Junior Member with 13 posts. Join Date: May 2008. Location: Philadelphia, PA. Experience: Advanced.

XP Antivirus Notice

Hey guys, thought I'd give any security techs a heads up on this. I'm with Villanova University's IT help desk, and we've been getting a ton of calls regarding this XP Antivirus 2008. The proliferation device of choice seems to be phishing fake ecards apparently coming from a greetingcards.org. Many of the emails originate from the domain hinet.net.
We've been just reimaging the hard drives of the people whose computers are infected. McAfee picks up the malware but can't clean it.
I found a possible solution of stopping the malware from starting using msconfig, starting in safe mode, then doing a system restore. We're currently testing it on a couple of infected machines to see if it will work. I'll post with the results when we can figure it out.

Senior Member with 1,532 posts. Join Date: May 2006. Location: Mtns. of North Carolina. Experience: Intermediate.

There is a freeware program that will remove XP Antivirus 2008, but I'm not allowed to reveal it, seeing as how I don't have the credentials for malware removal. Post in the Malware Removal & HJT logs. They can direct you to the product. http://forums.techguy.org/54-malware...jackthis-logs/
__________________
I gave six years of my life defending our 'Constitutional Republic' not 'The Peoples Socialist States of Amerika'!

Moderator with 14,997 posts. Join Date: Jan 2002. Location: NY. Experience: Junkware Jouster.

It would be a time-consuming project to clean that many infected machines.
I'm all for the reimaging in a case like this.
That variant and several others have been seen here and in all the forums for a while now; it is not the easiest to remove without good help.
However- if you run into a case where you need to remove the infection, have that machine's Hijackthis log posted in the Malware Removal forum. There definitely are several free tools that you can use to remove the infection. http://forums.techguy.org/54-malware...jackthis-logs/
Someone will get to your problem, but it may be a few days as things are backlogged!
We are faced with a vast number of requests for malware help and we try to get back to help those who have been waiting two or more days for a reply...

Junior Member with 13 posts. Join Date: May 2008. Location: Philadelphia, PA. Experience: Advanced.

I cross-posted over there a few minutes ago.
As of right now, reimaging is looking like the best bet for the vast majority of cases. There are a few instances where the user hasn't backed up recently or lost important material made since the last back up, and we need to do some recovery operations on these machines without infecting the new image. XPA2008 makes these recovery efforts a pain in the rear, what with how much it slows down the machine and limits administrator access.
I'm afraid though that we're going to be seriously overwhelmed with requests for repairs... fall semester begins the week after next, and this crap is just now starting to propagate, of course at the worst time possible.

Moderator with 14,997 posts. Join Date: Jan 2002. Location: NY. Experience: Junkware Jouster.

Well, if you do have some ready that need cleaning (not file recovery), post a single log per new thread (one machine per thread) in the other forum.
Once you work on one, the procedure is pretty much the same for any other, and the process removes other malware, so you get a clean system.
I'd get a network wide information notice ready, make sure everyone logging in sees the information somehow-
(Free but working trial version. Technically, a school should acquire a volume license; they have discounts. Please be advised that you should find out about using this at a large school.)
The makers do have a good attitude towards schools, etc. Quote:

    Non-Profit Organizations
    Malwarebytes sincerely seeks to be an active participant in the community. We actively support schools, charities, churches, and municipal and governmental organizations. Please contact us if you think your organization could be eligible for sizable discounts. Proof of status may be required from the organization.

Here's our present preferred tool that should remove all or most of this:
Directions and download are there... follow the instructions. http://forums.techguy.org/malware-re...ivirus-xp.html
After that, a couple of other small programs are advised to check for any leftovers and other rogue files.
You can get MBYTES AntiMalware and try it on a couple of PCs if you like, and have instructions ready for anyone asking about XP Antivirus, XP AV 2008, 2009, etc. MBAM Works on Win2000, XP, and Vista. http://www.malwarebytes.org/mbam.php
This infection goes by a lot of names. Basically a fake trojan alert that disables a lot of processes; System Restore and Control Panel are some I have seen. Something you can show students: http://forums.techguy.org/general-se...ved-ecard.html
Removal guide at a very good forum which deals with all the malware removal: http://www.bleepingcomputer.com/malw...irus-2008-2009 (Skip the blue ad there, that is not part of the fix!)
I will find a good informational post about this infection that you can post for kids to see; you will no doubt be up to your necks in panicky, frustrated kids by the time classes start! There are also quite a few infected websites that pop up the fake alert notice just as soon as you enter the site. The only way to stop it from starting to install crap is CTRL+ALT+DEL, as high-speed connections these days take just seconds to install some of it.
Info about some old but similar scam e-card types:
http://cotojo.wordpress.com/2008/02/...d-virus-alert/
http://www.ducktoes.com/blog/2008/05...llmark-e-card/
http://www.joewein.de/sw/trojan-123greetings.htm
http://cotojo.wordpress.com/2008/08/...virus-removal/
Last edited by Byteman : 19-Aug-2008 12:36 AM.
Junior Member with 13 posts. Join Date: May 2008. Location: Philadelphia, PA. Experience: Advanced.

Great, just what I was looking for. Looks like it will at least clean a computer up enough to be able to retrieve any needed files.
We're currently in the process of trying to block some of the sources through our server... we know that the aforementioned hinet.net seems to be spam email anyway, and there won't be any loss at filtering it through email. Looks like there are a few major URLs that they seem to be downloading from that we might be able to block as well.
The XP antivirus "official" site is pretty well done. Very official looking to the untrained eye, or to someone that doesn't notice that the fake endorsements are just JPGs and not links. (I'm going to insert some @s into it to make it non-clickable.) [Moderator edited: I've removed your link; we'd rather not have a chance of someone getting infected, please!]
Visit at your own risk, as it is potentially a bad thing. We visited it on a laptop the other day that we were trying to intentionally infect, and it appears as though simply visiting the site doesn't do any harm, but like I said, do it at your own risk. I just tried visiting the site and it might have been taken down, perhaps Microsoft, Intel, and PC Mag got a bit uppity at their logos being used for such things.
Last edited by Byteman : 19-Aug-2008 01:21 AM.
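The mail-server filtering the help desk describes above (dropping mail that arrives via hinet.net and mail that claims to come from greetingcards.org) can be sketched as a header check. What follows is an added example, not code from anyone in this thread: it uses Python's standard-library email parser over constructed sample messages. The blocked and spoofed domain lists and the lure wording are assumptions drawn only from what the thread names; a site would feed them from its own mail logs, and genuine greeting-card mail is deliberately only flagged for review rather than quarantined.

```python
"""Flag fake e-card lures by their mail origin and spoofed sender.

Added example for this thread, not code from the thread's authors. The domains
below are the ones the thread names; a real deployment would feed them from the
site's own mail logs. The sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Origin domains the thread reports relaying the lures (assumption: extend from logs).
BLOCKED_ORIGIN_DOMAINS = {"hinet.net"}
# Brands the lures impersonate in From: (assumption: greetingcards.org per the thread).
SPOOFED_SENDER_DOMAINS = {"greetingcards.org"}
# Wording typical of e-card lures; constructed for this example.
LURE_PATTERNS = [re.compile(p, re.I) for p in (r"\be-?card\b", r"greeting card")]


def base_domain(host):
    """Reduce a hostname to its last two labels (smtp.hinet.net -> hinet.net).

    Naive two-label rule; sufficient for the domains in this example.
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def sender_domain(msg):
    """Base domain of the From: address, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return base_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def relay_domains(msg):
    """Base domains each Received: hop claims to come from, over the whole chain.

    The first Received: header is the most recent hop and the last is the
    earliest, so every hop is examined rather than only the nearest one.
    """
    hops = set()
    for hdr in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([A-Za-z0-9.-]+)", hdr, re.I)
        if m:
            hops.add(base_domain(m.group(1)))
    return hops


def classify(raw_message):
    """Return (verdict, reasons) for one message given as a string.

    'quarantine' if the relay chain includes a blocked origin or the From:
    domain is a spoofed brand; lure wording alone only yields 'review' so
    genuine greeting cards are not silently dropped.
    """
    msg = message_from_string(raw_message)
    reasons = []

    hit = relay_domains(msg) & BLOCKED_ORIGIN_DOMAINS
    if hit:
        reasons.append("relayed via " + ", ".join(sorted(hit)))

    snd = sender_domain(msg)
    if snd in SPOOFED_SENDER_DOMAINS:
        reasons.append("From: claims " + snd)

    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")
    lure = any(p.search(text) for p in LURE_PATTERNS)

    if reasons:
        return "quarantine", reasons
    if lure:
        return "review", ["e-card wording"]
    return "deliver", []


# Constructed samples: a lure as the thread describes it, a genuine card, ordinary mail.
SAMPLE_LURE = """\
Received: from smtp.hinet.net (unknown [198.51.100.7]) by mx.example.edu
From: "Greeting Cards" <cards@greetingcards.org>
To: student@example.edu
Subject: You have received an ecard!
Content-Type: text/plain

A friend sent you an e-card. Click the link to view it.
"""

SAMPLE_CARD = """\
Received: from mail.cards.example (mail.cards.example [192.0.2.30]) by mx.example.edu
From: Cards <noreply@cards.example>
To: student@example.edu
Subject: A greeting card from your aunt
Content-Type: text/plain

Open it here.
"""

SAMPLE_OK = """\
Received: from smtp.partner.example (smtp.partner.example [192.0.2.20]) by mx.example.edu
From: Alice <alice@partner.example>
To: student@example.edu
Subject: Agenda for Friday
Content-Type: text/plain

See attached agenda.
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("card", SAMPLE_CARD), ("ok", SAMPLE_OK)):
        verdict, why = classify(sample)
        print(f"{name}: {verdict} {why}")
```

Received: headers are trivially forged by the sender, which is why the check walks the whole chain and why a real filter should trust only the hops added by the site's own relays; the example keeps the rule simple so the three verdicts are easy to follow.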
Moderator with 14,997 posts. Join Date: Jan 2002. Location: NY. Experience: Junkware Jouster.

Hi,
Glad to be of help. There are many sites automatically installing this crap; it depends on the security apps and settings on any given computer whether the thing gets installed or not. Merely closing the window on the alert popup will not usually stop it; much better to CTRL+ALT+DEL and end task on iexplore.exe.
Anyone actually opening the link in the infected email or IM message will be infected very quickly.
MalwareBytes Anti Malware can provide protection against it- but, they need to have a registered, pay-for program, so I would look into asking about a volume license, which you can use to have the kids keep the program as a fully working one. I've contacted the maker about the situation- the trial version works, don't get me wrong, but in a large school environment or on a domain as Villanova surely is, things might be different.
If you are pre-screening, and they are not able to log onto the school network yet due to the infection, then you definitely will be needing the maker's help with this!

Moderator with 14,997 posts. Join Date: Jan 2002. Location: NY. Experience: Junkware Jouster.

Hi,
Anyone wishing to contact the maker of the Malwarebytes Anti-Malware program to ask about any volume or other license available can do so at the page below: http://www.malwarebytes.org/contact.php
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.