Slashdot Mirror

← Back to Stories (view on slashdot.org)

400,000 PCs Infected With Fake "Antivirus 2009"

Posted by timothy on from the please-keep-up-now dept.

nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."

26 of 353 comments (clear)

  1. Tomorrow's Headline by meadowsoft · · Score: 4, Funny

    "over 394,000 PCs report massive amounts of virus infections due to the accidental removal of Antivirus 2009"

  2. When will the Malcious software removal tool... by Anonymous Coward · · Score: 4, Funny

    Remove my win32 directory?

  3. Malwarebytes by oahazmatt · · Score: 4, Informative

    At my job, we've used Malwarebytes to fix about 200 PCs with this so far. It's a good alternative.

    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
    1. Re:Malwarebytes by Endo13 · · Score: 5, Informative

      Try this instead.

      1. Run Hijackthis and look for any suspicious startup entries. Even the average computer user will be able to rule out most entries as things they recognize, meaning you won't have to google more than a handful, which will probably take 5-10 minutes at the most.
      2. Install Unlocker. http://ccollomb.free.fr/unlocker/
      2. Browse to locations of files linked to by suspicious startup entries. Check date created.
      3. Go to Windows directory, sort files by date, google suspicious files found since above date. Remove files confirmed to be malware or files for which you cannot find any information. (If you can't find any info on them, they're either randomly generated malware names, or malware too new to show up yet in a search.)
      4. Do the same in Windows\System32.
      5. Run a system cleanup to delete all Temp files and Temporary Internet Files.
      6. Now delete the original malware folder.
      7. Delete the startup entries with Hijackthis.
      8. Restart computer. Should be clean.

      The best part is, this will work with virtually *any* malware infection, and will generally catch things that even Malwarebytes misses.

      --
      There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
    2. Re:Malwarebytes by cbiltcliffe · · Score: 4, Informative

      This doesn't work with some variants I've seen. The malware is running as the system, but there are also components that are running as the current user.

      Set the permissions to deny SYSTEM access to that key, and the user components change the permissions back before you can delete the key. Killing the user components is useless, as the system components restart them. Killing the system components blue screens the machine, as some are linked into winlogon, and you can't kill that.

      Denying your own user write access to the startup keys to get around all this is, obviously, useless.

      Offline scan/deletion is the only way to go with this crap.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  4. Wait a pain... by Chabo · · Score: 4, Informative

    I was tasked with getting this thing off my mom's laptop. That was tougher than any other piece of malware I've ever dealt with.

    I also had to convince my dad that there was no easy way to sue the "manufacturer" of this program.

    --
    Convert FLACs to a portable format with FlacSquisher
  5. Wildly annoying one. by fuzzyfuzzyfungus · · Score: 5, Insightful

    In having to do support for assorted windows users, I've seen assorted popup/redirect stuff pushing that particular fine piece of software a lot. Most disconcertingly, it even happens to users visiting what one would think of as reputable sites, on machines with fully updated AV that reports no issues.

    I really don't have the time or interest to figure out if the AV is just sucking, and not reporting infections that actually do exist, or if whoever is pushing the software has compromised a bunch of ad providers; but it seems to be a big issue in windows land(poor bastards).

  6. Good job Microsoft! by Chryana · · Score: 4, Funny

    Now let's hope Symantec is not going to sue them... :)

  7. how many users will complain about removal? by hguorbray · · Score: 5, Interesting

    I wonder how many of the clueless will complain to microsoft that the removal tool removed software THEY HAD PAID FOR

    iirc some of the malware and adware 'vendors' had eulas that forbade users to remove their programs

    It'll never happen, but I'd like to see one of those guys try to sue microsoft for violating their EULA -would microsoft try to claim that the EULA was invalid?....

    One can always dream.

    -I'm just sayin'

  8. Combofix was the only thing that worked for me by transporter_ii · · Score: 4, Informative

    Particularly bad virus. It blocked all antivirus web sites and even blocked programs on the computer. I could put Spybot Search and Destroy on the computer, but it wouldn't even start. What I finally had to do was rename combofix.exe to something else like fix.exe, and then it ran and removed MS Antivirus 2009. I did try to Malwarebytes but it wouldn't even install, even if I renamed it.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  9. Understating the menace. by Rahga · · Score: 4, Insightful

    This family of infectors is probably, by far, the worst spyware/hijacking peice of junk I've ever seen. I can't help but feel that 400,000 isn't nearly the number that has actually been infected, simply because nobody I know actually uses MSRT, and I seriously doubt that any machine that gets infected with it could actually get back into the condition where it can download and/or install MSRT, or virtually any other software. It's just that bad.

