Remove Malware. How to remove viruses and spyware for free.




Bootable Antivirus Scan Log Sample


I thought I’d upload the stats from one of today’s clients. This client complained of “security alerts” which were just rogue anti-privacy applications.

I cleaned this PC with my bootable antimalware (Avira and SUPERAntiSpyware) disc. I added the log below for your viewing pleasure (these infections are fresh)!

Happy Hunting:

=================================

Begin scan in ‘C:\’

C:\Documents and Settings\All Users\Application Data\kfwluzmr\afypazgp.exe

[DETECTION] Is the Trojan horse TR/Obfuscated.GX.577

[NOTE] A backup was created as ‘493e1a7c.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\Documents and Settings\Roger Rolper\Local Settings\Temp\163.tmp.exe

[DETECTION] Is the Trojan horse TR/Dldr.Zlob.wah

[NOTE] A backup was created as ‘48f81b36.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\Documents and Settings\Roger Rolper\Local Settings\Temp\164.tmp

[0] Archive type: RAR SFX (self extracting)

--> sav.exe

[DETECTION] Is the Trojan horse TR/Fake.UltimaAV.bh

--> sav.cpl

[DETECTION] Is the Trojan horse TR/FakeAV.BC.2

[DETECTION] Contains detection pattern of the dropper DR/FraudTool.MSAntivirus.V.1

[NOTE] A backup was created as ‘48f91b37.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\Documents and Settings\Roger Rolper\Local Settings\Temp\a.exe

[DETECTION] Is the Trojan horse TR/Drop.Zlob.waf

[NOTE] A backup was created as ‘492a1b31.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\Documents and Settings\Roger Rolper\Local Settings\Temp\b.exe.bak

[DETECTION] Is the Trojan horse TR/Obfuscated.GX.577

[NOTE] A backup was created as ‘4881845a.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\Documents and Settings\Roger Rolper\Local Settings\Temp\c.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[NOTE] The fund was classified as suspicious.

[NOTE] A backup was created as ‘492a1b32.qua’ ( QUARANTINE )

C:\Documents and Settings\Roger Rolper\Local Settings\Temp\file.exe

[DETECTION] Contains suspicious code HEUR/Crypted

[NOTE] The fund was classified as suspicious.

[NOTE] A backup was created as ‘49311b6f.qua’ ( QUARANTINE )

C:\Documents and Settings\Roger Rolper\Local Settings\Temporary Internet Files\Content.IE5\OXG6II6L\file[1].exe

[DETECTION] Contains suspicious code HEUR/Crypted

[NOTE] The fund was classified as suspicious.

[NOTE] A backup was created as ‘49311c37.qua’ ( QUARANTINE )

C:\Program Files\AntiMalwareGuard\amg.exe

[DETECTION] Is the Trojan horse TR/Fakealert.abf

[NOTE] A backup was created as ‘492c1db7.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\Program Files\DIGStream\digstream.exe

[DETECTION] Contains detection pattern of the SPR/Dldr.DigStream program

[NOTE] A backup was created as ‘492c1e00.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\Program Files\SAV\sav.cpl

[DETECTION] Is the Trojan horse TR/FakeAV.BC.2

[NOTE] A backup was created as ‘493b203d.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\Program Files\SecureExpertCleaner\Reminder.exe

[DETECTION] Contains detection pattern of the SPR/SecExpClean.A.1 program

[NOTE] A backup was created as ‘49322041.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1126\A0054947.cpl

[DETECTION] Is the Trojan horse TR/FakeAV.AR

[NOTE] A backup was created as ‘48f52075.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1139\A0056657.dll

[DETECTION] Is the Trojan horse TR/Zlob.waf

[NOTE] A backup was created as ‘48f520a1.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

C:\WINDOWS\system32\drivers\etc\hosts.20071029-122133.backup

[DETECTION] Is the Trojan horse TR/Qhost.MY.3

[NOTE] A backup was created as ‘4938236f.qua’ ( QUARANTINE )

[NOTE] The file was deleted!

======================================
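A log in this shape is quicker to triage once it is grouped per file, because the flat output hides which originals were only backed up (the HEUR hits) and which were actually deleted. The following is an added Python example, not code from the post or from Avira; it assumes only the line shapes seen above and uses a few of the post's own log lines as sample input.

```python
import re
from collections import Counter
# Sample input: an excerpt of the Avira log quoted in the post above
# (paths and .qua names are the page's own, trimmed to two files).
SAMPLE_LOG = r"""
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\164.tmp
[0] Archive type: RAR SFX (self extracting)
--> sav.exe
[DETECTION] Is the Trojan horse TR/Fake.UltimaAV.bh
--> sav.cpl
[DETECTION] Is the Trojan horse TR/FakeAV.BC.2
[DETECTION] Contains detection pattern of the dropper DR/FraudTool.MSAntivirus.V.1
[NOTE] A backup was created as '48f91b37.qua' ( QUARANTINE )
[NOTE] The file was deleted!
C:\Documents and Settings\Roger Rolper\Local Settings\Temp\c.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[NOTE] The fund was classified as suspicious.
[NOTE] A backup was created as '492a1b32.qua' ( QUARANTINE )
"""
SIG_RE = re.compile(r"\b((?:TR|DR|SPR|HEUR)/\S+)")      # signature name in a [DETECTION] line
BACKUP_RE = re.compile(r"A backup was created as '([^']+)'")
MEMBER_RE = re.compile(r"^-+> (.+)$")                    # "--> name" inside an archive/SFX

def parse_avira_log(text):
    """Group the flat log into one dict per scanned file (path, detections, quarantine, deleted)."""
    records, cur, member = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("Begin scan"):
            continue
        if line.startswith("[DETECTION]") and cur:
            m = SIG_RE.search(line)
            cur["detections"].append((member, m.group(1) if m else line))
        elif line.startswith("[NOTE]") and cur:
            m = BACKUP_RE.search(line)
            if m: cur["quarantine"] = m.group(1)
            elif "was deleted" in line: cur["deleted"] = True
        elif line.startswith("["):            # e.g. "[0] Archive type: ..." - informational only
            continue
        elif m := MEMBER_RE.match(line):      # archive member; detections below belong to it
            member = m.group(1)
        else:                                 # any other non-empty line is a new file path
            cur, member = {"path": line, "detections": [], "quarantine": "", "deleted": False}, None
            records.append(cur)
    return records

def triage(records):
    """Signature counts, plus files that were flagged but NOT deleted and need a manual look."""
    counts = Counter(sig for r in records for _, sig in r["detections"])
    leftovers = [r["path"] for r in records if r["detections"] and not r["deleted"]]
    return counts, leftovers
```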

Recent XP Antivirus 2008 Infections Stealing Data. Are You Protected?



I had probably one of the worst client calls of my career the other day. When I arrived at David’s house I immediately saw the XP Antivirus 2008 infection and thought…sweet, “I’ll be outta here in a few minutes”…boy was I ever wrong.

David had the latest generation of the XP Antivirus 2008 trojan…it’s a very nasty bundle of rogue antivirus and data stealing applications. David’s Quicken and TurboTax files were being uploaded to various sites around the world on a non-stop basis (until we yanked his ethernet cable out). How did I observe this? I used Process Monitor from Microsoft and my own network monitor.

David was just blown away and completely freaked out. I was too. I couldn’t believe how easy it is to steal and pass out someone’s identity and financial records.

I told David to sign up with the same identity protection service my wife and I use.  LifeLock.

LifeLock assures you that if your identity is ever stolen it’s pretty much useless, because the thieves can’t open any:

-loans in your name

-credit cards in your name

-basically anything in your name!!!

The moment they try, you’ll get a phone call on every phone you have registered with LifeLock. The LifeLock operator then asks you if you are trying to buy a car (for example)…you say “nope!”…then the car loan is halted and the thief looks pretty damn stupid :P

I’ll be promoting LifeLock on my blog because I really believe in it. 90% of my malware calls are related to identity theft in some fashion (rogue antivirus or data uploaders).

To finish the story…I removed XP Antivirus 2008 and all the other malware (such as the rootkit and data stealers) by using my bootable anti-malware disc.  Once the malware was removed David decided to buy KAV 2009 for future protection.

You may be curious to know that David was using McAfee…ouch.

Happy 35th To My Wife…Kay



Good Lord I just spent a ton of money…Happy 35 Kay!!!

AntiVirus 2008 XP - Path To Infection



First, don’t click on any emails claiming to be an update from MSN or Microsoft. MSN/Microsoft never sends emails about a “Free Update”. If you want to update your PC *always* go to Microsoft.com (NEVER click on any links in an email offering Windows updates).

Next, I did click on this link through one of my clean Virtual Machines.  Let’s see what happens, let us observe the path to infection!

1.  I received an email to my personal business account. SpamAssassin does not recognize it as spam and lets it on through.

2.  I click on the link. I can see the link takes me to a .swf (a Flash file) hosted at imageshack.com.

3.  As soon as the .swf loads (almost instantly) I am prompted to download install.exe. I choose to open the file (pretending I am an unsuspecting user seeking a Windows update).

4.  We are now presented with a license agreement for AntiVirus XP 2008, which we can only agree to.

5.  As soon as I agree, Antivirus XP 2008 is loaded almost instantly.

6.  Oh WOW! 2506 infections on a clean PC! Obviously a complete lie designed to scare people.

7.  …and if I try to uninstall it…oh, what a shock!  The uninstaller crashes.

8.  Well, I guess I’ll just remove those viruses. When I click the remove viruses button I’m sent to a website to purchase this fake antivirus program for $49.95.

Not only will I lose $49.95, but I’ll also give up my identity to an international ring of thieves!!!

More Greeting Card Malware



I was just checking my mail at remove-malware.com and someone was nice enough to send me e-card malware! I think I’m going to see what the .exe does in one of my clean virtual machines. I had 3 clients this week that opened this e-card.exe file. They didn’t get a cute card; instead they got XP AntiVirus 2008, misc droppers and a rootkit.

Never ever open any e-card; 90% of them are tricks.

greeting card malware

The People Have Spoken! Bit Defender Review Next



Many thanks to all who voted! I’ll be posting this Bit Defender review by this Sunday, August 31st (keep in mind it may be sooner; it just depends on my client load this week). Due to popular demand, Firefox will be demo’d in the reviews going forward (as well as IE).

A Weekend Of RootKits: Figaro.sys Rootkit



I took a few appointments this weekend and witnessed the same infection over and over again…Figaro.sys. The Figaro.sys rootkit is dropped in c:\windows\system32\drivers (on Vista) and on XP I’ve seen it in the DLLCACHE folder.

I don’t know exactly what it does but I can give you the symptoms:

  1. Random reboots
  2. Virtumonde drops
  3. Very slow logins

I removed Figaro.sys with Killbox (quick and dirty removal utility). ComboFix was run, however it DID NOT detect this rootkit. I should mention that detection was made possible via KAV 7.

Malware Being Advertised Through Adwords



Well, I just signed into my Gmail account and noticed this:

Do you see it???

“Free Antivirus XP 2008”…sad but true. I’m seeing XP Antivirus 2008 ads all over the place inside of Google related sites that use Adwords. In case anyone doesn’t know, XP Antivirus 2008 is rogue (fake) anti-malware designed to basically steal your money and identity. Let’s hope the Adwords team at Google can get rid of fraudulent advertisers.

Panda Antivirus CLOUD Review



I had a few requests to review Panda’s CLOUD technology, and so I did. The review is a two-parter.

Panda Antivirus 2008 Beta Review



FYI - I uploaded the Panda Antivirus review to YouTube: youtube.com/mrizos