OT: Web Page Virus Scam



Evan
05-17-2010, 07:35 AM
If you wind up at a web page that looks like this, shut down Internet Explorer using the Windows Task Manager. Hit Ctrl+Alt+Delete and select in turn each instance of Iexplore.exe in the processes list by right-clicking and selecting "End process". Agree and shut any other instance until the processes list shows no instances of Iexplore.exe.

This page is a scam and clicking on any of the buttons on it will cause it to install malware of some sort. For me it was very obvious the moment I saw it come up since I use the Windows 2000 theme, not the XP theme that the web page shows. There are also small but very important spelling and grammatical errors that are a 100% clue that this has nothing to do with the operating system.

http://ixian.ca/pics7/vscam.jpg

coldformer
05-17-2010, 07:46 AM
I run Firefox and Windows Defender and I ran into the same thing, so it's not just Internet Explorer.

KiddZimaHater
05-17-2010, 08:33 AM
I'm glad English is the hardest language to learn.
The butchered grammar is a dead giveaway to most scams.:)

Ken_Shea
05-17-2010, 08:36 AM
Curious, how did you guys get to this page in the first place?

S_J_H
05-17-2010, 08:41 AM
I see those scams all the time. I must not be visiting very nice websites.:D
They are a PITA. It does make me wonder how many people fall for it though.

Steve

Evan
05-17-2010, 08:43 AM
I was searching for an image of the Exxon Valdez oil spill using Google images. There was nothing to give a clue that the site was malicious. The site is now down so I presume it was hacked and has been shut down.

Paul Alciatore
05-17-2010, 09:37 AM
But the malefactors will surely have hundreds or even thousands of other sites trying to do the same thing, and are opening up more each day. I try not to trust anything of that nature if I have not specifically typed the address myself.

Another example of the value of a good education. Proper grammar and spelling are not optional. And it appears to be a good idea to alter your color scheme.

Thanks Evan for the warning.

tlfamm
05-17-2010, 11:22 AM
I was nailed by that thing about two months ago - and it seems that by the time the fake anti-virus popup was displayed, my system was already infected. And I use Firefox and SeaMonkey; I doubt that any conventional browser can defend against a site infected with the latest crop of viruses.

Norton Anti-Virus was _completely_ useless, not even recognizing that my system was infected. (What am I paying for?)

Malwarebytes (free) was partially successful, but could not prevent reinfection on reboot, even when used in safe mode.

I finally resorted to ComboFix, and that successfully disinfected my system.

See documentation here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

And despite the cheesy-sounding site name, the software is completely legitimate (and free). But it is wise to be wary: the best way to get a virus disseminated is to hack a site distributing anti-virus tools.
--------------------------------------------------------------------

Obviously there is a war of escalation between the virus writers and the anti-virus writers - so I imagine Norton Antivirus has been updated to detect the particular strain of virus I had - but by now the virus authors have also modified their 'product'. Is a Medieval punishment too good for those folks?

Evan
05-17-2010, 01:46 PM
and it seems that by the time the fake anti-virus popup was displayed, my system was already infected.

That is possible.


Norton Anti-Virus was _completely_ useless, not even recognizing that my system was infected. (What am I paying for?)



That is why I don't bother with any antivirus software. Instead I turn off the various services that I do not need and that are the most common sources of vulnerabilities that the malware targets. I also don't run a firewall since that also invokes the Internet Connection Sharing function. I have the Windows Security Centre totally disabled. Automatic Updates are disabled.

This is what I have disabled in my system. For a single-user system on a home network it has no effect on the functionality of my computer other than turning off the help system and disabling NetMeeting.

http://ixian.ca/pics7/services.gif

S_J_H
05-18-2010, 09:22 AM
Son of a Biatch. I got attacked by a version of this malware yesterday and before I knew it, it was in my system. Very aggressive malware. It is fast and makes it difficult to open System Explorer (which I like better than Process Explorer) http://systemexplorer.mistergroup.org/
In System Explorer I can watch it spread quickly in the PC and as soon as I end it, it restarts very quickly.
I can not open System Restore, which makes it hard to kill, and it also prevents opening any Windows security files.
I can find and quarantine it in safe mode, but I still can't get into System Restore settings to disable System Restore. So the PC is still infected on restart.

This may be the worst spyware/ malware I have come across.:mad:
I really do love my new iMac. Never have to deal with this crap.

Steve

gnm109
05-18-2010, 11:05 AM
Son of a Biatch. I got attacked by a version of this malware yesterday and before I knew it, it was in my system. Very aggressive malware. It is fast and makes it difficult to open System Explorer (which I like better than Process Explorer) http://systemexplorer.mistergroup.org/
In System Explorer I can watch it spread quickly in the PC and as soon as I end it, it restarts very quickly.
I can not open System Restore, which makes it hard to kill, and it also prevents opening any Windows security files.
I can find and quarantine it in safe mode, but I still can't get into System Restore settings to disable System Restore. So the PC is still infected on restart.

This may be the worst spyware/ malware I have come across.:mad:
I really do love my new iMac. Never have to deal with this crap.

Steve


I'm still not buying an Apple. It's nothing personal. My old boss liked them and tried to get me to buy one for ten years.

I got hit by that virus about two years ago. I basically ruined my hard drive. It shut off the ability to use CDs so I could never even access the HD. I just replaced it. I know, I know, HDs are usually recoverable. Well, this one wasn't. It met Mr. Hydraulic Press after I wasted a month trying to fix it.

Evan's got the right idea. Shut everything off. I think my server has some sort of firewall since I never get spam anymore but I never, ever open attachments from unknown sources.

Evan
05-18-2010, 11:45 AM
I should mention that visiting that web page did NOT infect my system. The security measures I use go to the heart of the problem by disabling the "features" in Windows that are the main vulnerabilities. Perhaps the biggest one is the Universal Plug and Play system. That isn't related to the regular Plug and Play and turning it off has no effect on your computer's ability to detect new hardware. It is a network function only and is a giant hole into the OS for anything that can access your network.

S_J_H
05-18-2010, 09:35 PM
Holy cow! I just got rid of it. It was a little different than the one Evan posted screen shots of.
This thing disabled all access to Windows security and System Restore files on a normal startup and in safe mode. Most system files I tried to open would open and then close within a 1/2 second or not open at all. Task Manager function was shut down.
It changed my internet connection settings to a proxy server and the only web site I could visit was the scamming anti-virus website.
Several times I caught it with my spyware remover but since I could not disable System Restore it was right back on startup.

Never seen anything this aggressive.
It somehow changed my user account password as well.
I finally realized it seemed to pause the attack when I visited the site and hit the buttons to purchase it, like they obviously are hoping people will do. Makes sense because they can't make any money if the bamboozled person's PC is still going haywire.
After doing that I caught it again, shut down to safe mode and started the Last Known Good Configuration. It was then neutralized.
Time for me to rethink my spyware and virus strategies, I guess.

Steve

gnm109
05-18-2010, 09:59 PM
Holy cow! I just got rid of it. It was a little different than the one Evan posted screen shots of.
This thing disabled all access to Windows security and System Restore files on a normal startup and in safe mode. Most system files I tried to open would open and then close within a 1/2 second or not open at all. Task Manager function was shut down.
It changed my internet connection settings to a proxy server and the only web site I could visit was the scamming anti-virus website.
Several times I caught it with my spyware remover but since I could not disable System Restore it was right back on startup.

Never seen anything this aggressive.
It somehow changed my user account password as well.
I finally realized it seemed to pause the attack when I visited the site and hit the buttons to purchase it, like they obviously are hoping people will do. Makes sense because they can't make any money if the bamboozled person's PC is still going haywire.
After doing that I caught it again, shut down to safe mode and started the Last Known Good Configuration. It was then neutralized.
Time for me to rethink my spyware and virus strategies, I guess.

Steve


When I got it in my HD, I was unable to get into safe mode to restore to an earlier point. It's bad.

S_J_H
05-19-2010, 01:54 AM
Found it on www.Bleepingcomputer.com (the site to go to for malware knowledge of all sorts).
It's known as ransomware.
The basics -
What this program does:

Antispyware Soft is a rogue from the same family as Antivirus Soft and Antivirus Suite. This rogue is promoted through malware that will install the program on to your computer without your permission or knowledge. In fact, when the program is installed it will stay running in the background and perform no actions until some later date when it then starts to display its warnings and program screen. This program is also configured to start automatically when Windows loads, and once running, will scan your computer and state that your computer has numerous infections. If you try to remove any of these infections, though, the program will not allow it until you purchase the program. This is a scam, as the infections this program displays do not actually exist on your computer. Instead they are being shown to scare you into purchasing it.

While Antispyware Soft is running it will also block the majority of programs from running on your computer. When you attempt to run them, it will display a warning stating that the program is infected and then terminate it. The message you would see is:

Windows Security Alert
Application cannot be executed. The file cmd.exe is infected. Do you want to active your antivirus software now?

It blocks programs in order to protect itself from being removed.

While running it will also display fake security alerts stating that active infections have been found or that a remote computer is attacking yours. The text of these alerts is:

Windows Security alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Antivirus software alert
Infiltration Alert
Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan - dropper or similar.
Details
Attack from: IP Address, port 39096
Attacked Port: 30516
Threat: Win32/Nuqel.E

Last, but not least, the program will also configure your computer to use a proxy server for its Internet connection. This proxy server will not allow you to connect to any sites, but will instead display a warning stating that the site is malicious and that you should purchase Antispyware Soft to protect yourself. All of these warnings and infection messages should be ignored as they are false and just being shown to scare you into purchasing the software.

Without a doubt, Antispyware Soft was created to scam you out of your money by trying to convince you that you are infected. It goes without saying that you should not purchase this software, and if you already have, you should contact your credit card company and dispute the charges. To remove Antispyware Soft and any associated malware, please follow the removal guide below.

Further info and removal instructions- www.bleepingcomputer.com/virus-removal/remove-antispyware-soft

It's no fun to have or remove.:cool:
Steve
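The description above says the rogue points the Internet connection at a proxy so that only its own site loads. The following is an added defender-side check, not code from the thread or from BleepingComputer: it reads the per-user WinINET proxy values (ProxyEnable, ProxyServer, AutoConfigURL, which are the standard value names under the Internet Settings key), flags anything unexpected, and only clears it when run with -Reset. The -ExpectedProxies list is a placeholder for a proxy your network genuinely uses; on a home machine it is normally empty.

```powershell
# Added example: audit (and optionally reset) the per-user proxy settings
# that a rogue like the one described above is reported to hijack.
param(
    [switch]$Reset,                   # clear a hijacked proxy instead of only reporting it
    [string[]]$ExpectedProxies = @()  # placeholder, e.g. 'proxy.example.local:8080' if you really use one
)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p   = Get-ItemProperty -Path $key

$enabled = ([int]$p.ProxyEnable) -eq 1
$server  = [string]$p.ProxyServer
$pac     = [string]$p.AutoConfigURL

Write-Host "ProxyEnable  : $enabled"
Write-Host "ProxyServer  : $server"
Write-Host "AutoConfigURL: $pac"

# Patterns worth flagging on a machine that should have no proxy at all:
#  - any enabled proxy that is not on the expected list
#  - a proxy on the local machine (the rogue intercepts traffic locally)
#  - a PAC URL that is not an http(s) URL, i.e. a script dropped on disk
$suspicious = $false
if ($enabled -and $server -and ($ExpectedProxies -notcontains $server)) { $suspicious = $true }
if ($enabled -and $server -match '(^|=)(127\.0\.0\.1|localhost):')     { $suspicious = $true }
if ($pac -and $pac -notmatch '^https?://')                              { $suspicious = $true }

if (-not $suspicious) {
    Write-Host 'Proxy settings look normal.'
    return
}

Write-Warning "Unexpected proxy configuration: server='$server' pac='$pac'"
if ($Reset) {
    # Restore direct connections; removing the values is what the Internet
    # Options dialog does when you untick "Use a proxy server".
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    Write-Host 'Proxy cleared; restart the browser for the change to take effect.'
} else {
    Write-Host 'Run again with -Reset to clear it.'
}
```

Note that clearing the proxy only restores connectivity; it does not remove the program that set it, which is what the removal guide linked above is for, and a rogue that is still running can simply write the values back.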

dp
05-19-2010, 02:21 AM
I love Unix. This thread has been a conversation I never have. But I feel your pain.

There is some good news for the pro-active out there. The VMware "Player" program which is free, is now capable of creating virtual machines from scratch. This means you can download Player and install it, then jack in your Windows DVD and install a second copy on your system.

The second copy, the virtual machine, is the one you would run when hitting the internet. If it gets infected you drag the vm to your host OS's trash can and copy in a new vm from your backup DVD. You save time, you don't care about viruses anymore (very Mac-like experience), and no more worrying about corrupting your hard disk.

http://www.vmware.com/products/player/

Your host machine can be Windows or Linux, and your virtual machines can be pretty much anything, but most people use Windows as the vm as well as the host.

Spin Doctor
05-19-2010, 06:56 AM
I got hit by this last January. Malwarebytes took care of the problem. But then when I was listening to the Super Bowl on the radio I heard an ad for Internet Security. Talk about big brass ones.

bmw625
05-19-2010, 10:14 AM
Had this happen a few days ago myself. VERY aggressive indeed!
brent

Tony Ennis
05-19-2010, 10:39 AM
Virtual Machines are the coolest thing evah, but you need a fairly beefy computer to run one successfully. Web developers frequently run the browser, database, and web server on separate VMs to better simulate the production system and to test deployment procedures.

dp
05-19-2010, 11:21 AM
Virtual Machines are the coolest thing evah, but you need a fairly beefy computer to run one successfully. Web developers frequently run the browser, database, and web server on separate VMs to better simulate the production system and to test deployment procedures.

If you're just surfing the web and doing email, which is the pattern for a great many home users, then any modern system will work. I do everything on a Mac laptop, for example. 2G ram, 32-bit dual core cpu.

Where I work we have hundreds of virtual machines running as web servers and back end systems. Our databases run on stand-alone clustered systems (8-core Linux). My desktop workstation is a Dell OptiPlex 760 - a low-end Windows PC, and I run Player on it so I can have Linux (in a vm) as my primary OS. I'm a Unix admin. Windows is used for email and calendaring only.

I never use the Windows browser to visit sites outside our own network. For that I use the Firefox browser in Linux, and it is directed to use a proxy that filters out adverts, google analytics, and most other annoyances I find on the web.

Here's the win7 "experience" for my Mac Laptop's vm:

http://metalworkingathome.com/images/win7perf.png

kc5ezc
05-19-2010, 12:08 PM
This means you can download Player and install it, then jack in your Windows DVD and install a second copy on your

Dennis: Hate to appear stupid, but does "jack in your Windows DVD" mean to load/run the DVD?
Sorry to be so ignorant of computer terms, but the language is a bit hard for me to understand. You IT professionals seem to have an idiom all your own.... Just like other professions, I suppose.
Thanks for the information on using VMplayer.

dp
05-19-2010, 01:20 PM
This means you can download Player and install it, then jack in your Windows DVD and install a second copy on your

Dennis: Hate to appear stupid, but does "jack in your Windows DVD" mean to load/run the DVD?
Sorry to be so ignorant of computer terms, but the language is a bit hard for me to understand. You IT professionals seem to have an idiom all your own.... Just like other professions, I suppose.
Thanks for the information on using VMplayer.

Yessir. Start Player, insert your Windows install CD/DVD into the drive, and install the OS as a virtual machine.

VMware also has a free tool that will convert a running physical system to a virtual system so you basically clone a running box, including all the installed software, and run it as a virtual machine.

Virtual machines can also be copied between machines - your Windows virtual machine can then run on a Linux host, a Mac, or another Windows host. This ability to copy is at the heart of recovering from a virus infestation.

I keep three virtual machines on a thumb drive I carry around in my pocket.