    1. Re:Understating the menace. by PCM2 · · Score: 5, Informative

      nobody I know actually uses MSRT

      You might be surprised. The version of MSRT that comes from Windows Update runs in the background once a month and only alerts you when it notices a problem. I've never knowingly run it, but sure enough, if I check my Windows Update history I've installed the December edition.

      On a side note, maybe this explains the persistent disk thrashing episodes I still get with Vista, maybe once a month or so...

      --
      Breakfast served all day!
    2. Re:Understating the menace. by gad_zuki! · · Score: 4, Interesting

      >simply because nobody I know actually uses MSRT

      MSRT is packaged with windows update. If they have automatic updates set as theyre supposed to then they run it every month. Its just not obvious to the end user. MS uses MSRT for a lot of things. Last time they took down one of the bigger botnets.

      Ive seen PCs with "Antivirus 2009" and its precessors still able to use automatic updates. Im sure malware writers will now just disable the service. I believe some versions of Antivirus 2009 did shut down the service.

      That said, the real problem here is why legitimate sites are service up the pop-under ads for antivirus 2009. Ad networks need to start vetting their clients. People should just start blocking all ads as a security threat.

  10. family tech support by EpsCylonB · · Score: 5, Informative

    Yep, got called round to my brothers house to fix his computer cos it had this stuff on it.

    I don't know exactly what it was supposed to be doing, the computer would boot up into winxp and then just freeze. Safe mode worked but safe mode with networking did not, so I guess it was calling home somewhere (thinking about it now I should have just unplugged the network cable to see if that stopped the computer freezing).

    Anyways I didn't have any stuff with me and without net access I decided the path of least resistance was to reinstall windows (my brother did not have anything he wanted to keep).

    I should have brought round a ubuntu live cd with me.

  11. When will people learn by TheGeniusIsOut · · Score: 4, Informative

    I do not have anti-virus/spyware/malware software installed, the only firewall I have is in my router, my computer is on and connected nearly 24/7, and I have not gotten any viruses/malware/spyware in at least 3 years. Windows XP fully updated, careful browsing/downloading habits, and liberal use of free online scanners for suspicious software before execution has served me well. The problem is too many people are click happy and ignore common sense, basic safe computing habits, and in general are looking for a quick fix they don't have to think about. This leads to people falling prey to the pop-up ads claiming their computer is infected so they can download the latest botnet zombification software. Up until a year ago, I was having to clean my sister's PC on a weekly to monthly basis due to all the crap she downloaded off the internet. After convincing her to try the safe habits I practice for a month, in which time her computer worked perfectly, she realized she was the source of her computer problems and corrected her attitude towards computer security, with no problems to this day.

    --
    Ignorance is Bliss -- And the Opposite is True -- Genius is Madness
  12. Re:Agree! by enharmonix · · Score: 4, Informative

    Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes is right off.

    I swear by them. In fact, I removed Symantec AV from my computer (since it only protects against exploits nobody uses anymore and slows your PC down more than any virus). I use Windows Defender to monitor system changes and do periodic sweeps w/ Malwarebytes. System is much faster now and still clean.

  13. At least Zunes are safe by MrNonchalant · · Score: 5, Funny

    Thanks Microsoft for thoughtfully protecting all the Zunes from this outbreak.

  14. Re:Is this troublesome to anyone else? by Volante3192 · · Score: 5, Insightful

    Well, the reason you install these programs like Defender is so it deletes the malware for you.

    Replace Microsoft with Kaspersky, AVG or one of those other "reputable" AV vendors and ask the same question. They have just as much ability to delete a program.

  15. I'm tired of users like you by Anonymous Coward · · Score: 4, Insightful

    I'm not saying this as flamebait but I'm really tired of users who consistently post in forum after forum that they don't run antivirus, firewall, or antimalware applications. Then, just like you, they claim they don't have any infections. How would you know even if you had an infection without running a scanner? Online scanners are great but they only cover files that you're going to run of your own volition. They do not cover infections that occur through holes in the browser and/or OS. This is where the fundamental problem lies in your strategy.

