Slashdot Mirror

← Back to Stories (view on slashdot.org)

All-Radio 4.27 Portable Can't Be Removed? Then Your PC Is Severely Infected (bleepingcomputer.com)

Posted by BeauHD on from the can't-be-unseen dept.

CaptainDork shares a report from Bleeping Computer: Starting yesterday, there have been numerous reports of people's Windows computers being infected with something called "All-Radio 4.27 Portable." After researching this heavily today, it has been determined that seeing this program is a symptom of a much bigger problem on your computer. If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send send out spam.

Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help. Due to this, if you are infected with this malware, I strongly suggest that you create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer. Some of the VirusTotal scans associated with this infection have also indicated that an information stealing Trojan could have been installed by this malware bundle as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected. 6/29/18: The story has been updated to specify that this malware campaign is targeting Windows computers.

5 of 247 comments (clear)

  1. Re:Microsoft Windows only by Black+Diamond · · Score: 5, Informative

    If you don't see an operating system listed, you can rest assured that it's windows.

  2. Re: Nuke & Pave by Anonymous Coward · · Score: 5, Informative

    Security Program Manager, Microsoft Corporation

    I Got Hacked, What Do I Do?
    https://technet.microsoft.com/en-us/library/cc700813.aspx

    So the parent was modded up before, suddenly it gets modded down. Really slashdot moderation has been trashed recently. It's worth saying why this was the money post. The only post in the whole thread which really mattersL:

    The key quote you have to follow is:

    The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

    But it's the bit before that which really matters:

    You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. Note that if you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you can’t guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you can’t just patch the system.

    Below there are people proposing reverse engineering the malware and then, if you know what it does, you can clean it up by reversing that. However, one thing most malware does is open up to the network and let the malware authors do what they want, so even if you know what this malware does you don't know what all malware does. Anything more could have happened to your system.

    Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.

  3. Re:This is why we can't have nice things by AmiMoJo · · Score: 5, Informative

    I have never in my life ever heard of any type of malware or code that can be written that can :
            "Be removed with human assistance" that cannot be removed by a program.

    Those have been around for over a decade.

    They work by replacing some core part of the OS, like the SATA driver or the filesystem driver. That makes it impossible for anti-virus software to clean the infected files, because the rootkit can block writes to those files and hand the AV software clean copies when it scans them. They operate at such a deep level, running inside the kernel, that the best AV software can do is detect their secondary effects and try to suppress them.

    The only way around this is to manually boot from a recovery CD and replace the infected files. Some AV companies provide bootable CDs that can run their software. The best ones use Linux because the Linux NTFS driver just ignores permissions and lets them access those system files and delete them. Then you can use a Windows install disk or the Windows 10 recovery system to replace them and get the system running.

    It's a manual process, the rebooting from CD/USB drive and then running the Windows recovery can't be automated.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Sync isn't backup by swb · · Score: 5, Informative

    Sync to OneDrive, et al, isn't backup.

    Most malware doesn't immediately destroy your computer, it cripples it over days or weeks. I can't tell you the number of people who told me "Yeah, I noticed something last week and it's been flaky since then."

    Meanwhile, you've been syncing your infection up to the cloud the whole time so now your cloud storage is infected, too. You may get some of it back, but I've also seen people just re-infect themselves, too.

    Some cloud storage often at higher tiers will offer some kind of versioning and let you restore pre-infected files, but for most people this isn't the default or isn't even a feature they have.

    The only way cloud sync really works as a backup is if you have a spare computer you only bring online periodically that syncs itself and that you then take offline again, but now all you've done is add a complex network transaction to what amounts to a local backup.

  5. Re: Nuke & Pave by Anonymous Coward · · Score: 0, Informative

    Reinstall? I think it would probably take me months to re-install all my programs, fight with the companies that have "activation" while attempting to explain why I need to re-active the old program, maybe $100's or $1000's to re-purchase the software where I was unsuccessful at fighting with the companies that have the "activation" nonsense,

    Ah yes, the pitfalls of paying for software. If those licences are worth anything to you - keep receipts to show those companies when you need to. It isn't just malware destroying computers - they break when some internal component gets too old.

    One of the upsides of open source - not only is it free in the first place, but no 'activation nonsense', no 'licence management', no 'paying again' when you couldn't prove ownership after the disk broke . . .