Every week I remove viruses from Windows computers. Here’s a common scenario:

Someone gets a fake alert like this and realizes that they have a virus.

When they call me, I tell them to turn off the computer. This is because a virus can continue to inflict more damage. It can install [...]]]> Viruses Abound

Every week I remove viruses from Windows computers. Here’s a common scenario:

Someone gets a fake alert like this and realizes that they have a virus.

When they call me, I tell them to turn off the computer. This is because a virus can continue to inflict more damage. It can install other viruses and even encrypt your hard drive to hold your data hostage to demand a $200 ransom. Turning off a computer stops whatever the virus is doing.

Use a Live Rescue CD

The first thing I do with the computer is boot into a Live CD to search for viruses. Typically the computer displays the key to press for boot options. It is usually one of these: F1, F2, , F10, F12 or Del. The computers may be set up to boot from the CD if one is available.

By booting into another operating system, you keep the virus from running, inflicting damage, and actively thwarting virus scans. The Live CDs I use include:

• Kaspersky Rescue Disk
• AVG Rescue CD
• Bitdefender Rescue CD
• Avira AntiVir Rescue System

Lately, I have found Kaspersky Rescue Disk to be the most effective. This approach also works from a USB stick if the computer’s BIOS supports booting from USB.

Update Virus Definitions

Because new viruses are out all the time, it’s best to update the virus definitions. This is done by connecting the computer to the Internet by an ethernet cable if your Live CD supports it.

Scan for Viruses

Kaspersky typically finds viruses like this, a trojan named Packed.Win32.Katusha.o.

Boot Computer and Fix Internet Redirects

Boot the computer, then check for a Proxy setup in Internet Explorer’s Connection Settings. If there is one, disable it by changing to automatic settings. Similarly, check your network connection properties for IPv4 TCP/IP. Often you will see something like this, which should be changed to automatic settings.

Install Microsoft Security Essentials

There are a lot of decent Antivirus programs, but I like Microsoft Security Essentials because it finds viruses, is lightweight, and is free without nagware.

Other Things To Do

If there are still problems, other things that can be done:

• Install Malwarebytes Antimalware or other antivirus software if you still suspect problems. You should not typically run multiple antivirus programs at once.
• Boot into Safe Mode (F8 key at computer startup) to make system changes if you suspect that there is still an active virus. Or try another Live Rescue CD.
• Uninstall unused or virus-installed programs, available in Control Panel – Uninstall a Program.
• Remove startup items from Programs – Startup folder. You can also remove startup items by typing msconfig into the Start or Run box.
• Give up on system. Wipe the hard drive and reinstall the operating systems and programs. Sometimes this is the only remaining option if the operating system has been severely compromised. By pulling the drive and connecting to another computer as a peripheral drive, you can backup the data.

Run Windows Update

By running Windows Update and installing all the service packs, you are applying security patches and reducing the likelihood of getting viruses in the future.

Conclusion

Viruses can be scary and destroy your data. These steps can help, but once you have a virus, there are no guarantees. An infected computer is owned by the virus folks.

Therefore, in addition to protecting your computer, you should have backups of your important files such as photos or financial documents. If you have sensitive data, it can be encrypted with TrueCrypt or other tools.

Much of the report covers recent botnets. Botnets start when a virus infects a computer, either through spam or an infected web page. [...]]]> The Microsoft Security Intelligence Report (SIR) outlines PC security threats and is based on data captured by Microsoft. Here is a download to the latest volume, covering the first half of 2010.

Much of the report covers recent botnets. Botnets start when a virus infects a computer, either through spam or an infected web page. The virus puts the Windows machine under the control of the botnet, typically run by criminal syndicates. The report explains how criminals use and share your information.

Viruses are on the rise. In the three months between April and June 2010, Microsoft cleaned up more than 6.5 million infections, twice as much as the same period in 2009.

This chart shows the number of computers cleaned by Microsoft, listed by country.

This map illustrates the percentage of computers infected in particular regions. The infection rate was highest in South Korea where 14.6 out of every 1000 machines were found to be enrolled in botnets.

Stay Safe

As always, be sure to run Windows Updates and some form of Anti-virus. I prefer the free Microsoft Security Essentials, which I find to be just as effective but less of a memory hog than anti-virus by Symantec or McAfee.

Or you can just use a Mac which has had almost no threats. The only real-world attack that I know of for the Mac was a Trojan-infected version of Apple iWork that you would get from a pirated torrent download site. Besides that, the only Mac threats have been proof-of-concept attacks developed by researchers but never used.

