- The instant I visited the site (using Firefox), Adobe's Acrobat Reader crashed, but not before shellcode was able to download, install and run two programs
- A fake "Antivirus XP 2010" (av.exe) began running, which closely resembled the Microsoft Security Center
- It pretended to identify dozens of threats while scanning the VM
- It disabled Avast antivirus, which was running on the VM
- It changed the ".exe" file association to point to it first (the Control Panel's Folder Options, File Types), so it would try to start itself anytime a program ran
- It started a twin keep-alive program, which would occasionally check to see whether av.exe was still running (say, if you closed it using Task Manager), and restart it if it had been closed
- It added some registry settings to Internet Explorer and Firefox to ensure that each time these programs were started, it was also kicked off
Its real goal is to pretend to identify all kinds of threats, at which point it tries to force you to purchase the "antivirus" cure.
If you do get infected, be aware that the av.exe file is secreted away pretty well in your local user "Documents and Settings" folder.
```batch
rem Run from cmd.exe on the infected XP machine; "jsmith" stands for the affected user's profile folder
cd "c:\Documents and Settings\jsmith\Local Settings\Application Data"
rem Now "unhide" the 'av.exe' file...
attrib av.exe -h -s -r
rem Rename it to render it useless...
ren av.exe av._x_
rem Move up two levels in the folder structure (to the user's profile folder)...
cd ..\..
rem Now rename the "keep-alive" helper program (this renames every .exe sitting directly in that folder)
ren *.exe *._x_
rem Now reboot and run Antivirus to clean up
```
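The ".exe" association hijack from the list above is easy to check for offline. The Python below is an added example, not code from the original post: it parses a `reg export` of HKCR\.exe and HKCR\exefile, compares the default values against the normal Windows settings, and returns the cmd.exe commands that restore them. The sample exports are constructed, and the av.exe command line (path and `/START` switch) is an assumption for illustration, not a value taken from the post.

```python
import re

# Values a healthy machine carries; both are well-known Windows defaults.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

def parse_reg(text):
    """Return {key: {value_name: data}} for the string values in a .reg export.
    A real 'reg export' file is UTF-16; open it with encoding='utf-16'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and line.endswith('"'):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes and quotes inside strings as \\ and \"
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys

def check_exe_association(reg_text):
    """Return (key, found, expected) for each association key that deviates."""
    keys = parse_reg(reg_text)
    findings = []
    for key, expected in EXPECTED.items():
        found = keys.get(key, {}).get("(Default)")
        if found != expected:
            findings.append((key, found, expected))
    return findings

def repair_commands():
    """cmd.exe commands that put the defaults back (run as Administrator)."""
    return ["assoc .exe=exefile", 'ftype exefile="%1" %*']

# Constructed samples; the av.exe command line is an assumption, not from the post.
CLEAN = r'''[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED = CLEAN.replace(r'@="\"%1\" %*"',
    r'@="\"C:\\Documents and Settings\\jsmith\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"')

if __name__ == "__main__":
    for key, found, expected in check_exe_association(HIJACKED):
        print(f"{key}: found {found!r}, expected {expected!r}")
    print("\n".join(repair_commands()))
```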
Sophos has written extensively about the fake antivirus phenomenon.
The real problem here is Adobe.
And IE6, and Flash, and Office file formats... etc., etc.

I have gotten this a few times recently. It's awful. Sometimes the file is in "All Users" rather than a particular user. Sometimes it's not within "Local Settings".

I find it puts a lot of junk in "WINDOWS\system32" as well.
I ended up booting off a CD using BartPE and deleting the files that way before booting XP.
I used "ASSOC .EXE=exefile" to reassociate .exe files to executables.
Using the free version from malwarebytes.org seems to corral that pesky little rascal and give it the heave-ho ...