Slashdot Mirror


400,000 PCs Infected With Fake "Antivirus 2009"

nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."

19 of 353 comments

  1. Re:Wait a pain... by plover · · Score: 2, Interesting

    I hope one of those fakers takes Microsoft to court over this and publicly identifies themselves. There are many pissed-off users that would be happy to take a baseball bat to them. One of them would likely be on the jury.

    --
    John
  2. how many users will complain about removal? by hguorbray · · Score: 5, Interesting

    I wonder how many of the clueless will complain to Microsoft that the removal tool removed software THEY HAD PAID FOR

    iirc some of the malware and adware 'vendors' had EULAs that forbade users to remove their programs

    It'll never happen, but I'd like to see one of those guys try to sue Microsoft for violating their EULA - would Microsoft try to claim that the EULA was invalid?...

    One can always dream.

    -I'm just sayin'

    1. Re:how many users will complain about removal? by halln · · Score: 2, Interesting

      Technically, the user didn't remove it. Microsoft did. I'm sure MS didn't agree to their EULA.

    2. Re:how many users will complain about removal? by Actually,+I+do+RTFA · · Score: 2, Interesting

      > I wonder how many of the clueless will complain to microsoft that the removal tool removed software THEY HAD PAID FOR

      Well, it's malware, not scareware. That is, it only acts scary to get it downloaded/installed, not to get money. Otherwise, they would have tracked down the payments by now. And if they had paid for it, the customers probably used a credit card. So a large number of them could get it refunded because of the fraud involved.

      > It'll never happen, but I'd like to see one of those guys try to sue microsoft for violating their EULA -would microsoft try to claim that the EULA was invalid?....

      Well, Microsoft would point out that the EULA is a contract* between the end-user and the other company, and Microsoft wasn't a signatory.

      *Regardless of whether you believe this to be true, I have no doubt that this is what they would claim.

      --
      Your ad here. Ask me how!
    3. Re:how many users will complain about removal? by Naturalis+Philosopho · · Score: 2, Interesting

      Yup. I'm just being argumentative to point out how screwed up our legal system is... You can bet the "manufacturers" of AV 2009 would use some equally screwed up argument if they were ever brought to the bar. I would love to see the makers of AV 2009 in court though. For anything.

  3. Re:Understating the menace. by enjo13 · · Score: 2, Interesting

    Literally every single Windows user I know has been infected with this. I removed it several times over the holidays. My wife (and many of her coworkers) were infected...

    I know it's not necessarily a representative sample, but I'd be shocked if it was only 400k machines in total.

    --
    Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
  4. Why do they know this? by pembo13 · · Score: 4, Interesting

    Why does the malware removal tool report back about what it finds? Do all such tools do that?

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  5. Re:Is this troublesome to anyone else? by enharmonix · · Score: 2, Interesting

    The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
    When will their idea of malware differ from mine?

    I had to use Real VNC at my last job and Windows Live OneCare (or whatever it's called) detected and removed it. I would think MRT would ignore questionable software, but for apps/services targeting Joe Sixpack, don't be surprised to see some things like VNC or IRC software flagged as malware.

  6. Re:what this really says.. by Chabo · · Score: 2, Interesting

    Most people DO run AV software, and every machine I fixed that was infected with this malware had AV software installed and updated.

    --
    Convert FLACs to a portable format with FlacSquisher
  7. Re:Understating the menace. by gad_zuki! · · Score: 4, Interesting

    >simply because nobody I know actually uses MSRT

    MSRT is packaged with Windows Update. If they have automatic updates set as they're supposed to, then they run it every month. It's just not obvious to the end user. MS uses MSRT for a lot of things. Last time they took down one of the bigger botnets.

    I've seen PCs with "Antivirus 2009" and its predecessors still able to use automatic updates. I'm sure malware writers will now just disable the service. I believe some versions of Antivirus 2009 did shut down the service.

    That said, the real problem here is why legitimate sites are serving up the pop-under ads for Antivirus 2009. Ad networks need to start vetting their clients. People should just start blocking all ads as a security threat.

  8. Re:Is this troublesome to anyone else? by Anonymous Coward · · Score: 1, Interesting

    Yes, I finally had to turn off my AVG resident shield the other day because it thinks programs and utilities I use on a regular basis are malicious.

  9. Time for Linux by MrJimbo · · Score: 4, Interesting

    My wife's Windows XP laptop was infected with this virus. This was her last straw. She came to me and asked if there is anything that can be done. I told her she can reduce her exposure to these pieces of malware if we were to install Linux on her laptop. It's been 5 days since we installed Ubuntu 8.10, and while there are some slight differences, she is enjoying it. I had been running Ubuntu for some time now.

    1. Re:Time for Linux by TheNetAvenger · · Score: 4, Interesting

      Sorry about your wife's laptop, but this doesn't happen without the user specifically installing the software.

      Even on Linux, she won't be any safer if she isn't instructed not to click on crap and install it.

      You would be safer running Vista, as this malware (not virus) was not able to get installed on Vista even when users told it yes. If by chance it even did get installed on Vista, it would have had limited damage compared to XP; things like redirect the web sites, turn off anti-virus etc. (Vista users basically didn't have this problem)

      So, have you convinced her to move to Vista yet?

      You could also set her up as a 'user' and not let her run crap in administrator mode, and if she needs something installed, have her do the run as and actually type in the password so she knows that she is modifying the computer. (Yes on XP)

      On Vista, have her run as User as well; the password prompt is just automatic and doesn't require her to do 'run as'...

      ---

      I love the stories of 'the last straw' and how horrible Windows is, especially when it is something users have done to themselves. If Windows or MS is guilty of anything here, it is that they made Windows too easy for users and haven't educated people enough. (Like you should have done for your spouse.)

      PS She should smack the crap out of you for not explaining what to click on and what not to click on to install, especially from the internet.

  10. Re:Wildly annoying one. by Bert64 · · Score: 2, Interesting

    I uploaded a few parts of this malware to virustotal.com a few weeks ago, it was picked up by 11% of the av engines tested, ie a very small percentage...
    I got it from a machine that had mcafee installed, it didn't detect anything...

    They seem to update this malware regularly to avoid detection, and there are typically several versions circulating at any one time. This particular machine had several versions installed which all pointed back to the same bunch of sites...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  11. Re:The relationship between Windows 95/98 and DOS by adminstring · · Score: 5, Interesting

    Here's some fun trivia: Contrary to popular belief, Windows only rode on top of DOS through version 3.11. 95 and 98 only looked like they did, by optionally loading 16-bit legacy DOS drivers as part of the Windows startup process, and by providing both DOS VMs and an option to boot into DOS Mode (which actually was MS-DOS) for backwards compatibility with legacy DOS apps.

    This page has a pretty good overview of Windows 95 architecture, with some diagrams that show the various OS components, none of which is a full copy of DOS that has a GUI riding on top of it as found in Windows 3.11 and earlier. Instead, there is a 32-bit kernel which uses 32-bit device drivers exclusively, unless the user installs a legacy DOS driver.

    If any DOS apps are run within Windows 95, they run in their own DOS virtual machine, and if no DOS apps are running, no DOS VM is created. These VMs are similar to those in Windows NT; what is not similar to Windows NT is the ability to load DOS device drivers to support legacy hardware that had no 32-bit protected-mode driver.

    Those DOS drivers almost always ran slower than 32-bit drivers and frequently caused problems, to the extent that one of the first steps in troubleshooting a Windows 95 system was to check the autoexec.bat and config.sys for unneeded DOS drivers, or simply renaming those files to get rid of the gunk.

    If there really were a copy of DOS running underneath Windows 95, renaming autoexec.bat and config.sys would have removed all the device drivers, leaving you with no access to your CD-ROM drive due to a lack of MSCDEX.EXE, which is needed by all versions of DOS, including the "DOS Mode" of Windows 95.

    --
    My truck is like a series of tubes.
  12. Re:The best antivirus solution by Kojiro+Ganryu+Sasaki · · Score: 2, Interesting

    It's security by obscurity!

  13. Yep...Ubuntu time. by wasexton · · Score: 1, Interesting

    My daughter brought her laptop home for the holidays and was complaining that it has been very slow and unable to connect to the internet for the past few weeks. I booted and found this crap installed and tried for about 4 hours to remove this crap before discussing installing Ubuntu. I copied her documents off and installed Ubuntu and she has been happily working for the past week with no issues whatsoever. Not THE solution for everyone, but she mainly uses it for research and online social networking so there were no "linux killer" applications that I had to consider with her. The printer she has will work fine with Ubuntu. Total time to copy documents, install, and then configure the installation like she wanted was 2 hours.

  14. Re:The relationship between Windows 95/98 and DOS by X3J11 · · Score: 4, Interesting

    Try deleting the hidden system files (.SYS) in the root of your boot drive and see how far Windows 9x gets while booting.

    The 9x Windows did ride on top of DOS, but replaced (and I'm using the word very loosely) DOS with its own kernel and drivers. DOS was still there, hiding in the background, but most everything was handled by the 32-bit protected mode code of 9x.

    Also, there was no "virtual machine" for DOS in 9x. Windows took a snapshot of the DOS environment before it took over, and was able to present this environment to the user via V86 mode. This was, more or less, the same way Quarterdeck's DESQview software worked, except without the pretty graphics of the Windows GUI. A virtual machine implies much of the hardware is emulated, which it was not.

    Renaming autoexec.bat and config.sys would have no bearing on the Windows environment because once Windows took over, it used its own .ini files and the registry to store and retrieve hardware and software configuration information.

    Any drivers/TSRs run before Windows started would still be present after Windows loaded. In fact, one simple change to a single file caused Windows to not even load, booting instead to a plain old C:\ prompt. One could then later start Windows by executing WIN.COM.

    Even Windows ME had DOS still hiding underneath it all. Windows versions based on the NT kernel are the only ones that did not rely on some version of MS-DOS to bootstrap Windows.

    I really don't think you know what you are talking about.

  15. Sometimes protected by a rootkit by Anonymous Coward · · Score: 1, Interesting

    I ran into two machines in the last few days with AV2009, but removing them was rather tricky because there was a rootkit present as well. Despite grabbing AVG, Spybot, Malwarebytes Antimalware, Ad-Aware, Superantispyware etc etc, half of them couldn't install/update/run. I would rename the install files, rename the .exe files, change the install path, it didn't matter. Even in safe mode the rootkit was intercepting and disabling the programs. Vicious little bugger.

    Ultimately, I found the culprit to be a rootkit called TDSS. A little googling will give you all the details you need, but essentially going into Device Manager, from the menu selecting Show Hidden Devices, Non-Plug and Play Drivers, and disabling anything with TDSS in the title should solve your problem. Once it's disabled you can get your anti-spyware software to run properly.

    I've been out of the tech support loop for a while, and this one made me a little nuts until I found it. Hope the clue helps somebody.
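
The Device Manager steps in the post above (Show Hidden Devices, Non-Plug and Play Drivers, disable anything with TDSS in the name) have a scripted equivalent: legacy drivers are just service entries of type kernel driver or file-system driver under the Services key. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It assumes an elevated PowerShell 3.0 or later on the infected machine, takes the 'TDSS' name pattern reported by the commenter as its default, and relies on the Win32_SystemDriver class and sc.exe, both of which are standard. One caveat the post does not spell out: a rootkit that hides its own service key from the live system will not appear in either listing, so an empty result is not a clean bill of health; an entry that the registry shows but the service control manager does not report, or whose image file "does not exist" on disk, is the kind of discrepancy worth acting on.

```powershell
# Added example (not from the thread). Scripted equivalent of Device Manager ->
# Show Hidden Devices -> Non-Plug and Play Drivers: list legacy kernel drivers
# whose service name matches a pattern, cross-check them against what the
# running system admits to, and optionally disable them for the next boot.
# Assumptions: elevated PowerShell 3.0+ on the infected box; 'TDSS' is the
# pattern from the post; a rootkit hiding its service key will not be listed.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath -replace '^\\\?\?\\', ''                  # \??\C:\x.sys -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Find-SuspectDriver {
    param([string]$Pattern = 'TDSS')

    # What the SCM currently reports; a key present in the registry but absent
    # here is exactly the "hidden" behaviour the post describes.
    $running = @{}
    Get-CimInstance Win32_SystemDriver | ForEach-Object { $running[$_.Name] = $_.State }

    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER: these are
    # the entries Device Manager files under "Non-Plug and Play Drivers".
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $v = Get-ItemProperty $_.PSPath
        if (($v.Type -eq 1 -or $v.Type -eq 2) -and $_.PSChildName -like "*$Pattern*") {
            $img = Resolve-DriverImagePath $v.ImagePath
            [pscustomobject]@{
                Name      = $_.PSChildName
                Start     = $v.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                ImagePath = $img
                OnDisk    = if ($img) { Test-Path -LiteralPath $img } else { $false }
                State     = if ($running.ContainsKey($_.PSChildName)) { $running[$_.PSChildName] } else { 'not reported by SCM' }
            }
        }
    }
}

function Disable-SuspectDriver {
    param([Parameter(Mandatory)][string]$Name)
    # Writes Start=4, the same thing Device Manager's "Disable" does. sc.exe
    # requires the space after "start=". Takes effect at the next reboot, after
    # which the blocked anti-malware tools should install and run normally.
    & sc.exe config $Name start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $Name (exit code $LASTEXITCODE)" }
}

# Usage: review the table before disabling anything, then uncomment the loop.
$suspects = Find-SuspectDriver -Pattern 'TDSS'
$suspects | Format-Table -AutoSize
# foreach ($s in $suspects) { Disable-SuspectDriver -Name $s.Name }
```

Run it once before and once after the reboot: the entries you disabled should still be listed (with Start = 4) but no longer reported as Running by the service control manager. If a driver you did not touch reappears or changes its image path between boots, treat the machine as still compromised and fall back to an offline scan from clean boot media rather than trusting anything the live system tells you.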