EcoModder Forum > Off-Topic > The Lounge
02-11-2010, 01:59 PM   #1   NeilBlanchard (Master EcoModder)
Beware of "Internet Security 2010" -- worst Trojan EVER!

Hello Folks,

I'm just finishing up reinstalling Windows on a laptop for a client that was infected by a Trojan malware program that calls itself "Internet Security 2010" -- PLEASE KEEP YOUR FIREWALL & ANTIVIRUS UP TO DATE!!! Update Windows with all the security updates as well. Microsoft has a big job ahead of them, fighting this thing...

*This* *is* *the* *worst* *Trojan* *malware* *EVER*!

It installs in the "Safe" mode of Windows.
It prevents you from using System Restore to reverse its installation.
It blocks you from getting to websites that help you fight it.
It blocks you from downloading files, by shutting down the browser.
You cannot install another browser like FireFox.
It blocks your antivirus.
It blocks you from using RegEdit.
It modifies the hard drive so you cannot read the drive in Linux.
It pops up continuously with warnings that your machine is infected (NO KIDDING!) and they want to sell you the "solution". I am *sure* that while it might make the symptoms go away, it would remain infected. You have to pay them to let them continue to use your computer.

If it gets a foothold on your computer, it downloads and installs additional Trojan programs.

Google "Internet Security 2010" and you will see lots of evidence of this huge threat.

It seems to do something even more: when I tried to install WinXP from an installation CD -- the hard drive is not "seen". You would have to buy a new hard drive, and that might not work. I tried putting in another old hard drive, and it was not "seen" either, but it might have other issues... I *was* able to install Linux on that other hard drive -- it was "seen" by Linux. The only plausible explanation I can come up with is that this malware *moves* something required for running Windows from the hard drive controller to the hard drive; thus making it impossible to even use a new hard drive to reinstall Windows.

Have I raised your awareness enough to get you to take steps to prevent your Windows machine from getting this? Please do this -- this is a very, very serious challenge.

__________________
Sincerely, Neil

http://neilblanchard.blogspot.com/
02-11-2010, 02:08 PM   #2   cfg83 (Pokémoderator)
Neil -

Yeah, I stopped using Firefox on one of my PCs after a Trojan called "Windows Police Pro" got into it. My PC got nailed within 48 hours of it being discovered. It hides copies of itself in the "System Volume Information".

CarloSW2
__________________

What's your EPA MPG? Go Here and find out!
American Solar Energy Society
02-11-2010, 02:10 PM   #3   Wannabe greenie
Quote (Originally Posted by NeilBlanchard):
Have I raised your awareness enough to get you to take steps to prevent your Windows machine from getting this? Please do this -- this is a very, very serious challenge.
I've seen two versions of this. The first was fairly easy to remove (install Malwarebytes and its manual updates from a flash drive, reboot into Safe Mode, and run a clean). The second was a bit harder, as it would automatically delete the Malwarebytes application file when you tried to execute it. (Solution was to install Malwarebytes, rename the executable to something else before running it, then run a clean.)

It seems that they're continually updating it to make it harder to remove. Best advice is not to get it at all, and that's by running an alternative browser such as Firefox, and updating not only Windows, but the Flash Player, Shockwave, Java, Adobe Reader and Firefox.

Better yet, get away from Windows if at all possible.
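The posts above list symptoms (security sites unreachable, RegEdit blocked, the cleanup tool killed by name until its executable is renamed) but not how they were produced. The script below is an added example, not code from this thread or from Malwarebytes, for triaging a disk once it is pulled and attached to a clean machine as post #4 describes. It assumes the mechanisms rogue antivirus of that era commonly used, which the posts do not confirm for this sample: hosts-file entries for security vendor sites, the Explorer policy values DisableRegistryTools and DisableTaskMgr, and Image File Execution Options (IFEO) "Debugger" values that redirect a tool by its image name (which is why renaming mbam.exe, as in the reply above, gets past it). The hosts file and `reg export` text embedded as samples are constructed for the demonstration, not captured from an infection; the domain list and the svchost.exe target are illustrative choices.

```python
# Added example (not code from the thread or from any product it names): triage a
# hosts file and a `reg export` taken from a disk attached to a clean machine.
# Assumption not stated in the posts: the blocking was done by hosts entries,
# the DisableRegistryTools/DisableTaskMgr policies, and IFEO "Debugger" values
# keyed on a tool's image name (hence renaming mbam.exe, as in post #3, works).

SECURITY_DOMAINS = (
    "malwarebytes.org", "microsoft.com", "windowsupdate.com", "symantec.com",
    "mcafee.com", "kaspersky.com", "bleepingcomputer.com", "superantispyware.com",
)
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

def hosts_hijacks(hosts_text):
    """(ip, hostname) pairs pinning a security-vendor name; any such entry is
    suspect (loopback blocks the site, a routable address redirects it)."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            host = name.lower()
            if any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((ip, host))
    return hits

def _decode(data):
    """Decode the string and dword forms written by a Regedit 5.00 export."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data                                     # hex(...) data left as-is

def parse_reg_export(reg_text):
    """Parse `reg export` text into {key_path (lower-cased): {value_name: data}}."""
    reg, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()            # key paths are case-insensitive
            reg.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            reg[current]["@" if name == "@" else name.strip('"')] = _decode(data)
    return reg

def _value(values, name):
    # Registry value names are case-insensitive as well.
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)

def ifeo_hijacks(reg):
    """{image name: Debugger target} for every IFEO subkey carrying a Debugger value.
    Real debuggers register here too; svchost.exe or a temp path is the rogue pattern."""
    prefix = IFEO_KEY.lower() + "\\"
    return {key[len(prefix):]: _value(values, "Debugger")
            for key, values in reg.items()
            if key.startswith(prefix) and _value(values, "Debugger") is not None}

def registry_indicators(reg):
    """Human-readable findings from the policy and IFEO checks."""
    findings = []
    policy = reg.get(POLICY_KEY.lower(), {})
    for name in ("DisableRegistryTools", "DisableTaskMgr"):
        if _value(policy, name) == 1:
            findings.append(f"policy {name}=1")
    for image, target in ifeo_hijacks(reg).items():
        findings.append(f"IFEO hijack: {image} -> {target}")
    return findings

def triage(hosts_text, reg_text):
    """All findings; an empty list means none of the assumed indicators is present."""
    hosts = [f"hosts: {host} -> {ip}" for ip, host in hosts_hijacks(hosts_text)]
    return hosts + registry_indicators(parse_reg_export(reg_text))

# Constructed sample inputs, not captured from a real infection.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.microsoft.com   # Windows Update now unreachable
192.168.1.20    printer.lan
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="svchost.exe"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOSTS, SAMPLE_REG):
        print(finding)
    hijacked = ifeo_hijacks(parse_reg_export(SAMPLE_REG))
    print("mbam.exe redirected:", "mbam.exe" in hijacked,
          "| mbam-renamed.exe:", "mbam-renamed.exe" in hijacked)
```

On a real disk, feed it the mounted `Windows\System32\drivers\etc\hosts` and an export of the two hives made from the clean system (load the offline SOFTWARE and NTUSER.DAT hives under regedit, then `reg export`). The IFEO check also explains the rename trick: the hijack matches the image name, so a copy of the tool under another name launches normally while the original is redirected.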
02-11-2010, 02:19 PM   #4   cfg83 (Pokémoderator)
Neil -

Another thing I did was take the hard disk out and attach it as a USB external disk. This didn't fix Registry problems, but it allowed a non-infected system to do successive cleanups.

CarloSW2
02-11-2010, 03:05 PM   #5   Piwoslaw (aero guerrilla)
Neil, you seem to know quite a lot of details about that trojan. Maybe you have something to do with it? And you formatted your disk and reinstalled to get rid of evidence? Ha! Gotcha!
__________________
e·co·mod·ding: the art of turning vehicles into what they should be

What matters is where you're going, not how fast.

"... we humans tend to screw up everything that's good enough as it is...or everything that we're attracted to, we love to go and defile it." - Chris Cornell

Piwoslaw's Peugeot 307sw modding thread

02-11-2010, 03:19 PM   #6   NeilBlanchard (Master EcoModder)
Hi Carlos,

I had to do that (put it in an external enclosure) to get the files we needed -- I copied them onto my Mac, then onto a thumb drive and now they are back on the refurbished laptop.

Linux could not mount the drive, and Mac could not delete the Internet Security 2010 files, because it can't write to NTFS -- even as root...

Like I said, this version is evil itself!
02-11-2010, 03:52 PM   #7   MetroMPG (Batman Junior)
Neil, do you know how your client got infected?
__________________
Latest project: removable Geo Metro boat tail
Latest test: Massive cardboard air dam on a Geo Metro


www.MetroMPG.com - fuel efficiency info for Geo Metro owners
www.ForkenSwift.com - electric car conversion on a beer budget
02-11-2010, 10:28 PM   #8   NeilBlanchard (Master EcoModder)
Hi Darin,

They had let the antivirus get slightly out of date, and they were literally in the process of upgrading it to the latest version when this struck... They also used IE and had not kept up with the Windows patches (though they did have WinXP SP3).

Bad luck, bad timing, bad karma...

It is ALL BETTER now. But it was a close thing...

Oh, I got a much better answer to why the HD was not "seen" by the WinXP installation: "the hard drive not being seen by the XP install CD is probably just not loading the AHCI drivers.

You can load the AHCI drivers from a floppy or turn off AHCI in the BIOS. If you tried a Vista or 7 install it should also see the drive just fine."

There is no toggle in the BIOS for this, unfortunately. I replied that MS forces you to install those drivers from a floppy -- and this machine has no floppy! Someone else responded that a custom "slipstreamed" installation CD can be made with these drivers integrated, but how much of a pain would that have been? If we could use Vista or Win7 (we cannot) then this would have been a non-issue.

Thankfully, it is now working, and it did not come to this.
Last edited by NeilBlanchard; 02-11-2010 at 10:43 PM..
02-11-2010, 11:07 PM   #9   jamesqf (Master EcoModder)
I can't resist a bit of a quibble here. This is only the second-worst malware program around. The undisputed first place of course goes to Windows :-)
02-12-2010, 01:04 AM   #10   Wonderboy (Master EcoModder)
Ahaha, amen jamesqf. I've seen far worse than this trojan. Like clev said, Malwarebytes takes it right down. I'm convinced that the people who write programs like Malwarebytes and Spybot S&D are the people who make these pesky, yet harmless-to-data trojans to keep computer repair techs busy and wealthy. Virus scanning and spy/malware scanning can take so long sometimes that it has become easier and less time consuming to just reinstall Windows, which isn't something I've managed to do in under an hour.


Step 1: Cause time consuming computer problems w/ trojans
Step 2: ???
Step 3: Profit! for a bunch of people (like me) who fix computers for a living.

I don't think it's right, but it's not the most evil ploy I can think of.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2012, vBulletin Solutions, Inc.
Content Relevant URLs by vBSEO 3.5.2
All content copyright EcoModder.com