Nasty new virus - warning!

blacbird · Jun 14, 2011

On my business computer today, as I was trying to do the most innocuous thing, google the website for my local veterinarian (baby kitties need their final kitten shots), a pop-up warning emerged, and the connection to the internet was disabled. This thing is called XP Antivirus 2012, and it is a really nasty invasive horror. If you see it, don't do anything but get thee quick to a solution. It blocks all access to Internet sites, on every browser, and also access to standard software like word-processors and spreadsheets. All with the appearance of being a warning to download protection software, and very slick format, too.

But it is a total spyware/malware virus, and is trying to extract things like e-mail addresses, passwords, and credit card info. And it is a beeyatch to get rid of. I'm still working on that part.

It is also apparently very new. Via another computer I was able to do a search on it, and the earliest warning I could find was dated June 8. Be ye all very wary.

Deleted member 42 · Jun 14, 2011

Here's some more information; it's a very nasty Trojan, with multiple names, and multiple ways of installing backdoors.

http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

http://www.2-spyware.com/remove-xp-antivirus-2012.html

kuwisdelu · Jun 14, 2011

Medievalist said:
Here's some more information; it's a very nasty Trojan, with multiple names, and multiple ways of installing backdoors.

http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

http://www.2-spyware.com/remove-xp-antivirus-2012.html

Ah, thanks. I was about to ask if it was a real virus or a trojan. It's been a while since we've seen the former.

blacbird · Jun 14, 2011

kuwisdelu said:
Ah, thanks. I was about to ask if it was a real virus or a trojan[/b]. It's been a while since we've seen the former.

Doesn't much matter, in practical terms.

kuwisdelu · Jun 14, 2011

blacbird said:
Doesn't much matter, in practical terms.

Other kinds of malware are much easier to avoid with enough knowledge. It's just knowing what to look out for that can be difficult. Not that that's any comfort once you do get one, in which case yeah, they're all equally as bad.

KTC · Jun 14, 2011

Ack...I had a similar one a year or so back. Such a pain. I had co-workers who actually believed the warning. A pain to get rid of. This one sounds even more malicious. Thanks for the warning!

Soothing Snow · Jun 14, 2011

I had that not too long ago. It really is a pain in the ass to get rid of...

Quentin Nokov · Jun 15, 2011

Ah, I think my sister had this virus. It truly was a nasty little bugger. She couldn't do anything. She couldn't run Avast, she couldn't even restore it. Her disk drive didn't work; it pretty much crippled her computer. Luckily a friend she went to school with fixed it for her. He had to scan her computer with another in order to get rid of the spyware. It works fine now, though she still bought another. Lol.

Margarita Skies · Jun 15, 2011

Sounds a lot like the nasty Win7 Internet Security 2011 I got a month and a half ago. Same dog, different name. Oh, sorry, I didn't mean to offend dogs...

AmericaMadeMe · Jun 15, 2011

This is precisely the kind of malware that doesn't require an exploit or a backdoor, but just the willing participation of the end user. You can't protect people from themselves.

areteus · Jun 15, 2011

Yet another cautionary tale to all and sundry - when sticking your browser in other parts of the internet, make sure you wear a condom

I'm not sure, but I think things like pop up blockers and spyware/malware screens and a decent firewall should help prevent these sort of things. Though they are getting more and more insidious as the technology outstrips the best defenses.

I had something similar to this a while back. I think I remember I killed the internet connection (which stopped it doing much more harm and transmitting any details anywhere) and ran the deepest, scorched earth style virus scan I could to get rid of it.

Another one before that got in deeper before I was even aware it existed. A friend who knew his way around a Win XP system folder (I have a couple of tech guys in my circle, most of them have to deal with this sort of thing every day) had to go into the registry and manually delete the virus files. It didn't actually get rid of all of it, but apparently it crippled it enough to stop it auto-reinstalling (so my desktop PC has a few MB of a program somewhere on it that can't do anything but equally cannot be found unless you know the filename...). Nasty buggers...

shelleyo · Jun 15, 2011

I picked one up doing an image search recently. It loaded when I viewed the picture, locked me out of everything while alerting me to viruses on the machine, and left the only clickable thing on my computer the button to buy the software.

