Job security is the probability that an individual will keep his or her job, and with the rate of computer clean up that I have to do that unfortunately seems to be going up and not down, I think I have job security for a while (Honestly, this is not the kind of job security that I want). We have had many posts on TGM about viruses, spyware, rogueware, yet the “my computer is infected” calls continue to come in, as people continue to fall for the tricks that get them infected.

The latest rogueware infection is called DesktopSecurity2010. What will happen if you get infected with the DesktopSecurity2010 rogueware

• DesktopSecurity2010 is an adware program that warns users of non-existing threats in their computers so that they purchase a certain program that removes them from the computer.
• Additionally, in order to make users think that their computer is really infected, it displays a warning message when the computer is restarted, and from time to time the screen fades to black and other times blinks with different colors.
• DesktopSecurity2010 can reach the computer when the user accesses certain websites which display banners or pop-up windows which lead to the download of this program. It can also reach the computer in a link that can be received via spam messages, fraudulent websites, etc.

What should you look out for when web surfing

DesktopSecurity2010 is easy to recognize, as it shows the symptoms below (These are some possible symptoms, you can still get infected without seeing these):

• It reaches the computer in a file with the following icon:
  
• When it is run, a screen to install the program is displayed:
  
• Once installed, it starts to carry out a system scan in search for possible malware and once finished, it displays warning messages informing users that the computer is infected:
  

 

One of the known ways that the rogueware is installing

The following post on the PandaLabs site (LINK: http://pandalabs.pandasecurity.com/making-new-friends%e2%80%a6/ (http://pandalabs NULL.pandasecurity NULL.com/making-new-friends%e2%80%a6/)) shows 1 of the ways you can get infected.  Two of the clean up jobs that I have had to do in this past week occurred because the user also fell for a greeting card email as described below (Confirmed).

Making new friends…

• Posted on 05/13/10 by Olaiz

I’m very happy because I’ve received a greeting card via email from a new friend, thought it’s not my birthday, my saint’s day or anything like that

Look what a nice card I’ve received:

Besides, it has been sent from 123greetings, which is a legal website to download and send cards, so it must be trustworthy.

I’ve clicked the picture of the message and I’ve been redirected to the website http://luxxxx.googlegroups.com/web/setup.zip, but I can’t see any greeting card here, but a Google groups website containing a link… maybe I have to follow the link in order to view it…

There’s no way. I can only see the Windows of an antivirus called DesktopSecurity2010 (http://www NULL.pandasecurity NULL.com/homeusers/security-info/218297/DesktopSecurity2010) informing me that my computer is infected and that I have to pay the license in order to eliminate the malware. I think that I got infected and I have neither a greeting card nor a new friend…

Now, talking seriously, yesterday we commented how this false antivirus was using Google Groups users (with malicious intentions) to be distributed. In fact, the URL from which the rogueware is downloaded is like the following:

http://Google Groups user.googlegroups.com/web/setup.zip

Some of these users are felixss, gorlum or misterxyz.

Google has reacted to this and has started blocking these malicious users. So, if you try to access any URL that uses these malicious users, the following message is displayed informing you that the user cannot be found:

Even so, some malicious accounts may still be active, so don’t trust messages like this and don’t follow any link like those we’ve previously mentioned in this post.

So what can you do to help protect yourself

• If you get a link, email, instant message, asking you or telling about something you were not expecting, even if it seems to be from someone you know, DO NOT TRUST IT! Getting a message from grandma saying check out the new pictures i upload and realizing she is 80 years old, ask yourself, does grandma really know how to upload pictures? It only takes a minute to call the person, and get a response to “did you send me….. message”, if they did, they will tell you instantly. If they didn’t they will be the 1st to say “What are you talking about”.
• Because of Twitter, the use of link shorting sites seems to have become the norm.  The problem is that a link to   http://bit.ly/dr9Ucz (http://bit NULL.ly/dr9Ucz) could be a link to many place. How do you know if it is a safe link or not a safe link.  Again, even if the link is sent to you by someone you know, DO NOT TRUST IT unless you were specifically expecting it. For the record, http://bit.ly/dr9Ucz (http://bit NULL.ly/dr9Ucz) is actually a link to techgeekandmore.com, and TGM does not list shorten links on the TGM site, because we want you to know where you are clicking to.  One thing you can do to check shortened links is visit sites that expand the shortened link.  (If you use one of these link expander services and copy the link, be careful to copy the link and NOT accidently double click on the link) Some of the sites you can visit to use to expand links

-> LongURL (LINK: http://longurl.org/ (http://longurl NULL.org/)), PrevURL (LINK: http://www.prevurl.com/index.php (http://www NULL.prevurl NULL.com/index NULL.php)), ExpandMyURL (http://longurl NULL.org/) (LINK: http://www.expandmyurl.com/ (http://longurl NULL.org/)), URL Snoop (http://urlsnoop NULL.com/) (LINK: http://urlsnoop.com/ (http://urlsnoop NULL.com/)), Securi.net (http://sucuri NULL.net/?page=tools&title=check-url) (LINK: http://sucuri.net/?page=tools&title=check-url (http://sucuri NULL.net/?page=tools&title=check-url)). At all the sites, enter the shortened URL and click to find out where the link will lead

-> In addition if you use Firefox to browse the web, you can install LongURLPlease (LINK: http://www.longurlplease.com/ (http://www NULL.longurlplease NULL.com/)), or LongURL (LINK: http://longurl.org/tools (http://longurl NULL.org/tools)), which are Firefox browser extensions that automatically preview the destination URL for shortened links from just about any shortener you can name.

• As always make sure that your PC is updated with all the latest Windows Updates, your Anti-virus is updated, your install of JAVA is updated, your install of Adobe Flash player is updated, Your PDF reader is updated. Most viruses, spyware, rogueware use problems with these programs to get into your computer. Use can use sites like File Hippo (LINK: http://www.filehippo.com/ (http://www NULL.filehippo NULL.com/) ) to check and make sure your programs are up to date.

What to do if you do get infected

If you still get infected, you can use SuperAntispyware and Malwarebytes programs to clean your machine, I recommend downloading both before you get any infection.  Run them on a regular basis (Regular = once a week or so), even if your computer does not show any signs of issues.

To download both programs I recommend using Ninite (LINK: ninite.com)

If you would like to see more information on ninite you can see the TGM post http://www.techgeekandmore.com/2009/12/25/software-two-must-haves-for-the-new-pc-pc-decrapifier-and-ninite/

If after running SuperAntispyware and Malwarebytes, you are still infected, then you will need to use a PE (Physical Environment) disk.  The PE disk that TGM recommends is UBCD (LINK: http://www.ubcd4win.com (http://www NULL.ubcd4win NULL.com)). The how to for the UBCD can be found at http://www.ubcd4win.com/howto.htm (http://www NULL.ubcd4win NULL.com/howto NULL.htm) .