    Case in point, lets say you browse to a website that uses a hole in your browser to get code onto your system that opens a port via UPNP in your router. Then through the open port your machine starts infecting/spamming others. How would your methods guard against that?

    Safe computer habits are great when you can trust your Operating System and browser to be secure all while you're not logged in with an account with "Administrator" (root) level privileges. Too bad Windows can't be trusted to be secure and, therefore, necessitates the need for antivirus, antimalware, and firewall.

  16. Re:MS patting themselves on the back by cbhacking · · Score: 4, Informative

    Nope. Try a little research, please. This program spreads through two methods, Trojans and scareware (tricking the user into thinking that his computer is infected, so he buys and installs AV2k9 as a "fix"). Such software can do anything the user can (which, provided you run the program with root/Administrator credentials - like you would if installing something - is anything at all).

    In either case, it's a simple matter of Problem Exists Between Keyboard And Chair. The prevalence of malware for Windows does make scareware more likely to work, but in the end it's still a matter of the user telling the OS to do something stupid (run a malicious program) and the OS obeying just like it's supposed to.

    --
    There's no place I could be, since I've found Serenity...
  17. Why do they know this? by pembo13 · · Score: 4, Interesting

    Why do does the malaware removal tool report back about what it finds? Do all such tools do that?

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  18. Time for Linux by MrJimbo · · Score: 4, Interesting

    My wife's Windows XP laptop was infected with this virus. This was her last straw. She came to me and asked if there is anything that can be done. I told her she can reduce her exposure to these pieces of malware if we were to install Linux on her laptop. It's been 5 days since we installed Ubuntu 8.10, and while there are some slight differences, she is enjoying it. I had been running Ubuntu for some time now.

    1. Re:Time for Linux by TheNetAvenger · · Score: 4, Interesting

      Sorry about your wife's laptop, but this doesn't happen without the user specifically installing the software.

      Even on Linux, she won't be any safer if she isn't instructed not to click on crap and install it.

      You would be safer running Vista, as this malware (not virus) was not able to get installed on Vista even when users told it yes. If by chance it even did get installed on Vista, it would have had limited damage compared to XP; things like redirect the web sites, turn off anti-virus etc. (Vista users basically didn't have this problem)

      So you convince her to move to Vista yet?

      You could also set her up as a 'user' and not let her run crap in administrator mode, and if she needs something installed, have her do the run as and actually type in the password so she knows that she is modifying the computer. (Yes on XP)

      On, Vista, have her run as User as well, the password prompt is just automatic and doesn't require her to do 'run as'...

      ---

      I love the stories of 'the last straw' and how horrible Windows is, especially when it is something users have done to themselves. If Windows or MS is guilty of anything here, is that they made Windows too easy for users and hasn't educated people enough. (Like you should have done for your spouse.)

      PS She should smack the crap out of you for not explaining what to click on and what not to click on to install, especially from the internet.

  19. Re:The relationship between Windows 95/98 and DOS by adminstring · · Score: 5, Interesting

    Here's some fun trivia: Contrary to popular belief, Windows only rode on top of DOS through version 3.11. 95 and 98 only looked like they did, by optionally loading 16-bit legacy DOS drivers as part of the Windows startup process, and by providing both DOS VMs and an option to boot into DOS Mode (which actually was MS-DOS) for backwards compatibility with legacy DOS apps.

    This page has a pretty good overview of Windows 95 architecture, with some diagrams that show the various OS components, none of which is a full copy of DOS that has a GUI riding on top of it as found in Windows 3.11 and earlier. Instead, there is a 32-bit kernel which uses 32-bit device drivers exclusively, unless the user installs a legacy DOS driver.

    If any DOS apps are run within Windows 95, they run in their own DOS virtual machine, and if no DOS apps are running, no DOS VM is created. These VMs are similar to those in Windows NT; what is not similar to Windows NT is the ability to load DOS device drivers to support legacy hardware that had no 32-bit protected-mode driver.

    Those DOS drivers almost always ran slower than 32-bit drivers and frequently caused problems, to the extent that one of the first steps in troubleshooting a Windows 95 system was to check the autoexec.bat and config.sys for unneeded DOS drivers, or simply renaming those files to get rid of the gunk.

