This is a nasty and fairly sophisticated (programmatically) one, assuming it is what I have had to clean up a few times. The cleverness of this malware is not in its distribution vector, which is fairly typical, but instead in the authenticity of the warnings and social engineering tricks used. Also, it is interesting in the way it so cleanly integrates into the Windows experience to subtly trick the end-user. I read this write-up last year on it (called Antivirus 2008 at the time, which had morphed from Antivirus XP and Antivirus Vista originally):

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

I just repeatedly remind users that we handle all antivirus and anti-spyware scanning centrally and they should never have to put protection on any of our site's computers. I also repeatedly pass out names of a few select, trusted protection suites for home use instead of encouraging them to search for one on their own.

- Joe

Joseph M. Deming
System Administrator
MATRIX/H-Net
415 Nat Sci Bldg
East Lansing, MI 48824
(517) 884-2472
[log in to unmask]

From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Kramer, Jack
Sent: Monday, March 30, 2009 10:13 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Antivirus2009

There's a whole bunch of variants of this - I keep seeing "Internet Antivirus Pro" popping up.

----
Jack Kramer
Computer Systems Specialist
University Relations, Michigan State University
w: 517-884-1231 / c: 248-635-4955

________________________________

From: l duynslager
Reply-To: l duynslager <[log in to unmask]>
Date: Mon, 30 Mar 2009 10:02:41 -0400
To: <[log in to unmask]>
Subject: [MSUNAG] Antivirus2009

Excerpted From SANS NewsBites Vol. 11 Num. 24:

--Ransomware Scheme Incorporates Phony Antivirus Program (March 25, 2009)

A sophisticated form of ransomware is spreading on the Internet. Users are tricked into downloading malware that appears to be a legitimate utility called Antivirus2009. The malware actually encrypts numerous document types. When the user tries to open one of the encrypted files, an alert pops up, offering a utility, FileFix Pro 2009, that can decrypt the file. The application decrypts one document, then demands that the user pay US $50 to buy the software to decrypt the rest.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130539&source=rss_topic17
http://www.theregister.co.uk/2009/03/25/scareware_ransomware/
http://www.zdnetasia.com/news/security/0,39044215,62052554,00.htm