Security Software Windows Technology

New Malware Simulates Hard Drive Failure

Posted by timothy
from the just-a-healthy-reminder dept.
An anonymous reader writes "A nasty strain of malware goes beyond mere sensational alerts, it makes it seem the user's hard drive is failing. It moves files from All Users and the current Windows user's profile into a temporary location, making it appear as though problems with the hard drive are causing files to disappear. It also disables a user's ability to change wallpaper images and sets registry keys to hide certain icons — giving the impression that programs are going missing as well. Of course, it's all done in an attempt to get people to buy the software that will fix it."
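The summary describes two things a responder can check for directly rather than inferring from symptoms: Explorer policy values that hide desktop icons and block wallpaper changes, and user documents relocated under a temporary directory. The following PowerShell audit is an added example, not code from the article or from any vendor; the policy key paths and value names (NoDesktop, NoChangingWallPaper) are real Windows policy locations, but the summary does not name which values this particular malware sets, so treating them as the ones to check is an assumption. It is read-only and reports only; reverting the values and moving the files back is left to the responder.

```powershell
# Added example (not from the article): read-only audit for the two effects
# the summary describes, plus a listing of user documents sitting in %TEMP%.
# ASSUMPTION: the malware sets these standard Explorer policy values; the
# summary says only that it "sets registry keys to hide certain icons".
$checks = @(
    @{ Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name    = 'NoDesktop'
       Meaning = 'hides all desktop icons' },
    @{ Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       Name    = 'NoChangingWallPaper'
       Meaning = 'blocks changing the wallpaper' }
)

foreach ($c in $checks) {
    # -ErrorAction SilentlyContinue: the key or value normally does not exist
    # on a clean user profile, and that absence is the "ok" case.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq 1) {
        Write-Output ("SUSPECT: {0}\{1} = 1 ({2})" -f $c.Path, $c.Name, $c.Meaning)
    } else {
        Write-Output ("ok: {0}\{1} not set" -f $c.Path, $c.Name)
    }
}

# The summary says profile files are moved to a "temporary location". A move
# within the same volume keeps the file's timestamps, so filtering by date
# would miss them; filter by document extensions instead (ASSUMPTION: the
# files keep their original extensions). Anything listed here is a candidate
# for restoration, not evidence of a failing disk.
$docExtensions = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf', '.jpg', '.png', '.lnk')
$relocated = Get-ChildItem -Path $env:TEMP -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $docExtensions -contains $_.Extension.ToLower() }

if ($relocated) {
    Write-Output ("SUSPECT: {0} document-type file(s) found under {1}" -f $relocated.Count, $env:TEMP)
    $relocated | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Output ("ok: no document-type files under {0}" -f $env:TEMP)
}
```

Run it in the affected user's session, since both policy keys live under HKCU and %TEMP% resolves per user. A clean profile prints "ok" for every line; a profile with icons hidden by policy shows the value set to 1 even though the files themselves are intact, which is the point the article makes: the disk is fine, the presentation is being manipulated.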

  • Hey buddy! (Score:5, Funny)

    by MrEricSir (398214) on Friday May 20, 2011 @08:19PM (#36197750)

    Nice computer you got there. Would be a shame if anything were to happen to it. My buddy Vinny here, he sells "protection" against these kinds of problems. You pay every week, and there ain't gonna be no problems, capiche?

    • This reminds me of a funny trick to play on somebody from back in my mainframe days...

      Create a directory with the same name as the home directory inside the user's home directory. Set a login script to place the user into that directory.

      So they try to get to their files and there's nothing there. Everything looks normal. Usually, someone with half-a-clue can figure it out pretty quickly, but it does provide that brief moment of terror that gets the blood pumping in the morning.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        That reminds me of a trick I used to play back in my mainframe days too. I'd just delete everything a user had in their directory. Man, you should have seen the look on their faces. I'll never forget the feeling of power I experienced either....

      • by MstrFool (127346)

        There was a prank going around the Gateway 2000 tech centers that I found quite amusing. Do a screenshot of the desktop, set it as the background, then move the icons to a folder. I found it really showed the clued from the clueless. Quite a few techs called for someone to fix their system. And no, I wasn't the one doing it, though I was the one to fix it many times.

        • Did that once, and once only. The butt of the joke hard booted thinking that his PC was non-responsive, fraking up his HKLU (silly registry, why?). "Last Known Working" was my friend that day....

          • by snemarch (1086057)
            HKLU - the unholy bastard child of local machine and current user; making-of flesh movie coming to a theater near YOU!
          • I never understood nor looked on with anything other than raw hate, fucking around with another person's work or personal machine. You're deciding for your personal, shallow jollies that someone else's property and time have no value other than to amuse you. Do that to mine and there will be definite and unavoidable physical violence. I will even get fired to do it.
        • Did this in HS with an admin account I found perusing the Active Directory. Except, instead of moving the icons, I used a VBScript-created error box that looked real bad, and wouldn't go away when clicked on (it was there in the screencap).

          The freshmen and teachers panicked for a few minutes, and a day or two later, that admin account was gone. But not the other two, named Test2 and Test3.
        • by SheeEttin (899897)
          Yeah, that one's timeless. There's also a variant in which you set the desktop to a broken-LCD image (i.e. corruption, garbage) and hide the icons and taskbar.
          Of course, the fact that the cursor still works would be a giveaway. (Unless you change that too--but that's a bit too much.)
        • Be careful with this if you are not 100 % sure you'll be around to uncover the prank if it gets out of hand.

          I played this once on a half computer tech, half sound tech and things went pretty bad. I hid and locked the taskbar and all the icons (on XP) and stored them in some other folder for easy recovery. But I didn't go to work the following day due to personal reasons. It turns out, this guy and an engineer went nuts over the problem and ended up going back to a recovery point.

          I neglected to tell him t

        • by tlhIngan (30335)

          The best way to do this prank is to not move ALL the icons away. Leave a few of them there so they work. It'll puzzle the hell out of them as they can't seem to figure out why some icons work (consistently, too) but others just refuse.

          You'll also find out who notices that the icons highlight.

  • by MightyMartian (840721) on Friday May 20, 2011 @08:20PM (#36197756)

    Had this one get on one of the computers I administer. Managed to poison the profile and for a brief while I thought the files had been deleted. Of course, I got the inevitable "isn't your AV and anti-malware software up to date", to which I responded "As much as can be, the user is relied upon not to be a simpering moron who clicks on every possible link."

    Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

    • by Moryath (553296)

      This is also why end-users shouldn't have install rights. Period.

      • Re: (Score:3, Insightful)

        "it's like a computer, only useless."

      • by mrnobo1024 (464702) on Friday May 20, 2011 @09:10PM (#36198142)

        That's all well and good in a corporate environment, but do you really expect every home user to have his own personal IT department?

        • by Bacon Bits (926911) on Friday May 20, 2011 @10:16PM (#36198492)

          My relatives certainly seem to think they do.

          • by Ihmhi (1206036)

            Here's what works for me. "If I were a plumber, I sure as hell wouldn't unplug your toilet for free. That's my livelihood, and the only person who gets a blank check in my business is my mom."

        • by Moryath (553296)

          No, but why should they be running as superuser just to open their email client?

          • by snemarch (1086057)

            No, but why should they be running as superuser just to open their email client?

            Beats me, that's why I have them run Vista (SP1 or later) or Win7.

            The people who are going to ignore warnings and click yes on the UAC prompts wouldn't be any safer off on other operating systems, they'd happily type in their user credentials and get their fresh copy of Mac Defender or whatever.

    • by gad_zuki! (70830) on Friday May 20, 2011 @08:58PM (#36198050)

      >Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

      Really? Care to point to some statistics showing me big holes in IE9 that are actively used by malware?

      Not much out there. Oh, there's no shortage of Java, Flash, and Adobe Reader holes, and according to stats lifted from crimepacks those are the ones used.

      I just looked at the stats on my website. 90% of those users have Java installed. How many of those are the latest version? Maybe 50%. Most of the Flash installs are not the latest version. Who knows what version of Reader they have.

      Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash. Joe User has no idea what he's doing with a computer. Blaming MS isn't really helping him.

      • by whoever57 (658626)

        Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash

        I do blame MS. Not for vulnerabilities in Flash, Java and other plugins, but for not providing an API that would allow third party programs to plug into Windows update to automatically download (which could be from the vendor's site) and install the update.

        How many different updaters does a system need? Then, there are updaters that simply don't work unless you are logged in with admin

        • by snemarch (1086057)

          If Microsoft opened up Windows Update for 3rd-party applications, how many do you reckon would actually use it?

          Yup, it would be sweet to have one central updating facility, and it's one of the few *u*x things I miss in Windows; I just don't see it ever going to work in the Windows ecosystem (an Appstore for phone/tablet might, but that wouldn't cover desktops and legacy software).

  • False alert (Score:4, Funny)

    by lucm (889690) on Friday May 20, 2011 @08:26PM (#36197800)

    A little while ago I was sure I had this malware on my computer. However the actual problem was worse: I had a Seagate hard drive.

    There is an upside with Seagate products: they taught me the importance of using RAID and/or backups.

    • Re:False alert (Score:5, Insightful)

      by LurkerXXX (667952) on Friday May 20, 2011 @08:51PM (#36197988)

      AND BACKUPS! *AND BACKUPS*!!!

      RAID is *NOT* a substitution for backups. Delete a file on the RAID and it's gone. Someone takes the machine, and it's gone.

      Back up your computer to offline media, and make sure to keep a (hopefully encrypted) copy of it at some remote location (like a family member's house, work, wherever).

      RAID IS NOT A SUBSTITUTION FOR BACKUPS!

      • by adolf (21054)

        Seconded, and furthered:

        RAID would do nothing to protect against the thing described in TFA.

        RAID only protects against hardware failure, and even then only if the failure is actually detected instead of just silently munging data.

        This is not to say that RAID is not useful: It can be a performance boost in some applications. It can provide a clever way to combine many smaller disks into one larger volume, which can also be useful in some instances. To be sure, some of the things RAID does do can be very c

  • by 3vi1 (544505) on Friday May 20, 2011 @08:31PM (#36197836)

    When web apps pop up a realistic-looking XP or Win7 window claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

    • by rtaylor (70602)

      True, but there is nothing here that couldn't be done just as easily on OSX and Linux.

      Remove users' files in standard Gnome/KDE places and futz with the .bashrc or .profile file to make the login wonky.

      • by 3vi1 (544505)

        >> True, but there is nothing here that couldn't be done just as easily on OSX and Linux.

        And tell us how you would do that? How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

        People that were conditioned to Windows might fall for it, but people that 'learned' Linux would know it's BS.

        How would you convince someone to give you the admin ID when they didn't launch an installer or app that needs a

        • How would you make a web page that convinces the user that they should click 'okay' on your installer instead of going to the system app center / repositories?

          There are a lot of people who are used to Windows, so if they switch, especially after hearing that Linux has no viruses/malware they might feel safe clicking on anything.
          Also, in my experience not all programs and drivers are in the default repositories; for example, drivers for Canon multifunction devices (the scanner part) are available as a .deb file from the Canon web site, but not on any Debian Linux repository. Which means that I (or someone else) actually have to sometimes download and run a file to ins

    • by miknix (1047580)

      Next step.. Modify the malware to prompt the user to install Linux?

    • Good reason to change the default theme in Windows too.

      • by adolf (21054)

        While I believe your advice is well-intentioned, it's really no good.

        This only works if the malware isn't using existing Windows widgets for its displays.

        If I were a Windows programmer (I'm not) and I were writing malware (good heavens!), I'd use the native toolkit for all of my dealings...just like most other software does. It's easier, that way.

        And then: Changing themes, for properly-implemented malware, would also change the look of that ill program to match.

    • by pz (113803)

      When web apps pop up a realistic looking XP or Win7 windows claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

      Good reason to not have the default color scheme on your windows box. Makes it easy to spot the fake popups.

      • by vlueboy (1799360)

        Thanks for the Java reminder: I got this new PC the other day and had meant to ensure the OEM had NOT bundled it. I had a recent Java-initiated spyware on the Vista laptop earlier in the week.

        I'd forgotten to dump the Java runtime since I used to play with the SDK. Because enterprise Java has grown ever complex and acronym-ridden, I simply stopped minding it about 2 years ago and forgot to remove its inconvenient attack vector even though I've been hit through it more than once.

        On the color schemes, I us

      • by SheeEttin (899897)
        Or, seeing the XP-styled attempts on Windows 7... that's nice too.
    • Actually, the summary reads like an April Fool's joke about Windows95.

  • It certainly takes it a step further than "your system is infected." Ironically, the system actually does appear to have a bad hard drive (bad blocks marked by CHKDSK). Customer had paid someone else to replace the hard disk a little over a month ago and showed me the receipt, but the hard disk in the machine was the same capacity as the OEM disk and had a date code indicating that it was likely not a new drive, but the one that was factory installed.

    They're just going to replace the machine since the "in

  • by jav1231 (539129)
    Windows...move along.
  • I'm so confused. Why do the antivirus / anti-malware packages out there not detect and delete these stupid things?

    I know that the stupid XP Antivirus even sets a key in the registry that marks .EXE files as "safe file"

    I assume that means that IE will then open and execute any .EXE that heads its way.

    It seems that removing these infections involves the tedious process of booting the hard drive from another machine, and manually picking it all clean.

    Only then, does the registry have to be picked thr
    • Malwarebytes has been picking up the changed registry keys on recent definitions updates. The major AV packages from Symantec and McAfee aren't effective against any of the most common malware attacks. It's quite sad to read their support forums where people complain they paid big $$$ for an endpoint protection client site license from the big vendors and the malware still goes undetected. One GOOD thing is 64-bit versions of Windows are immune from most of the nasty stuff for the time being (32-bit dlls can
    • I'm so confused. Why do the antivirus / anti-malware packages out there not detect and delete these stupid things?

      Because anti-virus and anti-malware tools are reactive.

      There will always be a lead time between when the malware hits the wild and when anti-virus and anti-malware vendors update their signature databases. That time period can range from hours to months.

      (Yet another reason to browse in a way that only whitelisted sites are allowed to do fancy things. It may be a PITA, but it drives down
  • If the company in question is linked to the trojan, can we take legal action taken against them? It looks like an open and shut case.
  • There was a virus a while back that used an extortion scheme that was similar: Encrypt the data, wipe the original, then outright sell the key. That one's kind of scary. A simple disinfection wouldn't undo the damage, and since it wouldn't depend on permanent infection it might affect any platform. This one is less upfront about it, but won't fool anyone who has any clue about computers or hard drives.

    On the other hand, maybe a lot of users are too clueless to be affected. "Help, there are all these error m

  • Operating systems are still running user applications as an administrative user? I sign into my systems as a regular user, and I execute applications as a regular user. Administrative privileges should be for approved installation and removal of applications. On the other hand, It's silly to think that in this day and age, malicious behavior isn't automatically detected by the operating system and squashed - and I don't mean by an anti-virus or anti-malware application that one needs to purchase. Operating
  • How can this still be happening!

    I run FF 4.x on an OpenSuse 11.x box and on a Windows XP box. I have actually experimented; both FF installs are default. On the Linux box the same stupid screen comes up: "scanning your hard drive, you have 99 million viruses, click OK to get rid of them."

    FF on the Linux box you click ok and FF prompts you that such and such a site wants to do some shit with some executable file, tell it no, close the tab and you are ok.

    FF on the XP box you click ok and you are off to the r

    • Can someone explain why the ability for Drive-Bys can happen AT ALL and how come the code that allows this sort of shit to happen has not been ripped out with extreme prejudice after the very first occurrence of this behavior?

      Because you're letting random websites run code (Javascript, Flash, PDF, Java) on your computer. And even though that code is sandboxed (by Flash or Java or JavaScript or Adobe PDF Reader) there are flaws in those sandboxes that allow for arbitrary execution of code. Which the
  • by CrazyJim1 (809850) on Saturday May 21, 2011 @12:19AM (#36199314)
    If your hard drive is failing, software won't fix it. This could be as funny as creating a virus to say your computer's flux capacitor is overheating and you'll need to buy a replacement through exmechanicgoneonlinescammer.com