Other fake emails are trying to infect your computer with a [...]]]> Be careful of fake emails pretending to be from your bank or shopping sites. Many are phishing scams trying to get your personal information. To avoid those scams, it’s best to go directly to the site instead of clicking to the site from an email.

Other fake emails are trying to infect your computer with a virus. This fake email with a shipping alert has been making the rounds lately:

Subject: Shipping Notification

Message Body:

Shipping Notification Thank you for shopping with us. We look forward to serving you again.

The following is your receipt. Please retain a copy for your records.
Qty  Item no  Description  Price  S&H  Tax  Return
Code
1 FC864-2038B Msg Drma7303 White 650.99 6.95 3.37 ____

Merchandise total 650.99
Shipping and handling 6.95
Tax on mdse 6.75% 3.37
Invoice total 706.31

Welcome to the convenience of shopping JCPenney Catalog

Doing a web search, we confirmed that this was malicious from Cisco Security:

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a shipping notification attachment for the recipient.  The text in the e-mail message instructs the recipient to open the attached file to view the notification.  However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the targeted system with malicious code.

E-mail messages that are related to this threat (RuleID2979) may contain the following files:

Shipping Notification.zip
Shipping Notification.exe

Microsoft just came out with a beta of their next version, Microsoft Security Essentials 2.0 featuring:

The Atlantic Monthy magazine has a great article titled The Enemy Within on the history of Conficker and where we are now. It’s a fascinating read for both technical security buffs and non techies.

It starts:

The Enemy Within by [...]]]> I have mentioned several times that Conficker is considered the most dangerous virus to date.

The Atlantic Monthy magazine has a great article titled The Enemy Within on the history of Conficker and where we are now. It’s a fascinating read for both technical security buffs and non techies.

It starts:

The Enemy Within by Mark Bowden

When the Conficker computer “worm” was unleashed on the world in November 2008, cyber-security experts didn’t know what to make of it. It infiltrated millions of computers around the globe. It constantly checks in with its unknown creators. It uses an encryption code so sophisticated that only a very few people could have deployed it. For the first time ever, the cyber-security elites of the world have joined forces in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat them. The cops are failing. And now the worm lies there, waiting …

Image credit: Alex Ostroy

How to Remove XP AntiSpyware [...]]]> Gina Trapani wrote up a great article on the infamous Antispyware 2009 and how to get rid of it. This software pretends to be legitimate antivirus software, but is itself a virus. There are many variants of the software and I wrote about one of them called Antivirus XP 2008.

How to Remove XP AntiSpyware by Gina Trapani

It’s been a long time since I’ve had to deal with a malware-laden PC, but my long streak of luck ran out this weekend when a family friend–who describes himself as computer illiterate–called. “Every time I try to do anything on the computer,” he told me, “I get a message saying it’s infected, and I have to pay $69 to clean it, but I tried to do that and I couldn’t.” He couldn’t even navigate to the Mozilla site to download Firefox; Internet Explorer was completely hijacked.

Read the rest of How to Remove XP AntiSpyware

Blurb from Microsoft:

Early tests show MSE to be very [...]]]> Microsoft officially released Microsoft Security Essentials (MSE) today. It is a free tool to protect your computer from malware, viruses, spyware, rootkits, and trojans. Unlike the previously released Microsoft Malicious Software Removal Tool (MSRT), MSE runs all the time and actively searches for threats.

Blurb from Microsoft:

Early tests show MSE to be very effective at catching threats. It updates itself automatically and without hassle.

It takes over all antivirus functions and is recommended to be run as the ONLY antivirus software on a computer. You should not run it alongside other popular software such as Norton Antivirus, McAfee, or AVG. Presumably this would cause the antivirus software to fight it out on your computer, hurting system resources and confusing one antivirus program, for example, when it finds a virus in the other antivirus’ quarantined vault.

I recommend this for all Windows computers: Windows XP, Vista, and 7.  The only exceptions are pirated versions of Windows since MSE requires Windows Genuine Advantage to run and make sure that your copy of Windows is legit.

MSE has a small footprint with low minimum requirements:

• For Windows XP, a PC with a CPU clock speed of at least 500MHz and at least 1GB of RAM
• For Windows Vista and Windows 7, a PC with a CPU with clock speed of at least 1.0GHz and at least 1GB of RAM
• VGA (display): 800×600 or higher
• Storage: 140MB of available hard-disk space
• An Internet connection is required for installation and to download the latest virus and spyware definitions

The Conficker worm has started to update infected machines with a mystery package of data.

