02-11-2010, 02:59 PM
#1
Master EcoModder
Join Date: May 2008
Location: Maynard, MA Eaarth
Posts: 7,908
Thanks: 3,475
Thanked 2,952 Times in 1,845 Posts
Beware of "Internet Security 2010" -- worst Trojan EVER!
Hello Folks,
I'm just finishing up reinstalling Windows on a laptop for a client, that was infected by a Trojan malware program, that calls itself "Internet Security 2010" -- PLEASE KEEP YOUR FIREWALL & ANTIVIRUS UP TO DATE!!! Update Windows with all the security updates, as well. Microsoft has a big job ahead of them, fighting this thing...
*This* *is* *the* *worst* *Trojan* *malware* *EVER*!
It installs in the "Safe" mode of Windows.
It prevents you from using System Restore to reverse its installation.
It blocks you from getting to websites that help you fight it.
It blocks you from downloading files, by shutting down the browser.
You cannot install another browser like Firefox.
It blocks your antivirus.
It blocks you from using RegEdit.
It modifies the hard drive so you cannot read the drive in Linux.
It pops up continuously with warnings that your machine is infected (NO KIDDING!) and they want to sell you the "solution". I am *sure* that while it might make the symptoms go away, it would remain infected. You have to pay them to let them continue to use your computer.
If it gets a foothold on your computer, it downloads and installs additional Trojan programs.
Google "Internet Security 2010" and you will see lots of evidence of this huge threat.
It seems to do something even more: when I tried to install WinXP from an installation CD -- the hard drive is not "seen". You would have to buy a new hard drive, and that might not work. I tried putting in another old hard drive, and it was not "seen" either, but it might have other issues... I *was* able to install Linux on that other hard drive -- it was "seen" by Linux. The only plausible explanation I can come up with is that this malware *moves* something required for running Windows from the hard drive controller to the hard drive; thus making it impossible to even use a new hard drive to reinstall Windows.
Have I raised your awareness enough to get you to take steps to prevent your Windows machine from getting this? Please do this -- this is a very, very serious challenge.
02-11-2010, 03:08 PM
#2
Pokémoderator
Join Date: Dec 2007
Location: Southern California
Posts: 5,864
Thanks: 439
Thanked 532 Times in 358 Posts
Neil -
Yeah, I stopped using Firefox on one of my PCs after a Trojan called "Windows Police Pro" got into it. My PC got nailed within 48 hours of it being discovered. It hides copies of itself in the "System Volume Information".
CarloSW2
02-11-2010, 03:10 PM
#3
Wannabe greenie
Join Date: Aug 2008
Location: Yorba Linda, CA
Posts: 1,098
Thanks: 5
Thanked 53 Times in 40 Posts
Quote:
Originally Posted by NeilBlanchard
Have I raised your awareness enough to get you to take steps to prevent your Windows machine from getting this? Please do this -- this is a very, very serious challenge.
I've seen two versions of this. The first was fairly easy to remove (install Malwarebytes and manual updates from a flash drive, reboot into Safe Mode and run a clean). The second was a bit harder, as it would automatically delete the Malwarebytes application file when you tried to execute it. (Solution was to install Malwarebytes, rename the executable to something else before running it, then run a clean.)
It seems that they're continually updating it to make it harder to remove. Best advice is not to get it at all, and that's by running an alternative browser such as Firefox, and updating not only Windows, but the Flash Player, Shockwave, Java, Adobe Reader and Firefox.
Better yet, get away from Windows if at all possible.
02-11-2010, 03:19 PM
#4
Pokémoderator
Join Date: Dec 2007
Location: Southern California
Posts: 5,864
Thanks: 439
Thanked 532 Times in 358 Posts
Neil -
Another thing I did was take the hard disk out and attach it as a USB external disk. This didn't fix Registry problems, but it allowed a non-infected system to do successive cleanups.
CarloSW2
02-11-2010, 04:05 PM
#5
aero guerrilla
Join Date: Oct 2008
Location: Warsaw, Poland
Posts: 3,750
Thanks: 1,336
Thanked 749 Times in 476 Posts
Neil, you seem to know quite a lot of details about that trojan. Maybe you have something to do with it? And you formatted your disk and reinstalled to get rid of evidence? Ha! Gotcha!
__________________
e·co·mod·ding: the art of turning vehicles into what they should be
What matters is where you're going, not how fast.
"... we humans tend to screw up everything that's good enough as it is...or everything that we're attracted to, we love to go and defile it." - Chris Cornell
[Old] Piwoslaw's Peugeot 307sw modding thread
02-11-2010, 04:19 PM
#6
Master EcoModder
Join Date: May 2008
Location: Maynard, MA Eaarth
Posts: 7,908
Thanks: 3,475
Thanked 2,952 Times in 1,845 Posts
Hi Carlos,
I had to do that (put it in an external enclosure) to get the files we needed -- I copied them onto my Mac, then onto a thumb drive and now they are back on the refurbished laptop.
Linux could not mount the drive, and Mac could not delete the Internet Security 2010 files, because it can't write to NTFS -- even as root...
Like I said, this version is evil itself!
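Posts #4 and #6 describe the same defender workflow: pull the drive, attach it to a clean machine as an external disk, and clean it up from there. The script below is an added example (not code from the thread or from any of the posters) of the first step of such an offline triage: walk a mounted volume, list every executable-type file modified after a given date, and record its SHA-256 so the findings can be compared across successive cleanups. The sample directory tree it builds is constructed here to stand in for a mounted drive; the file names in it (including "is2010.exe") are made up for the demo, and the list of suffixes is an assumption about what is worth a second look.

```python
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta

# Assumption: these suffixes are the file types worth a second look on an
# offline Windows volume. Extend as needed for your own triage.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".sys", ".com")


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_volume(root, since):
    """Walk a mounted (ideally read-only) volume and return executables whose
    modification time is at or after `since` (a datetime), newest first, as
    (path relative to root, mtime, sha256) tuples."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXEC_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable entry: skip rather than abort the whole walk
            if st.st_mtime >= cutoff:
                hits.append((os.path.relpath(full, root),
                             datetime.fromtimestamp(st.st_mtime),
                             sha256_of(full)))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def build_sample_volume():
    """Constructed stand-in for a mounted drive: two year-old system files, one
    freshly written executable in a user's Startup folder, and a non-executable
    document that should be ignored. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="triage_")
    old = time.time() - 400 * 86400  # roughly 400 days ago

    def put(rel, data, mtime):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (mtime, mtime))

    put("WINDOWS/system32/kernel32.dll", b"old system file", old)
    put("WINDOWS/system32/notepad.exe", b"old system file 2", old)
    put("Documents and Settings/user/Start Menu/Programs/Startup/is2010.exe",
        b"constructed sample", time.time())
    put("Documents and Settings/user/My Documents/notes.txt",
        b"not an executable", time.time())
    return root


def triage_sample(days=7):
    """Build the constructed volume and triage it for the last `days` days."""
    return triage_volume(build_sample_volume(), datetime.now() - timedelta(days=days))


if __name__ == "__main__":
    # Point triage_volume at a real mount point (e.g. /media/infected) instead.
    for rel, mtime, digest in triage_sample():
        print(f"{mtime:%Y-%m-%d %H:%M}  {digest[:16]}...  {rel}")
```

On a real pull, mount the drive read-only before running this so the triage itself does not alter timestamps, and keep the hash list from each pass: a file that reappears with a new hash after a cleanup is the signal that something on the volume is still active.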
02-11-2010, 04:52 PM
#7
Batman Junior
Join Date: Nov 2007
Location: 1000 Islands, Ontario, Canada
Posts: 22,534
Thanks: 4,082
Thanked 6,979 Times in 3,614 Posts
Neil, do you know how your client got infected?
02-11-2010, 11:28 PM
#8
Master EcoModder
Join Date: May 2008
Location: Maynard, MA Eaarth
Posts: 7,908
Thanks: 3,475
Thanked 2,952 Times in 1,845 Posts
Hi Darin,
They had let the antivirus get slightly out of date, and they were literally in the process of upgrading it to the latest version when this struck... They also used IE and had not kept up with the Windows patches (though they did have WinXP SP3).
Bad luck, bad timing, bad karma...
It is ALL BETTER now. But it was a close thing...
Oh, I got a much better answer to why the HD was not "seen" by the WinXP installation: "the hard drive not being seen by the XP install CD is probably just not loading the AHCI drivers.
You can load the AHCI drivers from a floppy or turn off AHCI in the BIOS. If you tried a Vista or 7 install it should also see the drive just fine."
There is no toggle in the BIOS for this, unfortunately. I replied that MS forces you to install those drivers from a floppy -- and this machine has no floppy! Someone else responded that a custom "slipstreamed" installation CD can be made with these drivers integrated, but how much of a pain would that have been? If we could use Vista or Win7 (we cannot) then this would have been a non-issue.
Thankfully, it is now working, and it did not come to this.
Last edited by NeilBlanchard; 02-11-2010 at 11:43 PM..
02-12-2010, 12:07 AM
#9
Master EcoModder
Join Date: Jun 2008
Location: Earth
Posts: 5,209
Thanks: 225
Thanked 811 Times in 594 Posts
I can't resist a bit of a quibble here. This is only the second-worst malware program around. The undisputed first place of course goes to Windows :-)
02-12-2010, 02:04 AM
#10
Master EcoModder
Join Date: Jun 2008
Location: Chicago
Posts: 674
Thanks: 40
Thanked 39 Times in 27 Posts
Ahaha amen jamesqf. I've seen far worse than this trojan. Like clev said, Malwarebytes takes it right down. I'm convinced that the people who write programs like Malwarebytes and Spybot S&D are the people who make these pesky, yet harmless-to-data trojans to keep computer repair techs busy and wealthy. Virus scanning and spy/malware scanning can take so long sometimes that it has become easier and less time consuming to just reinstall Windows, which isn't something I've managed to do in under an hour.
Step 1: Cause time consuming computer problems w/ trojans
Step 2: ???
Step 3: Profit! for a bunch of people (like me) who fix computers for a living.
I don't think it's right, but it's not the most evil ploy I can think of.