Re: [MSUNAG] Antivirus2009

This is a nasty and fairly sophisticated (programmatically) one, assuming it is what I have had to clean up a few times. The cleverness of this malware is not in its distribution vector, which is fairly typical, but instead in the authenticity of the warnings and social engineering tricks used. Also, it is interesting in the way it so cleanly integrates into the Windows experience to subtly trick the end-user. I read this write-up last year on it (called Antivirus 2008 at the time, which had morphed from Antivirus XP and Antivirus Vista originally).

 

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

 

I just repeatedly remind users that we handle all antivirus and anti-spyware scanning centrally and they should never have to put protection on any of our site's computers. I also repeatedly pass out the names of a few select, trusted protection suites for home use instead of encouraging them to search for one on their own.

 

- Joe

 

Joseph M. Deming
System Administrator

MATRIX/H-Net
415 Nat Sci Bldg
East Lansing, MI 48824
(517) 884-2472
[log in to unmask]

 

 

From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Kramer, Jack
Sent: Monday, March 30, 2009 10:13 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Antivirus2009

 

There’s a whole bunch of variants of this – I keep seeing “Internet Antivirus Pro” popping up.
----
Jack Kramer
Computer Systems Specialist
University Relations, Michigan State University
w: 517-884-1231 / c: 248-635-4955



From: l duynslager <[log in to unmask]>
Reply-To: l duynslager <[log in to unmask]>
Date: Mon, 30 Mar 2009 10:02:41 -0400
To: <[log in to unmask]>
Subject: [MSUNAG] Antivirus2009

Excerpted from SANS NewsBites Vol. 11 Num. 24:
 
--Ransomware Scheme Incorporates Phony Antivirus Program (March 25, 2009)

A sophisticated form of ransomware is spreading on the Internet. Users are tricked into downloading malware that appears to be a legitimate utility called Antivirus2009. The malware actually encrypts numerous document types. When the user tries to open one of the encrypted files, an alert pops up, offering a utility, FileFix Pro 2009, that can decrypt the file. The application decrypts one document, then demands that the user pay US $50 to buy the software to decrypt the rest.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130539&source=rss_topic17
http://www.theregister.co.uk/2009/03/25/scareware_ransomware/
http://www.zdnetasia.com/news/security/0,39044215,62052554,00.htm