Computer security firms watching the malicious program noticed that it sprang into life late on 8 April.

The activity on [...]]]> The BBC has an article on Conficker, the virus that everyone seemed to think passed us by on April 1st.

The Conficker worm has started to update infected machines with a mystery package of data.

Computer security firms watching the malicious program noticed that it sprang into life late on 8 April.

The activity on its update system delivered encrypted software to compromised machines. It is not yet clear what the payload contains.

The Conficker virus variants are thought to be present on millions of PCs around the world.

Spam connection

The updating activity has begun about a week later than expected. Analysis of the “C” variant of Conficker (aka Downadup) revealed that its updating mechanism was due to go live on 1 April.

The belated updates were spotted by researchers for Trend Micro following the arrival of a new file in one of the directories in so-called “honeypot” machines deliberately seeded with Conficker C.

Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate.

In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the C variant. Exact figures for the number of Conficker-infected machines are hard to determine, but the minimum is widely believed to be three million.

“The Conficker/Downad P2P communications is now running in full swing,” wrote Ivan Macalintal from Trend Research on the company’s security blog.

Once it arrives on a machine, the package of data randomly checks one of five different websites – MySpace, MSN, eBay, CNN and AOL – to ensure its host still has net access and to confirm the current time and date.

Following this check the data package removes all traces of its installation.

The strong encryption on the payload has, so far, prevented detailed analysis of what it actually does. However, security experts speculate that it is a “rootkit” that will bury itself deep in Windows in order to steal saleable data such as bank website login details.

Security researchers are continuing to analyse the payload to get a better idea of what it is intended to do.

Symantec said it too had noticed the increased activity of Conficker and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.

The security firm noticed that the update also included an instruction to the worm to remove itself on 3 May, 2009. However, the Waledac imposed backdoor on the machine will remain open, so its creators can still control compromised PCs.

An Arlington, VA client was recently infected by that Antivirus 2009 malware. It has been the most pernicious malware that I have seen recently, [...]]]> Microsoft recently reported that their Malicious Software Removal Tool (MSRT), which was included in Windows Updates on December 9, 2008, has now removed over 400,000 copies of the nefarious “Antivirus 2009″.

An Arlington, VA client was recently infected by that Antivirus 2009 malware. It has been the most pernicious malware that I have seen recently, as most users can be tricked into installing it. Many fake sites exist that you might find during a normal web search. The sites appear to be a standard Windows Control Panel page which pretends to search for and find viruses. If you click “Ok” or “Remove All” you will be infected.

It will eventually take away all administrative rights from you and ask for your credit card to update and remove the viruses. Of course, it never removes anything, but instead gives your credit card info to the bad guys to use as they wish. Your computer is also a zombie ready to do whatever they ask of it.

The problem is that the dialog boxes and alerts look just like legitimate ones that might appear from Microsoft. See the fake Antivirus 2009 alert above.

I mentioned another variant of this malware called Antivirus XP 2008 in an earlier post.

While there are other tools you could use, Microsoft’s Malicious Software Removal Tool (MSRT) is a real solution that will remove and protect the computer from this Malware. It is available as a critical update from Microsoft.

It is not always apparent how to run Microsoft’s Malicious Software Removal Tool (MSRT). If you have it installed, you can just go to Start – Run and they type mrt

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta. Mr. Stewart, who has determined that [...]]]> This NY Times article talks about how a gang in a Russian town is using Microsoft administrative tools to infect private and government computers. A few excerpts:

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta. Mr. Stewart, who has determined that the gang is based in Russia, was able to locate a central program controlling as many as 100,000 infected computers across the Internet.

The system infects PCs with a program known as Coreflood that records keystrokes and steals other information.

“The great thing about this system is that from one computer it is possible to push out updates to all machines in a corporate network at once,” Mr. Stewart said. “This is a useful tool that Microsoft has provided. However, the bad guys said, ‘We’ll just use it to roll out our Trojan to every machine in the network.’ ”

The gang then uses the passwords to access your bank account and transfer out money. Scary stuff.

This only affects Microsoft operating systems, so Macs are safe. In order to protect PCs, I suggest using:

• hardware firewall (included in routers)
• Windows Vista or XP with Service Pack 3 (latest)
• Anti-virus software such as AVG Free or Avast.

If you get infected by something like this Coreflood virus, you should do a complete re-install of your system.