    If there really were a copy of DOS running underneath Windows 95, renaming autoexec.bat and config.sys would have removed all the device drivers, leaving you with no access to your CD-ROM drive due to a lack of MSCDEX.EXE, which is needed by all versions of DOS, including the "DOS Mode" of Windows 95.

    --
    My truck is like a series of tubes.
  20. Re:The relationship between Windows 95/98 and DOS by X3J11 · · Score: 4, Interesting

    Try deleting the hidden system files (.SYS) in the root of your boot drive and see how far Windows 9x gets while booting.

    The 9x Windows did ride on top of DOS, but replaced (and I'm using the word very loosely) DOS with its own kernel and drivers. DOS was still there, hiding in the background, but most everything was handled by the 32-bit protected mode code of 9x.

    Also, there was no "virtual machine" for DOS in 9x. Windows took a snapshot of the DOS environment before it took over, and was able to present this environment to the user via V86 mode. This was, more or less, the same way Quarterdesk's DesqView software worked, except without the pretty graphics of the Windows GUI. A virtual machine implies much of the hardware is emulated, which it was not.

    Renaming autoexec.bat and config.sys would have no bearing on the Windows environment because once Windows took over, it used its own .ini files and the registry to store and retrieve hardware and software configuration information.

    Any drivers/TSRs run before Windows started would still be present after Windows loaded. In fact, one simple change to a single file cause Windows to not even load, booting instead to a plain old C:\ prompt. One could then later start Windows by executing WIN.COM.

    Even Windows ME had DOS still hiding underneath it all. Windows versions based on the NT kernel are the only ones that did not rely on some version of MS-DOS to bootstrap Windows.

    I really don't think you know what you are talking about.

  21. Re:The relationship between Windows 95/98 and DOS by adminstring · · Score: 4, Informative

    The question of whether 9x "rides on top of" DOS is related to the two somewhat distinct issues of the use of DOS during the boot process, and support for DOS device drivers once Windows 95 has booted.

    To me, the fact that the DOS 7 kernel IO.SYS is used to bootstrap Windows 95 does not indicate that 9x "rides on top of DOS" any more than the fact that LILO or GRUB might be used to bootstrap Linux means that Linux "rides on top of" LILO or GRUB.

    The fact that legacy DOS device drivers can be loaded during the real-mode portion of the 9x boot process (but need not be kept around afterwards, and by default are not) only indicates that Windows has been designed to tolerate DOS device drivers in order to provide backwards compatibility.

    This is a big difference between 9x and 3.x, which requires DOS drivers for sound and CDROM support. This is also the biggest difference between 9x and NT as regards DOS support - NT will not tolerate legacy DOS device drivers at all. This fact makes it perfectly clear that NT does not "ride on top of" DOS, while the fact that 9x is built to tolerate DOS drivers muddies the waters as to whether or not 9x "rides on top of" DOS. To me, the fact that these legacy drivers are not required indicates that 9x is an OS rather than a GUI, and that is the point I was getting at with the CD-ROM driver example.

    Taking this reasoning a step farther, the fact that 32-bit hard disk drivers are available under Windows 3.1 leads some to consider 3.1 itself to be somewhat of an OS (or, along with DOS, one of the two components of an OS) rather than simply a GUI, because previous GUIs such as GEM for DOS had no device drivers of their own and relied entirely on DOS for driver support. There is some merit to this argument, and my take on the situation is that there isn't a clear line between GUI and OS where early versions of Windows are concerned, but rather a gradual shift from total reliance on and tolerance of DOS for bootstrapping and drivers in early versions of Windows (which were mere window managers like GEM) to a total lack of reliance on DOS code for these functions in later versions starting with NT 3.1, which first used NTLDR to begin the boot process. Windows 95's place on this spectrum is that it requires some DOS code to boot, but afterwards doesn't require any non-32-bit device drivers at all.

    If, when we say that Windows 3.11 "rides on top of" DOS 6, we mean that Windows 3.11 is an application environment which takes advantage of the filesystem and driver support provided by DOS, I don't think that we can accurately say the same thing about Windows 95, which is an OS with a 32-bit kernel and some 16-bit components which uses DOS for bootstrapping but does not need any DOS filesystem or driver support once it's up and running. To me this doesn't equate to having DOS "hiding underneath" Windows 9x. It seems more accurate to me to say that Windows 9x has built-in support for DOS drivers and apps for backwards-compatibility reasons, and uses it during the boot process.

    --
    My truck is like a series of tubes.