I immediately turn it off and restarted in safe mode and had to keep redoing that until I found out what to disable that would let me get back online, to find out how to get rid of it. While I was able to remove most of it, it had done something to my browsers so that when I clicked a link in a Google search, I was redirected to other sites. It was maddening. After a few days of trying to stop the browser hijacks with manual changes, I downloaded Hitman Pro, which has a free 30-day trial in which it can actually be used as opposed to just showing you what's wrong and requiring payment to fix the problems.

That was the only thing that worked for me. I now run AVG anti-virus on this laptop and my main computer. It's not something I worried too much about before, because I ran online scans regularly and don't do the sorts of things most associate with picking up viruses.

Since then, AVG has blocked similar viruses about 20-25 times, all from using Google image search and clicking on a photo. That's wild.

Shelley

whacko · Jun 15, 2011

If you do get a suspicious pop-up, don't hit Close, Okay or the X in the top corner.

Go into Task Manager, Ctrl Alt and Del, and end all your internet processes, e.g iexplore.exe.

That should stop the bugger getting in.

Regards

Whacko

newbound · Jun 15, 2011

Yep, I had this nasty little thing invade my computer over a year ago (an older version of it), and bleepingcomputer helped me clear it up. I love sites like that! *kisses*

Jersey Chick · Jun 15, 2011

I got one like this as well late last year - I had to pay someone to get rid of it because no matter what I did, it wouldn't. go. away.

People who design these viruses should burn in hell, IMHO. They need to get a life.

Margarita Skies · Jun 15, 2011

whacko said:
If you do get a suspicious pop-up, don't hit Close, Okay or the X in the top corner.

Go into Task Manager, Ctrl Alt and Del, and end all your internet processes, e.g iexplore.exe.

That should stop the bugger getting in.

Regards

Whacko

Thank you so much. Never thought it would be that simple.

Margarita Skies · Jun 15, 2011

Oh, and I don't remember if I mentioned it before, but I got the Win7 bastard doing a google search too.

Jersey Chick · Jun 15, 2011

That's how I got it. A Google image search.

zanzjan · Jun 15, 2011

AmericaMadeMe said:
This is precisely the kind of malware that doesn't require an exploit or a backdoor, but just the willing participation of the end user. You can't protect people from themselves.

Though trickery is definitely part of it. In the earlier versions of this, the close-this-window "x" on the pop-up was a fake, and essentially behaved like a yes-please-install-this "x".

One thing you can do (aside from the obvious don't use IE, don't run as administrator, don't use outlook) if you get pop-ups or other strange browser ephemera that you don't trust is just kill your browser process rather than try to close it down. If you pull up your task manager (ctrl-alt-del will give you that option, at least on XP [dunno about win7]) select the processes tab, and find your browser (firefox.exe, frex) and click "End Process". Obviously you don't want to go killing processes willy-nilly if you don't know what they are.

-Suzanne

AmericaMadeMe · Jun 15, 2011

zanzjan said:
Though trickery is definitely part of it. In the earlier versions of this, the close-this-window "x" on the pop-up was a fake, and essentially behaved like a yes-please-install-this "x".

One thing you can do (aside from the obvious don't use IE, don't run as administrator, don't use outlook) if you get pop-ups or other strange browser ephemera that you don't trust is just kill your browser process rather than try to close it down. If you pull up your task manager (ctrl-alt-del will give you that option, at least on XP [dunno about win7]) select the processes tab, and find your browser (firefox.exe, frex) and click "End Process". Obviously you don't want to go killing processes willy-nilly if you don't know what they are.

-Suzanne

Yes, but the end users who have the greatest proclivity for malware infections are the ones who are still using XP, who still won't spend the money for paid Internet Security software subscriptions, who still use Internet Explorer, who turn off automatic updates, turn off UAC.......I think we can see the pattern.

In the end, these "social engineering' outbreaks aren't attributable Microsoft or even Apple, in the case of the MacDefender bug, but to the end users who actually click on these preposterous pop-ups. You can't protect people from themselves......and maybe you shouldn't even try.

