Tobold's Blog
Wednesday, December 21, 2011
Win 7 Internet Security 2012

What sounds like an antivirus program is in reality a disguised malware program, and it took over my laptop yesterday. My wife had received a fishy looking e-mail from her sister, consisting of only a link to a file on the site of Star Computer Services, Canada. I didn't click on that link, but googled the site instead, which resulted in a legit looking link to that domain name. So I followed that Google link, and was infected by that virus within seconds. What was so scary about that is that I have a firewall, updated anti-virus program, and everything else by the book running. And just by surfing to the main domain name, without any additional "OK" click, the virus was able to completely take over my computer.

The nasty thing was that the malware program blocked all attempts to remove it. Any attempt to open a browser or the antivirus program resulted in a big window telling you that the browser or antivirus was infected by trojans, and that only Win 7 Internet Security 2012 would be able to remove all these nasty viruses. Even restarting in safe mode didn't help. The only way to finally remove it was following the instructions from this site, burning a registry edit and a specific removal program onto a CD on a different computer and running those on the infected computer.

I then uninstalled the useless freeware antivirus which had failed to stop the virus, and installed Microsoft Security Essentials instead. I didn't dare trying if that one would prevent the infection if surfing to the same infected site again, but it is a good, free anti-virus. And unlike the free anti-virus I was using before, it doesn't nag you to buy the "professional" version every time you update it. Scanned every single file on the computer, which took all night, and it seems I got completely rid of the virus.

Before you fire off a comment telling me how stupid I am to catch a virus, and how that could never happen to you with your superior virus protection setup, I dare you to surf over to and see how effective your protection really is (maybe download the removal tools first). I had done all the usual stuff to protect me against viruses, and it didn't help a bit.
Infections like that are why I have a USB stick loaded with killbox, hijack this and a few other utilities. Sounds like you were unlucky enough to pick up some scareware.
There's this really annoying thing called User Control something that asks you for authenticating with administrator privilages everytime a process starts on your machine. As annoying as it may be, this will also ask you ALWAYS if any application you did not intentionally ran starts.
Also, there are security settings in your brovser on the Advanced tab that will do the same thing about every file that is being downloaded with a page or as a download. That includes scripts that push viruses to your machine.
It is a good way t protect your machine if you are willing to withstand the annoyance factor.
I've had that exact same virus, its a nightmare to remove, it hijacked everything I was trying to do, took all day for me to work out the removal. Thankfully, I reconised it for what it was, unlike a family member last month, who paid the virus scammers £50 for the privalage of infecting thier computer. Microsoft don't ask for your credit card details folks, don't fall for it.
Are you sure you want to encourage people to visit a site that you think is infected?
There is a reason why that isn't a link.

A month ago, I would have mocked you no end for falling for this (in private, of course: wouldn't dream of teasing you on your own website!).

Then I got phished.
You give explicit instructions on how to infect one's computer and dare people to follow them. I say that's a bigger faux pas than actually linking to the site.

Still.. from what I can tell, the exploit in question (if there's any) would probably be in your version of Flash. That's the only possible infection vector that I identified in that site. All of the javascript was boilerplate, and aside from some (poorly) hidden SEO links, the HTML was pretty normal. But even if Flash was vulnerable and even if the browser didn't run Flash in a sandbox, UAC would stop it. All without any need for an antivirus application. What browser and OS were you running?
It's a constant war between scammers, trojan writers and the security people with normal computer users caught in between.

Working in IT (programmer) I'd like to think I'm clever enough to avoid these problems and keep myself protected but all it takes is one clever site and you're undone.
I'm just curious, what free antivirus program were you using?

Don't do as I described below!

I've got a computer here at work which I can reinstall quickly with some Ghost-like program so I decided to try this out by installing Avast antivirus program on it which I'm using at home. Completely free but you have to register once a year to keep it free. The nagging is there IIRC, but it's like months apart or something. Anyway, it seemed to prevent the intrusion flawless. I'm restarting the comp right now to see if I can see any problems but there doesn't seem to be any. I will reinstall it shortly anyway just to be sure.

I know that I've unintentionally ended up on some fishy sites myself on my private computer and Avast has caught everything so far, so I can really recommend it. AV programs also often have problems with games but I haven't had any problem with it so far regarding that either. I can really recommend it if you're interested.
I've visited the site and nothing special seems to have happened. Should I be scared of what exactly?

