Nasty Trojan causes Task Manager and Registry Editor to stop working

June 1, 2008 on 7:40 pm | In Information, Knowledge Base, Malware, On the Radar | No Comments

I received a call from a friend over the weekend asking for help to rid his neighbor’s computer of a nasty Trojan.  Apparently, he had been working on the problem for days and didn’t know what else he could do, so I took a look and it was indeed a nasty infection.  The computer had McAfee and Norton security products installed, but they apparently didn’t help prevent the infection, so we removed them and installed CounterSpy and F-Secure.

What happened was the Trojan hijacked the desktop and changed it to a bright red background with a warning stating that the computer was infected with a malicious program, and it provided a link for the user to click to purchase a program that would clean the computer.  Obviously, this was not a legitimate link, so I copied the link location to Notepad and it pointed to hxxp://antispyspider.us/69.  DO NOT GO TO THIS LINK, IT IS VERY BAD!  Other things this infection did were change the IP address and subnet mask, disable the Task Manager and Registry Editor, and cause Internet Explorer to launch every couple of minutes to connect to the malicious site.  There was also a service that was added to the computer, and it launched when Windows XP started.

The steps we used to try to defeat this nasty infection included:

- Ran “msconfig” to disable all programs from starting
- Disabled the “Service” that was installed
- Turned off the System Restore feature, since we didn’t want anything malicious to be included in a restore
- Installed and ran CounterSpy, which found many malicious files, registry entries, and cookies.  We removed everything successfully

But we could not kill the Trojan, so I googled “AntiSpySpider” and found a very good web page showing how to kill this critter.  If you need the instructions, you can get them from:

http://www.bleepingcomputer.com/malware-removal/antispyspider

The fix includes running a program to restore the registry editor, as well as a file to restore the task manager.  The instructions do a great job showing the victim how to remove this threat, so if you are one of the unfortunate souls, try this fix.  Then if you get it removed, you might consider running CounterSpy and F-Secure Internet Security; both of these programs have been quite dependable protecting our computers, as well as people we know.
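As an added example (my own, not the BleepingComputer fix and not part of this post), here is a PowerShell script that checks the two things the post says were broken and lists what starts with Windows. It assumes the Trojan disabled Task Manager and Registry Editor through the standard Explorer policy values DisableTaskMgr and DisableRegistryTools (the post does not name the values its fix restores) and that the added service was set to start automatically. Run it from an elevated prompt; the -WhatIf switch previews the registry change without making it.

```powershell
# Added example for this post; not the BleepingComputer fix or any vendor tool.
# Assumptions (the post does not name them): the infection disabled Task Manager
# and Registry Editor via the standard Explorer policy values DisableTaskMgr and
# DisableRegistryTools, and the added service runs with StartMode 'Auto'.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyNames = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-ToolLockout {
    # One record per lockout value that is present and non-zero (1 = tool disabled).
    foreach ($path in $policyPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-ItemProperty -Path $path
        foreach ($name in $policyNames) {
            $value = $key.$name
            if ($null -ne $value -and $value -ne 0) {
                New-Object PSObject -Property @{ Path = $path; Name = $name; Value = $value }
            }
        }
    }
}

function Clear-ToolLockout {
    # Deletes the lockout values found above; -WhatIf previews without changing anything.
    param([switch]$WhatIf)
    foreach ($lock in @(Get-ToolLockout)) {
        Remove-ItemProperty -Path $lock.Path -Name $lock.Name -WhatIf:$WhatIf
    }
}

function Get-AutoStartInventory {
    # Lists what starts with Windows: Run-key entries and automatic services with
    # their image paths, so an unfamiliar entry (like the service the post
    # describes) stands out when compared against what should be there.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (Test-Path -Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |   # skip the provider's own PS* fields
                ForEach-Object {
                    New-Object PSObject -Property @{ Source = $key; Name = $_.Name; Command = $_.Value }
                }
        }
    }
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            New-Object PSObject -Property @{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
        }
}

Get-ToolLockout | Format-Table -AutoSize
Clear-ToolLockout -WhatIf          # drop -WhatIf once the output looks right
Get-AutoStartInventory | Sort-Object Source, Name | Format-Table -AutoSize
```

Clearing the policy values only gives you the tools back; the malware that set them still has to be removed, which is why the post turns to the removal guide rather than stopping here.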

Malicious PDF File Outbreak Today

October 26, 2007 on 12:17 pm | In Malware, On the Radar, Vulnerabilities | No Comments

There are a couple of things worth mentioning today: the malicious Psycho Kitty eCard is still circulating, because I received one today with the subject of:

Subject: You have yet to open your ecard.

The body of the email reads, “Someone sent you this Psycho Kitty card. It is Hilarious!” and of course, there is a link the criminals want you to click that points to an IP Address.

The other notable news from today is about a PDF Malware Spam outbreak throughout the Internet.  My F-Secure Anti-virus program has a nice little feature called “Security News” and during high levels of malicious activity, a balloon will pop up by the system clock with a warning to the consumer.

Today, the balloon popped up with an F-Secure Level 2 Security Alert and it read,

Malicious PDF files being spammed out in volume. The files have “report” themed subjects and CVE-2007-5020 exploit that they use to download further components from the net.

As usual, F-Secure protects against this threat; but other anti-virus programs may not, so please be aware that malicious PDF files are currently being spammed and you need to be extra cautious before opening them.

Also, make sure you have the latest version of Adobe Acrobat and Acrobat Reader, because Adobe recently released security patches to address a critical vulnerability that, if exploited, could give the attacker complete control of the infected system.

To learn more about the latest PDF Threat, visit the F-Secure advisory at:

http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml

Or the SANS advisory at:

http://www.f-secure.com/weblog/archives/00001303.html

Stay safe out there…cyberspace is a hostile place!

Subject: Football Fan Essentials

September 9, 2007 on 11:44 am | In Malware, On the Radar | No Comments

Lately, anytime something “newsworthy” crops up, the spammers and phishers jump all over the story, and as many people know, today is the NFL’s opening day.  Well, it didn’t take long for malicious e-mails to start surfacing; in fact, I received one this morning with the subject line of “Football Fan Essentials”.

In this particular e-mail, the bait is an “Online Game Tracker” and by clicking a link pointing to “http://IP address”, the victim is led to believe they will be able to follow the scores of the football games throughout the day.  However, the unsuspecting victim will most likely become infected with a variant of the Storm Worm.

As usual, when I saw this, I did my homework and checked out the SANS Internet Storm Center Diary for any late-breaking news about this latest threat and sure enough, they were on top of it.  Here is the story:

http://isc.sans.org/diary.html?storyid=3361

F-Secure also posted a warning on their Blog at: http://www.f-secure.com/weblog/

Anyone who reads security news blogs and articles understands that it is never a good idea to click on any link containing an IP Address and this link is no different.  Don’t take the bait…just delete the e-mail!

Watch out for the “Storm”

August 21, 2007 on 8:24 pm | In Malware, On the Radar | No Comments

The Storm Worm is mutating and you need to be aware of this latest outbreak.  This critter’s signature changes every 30 minutes or so; therefore, you cannot rely on your AV or Anti-spyware software to detect and stop the attack.

SANS has a good write-up about this latest threat and you can read it at:

http://isc.sans.org/diary.html?storyid=3298

Here is a variation I received today.  If you read the SANS article, there are a lot of similarities; but what is important here is to realize this is just another example of a social engineering trick designed to tempt the unfortunate victim into clicking the link, which, by the way, is an IP address: another dead giveaway that this is not an e-mail you should trust.  Below is a sample of the e-mail I received.  Of course, I changed the e-mail address and link address to protect the readers, but the content is very similar to the SANS example.

Subject: Secure Registration
From: “Recipes Galore” <spoofed address@spoofed domain>

Welcome Member,

Thank You for Joining Recipes Galore.

User Number: 866599439
Your Temp. Login ID: user1846
Your Password ID: tk604

Your temporary Login Info will expire in 24 hours. Please login and change it.

Use this link to change your Login info: http://www.xxx.yyy.zzz/

Enjoy,
Welcome Department
Recipes Galore

Be careful out there!  There’s nasty weather ahead!
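The “Football Fan Essentials” and “Secure Registration” e-mails above share the one trait the posts keep pointing at: the link’s host is a bare IP address instead of a domain name. As an added example (mine, not from these posts, SANS or F-Secure), here is a small PowerShell function that pulls such links out of a message body so they can be flagged before anyone clicks. The sample message is constructed after the “Secure Registration” mail, with an RFC 5737 documentation address standing in for the real link.

```powershell
# Added example for the Storm e-mails above; not from the posts, SANS or F-Secure.
# It flags the one trait both posts point out: links whose host is a bare IP address.
function Find-IpLiteralLink {
    param([Parameter(Mandatory = $true)][string]$Body)
    # http(s) URL whose host is a dotted quad; capture group 1 is the address.
    $pattern = 'https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/[^\s"''<>]*)?'
    foreach ($m in [regex]::Matches($Body, $pattern)) {
        $octets = $m.Groups[1].Value -split '\.'
        # Discard matches that only look like an address (an octet above 255).
        $bad = @($octets | Where-Object { [int]$_ -gt 255 })
        if ($bad.Count -eq 0) {
            New-Object PSObject -Property @{ Url = $m.Value; Address = $m.Groups[1].Value }
        }
    }
}

function Test-SuspiciousMail {
    # $true when the body carries at least one IP-literal link.
    param([Parameter(Mandatory = $true)][string]$Body)
    return (@(Find-IpLiteralLink -Body $Body)).Count -gt 0
}

# Constructed sample modelled on the "Secure Registration" mail above, with a
# documentation address (RFC 5737) standing in for the real link.
$sample = @"
Welcome Member,
Thank You for Joining Recipes Galore.
Your temporary Login Info will expire in 24 hours. Please login and change it.
Use this link to change your Login info: http://203.0.113.25/
"@

Find-IpLiteralLink -Body $sample | Format-Table -AutoSize
Test-SuspiciousMail -Body $sample
```

This is a triage signal, not a verdict: some legitimate mail does carry IP-literal links, and the Storm mails change their wording constantly, so the link shape is simply the part that stays recognisable.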
