted Windows.  Instead of the message, there was just a big white screen – still locked.  Kaspersky had obviously made a dent, but I needed something more.

Before leaving for my friend's house, I had loaded up a USB stick with Hitman Pro Kickstart.  Hitman Pro is a wonderful true cloud antivirus scanner using multiple AV engines, with an excellent detection rate.

Recently, it also added a feature in which one can create a bootable USB stick that can bypass the infected boot process.  The catch is – this must be done on an uninfected machine (which is why I used my personal computer to create it).

I inserted the USB stick into the slot, restarted the machine, and went to boot options (the F12 key on the infected machine) and selected “Boot from USB”.

Hitman Pro Kickstart came through.  It booted straight into the Windows environment without a hitch, and then proceeded to run a scan (an Internet connection is required).  I was a bit dismayed when the scan came back clean, as I knew Kaspersky had not been able to eliminate one threat.

But now, I was past the ransomware Trojan and able to start other antimalware applications.  Malwarebytes was next.  I updated it and proceeded to run a full scan.  Bingo.  It nailed a few more Trojans that had got past Kaspersky and Hitman Pro, and after deleting these nasties, rebooting the computer normally again, and running a further scan with Hitman Pro, Malwarebytes and AVG, the computer came up clean.

The point of my story really is quite simple.  NOBODY can rely on one antivirus/antimalware application to catch all malware.  The ransomware obviously got past the onboard, realtime antivirus (which was not AVG; I installed that afterwards).  Kaspersky detected most of the infections, Hitman Pro helped me boot into the Windows environment, and Malwarebytes cleaned up the rest.  AVG came up with a clean scan after I uninstalled the old antivirus.

How did my friend get infected?  Who knows.  There are so many exploits that this Trojan could have used that I don’t have a clue.  The computer is a family machine, used mostly by children for online games and such.

Just visiting a family-friendly site can get your computer infected these days. It could have been worse.  It might have been an infection that actually encrypted the contents of the whole computer.  That's a nightmare I am glad I didn't have to deal with.

Thanks Mal.


Rogue Security Software Continues Its Rampage – Some Solutions

If the day should ever come when anti-malware applications achieve a 100% effective rate in the detection of malware, or software developers develop operating systems and applications that are fully malware resistant, I'll have to find something else to blog about!

It doesn't look like that day is likely to happen any time soon, however. In the meantime, Internet users will continue to download and test or try out the latest, greatest, and newest anti-malware tools. Knowing this, cyber crooks are blitzing the Internet with "rogue security software", often referred to as "scareware".

Scareware is a particularly vicious form of malware, designed specifically to convince the victim to pay for the "full" version of an application in order to remove what are, in fact, false positives that these programs are designed to display on the infected computer in various ways: fake scan results, pop-ups, and system tray notifications.

Dialogue boxes, like the ones below, can be a powerful motivator. It’s no wonder then, that unaware computer users will often respond by clicking on the link which will take them to the product download site.


Using techniques such as the ones described earlier, cyber criminals are infecting more than 35 million computers with scareware/rogueware each month (roughly 3.50 percent of all computers), and earning more than $34 million monthly, through scareware attacks.

Generally, reputable anti-spyware software is capable of detecting rogue software if it attempts to install. But this is not always the case. Anti-malware programs that rely on a definition database can be behind the curve in recognizing the newest threats.

A good partial solution to this problem is to ensure you have installed, and are running, an anti-malware application such as ThreatFire Version 4.7.0, free from PC Tools. This type of program operates using heuristics, or behavioral analysis, to identify newer threats.

Additional steps you can take to reduce the chances of infecting your system with rogue software:

Consider the ramifications carefully before responding to a Windows Security Alert pop-up message. This is a favorite vehicle used by rogue security applications to begin the process of infecting unwary users' computers.

Be cautious in downloading freeware, or shareware programs. Spyware, including scareware, is occasionally concealed in these programs. Download freeware applications only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications, since exposure to rogue security applications is widespread.

Install an Internet Browser add-on such as WOT (Web of Trust), an Internet Explorer/Firefox add-on, that offers substantial protection against dangerous websites.

Always remember of course, that you are your own greatest line of defense against malware. STOP. THINK. CLICK.

If you are infected by scareware/rogueware, the following free resources can provide tools, and advice, you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software.

SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Scareware is Destroyware – Not Just Malware


Scareware is a particularly vicious form of malware, designed specifically to convince the victim to pay for the "full" version of an application in order to remove what are, in fact, false positives that these programs are designed to display on the infected computer in various ways: fake scan results, pop-ups, and system tray notifications.

According to Panda Security, approximately 35 million computers are infected with scareware/rogueware each month (roughly 3.50 percent of all computers), and cybercriminals are earning more than $34 million monthly, through scareware attacks.


Delivery methods used by these parasites include Trojans, infected websites, misleading advertisements, and Internet Browser security holes. They can also be downloaded voluntarily, from rogue security software websites, and from "adult" websites. As one of my friends put it, "It's easy to be bitten by a dog like that".

The average computer user that I speak with informally has no idea that rogue applications exist. But they do, and cyber crooks are continuing to develop and distribute scareware at a furious pace; there are literally thousands of variants of this type of malware currently circulating on the Internet. It's fair to say that distribution has now reached virtual epidemic proportions.

Having watched the development and deployment of scareware over the last few years, and having noted the increasing sophistication of the current crop of scareware applications, I have come to the realization that scareware removal instructions have limited value, except perhaps, for the most technically sophisticated computer user. A reformat and a system re-install are more than likely in the cards.

Yes, I know, there are literally hundreds of sites that will walk you through the process of attempting to eliminate this type of scourge, but simply put – if your computer becomes infected with the current scareware circulating on the Internet, you are, in most cases, wasting your time attempting to save your system.

If you doubt this, take a look at Trojan War Resolution: The Battle Won, in which Larry Walsh of eWeek, describes a three day marathon system recovery attempt which was ultimately successful, but…..

The best advice? Have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage.

If you have become infected by scareware, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools, and advice, you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software.

SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software:

Consider the ramifications carefully before responding to a Windows Security Alert pop-up message. This is a favorite vehicle used by rogue security applications to begin the process of infecting unwary users' computers.

Be cautious in downloading freeware, or shareware programs. Spyware, including scareware, is occasionally concealed in these programs. Download freeware applications only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications, since exposure to rogue security applications is widespread.

Install an Internet Browser add-on such as WOT (Web of Trust), an Internet Explorer/Firefox add-on, that offers substantial protection against dangerous websites.


Another Day in the Trenches: Killing XP Antivirus 2010

Popular guest writer Mark Schneider walks you through a computer recovery operation, following an infection by a rogue security program, XP Antivirus.

I hate rogue antivirus programs. They seem to be getting more numerous and harder to get rid of all the time. Case in point: At work, I noticed a shared computer suddenly popped up a Window announcing it was doing a scan, and that I was infected with over 4,000 Trojans and other forms of malware.

Nice try I thought, so I used Control Alt Delete to start task manager, and I closed Internet Explorer and all running processes involved. Fortunately, it was a limited user account that was infected, and that turned out to be an important factor in removing it.

I immediately ran Malwarebytes from that user and found a number of infections including the rogue antivirus product I was afflicted with. These cretins that come up with this crap can’t even come up with something creative – we’ve seen XP Antivirus for a few years now; each year they just tack on a year to make it look current.


Sad thing is, I’m sure somewhere out there is someone who renews this crap every year. Imagine paying yearly to be infected – oh right, we already do that it’s called McAfee, but don’t get me started.

Well back to the task at hand: I rebooted the machine and logged into an administrator account, updated Malwarebytes and ran it again… and found more junk, actually the same junk. Malwarebytes found it, but could not kill it.

Next, I downloaded Superantispyware, a great application that I always run at home but it wasn't on the work machine. The first thing I do now after I download an anti-malware application is rename the installer. I do this because I often find the malware knows how to prevent anti-malware from installing – these guys aren't creative, but they're getting smarter.

To rename a file, right click on the file and select rename and type anything.exe and install the program. Superantispyware did its thing and found a ton of additional files. I removed the infected files and rebooted again, and ran both my programs again. I still found junk!

I repeated the sequence two more times until nothing was found. I then ran a scan in all user accounts to confirm "the kill". So far so good, until I went into the user account where the infection had started; now, whenever I tried to launch any program from the desktop I'd get the "Choose what Program you want to use to Open this File" message. This meant I had to fix file associations, and a great site with XP file association fixes is here. I used the .exe file association fix and it worked great.

The last thing I did was to run Process Explorer, and Autoruns from Sysinternals. These utilities give a great in-depth look at what is currently running and starting on your machine at boot-up. Finding nothing suspicious I deemed the computer clean, for now.

So a few lessons I learned on this one: Don't use IE – this was caused by a flaw in Internet Explorer that I believe was just fixed this week. Second, running as a limited user is still far safer than running as an administrator; even though it's trivial to elevate to administrator level, most malware seldom does, and this makes cleaning an infected PC much easier.

Next, running your cleanup tools multiple times and rebooting after each scan is the only way to give the anti-malware tools a chance against the bad guys.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.


Infected by Scareware? Get Your Wallet Out!

Downloading Fake/Rogue Software Hurt$

Scareware, rogue software, destroyware, call it what you will – if you become infected, you are in for a frustrating, time consuming, and in many cases, an expensive experience.

There are literally thousands of these applications currently in the wild blue, just waiting for the unaware computer user to fall into the trap. It’s such a lucrative business for cybercriminals, that we are now dealing with a virtual epidemic of this type of malware.

Most of these rogue applications use social engineering to convince users to download this type of unsafe application, and let's face it – a dialogue box that states "WARNING! Your computer is infected with spyware! – Click here to remove it!" is a powerful motivator for many unaware computer users. But here's the catch – clicking on the OK button starts an infection process by rogue security software. It's as simple as that!

After installation, false positives (fake malware detection warnings in a computer scan) and the promise to remove them are the primary method used to convince the unlucky victim to purchase the product.

It's a scam of course; but to make matters worse, the installation of rogue security software frequently leads to a critically disabled PC, or in the worst case scenario, allows hackers access to important personal and financial information.

An example of a rogue security application getting ready to pounce.


If you become infected by scareware then get your money out. Your wallet is going to take a hit – maybe two.

The following factual stories, brought to my attention by the very people who have been victimized, will point out the frustration, and the expense, of having to deal with a rogue software infection.

Victim #1 – “What do you do if you were duped into buying the XP Antivirus software? Should I take any precautions such as canceling credit card and/or email passwords etc.? Is my home edition of avast! 4.8 Antivirus enough to keep me safe from bogus and/or rogue software???? Please help…my computer is my life! Thank you”.

Victim #2 – "Unfortunately, I fell for the "virus attack"; after trying to remove it, I gave in and bought the XPAntivirus. They charged me not only for what I had bought but charged me again, $ 78.83 for something which I hadn't ordered, nor ever received.

It was a nightmare trying to get in touch with anybody, and I finally connected with a guy with an accent, who told me to E-mail the billing service re: my problem. I wrote them tried to call, it’s been a week, and they still won’t contact me to clarify what occurred. I printed off a purchase order from them when I bought the XP which verifies what I received.

Anybody know what state they're in? I'll notify the state's attorney's office. These people are crooks".

Having watched the development and deployment of scareware over the last two years, and having noted the increasing sophistication of the current crop of scareware applications, I have reluctantly come to the conclusion that scareware removal instructions have limited value, except perhaps, for the most technically sophisticated computer user.

The best advice? Have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage.

However, if you have become infected by scareware, and you want to try your hand at removal, then by all means give it a try. There are literally hundreds of sites that will walk you through the process of attempting to eliminate this type of scourge, but the following sites are among the best I’ve found, at providing the tools, and the advice, you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix – available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

The following recommendations are repeated (particularly for new or inexperienced users) on what steps can be taken to reduce the probability of having to deal with a rogue software infection.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on, that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.

Make regular backups of critical data

Make a boot disk in case your computer is damaged or compromised


Malware Removal Tips – Experience From the Trenches

Guest writer Mark Schneider gives you the best advice you’ll ever get on malware removal – “when it comes to malware removal, use a shotgun – not a rifle”.

Cleaning an infected computer is a challenge. Unfortunately, malware writers are talented, and that translates into real trouble if your machine gets infected.

Many computers ship with large all-in-one security suites. These all-in-one programs look good on a checklist comparison in PC Magazine, but I prefer to use a variety of free programs from different vendors, each using a slightly different method of cleaning a machine, which gives you the best chance of finding all the bad files.

Recently, I had to deal with a Lenovo Thinkpad my daughter had been using – the laptop is a spare machine I use only occasionally, and had just been given a clean install of Windows XP.

After my daughter had finished using it, I did a routine scan using Malwarebytes, a very good free anti-spyware program. The initial scan found 15 infections, including some Rootkits, which can be very difficult to remove. Malwarebytes told me I needed to reboot the computer to finish the removal. I complied and rescanned.


Same results, same Trojans, same Rootkits, so I scanned with Microsoft’s Security Essentials, a new free anti-virus Microsoft recently released. Security Essentials found nothing at all, so I tried a new (to me) website, virustotal.com.


Virustotal allows you to upload suspicious files to scan to determine if they are a threat or, possibly a false positive. I uploaded the file that was showing up the most frequently on the quick scans. Virustotal scans the file using over 40 different malware removal engines. Only one engine, McAfee Virus scan, found the file to be suspicious so I was beginning to think I might have a false positive. But, the fact that the file kept reappearing was very suspicious. Now I needed to get serious.


The next step was to run CCleaner, a very good registry and temporary file cleaner. CCleaner will make virus scans faster, and may delete files that are allowing a possible payload to reload when you restart the computer.


After using CCleaner, I installed Superantispyware Free, a program that I always install as one of my primary tools to combat spyware. The fact that this computer was a fresh rebuild was the only reason I hadn't installed it yet.

Installing and running Superantispyware goes very fast – it’s a great program that is the favorite of many computer technicians. Super lived up to its reputation, and found a number of problems, including one Trojan with multiple registry entries.


Rebooting the machine after Superantispyware ran, finally yielded some results. Additional scans from Superantispyware, and Malwarebytes, came up clean.

My next test is to run HijackThis. HijackThis is a very powerful tool which must be handled with care. Installing HijackThis is simple; using it effectively is another story. The best method, for most people, is to run HijackThis and create a log file. Next, post this file to a web site where experts can parse your results and determine if you still have any suspicious files.


My preferred site is HijackThis.de – the site is primarily in German, but don’t let that deter you. They have a scanner which will scan your log file in real time and give you a good idea, right away, if HijackThis has found anything.

If you have run, and re-run your scanning tools, run a HijackThis, and everything comes up looking okay, you’re probably malware free. But for the next few reboots, you should continue to make sure your anti-malware programs are up to date, and keep rescanning periodically.

Most malware these days wants to hide in the background. You may be infected and never know your machine is stealing your passwords, and draining your bank account. So stay safe, keep your data backed up, and if you get infected, use as many tools as it takes to get secure again.

This is a guest post by Mark Schneider of the Techwalker Blog, who brings a background as a high level techie, to the blogging world.

Why not pay a visit to Mark’s site today.


Scareware? Maybe (Destroyware? Definitely)

So, you picked up a "scareware" infection. Should you, as the name implies, be "scared"? In my experience, scared doesn't really cut it, nor does shocked, or alarmed. No, horrified is perhaps the best way to describe that sinking feeling that occurs following a scareware infection. You'll see why.

While it may be true that this type of malware, otherwise known as “rogue security software”, is scary, it is so much more than that. A more accurate name for this parasitic infectious software is “destroyware”, since the effect it has on a victim’s system is just that.

Rogue security software can write itself into multiple parts of the operating system, and in many cases it can hide its files, registry entries, running processes and services, making the infection virtually impossible to find and remove without causing operating system damage.

Once infected by this type of malware, the chances of a safe system recovery are essentially non-existent. The installation of such malware invariably leads to a critically disabled PC. A reformat and a system re-install are more than likely in the cards. (A good reason to have multiple partitions on your Hard Drive).

Yes, I know, there are literally hundreds of sites that will walk you through the process of attempting to eliminate this type of scourge, but simply put – if your computer becomes infected with the current scareware circulating on the Internet, you are, in most cases, wasting your time attempting to save your system.

If you doubt this, take a look at “My scareware night and how McAfee lost a customer”, in which the author (Larry Dignan of ZDNet), describes a system recovery attempt which was ultimately successful, but…..

The best advice? Have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage.

If you have become infected by scareware (rogue software), and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and advice you will need to attempt removal.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix – available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software:

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet Browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on, that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.

Additional precautions you can take to protect your computer system:

When surfing the web: Stop. Think. Click.

Don’t open unknown email attachments

Don’t run programs of unknown origin

Disable hidden filename extensions

Keep all applications (including your operating system) patched

Turn off your computer or disconnect from the network when not in use

Disable Java, JavaScript, and ActiveX if possible

Disable scripting features in email programs

Make regular backups of critical data

Make a boot disk in case your computer is damaged or compromised

Turn off file and printer sharing on the computer.

Install a personal firewall on the computer.

Install anti-virus/anti-spyware software and ensure it is configured to automatically update when you are connected to the Internet

Ensure the anti-virus software scans all email attachments

If you enjoyed this article, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.

4 Comments

Filed under Anti-Malware Tools, Browser add-ons, Don't Get Scammed, Don't Get Hacked, downloads, Firefox Add-ons, Free Anti-malware Software, Freeware, Internet Explorer Add-ons, Internet Security Alerts, Malware Advisories, Manual Malware Removal, Recommended Web Sites, Rogue Software, Rogue Software Removal Tips, Windows Tips and Tools, WOT (Web of Trust)

MalwareBytes Accuses IObit of Theft

IObit is offering their anti-malware application for free until November 11. On the face of it, I considered this good news.

That is, until a reader informed me that MalwareBytes, the developers of the highly regarded MalwareBytes Anti-malware application, announced yesterday that they have developed evidence that IObit “is stealing and incorporating” their “proprietary database and intellectual property into their software”.

You may want to read this claim from MalwareBytes here. In the meantime, I recommend that you consider the implications carefully before downloading this “free” offer.

If this accusation is true, and it appears to be, based on MalwareBytes’ investigation, I don’t think it’s appropriate to support such reprehensible behavior. As I said earlier, consider the implications: downloading this free offer is tacit support of this kind of behavior.

MalwareBytes offers a free anti-malware solution that is recognized as one of the premier products in the field, and they deserve our support. If you would like to take a stand against theft of intellectual property, you may want to consider the following course of action as suggested by Malware Bytes.

“If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed”.


9 Comments

Filed under downloads, Freeware, internet scams, Windows Tips and Tools

SafeFighter Fake Antivirus – PandaLabs Takes a Look

Courtesy of Panda Security.

PandaLabs’ report this week focuses on two Trojans, and a new fake antivirus.

SafeFighter is a new fake antivirus.

Like other malware of this kind, it tries to fool users by displaying false infections, remote connections and vulnerabilities that do not exist. If users fall for the trap, they are directed to a screen where their credit card details are requested to carry out the transaction. This way, as well as obtaining money for a service that will never be provided, cyber-crooks steal users’ credit card details.

Removal help for this nasty is further on in this article.

Spammer.ANT is a Trojan that passes itself off as a Microsoft program.

Once run, it copies itself to the system and loads itself to memory under the name reader_s.exe. It then carries out remote connections and spams users, trying to get them to believe the messages received are from an online store.

The spam message carries a compressed attachment containing an executable called open.exe. When that executable is run, AntivirusPro2010 (a fake security solution discussed in an earlier post) is installed on the computer.

The other Trojan in this report is Sinowal.WOE.

It reaches computers through email, and passes itself off as a Microsoft Word document. Once installed, it collects as much information as it can from the infected user.

Additionally, when the user opens the browser, the Trojan connects to a server where Sinowal.WOE stores the victim’s information, and downloads the AntivirusPro2010 fake security solution.
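The two delivery tricks described above, Spammer.ANT’s compressed attachment carrying open.exe and Sinowal.WOE’s executable posing as a Word document, can be caught with a little attachment triage. The Python below is an added example for this post, not code from PandaLabs or from this blog. It parses a message, looks at the first bytes of each attachment and of each file inside a ZIP, and flags three things: an outright executable extension, a document extension hidden in front of an executable one (the trick that the “hidden filename extensions” precaution exists to expose), and an MZ header (a Windows PE executable) behind a non-executable name. Each archive member is read only up to a few kilobytes, so a decompression bomb cannot exhaust memory. The sample messages, the file names open.exe, statement.doc and invoice.doc.exe, and the stub PE bytes are all constructed for this example.

```python
"""Triage e-mail attachments for disguised executables.

Added example for this post; not code from PandaLabs or the blog author.
The sample messages and file names below are constructed.
"""
from __future__ import annotations

import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs directly, and extensions that look like harmless documents.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg"}
HEAD_BYTES = 4096  # enough for magic-byte checks; bounds the read of each archive member


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def classify_file(name: str, head: bytes) -> list[str]:
    """Return the reasons a file name plus its first bytes look like a disguised executable."""
    reasons = []
    ext = _ext(name)
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    # "invoice.doc.exe": with extensions hidden, Explorer shows this as "invoice.doc".
    parts = name.lower().split(".")
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS and "." + parts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension")
    # Content contradicts the name: "MZ" is the header of every Windows PE executable.
    if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header but non-executable extension")
    return reasons


def inspect_attachment(name: str, data: bytes) -> list[tuple[str, str]]:
    """Classify one attachment and, if it is a ZIP, each file inside it."""
    findings = [(name, r) for r in classify_file(name, data[:HEAD_BYTES])]
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    with zf.open(info) as member:
                        head = member.read(HEAD_BYTES)  # bounded: never inflate the whole member
                    findings.extend(
                        (f"{name}!{info.filename}", r) for r in classify_file(info.filename, head)
                    )
        except zipfile.BadZipFile:
            findings.append((name, "ZIP signature but archive does not parse"))
    return findings


def triage_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 822 message and return (attachment path, reason) findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(part.get_filename() or "(unnamed)", payload))
    return findings


# --- constructed samples (not real malware) ---------------------------------
FAKE_PE = b"MZ" + b"\x00" * 62  # only the header matters for this check


def _zip_of(member_name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def _build_sample(filename: str, data: bytes, subject: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "orders@shop.example"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Thank you for your order. Details are attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLE_SPAMMER_ANT = _build_sample("order.zip", _zip_of("open.exe", FAKE_PE), "Your order")
SAMPLE_SINOWAL = _build_sample("statement.doc", FAKE_PE, "Your account statement")
SAMPLE_DOUBLE_EXT = _build_sample("invoice.doc.exe", FAKE_PE, "Invoice")
SAMPLE_BENIGN = _build_sample("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, "Holiday photo")

if __name__ == "__main__":
    for label, raw in [("Spammer.ANT-style", SAMPLE_SPAMMER_ANT), ("Sinowal.WOE-style", SAMPLE_SINOWAL),
                       ("double extension", SAMPLE_DOUBLE_EXT), ("benign", SAMPLE_BENIGN)]:
        print(label, "->", triage_message(raw) or "clean")
```

Run it as a script and the Spammer.ANT-style message is flagged on the executable inside the archive, the Sinowal.WOE-style one on the PE header behind a .doc name, and the JPEG is reported clean. The magic-byte check is the part worth keeping: a name-only rule is defeated by hiding extensions, but a PE file starts with MZ whatever it is called.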

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

SafeFighter and AntivirusPro 2010 Removal:

If you have become infected by AntivirusPro 2010, SafeFighter, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and the advice you will need to attempt removal.

Click here to download free SUPERAntiSpyware to remove AntiVirusPro 2010.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix, available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.


2 Comments

Filed under Antivirus Applications, Don't Get Scammed, Don't Get Hacked, downloads, Email, email scams, Firefox Add-ons, Free Anti-malware Software, Freeware, internet scams, Internet Security Alerts, Malware Advisories, Online Safety, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, scareware, Scareware Removal Tips, Software, System Security, trojans, Viruses, Windows Tips and Tools

AntivirusPro 2010 – PandaLabs Takes a Look

Courtesy of Panda Security.

PandaLabs’ report this week focuses on two banker Trojans and a fake antivirus.

This week, Panda Security takes a look at AntivirusPro 2010. Once the user is infected with this malware, a warning appears informing the user that the computer is infected.

Soon after, a false scan is run.

The scan results claim that the PC is full of malware, and frequent pop-ups are displayed. This fake antivirus tries to get users to register and pay for what it claims is an ‘antivirus service’.

Since this antivirus is a fake antivirus, users end up paying for a product that does not exist, as well as revealing their bank details to cyber-crooks.

Removal help for this nasty is further on in this article.

Trj/Nabload.DNU is a banker Trojan designed to download several Trojans that steal the bank details entered by users on their systems. When the file is run, an image is displayed on the screen, so users do not see the malware being downloaded.

While a video related to the image is displayed on the screen, the Trojan attempts to download the other banker malware from a URL.

Banker Trojan, Trj/SilentBanker.D, modifies users’ bank transfer details, so that cyber-crooks receive the transfer instead of the intended recipient.

When run, it deletes itself, so the system appears unmodified; it displays no messages or infection warnings on the computer. Once the computer is infected, it hooks several Windows API functions and uses them to fulfill its designed purpose.

While the Trojan intercepts bank transfers and modifies the details, users are shown a false web page that resembles the original, with the details they have entered. On confirming the operation, users are unwittingly sending the money to the cyber-crook’s account.

More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.

AntivirusPro 2010 Removal:

If you have become infected by AntivirusPro 2010, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools, and the competency, to determine if the infection can be removed without causing system damage. Computer technicians do not provide services at no cost, so be prepared for the costs involved.

If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.

The following free resources can provide tools and the advice you will need to attempt removal.

Click here to download free SUPERAntiSpyware to remove AntiVirusPro 2010.

Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.

411 Spyware – a site that specializes in malware removal. I highly recommend this site.

Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.

SmitFraudFix, available for download at Geekstogo is a free tool that is continuously updated to assist victims of rogue security applications.

What you can do to reduce the chances of infecting your system with rogue software.

Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.

Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.

Install an Internet browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on that offers substantial protection against questionable or unsafe websites.

Do not click on unsolicited invitations to download software of any kind.


3 Comments

Filed under Anti-Malware Tools, Don't Get Scammed, Don't Get Hacked, downloads, Freeware, Internet Security Alerts, Malware Advisories, Online Safety, Panda Security, PandaLabs, Rogue Software, Rogue Software Removal Tips, Scareware Removal Tips, Software, System Security, trojans, Viruses, Windows Tips and Tools, worms