Author Topic: Nasty Malware Going Around  (Read 9096 times)

RocketMan

  • Mad Rocket Scientist
  • friend
  • Senior Member
  • ***
  • Posts: 13,622
  • Semper Fidelis
Nasty Malware Going Around
« on: September 09, 2009, 10:57:37 PM »
There is a nasty new rogueware out in the wild called AntiSpy Protector 2009.  There are also variants called PC_AntiSpyware2010 and Advanced Antivirus.  It is also known by the anti-malware companies by one of its common filenames, Braviax.exe.  Braviax has been out for a year or so, but this newest variant started appearing sometime last month.

Most rogues can usually be dealt with, but this one drops two extremely difficult to dig out rootkits on your system that kill almost all anti-malware processes and programs.  It will not allow any of the well known anti-malware programs to run after they have been installed.  It stops most file, service, or hidden process scans.  It prevents the use of almost all good anti-rootkit scanners.   It changes permissions on important system files, and generally causes havoc with your system.
If it pops up on your screen, just pull the plug on your PC.  Unlike most other rogues, this one has been known to self-install without any user intervention at all.  Granted, pulling the plug on your Windows machine can sometimes cause problems, but the misery caused by this bug is far worse.  It's much easier to deal with the aftereffects of an unexpected power down than it is to root out this malware.

I've dug out a lot of malware in my time, but this one is by far the worst I have ever encountered.  It took me four days of research to find the tools and a process to dig this one out.  If you run across it, shoot me a message and I will pass on what I have learned.

Be careful out there.
If there really was intelligent life on other planets, we'd be sending them foreign aid.

Conservatives see George Orwell's "1984" as a cautionary tale.  Progressives view it as a "how to" manual.

My wife often says to me, "You are evil and must be destroyed." She may be right.

Liberals believe one should never let reason, logic and facts get in the way of a good emotional argument.

RaspberrySurprise

  • friend
  • Senior Member
  • ***
  • Posts: 2,020
  • Yub yub Commander
Re: Nasty Malware Going Around
« Reply #1 on: September 09, 2009, 11:10:59 PM »
This is why good backups are essential, because sometimes it is far, far easier to kill it with fire and just repartition, reformat, and reinstall.
Look, tiny text!

Standing Wolf

  • friend
  • Senior Member
  • ***
  • Posts: 2,978
Re: Nasty Malware Going Around
« Reply #2 on: September 09, 2009, 11:43:27 PM »
The gods be thanked the government is waging war against the people who write that stuff!
No tyrant should ever be allowed to die of natural causes.

Jim147

  • friends
  • Senior Member
  • ***
  • Posts: 7,593
Re: Nasty Malware Going Around
« Reply #3 on: September 09, 2009, 11:46:48 PM »
Quote
The gods be thanked the government is waging war against the people who write that stuff!

I'll sleep better tonight knowing that.

jim
Sometimes we carry more weight then we owe.
And sometimes goes on and on and on.

BAH-WEEP-GRAAAGHNAH WHEEP NI-NI BONG

RocketMan

  • Mad Rocket Scientist
  • friend
  • Senior Member
  • ***
  • Posts: 13,622
  • Semper Fidelis
Re: Nasty Malware Going Around
« Reply #4 on: September 09, 2009, 11:54:51 PM »
Quote
This is why good backups are essential, because sometimes it is far, far easier to kill it with fire and just repartition, reformat, and reinstall.

Agreed, RaspberrySurprise.  I image every machine I have to a Windows Home Server box, so no problems there.
This one that I finally killed is on a customer's box.  No backups at all.  Of course we are going to have that discussion.

Harold Tuttle

  • Professor Chromedome
  • friend
  • Senior Member
  • ***
  • Posts: 8,069
Re: Nasty Malware Going Around
« Reply #5 on: September 10, 2009, 12:59:53 AM »
I had some fun with "Total Security" on my kids' PC.
Once it was running it disabled IE, the Task Manager, Symantec and Spybot.

I finally was able to Task Manager it off as it was starting, from a reboot, then use Symantec to kill it off.

"The true mad scientist does not make public appearances! He does not wear the "Hello, my name is.." badge!
He strikes from below like a viper or on high like a penny dropped from the tallest building around!
He only has one purpose--Do bad things to good people! Mit science! What good is science if no one gets hurt?!"

grislyatoms

  • friends
  • Senior Member
  • ***
  • Posts: 3,740
Re: Nasty Malware Going Around
« Reply #6 on: September 12, 2009, 08:19:43 PM »
I ran into this a couple of weeks ago. 4-5 machines. Would not allow any antivirus ware to even launch.

Had to nuke the drives and re-image. I concur, it's pretty nasty.
"A son of the sea, am I" Gordon Lightfoot

Silver Bullet

  • friend
  • Senior Member
  • ***
  • Posts: 1,859
Re: Nasty Malware Going Around
« Reply #7 on: September 12, 2009, 11:49:49 PM »
Quote
This is why good backups are essential, because sometimes it is far, far easier to kill it with fire and just repartition, reformat, and reinstall.

That, or use a Macintosh.

What the heck is malware, anyway ? 

Perd Hapley

  • Superstar of the Internet
  • friend
  • Senior Member
  • ***
  • Posts: 61,411
  • My prepositions are on/in
Re: Nasty Malware Going Around
« Reply #8 on: September 13, 2009, 12:01:36 AM »
It's something grown-up computers get.   :laugh:
"Doggies are angel babies!" -- my wife

Jim147

  • friends
  • Senior Member
  • ***
  • Posts: 7,593
Re: Nasty Malware Going Around
« Reply #9 on: September 13, 2009, 12:43:27 AM »
Quote
What the heck is malware, anyway ?

That would be the clothes mal wares. You know Firefly. I guess some people just don't like his taste in shirts if they have to call them nasty.

jim

MikeB

  • friend
  • Senior Member
  • ***
  • Posts: 924
Re: Nasty Malware Going Around
« Reply #10 on: September 13, 2009, 05:03:30 AM »
Combofix or Malwarebytes should work on these. If they don't, use the Bitdefender rescue CD, run that, then run Combofix or Malwarebytes. The rescue CD will load a version of Knoppix and then run the antivirus against the hard disk; this prevents the rootkit from loading so it can be removed. I've used this method on this virus/malware. No need to nuke the drive.

For real bad infections I usually run all three. Combofix sometimes needs to be run twice to complete cleanup. If you can't load internet sites after cleanup you may need to reset the TCP/IP stack. Some of these infections inject a process into the stack; once it's removed by the anti-malware software, internet won't work without resetting the stack.

Combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Malwarebytes
http://www.malwarebytes.org/

Bitdefender Linuxdefender rescue CD
http://download.bitdefender.com/rescue_cd/

How to reset TCP/IP stack
http://windowsxp.mvps.org/winsock.htm
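The "process injected into the stack" that MikeB describes is registered in the Winsock catalog, which is why networking breaks once the anti-malware tool deletes the DLL but leaves the catalog entry pointing at it. The following PowerShell check is an added example, not from the thread or from any of the linked tools: it lists the catalog providers, flags any provider DLL that is missing, unsigned, or located outside the Windows directory, and ends with the reset commands that rebuild the catalog. It assumes current Windows PowerShell (3.0 or later) and the `Provider Path:` line format printed by `netsh winsock show catalog`.

```powershell
# Added example (not from the thread): audit Winsock catalog providers and flag
# DLLs that are missing, unsigned, or outside %SystemRoot%. A rogue LSP entry
# that points at a file the cleanup already removed is the usual reason the
# internet stops working after disinfection.
# Assumption: each provider is printed by netsh on a "Provider Path:" line.

$systemRoot = $env:SystemRoot
$catalog    = netsh winsock show catalog

$paths = $catalog | ForEach-Object {
    if ($_ -match '^\s*Provider Path:\s*(.+)$') {
        [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
    }
} | Sort-Object -Unique

foreach ($p in $paths) {
    $inWindows = $p.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
    $exists    = Test-Path -LiteralPath $p

    # Built-in providers such as mswsock.dll are catalog-signed and report 'Valid'
    # on current Windows; anything else deserves a look.
    $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $p).Status } else { 'Missing' }

    $flag = if (-not $inWindows -or $sig -ne 'Valid') { 'SUSPECT' } else { 'ok' }
    '{0,-8} {1,-12} {2}' -f $flag, $sig, $p
}

# If a SUSPECT or Missing provider remains after cleanup, rebuild the catalog
# and the IP configuration from an elevated prompt, then reboot:
#   netsh winsock reset
#   netsh int ip reset
```

Run it before and after the cleanup tools: a provider that shows as present beforehand and `Missing` afterwards is exactly the dangling entry that the two `netsh` reset commands clear.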

lee n. field

  • friend
  • Senior Member
  • ***
  • Posts: 13,577
  • tinpot megalomaniac, Paulbot, hardware goon
Re: Nasty Malware Going Around
« Reply #11 on: September 13, 2009, 09:04:48 AM »
Quote
Combofix or Malwarebytes should work on these.

Assuming the malware will let them run.  A lot of them block processes now, which means they are basically impossible for Joe Enduser to deal with.

These days I usually end up pulling the drive, scanning on a clean computer with a good AV, and Malwarebytes or Superantispyware.  Then and only then, put it back in the computer and scan with native apps.  Each pass finds new crap.

Oh, yeah.  Current home user grade McAfee and Norton are worthless.
In thy presence is fulness of joy.
At thy right hand pleasures for evermore.

MechAg94

  • friend
  • Senior Member
  • ***
  • Posts: 33,745
Re: Nasty Malware Going Around
« Reply #12 on: September 13, 2009, 09:24:18 AM »
I think I had some version of this a few months ago.  None of the anti-virus or anti-malware programs would work on it.  They either would not install or would not update.  All the web sites for those programs were blocked. 

I ended up getting a SATA/USB adapter, pulled out the hard drive, and scanned it with my laptop with Norton and then with Malwarebytes.  Norton actually caught and cleaned most of it.  Malwarebytes found one more item.  When I put the hard drive back in, I was able to get my anti-virus updated along with a couple other programs.  No problems since then. 
“It is much more important to kill bad bills than to pass good ones.”  ― Calvin Coolidge

Monkeyleg

  • friend
  • Senior Member
  • ***
  • Posts: 14,589
  • Tattaglia is a pimp.
    • http://www.gunshopfinder.com
Re: Nasty Malware Going Around
« Reply #13 on: September 13, 2009, 09:30:30 AM »
I'm not sure if what I have is the same as what you folks are talking about. Yesterday a program installed itself, and keeps giving me a constant warning that my computer is affected. If I click on the icon, I get a promotion for Antivirus Pro 2010. It won't go away, and it wasn't there before.

It lets me run my programs, but it's still a pain in the neck.

I still haven't upgraded my OS, so maybe this is the time to do so.

Perd Hapley

  • Superstar of the Internet
  • friend
  • Senior Member
  • ***
  • Posts: 61,411
  • My prepositions are on/in
Re: Nasty Malware Going Around
« Reply #14 on: September 13, 2009, 10:59:01 AM »
Upgraded your OS from what?  If you haven't already done so, back up all of your important data, while you still can. 

Monkeyleg

  • friend
  • Senior Member
  • ***
  • Posts: 14,589
  • Tattaglia is a pimp.
    • http://www.gunshopfinder.com
Re: Nasty Malware Going Around
« Reply #15 on: September 13, 2009, 01:41:12 PM »
My old laptop runs Windows 2000. I only need it for one very simple purpose, so I haven't bothered to change operating systems. Somewhere around here I have Windows XP.

Silver Bullet

  • friend
  • Senior Member
  • ***
  • Posts: 1,859
Re: Nasty Malware Going Around
« Reply #16 on: September 13, 2009, 02:41:17 PM »
Quote
It's something grown-up computers get.   :laugh:

=D

Guess I'll keep using my iBrat.   =)

RocketMan

  • Mad Rocket Scientist
  • friend
  • Senior Member
  • ***
  • Posts: 13,622
  • Semper Fidelis
Re: Nasty Malware Going Around
« Reply #17 on: September 13, 2009, 06:16:16 PM »
Quote
I'm not sure if what I have is the same as what you folks are talking about. Yesterday a program installed itself, and keeps giving me a constant warning that my computer is affected. If I click on the icon, I get a promotion for Antivirus Pro 2010. It won't go away, and it wasn't there before.

It lets me run my programs, but it's still a pain in the neck.

I still haven't upgraded my OS, so maybe this is the time to do so.

Sorry Dick, but you have the bug I was referring to.  One of its names is Antivirus Pro 2010.
The rootkit pair that does most of the nastiness will not let any of the usual disinfection tools run.  That includes ComboFix (not a tool for the faint of heart, btw) and Malwarebytes.
Pulling the drive and scanning it on another computer will not kill the rootkits.  They are still present and active when the drive is placed back in the original computer and booted.
The rootkit files themselves are not visible to Windows or in a DOS box.  Attempting to change their attributes does nothing to make them visible in most instances, although some have reported success with that. 
Some rootkit scanners like rootkitrepeal will show them, but cannot kill them.  The filenames are win32k.sys:1 and win32k.sys:2, if I remember correctly.  Not to be confused with the normal win32k.sys file that is part of Windows.  I need to go back to my notes to remember for sure.
You need to take care of it.  One of its reported actions is a keylogger that captures passwords and such.
Unfortunately, I think this bug is going to bring a lot of business my way.
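The names RocketMan recalls, win32k.sys:1 and win32k.sys:2, use the colon syntax of NTFS alternate data streams, which is consistent with the files being invisible to Explorer and in a DOS box while still living on the disk. The PowerShell check below is an added example, not from the thread: it enumerates the streams on every driver file in System32 and reports any stream other than the default unnamed one. It assumes PowerShell 3.0 or later (for the `-Stream` parameter) and an elevated prompt; whether this particular variant stored its payload that way is my reading of the post, not something the thread confirms.

```powershell
# Added example (not from the thread): report NTFS alternate data streams on
# kernel driver files under System32. A stream named "1" or "2" attached to
# win32k.sys would appear here even though dir and Explorer never list it.
# Assumes PowerShell 3.0+ (-Stream) and that the session is elevated.

$dir = Join-Path $env:SystemRoot 'System32'

$findings = Get-ChildItem -LiteralPath $dir -Filter *.sys -File | ForEach-Object {
    $file = $_
    # -Stream * returns every stream; the unnamed default is reported as ':$DATA'.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No alternate data streams found on *.sys files in {0}' -f $dir
}
```

A `Zone.Identifier` stream is the benign mark-of-the-web left by browsers and is expected on downloaded files; a numeric or otherwise unexplained stream on a Windows-supplied driver is not, and the reported byte count tells you immediately whether it is large enough to hold code.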

Gewehr98

  • friend
  • Senior Member
  • ***
  • Posts: 11,010
  • Yee-haa!
    • Neural Misfires (Blog)
Re: Nasty Malware Going Around
« Reply #18 on: September 13, 2009, 07:11:04 PM »
Dust off and nuke it from orbit.
"Bother", said Pooh, as he chambered another round...

http://neuralmisfires.blogspot.com

"Never squat with your spurs on!"

RocketMan

  • Mad Rocket Scientist
  • friend
  • Senior Member
  • ***
  • Posts: 13,622
  • Semper Fidelis
Re: Nasty Malware Going Around
« Reply #19 on: September 13, 2009, 07:32:22 PM »
Quote
Dust off and nuke it from orbit.

While the infection can be cured, it does take a fair amount of work.  It may be simpler to do just what GW suggests if all backups are up to date.

Silver Bullet

  • friend
  • Senior Member
  • ***
  • Posts: 1,859
Re: Nasty Malware Going Around
« Reply #20 on: September 13, 2009, 07:32:55 PM »
Quote
That would be the clothes mal wares. You know Firefly. I guess some people just don't like his taste in shirts if they have to call them nasty.

jim

That would be, "What the heck does malware, anyway ?"

 :police:

BryanP

  • friendly hermit
  • friend
  • Senior Member
  • ***
  • Posts: 2,808
Re: Nasty Malware Going Around
« Reply #21 on: September 13, 2009, 07:41:43 PM »
Quote
Bitdefender Linuxdefender rescue CD
http://download.bitdefender.com/rescue_cd/

I've found this one to be extremely useful.  It boots a Knoppix environment and if it can detect an internet connection it will download the most recent patterns for BitDefender before it starts scanning your machine.
"Inaccurately attributed quotes are the bane of the internet" - Abraham Lincoln

RocketMan

  • Mad Rocket Scientist
  • friend
  • Senior Member
  • ***
  • Posts: 13,622
  • Semper Fidelis
Re: Nasty Malware Going Around
« Reply #22 on: September 13, 2009, 07:46:04 PM »
Quote
I've found this one to be extremely useful.  It boots a Knoppix environment and if it can detect an internet connection it will download the most recent patterns for BitDefender before it starts scanning your machine.

I use BitDefender on most of my machines, but I have not heard of their rescue CD.  I'll have to give it a try.
Thanks for the info, BryanP.

MikeB

  • friend
  • Senior Member
  • ***
  • Posts: 924
Re: Nasty Malware Going Around
« Reply #23 on: September 13, 2009, 08:42:43 PM »
Quote
Assuming the malware will let them run.  A lot of them block processes now, which means they are basically impossible for Joe Enduser to deal with.

These days I usually end up pulling the drive, scanning on a clean computer with a good AV, and Malwarebytes or Superantispyware.  Then and only then, put it back in the computer and scan with native apps.  Each pass finds new crap.

Hence the reason for the whole paragraph I had written.

Quote
Combofix or Malwarebytes should work on these. If they don't, use Bitdefender rescue CD, run that, then run Combofix or Malwarebytes. The rescue cd will load a version of Knoppix and then run the antivirus against the hard disk, this prevents the rootkit from loading so it can be removed. I've used this method on this virus/malware. No need to nuke the drive.

Especially the bold part, which you apparently skipped when writing your response.

Booting off a Linux live CD and running the scan is the same as running the scan on another computer. As well, if someone found the virus a few days ago, there is a decent chance Combofix or Malwarebytes has a new definition file.

RocketMan

  • Mad Rocket Scientist
  • friend
  • Senior Member
  • ***
  • Posts: 13,622
  • Semper Fidelis
Re: Nasty Malware Going Around
« Reply #24 on: September 13, 2009, 08:49:56 PM »
Mike, your statement presumes that the BitDefender rescue CD is even keyed to find and delete those particular rootkit files.  It may not be.