Courtesy of Panda Security.
PandaLabs’ report this week focuses on a worm, a fake antivirus, a Trojan and a traditional virus.
The new fake antivirus we are looking at this week is called Alpha Antivirus. Like many of its kind, it tries to fool users by displaying fake infections, false remote connections, or non-existent vulnerabilities.
It then encourages users to buy a fake security suite. Since the product is a fake, users end up paying for something that does not exist, as well as handing their bank details to cyber-crooks.
Removal help for this nasty is further on in this article.
JokR.A is a script worm that leaves a visible sign of infection for users to see. To spread, it copies itself under the name Th3_jOkEr.vbs, together with a hidden autorun.inf file, to all drives and to the Windows folder.
The autorun.inf file makes the worm run whenever users open these drives. It also copies itself to removable drives to increase its chances of propagation. The worm makes a series of registry entries to ensure it runs on every system start-up, and displays the following warning: “Thanks for your participation”, “My virus is now on your computer, so thank you for your the participation with your friends 🙂 !)”.
It also inserts the following text in the Internet Explorer header: “Hacked By Yassine [Th3_jOkEr] …:::… Fuck You …:::…”. It is difficult to see in the following image, but the IE header has been changed.
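The propagation trick described above (a hidden autorun.inf placed beside the script on every drive) can be checked for from the defender's side. The following is an added example, not code from PandaLabs or from this blog: it parses the text of an autorun.inf file and flags any launch directive that points at a script host or script file, then applies that check to a list of drive roots. The sample autorun.inf content is constructed for illustration and is not a real capture.

```python
"""Added example: flag autorun.inf files that launch scripts (as JokR.A does)."""
import os

# Directives that autorun.inf uses to launch a program when a drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")

# Constructed sample modelled on the worm description (not a real capture).
SAMPLE_AUTORUN = """[autorun]
open=wscript.exe Th3_jOkEr.vbs
shell\\open\\command=wscript.exe Th3_jOkEr.vbs
shell\\explore\\command=wscript.exe Th3_jOkEr.vbs
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def _base_no_ext(token):
    """'c:\\windows\\wscript.exe' -> 'wscript' (handles both slash styles)."""
    return token.replace("\\", "/").rsplit("/", 1)[-1].split(".")[0]


def find_script_launchers(autorun_text):
    """Return (directive, value) pairs from the [autorun] section that run a
    script file or a script host. Lines that are not key=value are skipped,
    since malicious autorun.inf files often contain filler to confuse parsers."""
    findings, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command entries also launch programs, so treat them alike.
        if key not in LAUNCH_KEYS and not key.startswith("shell\\"):
            continue
        tokens = value.lower().replace('"', " ").split()
        if any(t.endswith(SCRIPT_EXTS) or _base_no_ext(t) in SCRIPT_HOSTS for t in tokens):
            findings.append((key, value))
    return findings


def scan_drive_roots(roots):
    """Map each root (e.g. 'E:\\\\' on Windows) with a script-launching
    autorun.inf to its findings. Hidden files are read like any other."""
    report = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                hits = find_script_launchers(fh.read())
            if hits:
                report[root] = hits
    return report
```

Running `scan_drive_roots` over every mounted drive root is the practical use; a hit is a strong indicator of an autorun-based script worm and the named script should be quarantined, not opened.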
Finally, we want to mention a Trojan and a virus associated with an email with the subject Convocatoria en la Audiencia (Summons to the Central Criminal Court). The message has an attached file that looks like a PDF but in reality has the “scr” extension.
On opening the file that supposedly contains the summons, users are taken to the official website of the Spanish National Police, while a second connection is made to a page from which the Banker.LYI Trojan and the Induc.A virus are downloaded and installed.
Banker.LYI is a banker Trojan that targets a specific Spanish bank. It steals the bank details entered by users and uses the Outlook address book to redistribute the same message to all of the infected user’s contacts.
Induc.A is a virus written in Delphi. The first thing it does is search the computer for installed versions of the Borland Delphi compiler (4, 5, 6 or 7). If it finds one, the virus inserts code so that all files compiled with those versions become infected.
More information about these and other malicious codes is available in the Panda Security Encyclopedia. You can also follow Panda Security’s online activity on its Twitter and PandaLabs blog.
Alpha Antivirus Removal:
If you have become infected by Alpha Antivirus, or other scareware (rogue software), have your PC worked on by a certified computer technician, who will have the tools and the competency to determine whether the infection can be removed without causing system damage. Computer technicians do not work for free, so be prepared for the costs involved.
If you feel you have the necessary skills, and you want to try your hand at removal, then by all means do so.
The following free resources can provide tools and the advice you will need to attempt removal.
Malwarebytes, a very reliable anti-malware company, offers a free version of Malwarebytes’ Anti-Malware, a highly rated anti-malware application which is capable of removing many newer rogue applications.
411 Spyware – a site that specializes in malware removal. I highly recommend this site.
Bleeping Computer – a web site where help is available for many computer related problems, including the removal of rogue software. This is another site I highly recommend.
SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.
What you can do to reduce the chances of infecting your system with rogue software.
Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.
Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications.
Install an Internet browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on that offers substantial protection against questionable or unsafe websites.
Do not click on unsolicited invitations to download software of any kind.