" />

Tech Geek and More

Technology Explained for All


Alert: Another Fake Anti-Virus program

     If anything can get under my skin, this will do it.  It seems we have another "Anti-Virus" program out there whose only goal is to scare the user (who probably doesn't know any better) into believing that the "sky is falling" and then requiring them to give up their credit card number in order not to get hit with the "falling sky".  I have had to spend a lot of my time this past week cleaning this one up because a couple of clients didn't know any better. There have been numerous versions of this malware scam over the past few years; some examples are

A

* Ad-Protect
* AlfaCleaner
* Antispyware Soldier
* Anti-virus 2008
* Anti-Virus 2009
* AntiVermins
* AntiVirGear
* AntivirusGold

B

* BraveSentry
* BreakSpyware

C

* CmdService
* ContraVirus

D

* DeluxeCommunications
* Dr. AntiSpy

E

* ErrorSafe

M

* MalwareWipe
* MrAntispy
* Mirar
* Movieland
* MySpyProtector

P

* PestCapture
* Pest Trap
* Popcorn.net
* PSGuard

S

* Seekmo
* Smitfraud
* SpyAxe
* SpyCrush
* SpyDawn
* SpyFalcon
* SpyHeal
* SpyLocked
* SpyLocker
* SpyMarshal
* SpySheriff
* SpyShield
* SpySoldier
* SpywareKnight
* SpywareLocked
* SpywareQuake
* SpywareStrike
* Starware
* SystemDoctor

T

* Toolbar888

U

* UnSpyPC

V

* VirusBlast
* VirusBurst
* VirusBurster
* VirusRay
* VirusRescue

W

* Winfixer

Z

* Zango Search
* Zlob

    Now joining the list of rogue anti-virus programs is SaveSoldier. Here is information on the malware from the Panda website ( http://www.pandasecurity.com/homeusers/security-info/212755/SaveSoldier ).

Effects

SaveSoldier is an adware program that carries out the following actions:

  • It reaches the computer downloaded from the following website:
  • When the file is run, it is installed in the affected computer and starts scanning the system in search for possible malware.
  • Once ended, it displays a warning message like the following, informing users that their computer is infected:
  • If the button "Remind me later" is clicked, the interface of the program is displayed, which is like the following image:
  • If users decide to follow the program’s instructions and remove the threats, the program will require a registration code:
  • This code is obtained after purchasing the antivirus solution. Therefore, the user will be redirected to a website where it can be purchased:
  • On the other hand, if users do not follow the program’s recommendations, it will display warning messages like the following to make them think their computer is infected:


Infection strategy

SaveSoldier creates a directory called SaveSoldier in the folder SaveSoldier Software (created by itself) of the Program Files directory and a group of programs with the same name in the Start menu.

SaveSoldier creates the following files in the folder SaveSoldier Software\SaveSoldier of the Program Files directory:

  • SAVESOLDIER.EXE, which is a copy of itself.
  • SAVESOLDIERSVC.EXE
  • UNINSTALL.EXE

SaveSoldier creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SaveSoldier = C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldier.exe – min
    By creating this entry, SaveSoldier ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\SaveSoldier
    Install_Dir = C:\Program Files\SaveSoldier Software\SaveSoldier
    By creating this entry, SaveSoldier creates a new directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier
    DisplayName = SaveSoldier
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveSoldier
    UninstallString = C:\Program Files\SaveSoldier Software\SaveSoldier\uninstall.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    Class = LegacyDriver
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    DeviceDesc = SaveSoldier Security Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000
    Service = SaveSoldierSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAVESOLDIERSVC\0000\Control
    ActiveService = SaveSoldierSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    DisplayName = SaveSoldier Security Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    ImagePath = C:\Program Files\SaveSoldier Software\SaveSoldier\SaveSoldierSvc.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc\Enum
    0 = Root\LEGACY_SAVESOLDIERSVC000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc
    Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SaveSoldierSvc\Security
    Security
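The artifacts Panda lists above (a Run value, a bookkeeping key, an uninstall key, a Windows service and three files under Program Files) are also a cleanup checklist. The PowerShell script below is an added example written for this post; it is not Panda's write-up, not a Panda tool, and not something the blog author shipped. It assumes the default paths from the Panda description, that you run it from an elevated prompt (ideally in Safe Mode, so the service and the "-min" copy are not running), and a Vista-or-later Start menu location (the XP location is handled as a second candidate). Run it with -WhatIf first to preview the changes.

```powershell
# Added example: remove the SaveSoldier artifacts listed in the Panda description.
# Assumptions: default install path from the Panda write-up, elevated prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$name       = 'SaveSoldier'
$svcName    = 'SaveSoldierSvc'
$installDir = Join-Path $env:ProgramFiles 'SaveSoldier Software'   # parent of ...\SaveSoldier

# 1. Stop the running copies (SaveSoldier.exe started via the Run value with "-min",
#    and SaveSoldierSvc.exe) so the files are not locked when we delete them.
Get-Process -Name $name, $svcName -ErrorAction SilentlyContinue | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.Path, 'Stop process')) { Stop-Process -Id $_.Id -Force }
}

# 2. Stop and delete the "SaveSoldier Security Service". The LEGACY_SAVESOLDIERSVC
#    Enum keys are created by the PnP manager for the service and are harmless once
#    the service itself is gone; they may linger until the next reboot.
if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
    if ($PSCmdlet.ShouldProcess($svcName, 'Stop and delete service')) {
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $svcName | Out-Null
    }
}

# 3. Remove the persistence (HKCU Run value) and the two HKLM bookkeeping keys.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue) {
    if ($PSCmdlet.ShouldProcess("$runKey\$name", 'Remove Run value')) {
        Remove-ItemProperty -Path $runKey -Name $name
    }
}
foreach ($key in @("HKLM:\SOFTWARE\$name",
                   "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$name")) {
    if (Test-Path -LiteralPath $key) {
        if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -LiteralPath $key -Recurse
        }
    }
}

# 4. Delete the dropped files (SAVESOLDIER.EXE, SAVESOLDIERSVC.EXE, UNINSTALL.EXE)
#    and the Start menu program group of the same name. Two Start menu candidates:
#    Vista/7 (ProgramData) and XP (All Users profile). Assumed locations.
$startMenus = @(
    (Join-Path $env:ProgramData "Microsoft\Windows\Start Menu\Programs\$name"),
    (Join-Path $env:ALLUSERSPROFILE "Start Menu\Programs\$name")
)
foreach ($path in @($installDir) + $startMenus) {
    if (Test-Path -LiteralPath $path) {
        if ($PSCmdlet.ShouldProcess($path, 'Delete folder')) {
            Remove-Item -LiteralPath $path -Recurse -Force
        }
    }
}

# 5. Re-check. Anything still present usually means a file was locked; retry from Safe Mode.
$left = @(
    (Get-Service -Name $svcName -ErrorAction SilentlyContinue),
    (Test-Path -LiteralPath $installDir),
    (Test-Path -LiteralPath "HKLM:\SOFTWARE\$name")
) | Where-Object { $_ }
if ($left) { Write-Warning 'Some SaveSoldier artifacts remain; reboot into Safe Mode and run again.' }
else       { Write-Host    'No SaveSoldier artifacts found.' }
```

The re-check at the end matters more than the deletions: a rogue AV that is still running will re-create its Run value the moment you remove it, which is why the post's advice to do this from Safe Mode stands. Follow up with a full scan from a real scanner, since the dropper may have left other things this list does not cover.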


Means of transmission

SaveSoldier can be voluntarily downloaded from the website belonging to the company that has developed it.


Further Details

SaveSoldier is 712,704 bytes in size.

As additional information, a website that promotes another fake antivirus has been detected. In this case, it is called TrustNinja. The interesting thing is that both the format and content of this website are the same as the website of SaveSoldier. Only the references to SaveSoldier have been replaced with TrustNinja.

The file downloaded from this website is called TRUSTNINJA.EXE and once run, a program with the same interface and functions as SaveSoldier is installed on the computer. Even the fake results displayed when the scan is finished are the same. The only thing that changes is the name of the program.

As always, the first line of defense is to not click on every pop-up you see without reading it first.  If you're not sure what a message or pop-up is for, it is always better to click Deny or No, or at least take the time to run a quick search on Bing or Google for the name of the pop-up.  There are many sites out there that will tell you what the pop-up is and whether it is safe.

Software: Panda AV offering FREE USB Vaccine to help stop malware from spreading via external drives

     As a tech, one of the biggest headaches is someone bringing their USB key (or external hard drive) from home, full of malware, because they don't know how to protect their home PC.  They come to the office and start "copying that Excel sheet" or, even better, "the cute pictures of their kids" so they can be seen on every PC.  Unfortunately, as that drive keeps getting plugged in, every machine it goes into gets infected, because of what is known as the AutoRun feature.

     Panda Labs is offering a FREE download ( http://www.pandasecurity.com/usa/homeusers/downloads/usbvaccine/ ) that can be used on your external drives and on each PC, and which basically disables the AutoRun feature.  With the feature disabled, you can scan your external drive and make sure it's OK before it gets a chance to cause malware havoc.

********************************************************************

   From the Panda Website

There is an increasing amount of malware which, like the dangerous Conficker worm, spreads via removable devices and drives such as memory sticks, MP3 players, digital cameras, etc. To do this, these malicious codes modify the AutoRun file on these devices.


Panda USB Vaccine is a free solution designed to protect against this threat. It offers a double layer of preventive protection, allowing users to disable the AutoRun feature on computers as well as on USB drives and other devices:

Vaccine for computers: This is a ‘vaccine’ for computers to prevent any AutoRun file from running, regardless of whether the device (memory stick, CD, etc.) is infected or not.

Vaccine for USB devices: This is a ‘vaccine’ for removable USB devices, preventing the AutoRun file from becoming a source of infection. The tool disables this file so it cannot be read, modified or replaced by malicious code.

This is a very useful tool as there is no simple way of disabling the AutoRun feature in Windows. This provides users with a simple way of disabling this feature, offering a high degree of protection against infections from removable drives and devices.

*********************************************************************

Just remember that this needs to be used on both the external drives and the PC.  Even if you don't have an external drive yourself, it's a good idea to run it on your PC in case someone (your kids or co-workers, for example) visits and brings an external drive with them.
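For anyone who would rather see what the two "vaccine" layers amount to than trust a tool, here is an added PowerShell example (written for this post; it is not Panda USB Vaccine and does not claim to match what that tool does internally). It assumes an elevated prompt and, for the second layer, that you pass the drive letters of the USB sticks to treat via an assumed -Drives parameter. Layer one is the documented Windows policy value that makes Explorer ignore autorun.inf on every drive type; layer two occupies the name autorun.inf on the stick with a protected folder so a worm's "copy my autorun.inf to the drive" step fails.

```powershell
# Added example: manual equivalents of the "computer vaccine" and "USB vaccine" layers.
# Not Panda's tool. Assumes an elevated prompt. -Drives is an assumed parameter name.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Removable drives to vaccinate, e.g. -Drives 'E:','F:'  (optional)
    [string[]]$Drives = @()
)

# Layer 1 - the computer. NoDriveTypeAutoRun is a bitmask of drive types Explorer
# must NOT AutoRun; 0xFF covers removable, fixed, network, CD-ROM and RAM disks.
# On XP/2003 the value is only honoured once the KB967715 AutoRun update is installed;
# HonorAutoRunSetting = 1 is the switch that update reads.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
if ($PSCmdlet.ShouldProcess($policy, 'Disable AutoRun for all drive types')) {
    Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun  -Value 0xFF -Type DWord
    Set-ItemProperty -Path $policy -Name HonorAutoRunSetting -Value 1    -Type DWord
}

# Layer 2 - each drive. A FOLDER named autorun.inf blocks creation of a FILE of the
# same name; read-only/hidden/system attributes stop a naive delete-then-write.
foreach ($drive in $Drives) {
    $inf = Join-Path $drive 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        # An autorun.inf FILE on a USB stick is itself the red flag the post describes.
        # Show what it would launch instead of silently replacing it.
        Write-Warning "$inf is a file, not a folder. Launch lines found in it:"
        Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=' } |
            ForEach-Object { Write-Warning "    $_" }
        Write-Warning "Scan $drive and remove that file before vaccinating it."
        continue
    }
    if ($PSCmdlet.ShouldProcess($drive, 'Create protected autorun.inf folder')) {
        if (-not (Test-Path -LiteralPath $inf)) {
            New-Item -Path $inf -ItemType Directory | Out-Null
        }
        (Get-Item -LiteralPath $inf -Force).Attributes = 'ReadOnly, Hidden, System, Directory'
    }
}

# Verify layer 1 actually took effect (a GPO or another tool may override it).
$v = (Get-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($v -eq 0xFF) { Write-Host    'AutoRun is disabled for all drive types on this PC.' }
else             { Write-Warning "NoDriveTypeAutoRun is '$v', expected 255 (0xFF)." }
```

Two caveats a practitioner would want: the folder trick only stops malware that drops autorun.inf with a plain file copy, so it is a speed bump rather than a wall, and the real protection is layer one on every PC the stick will ever touch. And if the drive already carries an autorun.inf file, the script refuses to overwrite it and prints the `open=` / `shellexecute=` lines, because that file tells you what the stick was trying to launch.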

Alert: CA Anti-Virus does it again! Releases an update that starts treating system files like viruses

    For the second time in ONE MONTH, CA has released an update that incorrectly treats legitimate files as virus-infected.  The "false positive" this time reports that Windows and various program files are infected with the StdWin32 virus.  The issue occurred Thursday 8/13, but I am still getting reports today from some clients of machines that are basically broken by this update. The problem this time affects those using the CA Threat Manager version of the software ( http://www.ca.com/us/products/product.aspx?ID=5926 if you would like to see what's different in Threat Manager).

     The problem release quarantined various binary files (renaming them with an .AVB extension), breaking programs like MS Visual Studio, Exchange and ARCserve.  It seems that eventually it even started detecting some of CA Anti-Virus's own files as infected and moving those into quarantine too.  The net result was a really messed-up system.

CA released the following statement:

“Last night, CA released a new updated antimalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products.
To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.
CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.”

Additionally from CA Tech Support

For the files which are already renamed or quarantined, we have uploaded the rename and un-quarantine tool to below mentioned link.
ftp://ftp.ca.com/outgoing/8888888/17943192-01 (ftp://ftp NULL.ca NULL.com/outgoing/8888888/17943192-01)
File name: Renameavb2exe_with_date.rar
File Name: CA_Unquarantine.rar
File Name: Password.txt

Please download and run the rename tool or un-quarantine tool first to restore the files and then update the machines to version 34.0.0.6674.

Thanks
Tech Support

(SOAPBOX)

     With all the increased malware and virus threats out there, I understand why there is a need to update signature files on any anti-virus program every few hours.  However, considering how much more of our lives now depend on online activity, AV companies can NOT get careless with things like this update.  For CA this is the 2nd time in a month, and I'm sure this has got to cost them customers.  I have recommended CA to my clients for a few years now, as McAfee and Symantec have been bloatware in the past, but it is really hard to continue supporting a product that makes the same mistake twice in such a short time frame.

Software: How did anyone get this approved as a concept.

    I just came across a new release from Sophos antivirus: a Klingon version of Sophos Anti-Virus.  I know the new Star Trek movie was just released, and part of me can see the appeal of getting some Trekkie out there to look at your product, but (really) someone had the nerve to go up to a member of management somewhere and say "You know, if we translate our software into Klingon we can tap into a seriously underserved part of the market".  Even better is that whoever took that meeting in management agreed.

      Sophos doesn't rank as a top choice for anti-virus in my opinion, but if you're a Trekkie (or want to mess with someone who uses a computer and really isn't into Star Trek, so they wouldn't have a clue what they were seeing) you can download the software from the Sophos website: http://www.sophos.com/klingon-anti-virus/ .

     Next we will have a Tribble.a virus. Beam me up.

From the Klingon website itself:

Why did we translate it into Klingon?

Our routine monitoring of sub-space transmissions alerted Sophos that the loss of the Klingon battlecruiser Klothos was not due to Romulan incursion into the Khitomer system, but a result of trying to remove VBS/PeachyPDF-A from the battle computer using M’swoN’kar after Commander Kor opened an attachment from the system S’cam-419.

Immediately our Product Marketing away team embarked on a mission to explore strange new worlds, to seek out new life and flog them Network Access Control solutions. Sadly they chose Qo’noS as their first destination and when their severed heads were beamed back to Sophos, the engineering team created this software, not in a spontaneous display of gratitude to the Klingon race (as the Register would have you believe) but to honour their memory.

Conficker – Test your PC

     A very simple test has been developed to check whether your PC has been infected with the Conficker worm.  If you go to confickerworkinggroup.org ( http://www.confickerworkinggroup.org/infection_test/cfeyechart.html ), you will get a page where you should see 6 images. There is also a chart below the 6 images showing how to interpret whether you're infected or not. The test works because the worm blocks access to security vendor sites: the images are loaded from those sites, so on an infected machine some of them fail to appear.

Conficker – It just won't go away.

   There are reports that new payloads are being downloaded to machines infected with various versions of Conficker. The worm connects via P2P and downloads files that can be very annoying (if you're lucky) or could cause your information to be compromised (if you're unlucky) once they are on your machine.  One of the payloads it downloads is a program called Spyware Protect 2009.

TROJ_FAKEAV_AXL2

    This program will look like a legitimate program telling you that your machine has been infected, but in fact it is designed to trick you into giving up personal and credit card information.  It is not a real anti-virus product; it is a fake written by someone who wants to get information and money out of people.

   The best way to remove Spyware Protect 2009 is to download and install Malwarebytes ( http://www.malwarebytes.org/mbam.php ) and Avast AV ( http://www.avast.com/eng/avast_4_home.html ), so that the machine has both installed.

If your machine is already infected you may not be able to access those sites, so you may need to download them on another PC and then burn the installers to a CD. **Do NOT put the downloads on a USB flash drive or external hard drive, as those devices will also get infected as soon as you plug them into the infected machine.  The only safe way is to burn the files to a CD: the malware can copy itself onto any writable drive it sees, but it cannot write to a finished CD. Once the programs are installed, make sure you run the software update button so they have all the latest fixes.

    Once you have completed the install and updates, shut down your PC (NOT reboot), and once it's completely off, turn it on and immediately start pressing the F8 key on your keyboard (yes, those keys serve a purpose).  You should see a screen asking if you want to go into Safe Mode, along with a number of other options.

     Select Safe Mode and let the PC log in.  In Safe Mode your screen will look a little funny and not all your files will appear; that is because Safe Mode starts just enough of the Windows operating system to run, without all the additional bells and whistles everyone is used to.

    Once you are in Safe Mode, run a full scan of your entire PC using Malwarebytes and then Avast. The scans will discover most of the infections and ask if you want to remove them; say yes to all.  Lastly, Avast has an option to scan on boot-up. Configure the boot-up scan and reboot.

To set up Avast boot up scan:

Boot time Avast Antivirus Scanning

Avast Antivirus offers a "boot time" virus scan of your PC. This allows the antivirus engine to scan all of the files on your hard drive before any other programs load – useful in cases where you have an infection which cannot be cleaned because the "file is in use"

To schedule a boot-time scan using Avast:

  1. Right click on the blue a logo at the bottom right of your taskbar and then select the "Start avast! Antivirus" option from the menu which appears
    Right click the blue A Avast logo
  2. Avast will run a memory scan on your PC and you’ll see this screen while the scan completes and the control panel opens. Just let this finish
    Wait for this Avast screen to pass
  3. Once Avast! loads, you’ll see this strange looking control panel – don’t worry, we don’t need to decipher any of the buttons – we just want to click using the right mouse button anywhere in the grey area.
    Avast control centre
  4. When you right click on the control centre, you’ll see a new menu. From this menu, select the "Schedule Boot-Time Scan…" option:
    Schedule Boot-Time Scan
  5. You’ll now get a new screen, as shown below. Select the option "Scan all local disks" and tick the "Advanced Options" box. Select the options "Move infected file to Chest" and "Allow delete or move" from the two menus in the bottom half of the window, before pressing Schedule:
    Scheduling a boot-time scan in Avast
  6. Once you have pressed Schedule, you will be given a prompt to reboot your PC. Check that you have no unsaved work open and then click "Yes". Your PC will reboot, and before Windows reloads, Avast will perform a virus scan.
    Operating system restart needed
    The virus scan will take about 30-45 minutes on your PC, and should be completely automatic. The scan will be complete when your PC reloads Windows, and you need take no further action.

    And as always – make sure that you go to the Microsoft Update site ( http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-US ) and make sure your system has the latest updates installed.

Commentary:

    For all those who are non-tech: if you had a small drip in a pipe in your house, would you fix it at that moment, or would you let it keep dripping so that it got bigger and eventually burst the pipe, causing a flood and a mess?  Updating your Windows machine is just like that pipe: update it now and it's no big deal; wait and you will have a mess.

WARNING: Conficker Tomorrow (April 1) No Fooling


    I think this has been said enough: "IT'S COMING". The latest version of Conficker is expected to start whatever it is supposed to do tomorrow (as of now I'm not aware of anyone really knowing what it's going to do), so you need to update your systems NOW.  OK, let me say it one more time: "UPDATE NOW"!

    The reason computer attacks (and that's what they are) get as big as they do is because people don't do what they are supposed to.  Imagine cars breaking down all around you every day, because those owners never bothered to change their own oil or take the car to a professional (if they didn't know what they were doing) to get the oil changed.  Well, that's what is currently happening with computers.  A computer is not a TV, folks; you can't just click it on, use it and click it off.  A computer is like a car: you need to give it tune-ups, "oil" changes, and a check under the hood.  A rule I understood early in my geek career is that "90% of all PC issues occur between the keyboard and the chair".

   As a reminder, if I haven't made it clear yet: "UPDATE YOUR SYSTEM NOW!"  Let me give you links and a quick how-to on minimizing the risk to your computer.  I'm not going to tell you that this is 100% foolproof; consider it like the seat belts in your car: you never expect to crash, but when you do, aren't you glad you put the belt on?

   To help minimize your risks…..

In all Windows operating systems up to Windows XP, get online and go to windowsupdate.microsoft.com, which is the Windows Update website. There you will see 2 choices, Express and Custom.  If you choose Express you will get the updates Microsoft has classified as improving or securing your system. If you choose Custom, you will see a list of all the updates available for your system.  I choose to run Custom and make sure I update everything.

If you're on Vista or Windows 7, all you do is go to Start – Windows Update in the Start menu itself; a window will appear telling you what you can choose, and then it will download and install automatically.

If you run any software by Microsoft that isn't the operating system (XP, Windows 2000, etc.), then you should visit http://update.microsoft.com/ , which does the same updating for all other products (Office, etc.) plus your Windows updates, all in the same place.

   The problem in Windows that allowed Conficker to work was fixed in October 2008 (Microsoft security bulletin MS08-067).  If everyone had already been up to date, it would have made the back-page news, not 60 Minutes.

  • **One more thing: if you are unable to access either of the 2 Microsoft sites, then you should check your system, as you may already be infected.  In that case, you may want to try running the following tools on your PC.

The Microsoft Malicious Software Removal Tool – http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

or the free version (which does a good job) of Malwarebytes to clean your machine: http://www.malwarebytes.org/ .

Online Virus Scanners

   Some virus and spyware infections (the really nasty ones) will uninstall or break your installed anti-virus/anti-spyware software.  When that happens you will still need to scan your system.  A couple of sites offer FREE online scans of your PC and, depending on the infection, could also remove the problem from your machine.

CA Virus Scanner http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx

Trend Micro HouseCall http://housecall.trendmicro.com/us/index.html

Something to keep in mind is that these sites should be easily accessible.  If your internet is working but, when you attempt to access either of these sites, your web browser (Internet Explorer, Firefox, Chrome, Opera) says the site can't be viewed, closes by itself, or pops up a lot of pages other than the one you're trying to get to, that could also be a sign that you're infected.

In almost all cases, to properly clean an infection off a computer, the computer should be started in "Safe Mode with Networking". For those who don't know how to do that: as soon as you start your computer, start pressing the F8 key (yes, those keys along the top of your keyboard that you never use), and you will see a message with a few choices, one of which is "Safe Mode with Networking".  If you see your opening Windows screen (the one that says Windows 2000, Windows XP or Windows Vista) without seeing the choices, then you didn't press F8 soon enough. Let the computer boot up, then reboot and try again.

Warning: Conficker.C is coming – April 1

   Conficker (also known as Downup, Downadup, and Kido) is a computer worm that goes after computers running Microsoft Windows. This worm affects computers running Windows 2000, XP, Vista, Server 2003, and even the new Windows 7 Beta software.

The worm, which has a number of variants, appears to have a new version expected as of April 1.  The worm is able to block access to security-related sites (like Symantec.com or Trendmicro.com), and it will also stop or break security software (anti-virus, anti-spyware, firewall) loaded on the PC.  Once the PC is infected it becomes very difficult to make it clean again.  The worm will also go out and download/install additional malware on the PC. Some of the effects seen in the past are

- a slow pc

- pop ups advertising fake virus cleaning tools

- pop ups advertising “adult” subjects

- websites appear that are not the ones typed in by the user

Here are some of the services that the worm disables. If you see these disabled and you didn't do it, you will want to check your system:

  • wscsvc – Security Center
  • WinDefend – Windows Defender (available in Vista)
  • wuauserv – Automatic Updates
  • BITS – Background Intelligent Transfer Service
  • ERSvc – Error Reporting Service
  • WerSvc – Windows Error Reporting Service (available in Vista)

Additionally, the worm removes Restore Points in Windows and removes the Windows Security Center. If the following registry entry is missing, you could be infected: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
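The side effects listed above (disabled services, the deleted Security Center shell service object, blocked security sites, missing restore points) can be checked in one pass. The PowerShell below is an added example written for this post; it is not from the sources cited below and not a Conficker removal tool. It is read-only, so it is safe to run on a suspect machine; run it elevated so service configuration is readable. The control hostname (www.bing.com, assumed here because the blog mentions Bing) is used to tell "the worm is filtering DNS" apart from "there is no network at all".

```powershell
# Added example: read-only check for the Conficker side effects listed in this post.
# Assumes an elevated prompt. Not a removal tool.
function Test-ConfickerIndicators {
    $findings = @()

    # 1. Services the worm disables. Services that do not exist on this Windows
    #    version (WinDefend/WerSvc are Vista, ERSvc is XP/2003) are simply skipped.
    $watched = @{
        'wscsvc'    = 'Security Center'
        'WinDefend' = 'Windows Defender'
        'wuauserv'  = 'Automatic Updates'
        'BITS'      = 'Background Intelligent Transfer Service'
        'ERSvc'     = 'Error Reporting Service'
        'WerSvc'    = 'Windows Error Reporting Service'
    }
    foreach ($name in $watched.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -and $svc.StartMode -eq 'Disabled') {
            $findings += "Service $name ($($watched[$name])) is set to Disabled"
        }
    }

    # 2. The Security Center shell service object the worm deletes.
    $sso = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}'
    if (-not (Test-Path -LiteralPath $sso)) {
        $findings += 'Security Center ShellServiceObjects key is missing'
    }

    # 3. Blocked security sites. The worm blocks name resolution for security
    #    vendors; a working control lookup shows the network itself is fine.
    $control  = 'www.bing.com'                                   # assumed control host
    $security = 'update.microsoft.com', 'www.symantec.com', 'www.trendmicro.com'
    $controlOk = $true
    try   { [System.Net.Dns]::GetHostAddresses($control) | Out-Null }
    catch { $controlOk = $false }
    if ($controlOk) {
        foreach ($h in $security) {
            try   { [System.Net.Dns]::GetHostAddresses($h) | Out-Null }
            catch { $findings += "DNS lookup of $h fails while $control resolves" }
        }
    } else {
        $findings += "No DNS at all ($control did not resolve): site check inconclusive"
    }

    # 4. Restore points. Zero is only suggestive; a fresh install has none either.
    $points = @(Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue)
    if ($points.Count -eq 0) { $findings += 'No System Restore points present' }

    return $findings
}

$result = @(Test-ConfickerIndicators)
if ($result.Count -eq 0) {
    Write-Host 'None of the listed Conficker side effects were found.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
    Write-Host 'One indicator alone is not proof; two or more mean: scan from Safe Mode with Networking.'
}
```

Note what this does and does not tell you. A disabled wuauserv or a missing restore point has innocent explanations, so the script reports indicators rather than a verdict; the combination of several, and in particular security-vendor lookups failing while an unrelated host resolves, is the pattern the post describes. None of this replaces installing the 2008 fix and running a real scanner.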

A fix for this worm was released by Microsoft in 2008; it is highly recommended that you make sure all your computers are updated and have all Windows updates installed.

Information sources:

Wikipedia – http://en.wikipedia.org/wiki/Conficker

Tech Fragments website – http://techfragments.com/news/629/Software/Downadup_Win32Conficker-C_Worm_Revving_Up_to_Spread.html