Deleted member 42 · Jun 15, 2011

AmericaMadeMe said:
Yes, but the end users who have the greatest proclivity for malware infections are the ones who are still using XP, who still won't spend the money for paid Internet Security software subscriptions, who still use Internet Explorer, who turn off automatic updates, turn off UAC.......I think we can see the pattern.

You know not everyone can afford to upgrade every two years.

Moreover, for users using adaptive technology in the form of screen readers, the alert often sounds completely legit.

Let's not be overly dismissive of users who lack your sophisticated and exotic skill set. Because that would be arrogant.

AmericaMadeMe · Jun 15, 2011

shelleyo said:
I picked one up doing an image search recently. It loaded when I viewed the picture, locked me out of everything while alerting me to viruses on the machine, and left the only clickable thing on my computer the button to buy the software.

I immediately turn it off and restarted in safe mode and had to keep redoing that until I found out what to disable that would let me get back online, to find out how to get rid of it. While I was able to remove most of it, it had done something to my browsers so that when I clicked a link in a Google search, I was redirected to other sites. It was maddening. After a few days of trying to stop the browser hijacks with manual changes, I downloaded Hitman Pro, which has a free 30-day trial in which it can actually be used as opposed to just showing you what's wrong and requiring payment to fix the problems.

That was the only thing that worked for me. I now run AVG anti-virus on this laptop and my main computer. It's not something I worried too much about before, because I ran online scans regularly and don't do the sorts of things most associate with picking up viruses.

Since then, AVG has blocked similar viruses about 20-25 times, all from using Google image search and clicking on a photo. That's wild.

Shelley

You should have been using a Mozilla browser with an add-on that allows selective script blocking. That simple step would have prevented nearly every malware infection described in this thread. It's just that simple. I'm not about to suggest that Windows users could, or should, attempt to go online without paid Internet Security subscriptions, but selective script blocking is a free, unproblematic first step.

shelleyo · Jun 15, 2011

AmericaMadeMe said:
You should have been using a Mozilla browser with an add-on that allows selective script blocking. That simple step would have prevented nearly every malware infection described in this thread. It's just that simple. I'm not about to suggest that Windows users could, or should, attempt to go online without paid Internet Security subscriptions, but selective script blocking is a free, unproblematic first step.

Thank you for the useful information you've given in this thread, even if it is wrapped in condescension.

Shelley

niknicnac · Jun 15, 2011

Thank you blacbird for the warning.

AmericaMadeMe · Jun 15, 2011

Medievalist said:
You know not everyone can afford to upgrade every two years.

If Microsoft had a 2 year product cycle, I doubt the company would be in such a tenuous position. Even Apple, which does have a 2 year product cycle with OS X, is still providing security updates on Leopard, which was released in 2007.

Medievalist said:
Moreover, for users using adaptive technology in the form of screen readers, the alert often sounds completely legit.

Sadly, that doesn't seem to be the major issue with the current crop of social engineering malware.

Medievalist said:
Let's not be overly dismissive of users who lack your sophisticated and exotic skill set. Because that would be arrogant.

Sophisticated? Exotic? Me?

To put things into perspective, we're talking about issues that were addressed over 5 years ago. Selective script blocking add-ons? Not all that exotic these days.

I do try to keep advice general, since I don't want to start endorsing specific add-ons or one Mozilla browser over another, let alone specific commercial Internet Security suites. I'm not in the endorsement business.

Nasty new virus - warning!

blacbird

Deleted member 42

kuwisdelu

Revolutionize the World

blacbird

kuwisdelu

Revolutionize the World

KTC

Stand in the Place Where You Live

Soothing Snow

Quentin Nokov

King of the Kitties

Margarita Skies

AmericaMadeMe

areteus

shelleyo

Just another face in a red jumpsuit

whacko

Keeping up with the class

newbound

It's my turn!

Jersey Chick

Up all night to get Loki

Margarita Skies

Margarita Skies

Jersey Chick

Up all night to get Loki

zanzjan

killin' all teh werds

AmericaMadeMe

Deleted member 42

AmericaMadeMe

shelleyo

Just another face in a red jumpsuit

niknicnac

AmericaMadeMe