This is a nasty and fairly sophisticated (programmatically) one,
assuming it is what I have had to clean up a few times. The cleverness of
this malware is not in its distribution vector, which is fairly typical,
but instead in the authenticity of the warnings and social engineering tricks
used. Also, it is interesting in the way it so cleanly integrates
into the Windows experience to subtly trick the end-user. I read this
write-up last year on it (called Antivirus 2008 at the time, which had morphed
from Antivirus XP and Antivirus Vista originally).
http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/
I just repeatedly remind users that we handle all antivirus and
anti-spyware scanning centrally and they should never have to put protection on
any of our site's computers. I also repeatedly pass out names of a
few, select, trusted protection suites for home use instead of encouraging them
to search for one on their own.
-
Joe
Joseph M. Deming
System Administrator
MATRIX/H-Net
415 Nat Sci Bldg
East Lansing, MI 48824
(517) 884-2472
[log in to unmask]
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Kramer, Jack
Sent: Monday, March 30, 2009 10:13 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Antivirus2009
There's a whole bunch of variants of this. I keep seeing "Internet Antivirus Pro" popping up.
----
Jack Kramer
Computer Systems Specialist
University Relations, Michigan State University
w: 517-884-1231 / c: 248-635-4955
From: l duynslager <[log in to unmask]>
Reply-To: l duynslager <[log in to unmask]>
Date: Mon, 30 Mar 2009 10:02:41 -0400
To: <[log in to unmask]>
Subject: [MSUNAG] Antivirus2009
Excerpted From SANS NewsBites Vol. 11 Num. 24:
--Ransomware Scheme Incorporates Phony Antivirus Program (March 25, 2009)
A sophisticated form of ransomware is spreading on the Internet. Users are
tricked into downloading malware that appears to be a legitimate utility called
Antivirus2009. The malware actually encrypts numerous document types.
When the user tries to open one of the encrypted files, an alert pops up,
offering a utility, FileFix Pro 2009, that can decrypt the file. The
application decrypts one document, then demands that the user pay US $50 to buy
the software to decrypt the rest.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130539&source=rss_topic17
http://www.theregister.co.uk/2009/03/25/scareware_ransomware/
http://www.zdnetasia.com/news/security/0,39044215,62052554,00.htm