(For reference: up-to-date Ubuntu 11.10 / latest firefox / run from a separate account I keep for visiting "unsafe sites").
What browser did you use to visit the site?
After some additional reading:

Win 7 Internet Security 2012 is malware which spreads via trojan.

I understand that if it managed to auto-install without you confirming any "execute this" dialogs, then it could be that your machine was already vulnerable. As bad as it is windows security, I remember that the auto-install while visiting a website resolved some time ago....

Here is where some computer inner-working-know-how helps explain the situation.

What essentially happened was a two-fold process. First, you went to the offending site. Congrats, you've got malware. But, that's not done yet, far from it. Flash, Java, and JavaScript can only do so much. It can put something on your screen, make it look like a program is running, but in reality, it's still in a very harmless phase.

Make no mistake, at this specific point you now have the best chance to clean this. Also, and let me make this clear. This is NOT a virus. It is malware. That classification is very important. A program like malware bytes, adaware, or most other free malware removers will, at this point, find this program and remove it. Unless, that is...

You click on ANYTHING on the program. I mean anything. Even the X. As soon as you click, then BAM, virus. This installs what is called a 'rootkit'. Once this happens, you will need the assistance of an antivirus program. A good one for this situation is actually the TDSSKiller, by Kapersky, specifically designed for rootkits.

And a small note, I see this type of malware at least once or twice a week at my work, but this does't mean that antivirus software is usesless. Currently, this seems to be the type of malware that can slip by antivirus software. So, it's not that your virus software is ueless, it's that it's useless against this type since instead of the usual 'begin with virus', it begins with malware.

Oh, and a word of warning Tobold, look up what the name of what the virus actually removed. Usually you can find on TrendMicro's forum what it does, and with it being the holiday shopping season, if you or your wife were shopping online, personal information entered after the infection may be at risk.

Also, a common process of these programs works as follows.

Malware -> Rootkit on Click -> Rootkit disables all antivirus and antimalware software -> rootkit disables many common avenues to get help. So, make sure everthing works, especially the stuff you don't use too often.
I've never used anti-virus software, it just seems like a waste of time and CPU. The few times I've gotten a virus I just download something to get rid of it and then go on my way. And one of those times no virus software I could find could remove the virus, so I had to boot from CD and remove the infected files (with randomly-generated names) by hand.

(The last experience also made me think : how do non-computer people even manage to use computers? They are still way too complicated.)
This is a huge PITA to remove and chances are that whatever AV you had won't block it. Malwarebytes will remove some versions of it, but not others. And there's a "very special episode" version that redirects your .exe extensions.

At work I will struggle with it, but honestly at home, if I get it again, I'm going directly to format c:
I deal with this every day. And get asked every time why the anti virus software did not catch it. Rogue Anti Virus do not act like a virus and thus can typically get past AV software at least long enough to get burrowed into the system. And as for the UAC they do not seem to have trouble getting past it either. I have had computers come in with Norton, McAfee, BitDefender,Kapersky, pretty much no AV software is protection.
I was hit with a variety of that virus twice. My parents were hit by it once. MY best friend once as well. One of those occasions resulted in a complete reinstall because I couldn't even get a killing program to work.

As far as I can tell, it is almost always a flash ad that does it. It's why I use noscript.

It's certainly a doozy of a virus though, and has a reputation of being a learning tool for the cocky. I know more than a few people that felt superior and couldn't see how ANYONE could get a virus off the internet. The "You have to be stupid!" cries very quickly dry up when they end up getting it, and from then on they are kinder and gentler.
That alot of actual malware doesn't require you to click "OK" on something is not really new. As long as you run with "common" software (Windows, Adobe etc.) you are always at risk that even a non-public bug is used to infect your pc. And even the "best" anti-virus just have a realistic chance of 50-60% to really catch a virus before it hits you.

So what to do? Run Linux? Maybe (not always an option). Have a regular backup? Yes, man.

Fact is, as long as youre computer is online, there will be a risk. The only question that matters is: How big is that risk?
My brother got last year's version, apparently only a couple days after it came out. Similar thing, from a link which appeared innocuous. He ended up paying Norton $50 or so to remove it and guarantee to do it again if he somehow got another infection.
My sons compter got this one. Here are some tips to get rid of it.

