Tuesday, June 15, 2010

Fake virus scanners which are really viruses

My work has been getting a blizzard of viruses sent by email recently. It's not a problem, as we just block them at the firewall, but the intensity is a bit daunting.

They are all of the same flavor.
The attachment is a very obscurely written piece of JavaScript (sometimes base64-encoded). If a Windows user opens it, the browser goes off to a site that has been compromised and hosts the actual malware; the JavaScript is just the trigger. The payload is then downloaded and installed. The redirect itself does not depend on the user's privileges, but if the user is running with administrative rights the installer can put itself wherever it likes and tamper with the system's own defenses.

In the case I've seen, it installs a fake virus scanner that claims to find a long list of nonexistent infections, and for about $50 you can buy the "license key" that makes them go away. If you don't pay up, the computer keeps popping up a million warning windows and pretty much won't let you do anything. Symantec and other real virus scanners are disabled and Task Manager won't run. We call this "ransomware" (today this kind of fake scanner is more often called rogue antivirus or scareware, and "ransomware" usually means malware that encrypts your files, but the extortion model is the same).

One of these little creatures calls itself Protection Center, a name borrowed from a legitimate Microsoft product; it is not from Microsoft. You can see a picture of it here:
http://www.spywares-remove.com/remove-protection-center-protection-center-removal-help

The best way to deal with it is to reboot into Safe Mode (restart and press F8 repeatedly before Windows starts loading), where most of the malware's autostart hooks don't fire, and then run a virus scan. A faster way is to use msconfig (System Configuration; it is an .exe, not an .msc snap-in) to find its startup entry, then delete the executable and the associated registry keys by hand, but that takes more know-how. Bear in mind that once something like this has run with administrative rights, a clean scan is not proof it is gone; reimaging the machine is the only way to be sure.

While it's actually a very interesting virus, I don't understand it well enough to really expound on it: most of it is non-functional crud, and the web addresses are padded with extra characters that are stripped out at the last second. It is heavily obfuscated, but with a little effort you can read it. There is an excellent analysis of it here:
http://garwarner.blogspot.com/2010/06/more-twitter-spam-html-attached-threats.html

If you have a copy of the base64-encoded attachment, you can run it through a base64 decoder (preferably an offline one, so you are not uploading live malware to a third-party site) and then work through the resulting JavaScript. What you're looking for is the line that builds the web address: typically a string stuffed with junk characters, followed by a replace() call that strips them out just before the browser is redirected. Once I figured out where it was going I stopped, but the above link goes further.
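As an added example (my own script, not code from the original post or from the malware), here is a small Python tool that does those two steps offline: it base64-decodes the attachment and then statically works out the address the JavaScript builds, by folding string concatenation and applying any replace() call it finds to the script's string literals. Nothing in the sample is executed. The embedded attachment is constructed to imitate the trick described above, not a real sample, and example.invalid is a reserved name that never resolves.

```python
import base64
import binascii
import re

# Constructed sample, NOT a real attachment: it mimics the two tricks the post
# describes -- a base64-wrapped script, and a web address padded with junk
# characters that a String.replace() strips out at the last moment.
# example.invalid is a reserved name that never resolves.
SAMPLE_JS = r"""
var a = "ht#tp#://#exa#mpl#e.i#nva#lid" + "/tr#ack#er/#go.#php";
var b = a.replace(/#/g, "");
document.location = b;
"""
SAMPLE_ATTACHMENT = base64.b64encode(SAMPLE_JS.encode()).decode()

# A JavaScript string literal assigned to a variable:  var x = "...";
LITERAL_RE = re.compile(r'var\s+(\w+)\s*=\s*(["\'])(.*?)\2\s*;')
# "..." + "..." with the same quote style; folded into one literal below.
CONCAT_RE = re.compile(r'(["\'])\s*\+\s*\1')
# x.replace(/pattern/flags, "replacement")
REPLACE_RE = re.compile(
    r'\.replace\(\s*/(?P<pat>(?:\\/|[^/])+)/(?P<flags>[gim]*)\s*,\s*'
    r'(?P<q>["\'])(?P<rep>.*?)(?P=q)\s*\)')
URL_RE = re.compile(r'https?://[^\s"\'<>()]+')


def decode_attachment(b64_text: str) -> str:
    """Base64-decode the attachment body. Raises ValueError on non-base64
    input so a mangled or truncated sample is reported, not silently misread."""
    compact = "".join(b64_text.split())  # mail clients wrap base64 lines
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"attachment is not valid base64: {exc}") from exc
    return raw.decode("utf-8", errors="replace")


def extract_urls(js: str) -> list[str]:
    """Static deobfuscation: fold literal concatenation, apply every replace()
    call in the script to every string literal, and collect whatever then
    looks like a URL. The script is never evaluated."""
    folded = CONCAT_RE.sub("", js)
    literals = [val for _, _, val in LITERAL_RE.findall(folded)]
    replaces = []
    for m in REPLACE_RE.finditer(folded):
        flags = re.IGNORECASE if "i" in m.group("flags") else 0
        # Without /g, JavaScript replaces only the first match.
        count = 0 if "g" in m.group("flags") else 1
        # Simple JS regexes (literals, character classes, alternation)
        # are also valid Python regexes; exotic ones would need translating.
        replaces.append((re.compile(m.group("pat"), flags),
                         m.group("rep"), count))
    found: list[str] = []
    for val in literals:
        cleaned = val
        for rx, rep, count in replaces:
            cleaned = rx.sub(rep, cleaned, count=count)
        for url in URL_RE.findall(cleaned):
            if url not in found:
                found.append(url)
    return found


def analyze(b64_text: str) -> list[str]:
    """Decode an attachment and return the addresses its script builds."""
    return extract_urls(decode_attachment(b64_text))


if __name__ == "__main__":
    for url in analyze(SAMPLE_ATTACHMENT):
        print("redirect target:", url)
```

Paste the attachment's base64 text in place of SAMPLE_ATTACHMENT and the script prints the address the JavaScript would have sent the browser to, which is exactly the line the post says to look for. Pattern matching like this only handles the string-padding trick; heavier obfuscation (eval() of computed strings, character-code arithmetic, unescape() chains) needs a sandboxed JavaScript interpreter, never a real browser.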

As with most things it's better to prevent it from happening in the first place.

Prevention
If you are a Windows User:

- Don't click on weird links or attachments
- Run as an unprivileged, non-administrative user
- Disable the Java plugin in your browser. Note that Java is not JavaScript: the trigger in these attachments is JavaScript, which you will usually want to keep on; disabling the Java plugin blocks the Java exploits that compromised landing pages commonly use to get the payload onto the machine.
  Firefox 3.0.6: Tools > Options, click on Content and uncheck Enable Java
  SeaMonkey 2.0.4: Edit > Preferences, click on Advanced and uncheck Enable Java
  Internet Explorer 8.0.6001: Tools > Internet Options, click Programs, click Manage Add-ons, click on Java and click Disable (along with any associated Java add-ons).
