
400,000 PCs Infected With Fake "Antivirus 2009" 353

nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."
  • Malwarebytes (Score:5, Informative)

    by oahazmatt ( 868057 ) on Wednesday December 31, 2008 @05:23PM (#26285119) Journal
    At my job, we've used Malwarebytes to fix about 200 PCs with this so far. It's a good alternative.
  • What a pain... (Score:4, Informative)

    by Chabo ( 880571 ) on Wednesday December 31, 2008 @05:24PM (#26285127) Homepage Journal
    I was tasked with getting this thing off my mom's laptop. That was tougher than any other piece of malware I've ever dealt with.

    I also had to convince my dad that there was no easy way to sue the "manufacturer" of this program.
  • Agree! (Score:3, Informative)

    by MxTxL ( 307166 ) on Wednesday December 31, 2008 @05:28PM (#26285173)

    Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes it right off.

  • by transporter_ii ( 986545 ) on Wednesday December 31, 2008 @05:37PM (#26285261) Homepage
    Particularly bad virus. It blocked all antivirus web sites and even blocked programs on the computer. I could put Spybot Search and Destroy on the computer, but it wouldn't even start. What I finally had to do was rename combofix.exe to something else like fix.exe, and then it ran and removed MS Antivirus 2009. I did try Malwarebytes, but it wouldn't even install, even if I renamed it.
  • family tech support (Score:5, Informative)

    by EpsCylonB ( 307640 ) <eps.epscylonb@com> on Wednesday December 31, 2008 @05:40PM (#26285297) Homepage

    Yep, got called round to my brother's house to fix his computer cos it had this stuff on it.

    I don't know exactly what it was supposed to be doing, the computer would boot up into winxp and then just freeze. Safe mode worked but safe mode with networking did not, so I guess it was calling home somewhere (thinking about it now I should have just unplugged the network cable to see if that stopped the computer freezing).

    Anyways I didn't have any stuff with me and without net access I decided the path of least resistance was to reinstall windows (my brother did not have anything he wanted to keep).

    I should have brought round a ubuntu live cd with me.

  • by TheGeniusIsOut ( 1282110 ) on Wednesday December 31, 2008 @05:43PM (#26285355)
    I do not have anti-virus/spyware/malware software installed, the only firewall I have is in my router, my computer is on and connected nearly 24/7, and I have not gotten any viruses/malware/spyware in at least 3 years. Windows XP fully updated, careful browsing/downloading habits, and liberal use of free online scanners for suspicious software before execution has served me well. The problem is too many people are click happy and ignore common sense, basic safe computing habits, and in general are looking for a quick fix they don't have to think about. This leads to people falling prey to the pop-up ads claiming their computer is infected so they can download the latest botnet zombification software. Up until a year ago, I was having to clean my sister's PC on a weekly to monthly basis due to all the crap she downloaded off the internet. After convincing her to try the safe habits I practice for a month, in which time her computer worked perfectly, she realized she was the source of her computer problems and corrected her attitude towards computer security, with no problems to this day.
  • Re:Agree! (Score:5, Informative)

    by enharmonix ( 988983 ) <enharmonix+slashdot@gmail.com> on Wednesday December 31, 2008 @05:45PM (#26285361)

    Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes it right off.

    I swear by them. In fact, I removed Symantec AV from my computer (since it only protects against exploits nobody uses anymore and slows your PC down more than any virus). I use Windows Defender to monitor system changes and do periodic sweeps w/ Malwarebytes. System is much faster now and still clean.

  • Re:Malwarebytes (Score:1, Informative)

    by lejflo ( 1384329 ) on Wednesday December 31, 2008 @05:47PM (#26285389)

    For the general malware infection, finding out what reg entries and what files to delete requires:

    1. Doing a Google search for symptoms
    2. Reading through a LOT of forums/pages to figure out what you have.
    3. Manually scouring your filesystem and registry for the culprits/doing many other steps that you found from the aforementioned search.
    4. Crossing your fingers and hoping that you followed the appropriate instructions.

    Contrast to Malwarebytes:

    1. Start up the program.
    2. Run the update (as needed).
    3. Start the scan.
    4. Go do something more fun (like, e.g., posting on /.).

    I LOVE Malwarebytes. It saves me so much time, and it has, on occasion, found stuff I had no idea was even on my computer.

  • by PCM2 ( 4486 ) on Wednesday December 31, 2008 @05:50PM (#26285425) Homepage

    nobody I know actually uses MSRT

    You might be surprised. The version of MSRT that comes from Windows Update runs in the background once a month and only alerts you when it notices a problem. I've never knowingly run it, but sure enough, if I check my Windows Update history I've installed the December edition.

    On a side note, maybe this explains the persistent disk thrashing episodes I still get with Vista, maybe once a month or so...

  • Re:Malwarebytes (Score:1, Informative)

    by Anonymous Coward on Wednesday December 31, 2008 @05:52PM (#26285443)

    We use ComboFix for Antivirus 2009, but we have been using Malwarebytes for the new kid in town, called Antivirus 360. It's relatively the same thing as AV2009, but AV360 also has a script or something preventing certain .exe files from running, like ComboFix and SDFix and Malwarebytes. I usually just rename the exe and it works fine, but yeah, I've probably removed this crap off of a few hundred machines myself and never thought of using MSRT.

  • Re:Malwarebytes (Score:1, Informative)

    by Anonymous Coward on Wednesday December 31, 2008 @05:57PM (#26285491)

    Some of the trickier ones will include themselves as part of winlogon, and winlogon is stupid enough to blow up if a dll listed in the registry to load fails. Becomes a tricky game of using sysinternals utils to nuke the right files and reg keys on boot before winlogon runs.

  • Re:Malwarebytes (Score:4, Informative)

    by Endo13 ( 1000782 ) on Wednesday December 31, 2008 @06:03PM (#26285551)

    That's what Unlocker is for. http://ccollomb.free.fr/unlocker/

  • Re:Malwarebytes (Score:5, Informative)

    by Endo13 ( 1000782 ) on Wednesday December 31, 2008 @06:11PM (#26285637)

    Try this instead.

    1. Run HijackThis and look for any suspicious startup entries. Even the average computer user will be able to rule out most entries as things they recognize, meaning you won't have to google more than a handful, which will probably take 5-10 minutes at the most.
    2. Install Unlocker. http://ccollomb.free.fr/unlocker/
    3. Browse to locations of files linked to by suspicious startup entries. Check date created.
    4. Go to Windows directory, sort files by date, google suspicious files found since above date. Remove files confirmed to be malware or files for which you cannot find any information. (If you can't find any info on them, they're either randomly generated malware names, or malware too new to show up yet in a search.)
    5. Do the same in Windows\System32.
    6. Run a system cleanup to delete all Temp files and Temporary Internet Files.
    7. Now delete the original malware folder.
    8. Delete the startup entries with HijackThis.
    9. Restart computer. Should be clean.

    The best part is, this will work with virtually *any* malware infection, and will generally catch things that even Malwarebytes misses.
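    An added triage script for the manual procedure above (not the poster's own code, and independent of HijackThis): it lists the Run-key startup entries with each target's creation date and Authenticode signature status, then lists files under the Windows and System32 directories created since a cutoff date, which makes the "sort files by date" pass reproducible. It assumes an elevated PowerShell prompt; `$Since` is a placeholder cutoff you set to the creation date found for the suspicious file.

```powershell
# Startup-entry and new-file triage (added example; run from an elevated prompt).
# $Since is a placeholder: set it to the creation date of the suspicious file.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a Run value such as:
#   "C:\dir\app.exe" /arg      or      C:\dir\app.exe /arg
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

Write-Host "== Startup entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata (PSPath, PSParentPath, ...) that Get-ItemProperty adds
        if ($p.Name -like 'PS*') { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$p.Value)))
        if (Test-Path $exe) {
            $f   = Get-Item $exe
            $sig = Get-AuthenticodeSignature $exe
            $info = "created {0:yyyy-MM-dd HH:mm}  signature={1}" -f $f.CreationTime, $sig.Status
        } else {
            $info = "FILE MISSING"
        }
        "{0}\{1} -> {2}  [{3}]" -f $key, $p.Name, $exe, $info
    }
}

Write-Host "`n== Files in Windows and System32 created since $Since =="
$dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since } |
        Sort-Object CreationTime |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature $_.FullName
            "{0:yyyy-MM-dd HH:mm}  {1,-12}  {2}" -f $_.CreationTime, $sig.Status, $_.FullName
        }
}
```

    Unsigned or missing files that appear in both lists are the ones worth looking up before deletion; a valid signature is not proof of innocence but rules out most of the noise.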

  • Re:Malwarebytes (Score:5, Informative)

    by cbiltcliffe ( 186293 ) on Wednesday December 31, 2008 @06:13PM (#26285665) Homepage Journal

    This doesn't work with some variants I've seen. The malware is running as the system, but there are also components that are running as the current user.

    Set the permissions to deny SYSTEM access to that key, and the user components change the permissions back before you can delete the key. Killing the user components is useless, as the system components restart them. Killing the system components blue screens the machine, as some are linked into winlogon, and you can't kill that.

    Denying your own user write access to the startup keys to get around all this is, obviously, useless.

    Offline scan/deletion is the only way to go with this crap.

  • by Lumpy ( 12016 ) on Wednesday December 31, 2008 @06:15PM (#26285683) Homepage

    Rename the Spybot exe. You can do the same with HijackThis.

    That way you can eradicate the registry entries, then DO NOT REBOOT but yank the power cord.

    Most ickies will rewrite their registry entries when they see a shutdown started.

    Avast! free home edition has protected against that nasty ever since they updated the name from 2008 to 2009.

  • Nope. Try a little research, please. This program spreads through two methods, Trojans and scareware (tricking the user into thinking that his computer is infected, so he buys and installs AV2k9 as a "fix"). Such software can do anything the user can (which, provided you run the program with root/Administrator credentials - like you would if installing something - is anything at all).

    In either case, it's a simple matter of Problem Exists Between Keyboard And Chair. The prevalence of malware for Windows does make scareware more likely to work, but in the end it's still a matter of the user telling the OS to do something stupid (run a malicious program) and the OS obeying just like it's supposed to.

  • by cbhacking ( 979169 ) <been_out_cruisin ... AT yahoo DOT com> on Wednesday December 31, 2008 @06:47PM (#26286023) Homepage Journal

    The malware may try and stop Windows Update from running (many of them do). For that matter, the kind of people likely to install something like this (it spreads either through Trojans or as scareware, not through system exploits) are probably statistically more likely to have Windows Update turned off entirely. For that matter, this isn't a worm that spreads automatically - it takes substantial user error to get infected in the first place.

    All this means that the only infections the MSRT can get to were either not fully compromised (yet) or the user did something tricky (like downloading the MSRT to another computer, renaming the executable, and running it from a flash drive). Considering that, 400,000 is actually a lot for a well-known and reactive (not proactive) tool like the MSRT.

  • Re:Malwarebytes (Score:3, Informative)

    by fuzzyfuzzyfungus ( 1223518 ) on Wednesday December 31, 2008 @07:07PM (#26286201) Journal
    Obviously not much use for home users and very small outfits; but it is situations like that where imaging tools are far more useful.

    Well, let's see: I could spend who knows how long poking at this, in the hope that I might end up with a clean system (as opposed to a more subtly infected one), or I could just send down an image, and have the system running like new in 20 minutes, 18 of them unattended. Not a hard choice.

    Take off and nuke the site from orbit, it's the only way to be sure.
  • Re:Agree! (Score:3, Informative)

    by cjb658 ( 1235986 ) on Wednesday December 31, 2008 @07:11PM (#26286239) Journal

    Yup, and AV 2009 is about the worst spyware there is. It installs a God damn driver just so that DNS queries to antivirus sites don't resolve, even though your hosts file stays clean.

  • by st0rmshad0w ( 412661 ) on Wednesday December 31, 2008 @07:34PM (#26286443)

    Yeah, good luck catching rootkits with an online scanner. If you can even get to one once the malware takes over your network stack.

    And is that router of yours just a Linksys NAT router or a real UTP device?

    Spend a few years fighting this stuff pretty much full time and you'll see how foolish your assumptions are about both the ability of this stuff to find a way into your system, and your ability to detect it and kill it once it's there.

  • by madhurms ( 736552 ) on Wednesday December 31, 2008 @07:42PM (#26286493)
    I think they quarantine it (by default) instead of completely deleting it. Unless they have changed this recently.
  • by st0rmshad0w ( 412661 ) on Wednesday December 31, 2008 @07:49PM (#26286561)

    From the CBL a few months back:

    News Alert - 2008/09/22 - A/V is not keeping up
    It has become apparent that reliance on Anti-virus software for protection against spam bots is increasingly ineffective, and is reaching "disaster" status.

    A large non-profit security organization has recently reported that only 23% of the 30,000 "unique" infections they see per day are detected by _any_ of 35 of the most popular A/V products, and the percentage only reaches 50% after the infections have been in the wild for a month. And this includes well-known long standing botnets like Srizbi or Storm.

    Many of our correspondents have told us that they've run a whole battery of A/V products on infected machines that are provably infected with a known bot (by the email they emit), and not found anything.

    Given the failure of A/V to help identify/eradicate infections, we can only continue to assert that the best way to prevent bot emission (and CBL detection) is to secure your networks so that ONLY mail servers can send email to the Internet.

    Spam bots are out-pacing AV software by leaps and bounds.

  • by pjp6259 ( 142654 ) on Wednesday December 31, 2008 @07:49PM (#26286569) Homepage

    I'm not sure how this happened. Our personal little website (prestopnik.com) got hit by these guys. They put some redirect rules into our .htaccess file, such that if you were visiting our site from one of about 6 different domains, it redirected you to their site. We didn't see it for a long time, because we usually just visit our site directly, but if you were coming from a link in Yahoo mail, or found it via Google or something, you got redirected.

    Our hosting tech support said one of our computers was infected, but from looking online, I didn't see signs of an infection on our side, but I'm still not 100% sure what happened, and if we are clean now. I think we run on our shared machine for hosting (linux though), maybe they got in like that?

  • Re:Malwarebytes (Score:3, Informative)

    by pdawson ( 89236 ) on Wednesday December 31, 2008 @08:09PM (#26286779)

    Process Explorer is your answer to this, from Sysinternals. Suspend, not kill, all the problem processes, then go into properties for winlogon, explorer, etc. and the problem dlls will have their own threads inside the process. Suspend the individual threads, then go back and kill everything you suspended. Memory is now clean; go kill the problem files off disk and out of startup entries, then reboot.

  • They may have keylogged you, and got your password to the hosting machine...
    Or they could have exploited vulnerable webapps on it...
    Unusual for a Linux hosted website to get hit by something like this, but not unheard of. You need to make sure the machine wasn't rooted though, and reinstall if it was.

  • Use Secunia's PSI (Score:2, Informative)

    by rwwyatt ( 963545 ) on Wednesday December 31, 2008 @09:30PM (#26287495)
    It is simply the best solution I have seen on the market. I use a variety of solutions, and the best I have found so far is Spybot Search and Destroy along with PSI. I can even browse porn with Windows now... Imagine that..
  • Depends (Score:4, Informative)

    by Sycraft-fu ( 314770 ) on Wednesday December 31, 2008 @09:56PM (#26287685)

    Some do, some don't, some are configurable. A lot of companies want their tools to check in so that they can measure how widespread something is and react accordingly. For example NOD32 can be configured anywhere from submitting no information to submitting anonymous statistics as well as files it flags as potentially unsafe but can't identify. They want the information because it helps them better update their virus database and respond to new threats faster.

    Also many corporate AV/AM products can do very full reporting back to the central server. They'll check in and say when they ran, what they found, where it was, etc.

  • Re:Malwarebytes (Score:1, Informative)

    by Anonymous Coward on Thursday January 01, 2009 @02:04AM (#26288975)
    I have no need to remove this crap offline. All I end up doing is installing a program called Unlocker and using Autoruns to home in on these files. If it is hooked into winlogon, the machine will bluescreen, but the threat will be removed before it does. As for Antivirus 2009, god only knows how many times I have seen it and how many times I will see it in the future.
  • Beyond Annoying (Score:3, Informative)

    by Coopjust ( 872796 ) on Thursday January 01, 2009 @04:00AM (#26289433)
    Back when it was Antivirus 2008 (and earlier) it was pretty easy to remove (relatively). Kill two processes at once via process explorer (so the tree dies and the other process doesn't revive the killed process), remove some registry and startup entries.

    I just had to deal with a new version (friend's PC) - Spyware Guard 2008. What a pain in the ass. This version installed a rootkit, a device driver, locked the HOSTS file, added hidden registry entries, hidden services, parent and child services, downloading stubs to update it to stop detection... antiviruses stopped updating.

    I was determined to kill it though. I got SuperAntiSpyware Free edition - free for personal use. Picked up all of the entries (rootkit, files, registry, etc.) and removed them after a reboot, no safe mode necessary. A standalone A/V scan (McAfee boot disc with latest definitions, and a rootkit scan from an OS outside of Windows) turned out clean, which impressed me.

    I've also used Malwarebytes on a few PCs - very efficient and effective. I have to PayPal some money to these developers, as these two tools are great and allow even users who were deceived into running this crap to disinfect their own PCs. It also makes a techie's job much easier - a few minutes of running tools versus hours of trying to hack at the thing manually.

    I hope whoever is contributing to this P.I.T.A. malware has karma bite them in the ass.
  • by adminstring ( 608310 ) on Thursday January 01, 2009 @08:11AM (#26290071)
    The question of whether 9x "rides on top of" DOS is related to the two somewhat distinct issues of the use of DOS during the boot process, and support for DOS device drivers once Windows 95 has booted.

    To me, the fact that the DOS 7 kernel IO.SYS is used to bootstrap Windows 95 does not indicate that 9x "rides on top of DOS" any more than the fact that LILO or GRUB might be used to bootstrap Linux means that Linux "rides on top of" LILO or GRUB.

    The fact that legacy DOS device drivers can be loaded during the real-mode portion of the 9x boot process (but need not be kept around afterwards, and by default are not) only indicates that Windows has been designed to tolerate DOS device drivers in order to provide backwards compatibility.

    This is a big difference between 9x and 3.x, which requires DOS drivers for sound and CDROM support. This is also the biggest difference between 9x and NT as regards DOS support - NT will not tolerate legacy DOS device drivers at all. This fact makes it perfectly clear that NT does not "ride on top of" DOS, while the fact that 9x is built to tolerate DOS drivers muddies the waters as to whether or not 9x "rides on top of" DOS. To me, the fact that these legacy drivers are not required indicates that 9x is an OS rather than a GUI, and that is the point I was getting at with the CD-ROM driver example.

    Taking this reasoning a step farther, the fact that 32-bit hard disk drivers are available under Windows 3.1 leads some to consider 3.1 itself to be somewhat of an OS (or, along with DOS, one of the two components of an OS) rather than simply a GUI, because previous GUIs such as GEM for DOS had no device drivers of their own and relied entirely on DOS for driver support. There is some merit to this argument, and my take on the situation is that there isn't a clear line between GUI and OS where early versions of Windows are concerned, but rather a gradual shift from total reliance on and tolerance of DOS for bootstrapping and drivers in early versions of Windows (which were mere window managers like GEM) to a total lack of reliance on DOS code for these functions in later versions starting with NT 3.1, which first used NTLDR to begin the boot process. Windows 95's place on this spectrum is that it requires some DOS code to boot, but afterwards doesn't require any non-32-bit device drivers at all.

    If, when we say that Windows 3.11 "rides on top of" DOS 6, we mean that Windows 3.11 is an application environment which takes advantage of the filesystem and driver support provided by DOS, I don't think that we can accurately say the same thing about Windows 95, which is an OS with a 32-bit kernel and some 16-bit components which uses DOS for bootstrapping but does not need any DOS filesystem or driver support once it's up and running. To me this doesn't equate to having DOS "hiding underneath" Windows 9x. It seems more accurate to me to say that Windows 9x has built-in support for DOS drivers and apps for backwards-compatibility reasons, and uses it during the boot process.