1) Keep a program like Malwarebytes on a CD/DVD that you can boot up form. This way you boot from the CD and run the program to clean up your other drives.

2) Boot into command line safe mode. Normal safe mode doesn't work. From the command line you can launch regedit and delete the keys associated with the virus/malware. You will need to then find the existing exe that you downloaded and delete that one also. And after all thay most of your extension mappings will be corrupted so you have to reassign them.

3) As Mika said Flash is a very big contributor to all of this stuff. It's not their fault per se, but the holes in their application are real easy to exploit. Be very careful when using Flash or even having it on your computer. Another super big culprit are images on web sites.

4) Did I mention Malwarebytes? It's free or you can pay a onetime fee for it where it runs in realtime. It is many times better are fixing, cathcing and resolving these types of viruses/malware. it is way better than Norton, Kasperski, SA, McAfee, etc.

5) Having said all this once you click on something and an exe starts there is almost nothing that can stop it. So go back to point one and have a CD ready.
which freeware antivirus were you using? avg?
You only get the infection if you go to site after looking up via google. you will get redirect to

if you were to go directly to its fine.
Tobold: Have you taken a look at Sims: Free to Play for iOS? Dunno if you actually have any iOS devices, but it's different than the Facebook games and I'm torn between liking it for the faithful sim elements and hating it for the Zynga type F2P elements.
-To those smarter than I, would a Firefoxs addon such as NoScript or AdBlock theoretically be successful against this type of attack?

This happened to my father a few months ago. I don't think it was exactly the same fake program, but very similar. The malware wouldn't let the browser or anti-virus open. It would just cause this fake program to open asking for credit card info to unlock the program and clean the malware.

It also set the "protected operating system file" flag on all the files on the computer. Most files and folder appeared to be gone (just hidden). I ran a batch script over his commonly used folders to unhide the files, but I didn't know what stuff was supposed to be hidden from before.

Some previously hidden files (before virus) are probably unhidden now. Hopefully, my father doesn't mess with them. System Restore will probably work if he messes with a critical file, and I did a backup of his hard drive just in case.

Luckily, this malware was only trying to steal money. It didn't seem to delete any files. Very annoying, but at least the files are still pretty much intact and computer working normally again.
Wow. Lotta useful, helpful, friendly advice doled out with good humour and humility.

What have you people done with The Internet?
NoScript and AdBlock can only protect you if the vulnerability is in one of the browser extensions (like Flash) that they can prevent from running. They don't help against vulnerabilities that are in the browser itself or in the operating system.
Yeah, I got a similar one a few months ago from a flash ad. It was the "redirect all .exe" files version that Numtini mentioned. That took hours to purge (good thing that regedit can run as a .com program).

So, as much as I would like to support websites by allowing their ads, I now run a flash blocker.
I got the exact same thing yesterday, although I got a couple of bonus trojans as well. Just finished re-installing Windows 7 so I can know it's clean.
Two words

Kaspersky Labs

Get it pay for it, well worth the price.

Frankly any other AV is just about as good as freeware AV. Trend, Mcafee, Norton are all so old they are really jokes these days.

The only way to stop Day Zero on your Adobe or MS vulnerabilities is to have an AV that runs at Kernel level interrupts.

Oh and by the way it's entirely possible that the nasty is not completely gone.
I'll try that one on my work machine, Tobold;)
Angry Gamer, Kaspersky Labs may be good but not perfect. Several computers I have had to clean had it as their anti virus. Didn't help. Nowadays it is not a matter of if you get a virus but when.
I found this "Win 7 Internet security 2012" all over the screen of a laptop I'd left idling unattended yesterday & also a persistent Adobe Flash update notice window.

MS security essentials did full scan, found nothing but W7IS2012 was still rampant. McAfee was fogged over but performed an update anyway -- and immediately aftewards gave me a window that a trojan had been removed. AND now, as you can see, I'm back up running.

-JD Hunter
Hilliard, FL, USA
Post a Comment

Links to this post:

Create a Link

<< Home
Newer›  ‹Older

  Powered by Blogger   Free Page Rank Tool