Saturday, March 06, 2010

Warning: Popular Photo Site IZIsmile.com Is Hosting Malware

If you ever visit the photo site IZIsmile, be warned that it appears to be hosting some pretty nasty malware this morning. One of the virtual machines I use to surf was pwnt (infected) this morning and the sequence of events went something like this.
  • The instant I visited the site (using Firefox), Adobe's Acrobat Reader crashed, but not before shellcode was able to download, install and run two programs
  • A fake "Antivirus XP 2010" (av.exe) began running, which closely resembled the Microsoft Security Center
  • It pretended to identify dozens of threats while scanning the VM
  • It disabled Avast antivirus, which was running on the VM
  • It changed the ".exe" file association to point to it first (the Control Panel's Folder Options, File Types), so it would try to start itself anytime a program ran
  • It started a twin keep-alive program, which would occasionally check to see whether av.exe was still running (say, if you closed it using Task Manager), and restart it if it had been closed
  • It added some registry settings to Internet Explorer and Firefox to ensure that each time these programs were started, it was also kicked off
It's a pretty nasty little piece of work, though it could have been much worse.

Its real goal is to pretend to identify all kinds of threats, at which point it tries to force you to purchase the "antivirus" cure.

If you do get infected, be aware that the av.exe file is secreted away pretty well in your local user "Documents and Settings" folder.

cd "c:\Documents and Settings\jsmith\Local Settings\Application Data\

rem Now "unhide" the 'av.exe' file...

attrib av.exe -h -s -r

rem Rename it to render it useless...

ren av.exe av._x_

rem Move up two levels in the folder structure...

cd ..\..

rem Now rename the "keep-alive" helper program

ren *.exe *._x_

rem Now reboot and run Antivirus to clean up

Sophos has written extensively about the fake antivirus phenomenon.


4 comments:

fboness said...

The real problem here is Adobe.

directorblue said...

And IE6, and Flash, and Office file formats... etc., etc.

SteveBrooklineMA said...

I have gotten this a few times recently. It's awful. Sometimes the file is in "All Users" rather than a particular user. Sometimes it's not within "Local Settings"

I find it puts a lot of junk in "WINDOWS\system32" as well

I ended up booting off a CD using BartPE and deleting the files that way before booting XP.

I used "ASSOC .EXE=exefile" to reassociate .exe files to executables.

Johnnyreb™ said...

Using the free version from malwarebytes.org seems to corral that pesky little rascal and give it the heave-ho ...