400,000 PCs Infected With Fake "Antivirus 2009"
nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."
In having to do support for assorted Windows users, I've seen assorted popup/redirect stuff pushing that particular fine piece of software a lot. Most disconcertingly, it even happens to users visiting what one would think of as reputable sites, on machines with fully updated AV that reports no issues.
I really don't have the time or interest to figure out if the AV is just sucking, and not reporting infections that actually do exist, or if whoever is pushing the software has compromised a bunch of ad providers; but it seems to be a big issue in Windows land (poor bastards).
Yup, I've removed it from 14 Windows PCs belonging to neighbours & friends. Malwarebytes was a handy tool.
The annoying thing though, most of them installed it themselves, deliberately, thinking they were doing "good".
Bah. Hang the authors of "Antivirus 2009" up by their nadgers.
If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
When will their idea of malware differ from mine?
Will they always do it correctly (no collateral damage)?
This family of infectors is probably, by far, the worst spyware/hijacking piece of junk I've ever seen. I can't help but feel that 400,000 isn't nearly the number that has actually been infected, simply because nobody I know actually uses MSRT, and I seriously doubt that any machine that gets infected with it could actually get back into the condition where it can download and/or install MSRT, or virtually any other software. It's just that bad.
An amusing notion, but it'll never happen for two reasons:
1) EULAs may or may not be enforceable in their usual sense, but a requirement that you can't remove the software doesn't even make sense. The concept of a EULA is that you must agree to the terms in order to use the software. If you're not using the software (i.e. you remove it) you're not bound by the terms anymore.
2) Since this is intentionally malicious software and almost certainly constitutes at least one form of fraud, the owner publicly identifying themselves would be a bad plan. Not only are they unlikely to win a legal battle with MS in civil court (the fraud might even make the EULA automatically invalid or some such), but they might well end up facing criminal charges as well.
IANAL, and one can always hope the malware authors get stupid, but this doesn't seem a likely scenario.
There's no place I could be, since I've found Serenity...
I'm not saying this as flamebait but I'm really tired of users who consistently post in forum after forum that they don't run antivirus, firewall, or antimalware applications. Then, just like you, they claim they don't have any infections. How would you know even if you had an infection without running a scanner? Online scanners are great but they only cover files that you're going to run of your own volition. They do not cover infections that occur through holes in the browser and/or OS. This is where the fundamental problem lies in your strategy.
Case in point, let's say you browse to a website that uses a hole in your browser to get code onto your system that opens a port via UPnP in your router. Then through the open port your machine starts infecting/spamming others. How would your methods guard against that?
Safe computer habits are great when you can trust your Operating System and browser to be secure all while you're not logged in with an account with "Administrator" (root) level privileges. Too bad Windows can't be trusted to be secure and, therefore, necessitates the need for antivirus, antimalware, and firewall.
I consider myself a pretty knowledgeable computer user as I've been in IT for 6 years now working in technical support, network administration, and development. Spybot and AVG would not even run and I couldn't reinstall them. Trend Micro's online scanner would stop working halfway through. I installed adaware and that removed some of the junk. Then I installed Avast and that removed a bit more. At this point I was able to run SpyBot and that removed a bit more. Finally after running malware bytes or whatever it's called + spybot + adaware + avast + malware bytes again for good measure my XP system is "clean." Though who really knows? My system is speedy again, as well as my internet, but I have the sneaking suspicion my PC is working the graveyard shift for a botnet...
That's not sad. That's practical. If I have a hammer, I want to use the hammer to hit nails with it. I don't want to begin every nail hammering session by inspecting it to see if someone has smeared super glue on the handle.
So how long will it take to clean up the entire population of Windows PCs?
This kind of propaganda is counterproductive. First of all, this is a negligible effect; secondly, it pretends that MS takes care of Windows users; and thirdly, it doesn't emphasize that safe computing is far more important than all security software in the world.
thegodmovie.com - watch it
hahahahahahaha
oh dear me how original and hilarious.
joke is so old now.
Using an insecure OS that nobody cares about is NOT security. dumbass.
There ought to be a moderation type made specifically for this kind of a post.