400,000 PCs Infected With Fake "Antivirus 2009"
Posted by
timothy
on Wed Dec 31, 2008 04:20 PM
from the please-keep-up-now dept.
nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."
Tomorrow's Headline (Score:4, Funny)
"over 394,000 PCs report massive amounts of virus infections due to the accidental removal of Antivirus 2009"
When will the Malcious software removal tool... (Score:4, Funny)
Remove my win32 directory?
Re:The relationship between Windows 95/98 and DOS (Score:5, Interesting)
This page [microsoft.com] has a pretty good overview of Windows 95 architecture, with some diagrams that show the various OS components, none of which is a full copy of DOS that has a GUI riding on top of it as found in Windows 3.11 and earlier. Instead, there is a 32-bit kernel which uses 32-bit device drivers exclusively, unless the user installs a legacy DOS driver.
If any DOS apps are run within Windows 95, they run in their own DOS virtual machine, and if no DOS apps are running, no DOS VM is created. These VMs are similar to those in Windows NT; what is not similar to Windows NT is the ability to load DOS device drivers to support legacy hardware that had no 32-bit protected-mode driver.
Those DOS drivers almost always ran slower than 32-bit drivers and frequently caused problems, to the extent that one of the first steps in troubleshooting a Windows 95 system was to check the autoexec.bat and config.sys for unneeded DOS drivers, or simply renaming those files to get rid of the gunk.
If there really were a copy of DOS running underneath Windows 95, renaming autoexec.bat and config.sys would have removed all the device drivers, leaving you with no access to your CD-ROM drive due to a lack of MSCDEX.EXE, which is needed by all versions of DOS, including the "DOS Mode" of Windows 95.
Re:The relationship between Windows 95/98 and DOS (Score:4, Interesting)
Try deleting the hidden system files (.SYS) in the root of your boot drive and see how far Windows 9x gets while booting.
The 9x Windows did ride on top of DOS, but replaced (and I'm using the word very loosely) DOS with its own kernel and drivers. DOS was still there, hiding in the background, but most everything was handled by the 32-bit protected mode code of 9x.
Also, there was no "virtual machine" for DOS in 9x. Windows took a snapshot of the DOS environment before it took over, and was able to present this environment to the user via V86 mode. This was, more or less, the same way Quarterdeck's DESQview software worked, except without the pretty graphics of the Windows GUI. A virtual machine implies much of the hardware is emulated, which it was not.
Renaming autoexec.bat and config.sys would have no bearing on the Windows environment because once Windows took over, it used its own .ini files and the registry to store and retrieve hardware and software configuration information.
Any drivers/TSRs run before Windows started would still be present after Windows loaded. In fact, one simple change to a single file caused Windows to not even load, booting instead to a plain old C:\ prompt. One could then later start Windows by executing WIN.COM.
Even Windows ME had DOS still hiding underneath it all. Windows versions based on the NT kernel are the only ones that did not rely on some version of MS-DOS to bootstrap Windows.
I really don't think you know what you are talking about.
Re:The relationship between Windows 95/98 and DOS (Score:5, Informative)
To me, the fact that the DOS 7 kernel IO.SYS is used to bootstrap Windows 95 does not indicate that 9x "rides on top of DOS" any more than the fact that LILO or GRUB might be used to bootstrap Linux means that Linux "rides on top of" LILO or GRUB.
The fact that legacy DOS device drivers can be loaded during the real-mode portion of the 9x boot process (but need not be kept around afterwards, and by default are not) only indicates that Windows has been designed to tolerate DOS device drivers in order to provide backwards compatibility.
This is a big difference between 9x and 3.x, which requires DOS drivers for sound and CDROM support. This is also the biggest difference between 9x and NT as regards DOS support - NT will not tolerate legacy DOS device drivers at all. This fact makes it perfectly clear that NT does not "ride on top of" DOS, while the fact that 9x is built to tolerate DOS drivers muddies the waters as to whether or not 9x "rides on top of" DOS. To me, the fact that these legacy drivers are not required indicates that 9x is an OS rather than a GUI, and that is the point I was getting at with the CD-ROM driver example.
Taking this reasoning a step farther, the fact that 32-bit hard disk drivers are available under Windows 3.1 leads some to consider 3.1 itself to be somewhat of an OS (or, along with DOS, one of the two components of an OS) rather than simply a GUI, because previous GUIs such as GEM for DOS had no device drivers of their own and relied entirely on DOS for driver support. There is some merit to this argument, and my take on the situation is that there isn't a clear line between GUI and OS where early versions of Windows are concerned, but rather a gradual shift from total reliance on and tolerance of DOS for bootstrapping and drivers in early versions of Windows (which were mere window managers like GEM) to a total lack of reliance on DOS code for these functions in later versions starting with NT 3.1, which first used NTLDR to begin the boot process. Windows 95's place on this spectrum is that it requires some DOS code to boot, but afterwards doesn't require any non-32-bit device drivers at all.
If, when we say that Windows 3.11 "rides on top of" DOS 6, we mean that Windows 3.11 is an application environment which takes advantage of the filesystem and driver support provided by DOS, I don't think that we can accurately say the same thing about Windows 95, which is an OS with a 32-bit kernel and some 16-bit components which uses DOS for bootstrapping but does not need any DOS filesystem or driver support once it's up and running. To me this doesn't equate to having DOS "hiding underneath" Windows 9x. It seems more accurate to me to say that Windows 9x has built-in support for DOS drivers and apps for backwards-compatibility reasons, and uses it during the boot process.
Malwarebytes (Score:5, Informative)
Agree! (Score:3, Informative)
Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes it right off.
Re:Agree! (Score:5, Informative)
Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes it right off.
I swear by them. In fact, I removed Symantec AV from my computer (since it only protects against exploits nobody uses anymore and slows your PC down more than any virus). I use Windows Defender to monitor system changes and do periodic sweeps w/ Malwarebytes. System is much faster now and still clean.
Re: (Score:3, Informative)
Yup, and AV 2009 is about the worst spyware there is. It installs a God damn driver just so that DNS queries to antivirus sites don't resolve, even though your hosts file stays clean.
Re:Malwarebytes (Score:4, Insightful)
The annoying thing though, most of them installed it themselves, deliberately, thinking they were doing "good".
Bah. Hang the authors of "Antivirus 2009" up by their nadgers.
Combofix was the only thing that worked for me (Score:5, Informative)
Re:Combofix was the only thing that worked for me (Score:4, Informative)
Rename the Spybot exe. You can do the same with HijackThis.
That way you can eradicate the registry entries, then DO NOT REBOOT but yank the power cord.
Most ickies will rewrite their registry entries when they see a shutdown started.
Avast! free home edition has protected against that nasty ever since they updated the name from 2008 to 2009.
Re:Malwarebytes (Score:4, Funny)
the wooshing noise you heard was the sound of thousands of linux boot disks flying over your head.
Re:Malwarebytes (Score:4, Informative)
That's what Unlocker is for. http://ccollomb.free.fr/unlocker/ [ccollomb.free.fr]
Re:Malwarebytes (Score:5, Informative)
This doesn't work with some variants I've seen. The malware is running as the system, but there are also components that are running as the current user.
Set the permissions to deny SYSTEM access to that key, and the user components change the permissions back before you can delete the key. Killing the user components is useless, as the system components restart them. Killing the system components blue screens the machine, as some are linked into winlogon, and you can't kill that.
Denying your own user write access to the startup keys to get around all this is, obviously, useless.
Offline scan/deletion is the only way to go with this crap.
Re: (Score:3, Informative)
Well, let's see: I could spend who knows how long poking at this, in the hope that I might end up with a clean system (as opposed to a more subtly infected one), or I could just send down an image, and have the system running like new in 20 minutes, 18 of them unattended. Not a hard choice.
Take off and nuke the site from orbit, it's the only way to be sure.
Re: (Score:3, Informative)
Process Explorer is your answer to this, from Sysinternals. Suspend, not kill, all the problem processes, then go into properties for winlogon, explorer, etc. and the problem DLLs will have their own threads inside the process. Suspend the individual threads, then go back and kill everything you suspended. Memory is now clean, go kill the problem files off disk and out of startup entries, then reboot.
Re:Malwarebytes (Score:5, Informative)
Try this instead.
1. Run Hijackthis and look for any suspicious startup entries. Even the average computer user will be able to rule out most entries as things they recognize, meaning you won't have to google more than a handful, which will probably take 5-10 minutes at the most.
2. Install Unlocker. http://ccollomb.free.fr/unlocker/ [ccollomb.free.fr]
3. Browse to locations of files linked to by suspicious startup entries. Check date created.
4. Go to Windows directory, sort files by date, google suspicious files found since above date. Remove files confirmed to be malware or files for which you cannot find any information. (If you can't find any info on them, they're either randomly generated malware names, or malware too new to show up yet in a search.)
5. Do the same in Windows\System32.
6. Run a system cleanup to delete all Temp files and Temporary Internet Files.
7. Now delete the original malware folder.
8. Delete the startup entries with Hijackthis.
9. Restart computer. Should be clean.
The best part is, this will work with virtually *any* malware infection, and will generally catch things that even Malwarebytes misses.
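The procedure in the comment above is a manual triage of autostart entries: list what runs at startup, then single out entries that live in user-writable directories, have machine-generated-looking names, or point at files created after the infection appeared. The script below automates exactly that triage over HijackThis-style O4 lines. It is an added example, not code from the thread or from HijackThis; the O4 lines, the file-creation dates (standing in for the Explorer date column the procedure sorts by) and the infection date are all constructed.

```python
"""Triage Windows autostart entries as the manual procedure does: parse
HijackThis-style O4 lines, then flag entries that (a) launch from a
user-writable directory, (b) have a machine-generated-looking file name, or
(c) point at a file created on or after the date the infection appeared.
Added example; all sample data below is constructed."""
import re
from datetime import date

# Constructed HijackThis O4 lines (format: O4 - <hive>\..\<key>: [<name>] <path>).
SAMPLE_O4 = """\
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [lphc3j0j0e1a5] C:\\WINDOWS\\system32\\lphc3j0j0e1a5.exe
O4 - HKCU\\..\\Run: [Antivirus 2009] C:\\Documents and Settings\\bob\\Local Settings\\Temp\\av2009.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Constructed "date created" index (path -> date), i.e. what you would read off
# the Explorer date column after sorting the Windows directory by date.
SAMPLE_CREATED = {
    r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe": date(2007, 3, 14),
    r"C:\WINDOWS\system32\lphc3j0j0e1a5.exe": date(2008, 12, 20),
    r"C:\Documents and Settings\bob\Local Settings\Temp\av2009.exe": date(2008, 12, 20),
    r"C:\WINDOWS\system32\ctfmon.exe": date(2007, 3, 14),
}
INFECTION_DATE = date(2008, 12, 18)  # constructed: day the rogue AV first popped up

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<path>.+?)\s*$")
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\",
                 "\\documents and settings\\")


def parse_o4(text):
    """Return a list of {key, name, path} dicts, one per O4 line."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def looks_generated(path):
    """Heuristic for names like lphc3j0j0e1a5: several digits mixed into letters."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 3 and letters >= 3


def triage(o4_text, created_index, infection_date):
    """Return the suspicious entries, each with the reasons it was flagged."""
    suspects = []
    for e in parse_o4(o4_text):
        reasons = []
        low = e["path"].lower()
        if any(m in low for m in USER_WRITABLE) and "\\program files\\" not in low:
            reasons.append("runs from a user-writable directory")
        if looks_generated(e["path"]):
            reasons.append("machine-generated-looking file name")
        created = created_index.get(e["path"])
        if created is not None and created >= infection_date:
            reasons.append(f"file created {created.isoformat()}, on/after infection date")
        if reasons:
            suspects.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for s in triage(SAMPLE_O4, SAMPLE_CREATED, INFECTION_DATE):
        print(f"[{s['name']}] {s['path']}\n    " + "; ".join(s["reasons"]))
```

On the constructed input the Synaptics and ctfmon entries pass and the other two are flagged, the av2009.exe entry for its location and creation date, the lphc entry for its name and creation date. The name heuristic is deliberately narrow (three or more digits mixed into letters) so that ordinary names such as ctfmon.exe or cmd32 are not flagged; it complements, rather than replaces, the "google anything you don't recognise" step in the procedure.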
Wait a pain... (Score:4, Informative)
I also had to convince my dad that there was no easy way to sue the "manufacturer" of this program.
Re: (Score:3, Interesting)
Wildly annoying one. (Score:5, Insightful)
I really don't have the time or interest to figure out if the AV is just sucking, and not reporting infections that actually do exist, or if whoever is pushing the software has compromised a bunch of ad providers; but it seems to be a big issue in Windows land (poor bastards).
Good job Microsoft! (Score:5, Funny)
Now let's hope Symantec is not going to sue them... :)
how many users will complain about removal? (Score:5, Interesting)
I wonder how many of the clueless will complain to microsoft that the removal tool removed software THEY HAD PAID FOR
iirc some of the malware and adware 'vendors' had eulas that forbade users to remove their programs
It'll never happen, but I'd like to see one of those guys try to sue Microsoft for violating their EULA. Would Microsoft try to claim that the EULA was invalid?....
One can always dream.
-I'm just sayin'
Re: (Score:3, Insightful)
An amusing notion, but it'll never happen for two reasons:
1) EULAs may or may not be enforceable in their usual sense, but a requirement that you can't remove the software doesn't even make sense. The concept of a EULA is that you must agree to the terms in order to use the software. If you're not using the software (i.e. you remove it) you're not bound by the terms anymore.
2) Since this is intentionally malicious software and almost certainly constitutes at least one form of fraud, the owner publicly ident
Re:how many users will complain about removal? (Score:4, Funny)
iirc some of the malware and adware 'vendors' had eulas that forbade users to remove their programs
But if you remove it, you're in violation of the EULA, and therefore are not allowed to use the program, so you must remove it!
Absolutely no problem there.
Re: (Score:3, Interesting)
Well, it's malware, not scareware. That is, it only acts scary to get it downloaded/installed, not to get money. Otherwise, they would have tracked down the payments by now. And if they had paid for it, the customers probably used a credit card. So a large number of them could get it refunded because of the fraud involved.
Re: (Score:3, Interesting)
Is this troublesome to anyone else? (Score:3, Insightful)
The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
When will their idea of malware differ from mine?
Will they always do it correctly (no collateral damage)?
Re:Is this troublesome to anyone else? (Score:5, Insightful)
Well, the reason you install these programs like Defender is so it deletes the malware for you.
Replace Microsoft with Kaspersky, AVG or one of those other "reputable" AV vendors and ask the same question. They have just as much ability to delete a program.
Re: (Score:3, Interesting)
The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
When will their idea of malware differ from mine?
I had to use Real VNC at my last job and Windows Live OneCare (or whatever it's called) detected and removed it. I would think MRT would ignore questionable software, but for apps/services targeting Joe Sixpack, don't be surprised to see some things like VNC or IRC software flagged as malware.
Understating the menace. (Score:5, Insightful)
This family of infectors is probably, by far, the worst spyware/hijacking piece of junk I've ever seen. I can't help but feel that 400,000 isn't nearly the number that has actually been infected, simply because nobody I know actually uses MSRT, and I seriously doubt that any machine that gets infected with it could actually get back into the condition where it can download and/or install MSRT, or virtually any other software. It's just that bad.
Re:Understating the menace. (Score:5, Informative)
nobody I know actually uses MSRT
You might be surprised. The version of MSRT that comes from Windows Update runs in the background once a month and only alerts you when it notices a problem. I've never knowingly run it, but sure enough, if I check my Windows Update history I've installed the December edition.
On a side note, maybe this explains the persistent disk thrashing episodes I still get with Vista, maybe once a month or so...
Re: (Score:3, Interesting)
Literally every single Windows user I know has been infected with this. I removed it several times over the holidays. My wife (and many of her coworkers) were infected...
I know it's not necessarily a representative sample, but I'd be shocked if it was only 400k machines in total.
Re:Understating the menace. (Score:5, Interesting)
>simply because nobody I know actually uses MSRT
MSRT is packaged with Windows Update. If they have automatic updates set as they're supposed to then they run it every month. It's just not obvious to the end user. MS uses MSRT for a lot of things. Last time they took down one of the bigger botnets.
I've seen PCs with "Antivirus 2009" and its predecessors still able to use automatic updates. I'm sure malware writers will now just disable the service. I believe some versions of Antivirus 2009 did shut down the service.
That said, the real problem here is why legitimate sites are serving up the pop-under ads for Antivirus 2009. Ad networks need to start vetting their clients. People should just start blocking all ads as a security threat.
family tech support (Score:5, Informative)
Yep, got called round to my brother's house to fix his computer because it had this stuff on it.
I don't know exactly what it was supposed to be doing, the computer would boot up into winxp and then just freeze. Safe mode worked but safe mode with networking did not, so I guess it was calling home somewhere (thinking about it now I should have just unplugged the network cable to see if that stopped the computer freezing).
Anyways I didn't have any stuff with me and without net access I decided the path of least resistance was to reinstall windows (my brother did not have anything he wanted to keep).
I should have brought round a ubuntu live cd with me.
When will people learn (Score:4, Informative)
I'm tired of users like you (Score:4, Insightful)
I'm not saying this as flamebait but I'm really tired of users who consistently post in forum after forum that they don't run antivirus, firewall, or antimalware applications. Then, just like you, they claim they don't have any infections. How would you know even if you had an infection without running a scanner? Online scanners are great but they only cover files that you're going to run of your own volition. They do not cover infections that occur through holes in the browser and/or OS. This is where the fundamental problem lies in your strategy.
Case in point, let's say you browse to a website that uses a hole in your browser to get code onto your system that opens a port via UPnP in your router. Then through the open port your machine starts infecting/spamming others. How would your methods guard against that?
Safe computer habits are great when you can trust your Operating System and browser to be secure all while you're not logged in with an account with "Administrator" (root) level privileges. Too bad Windows can't be trusted to be secure and, therefore, necessitates the need for antivirus, antimalware, and firewall.
Re: (Score:3, Informative)
From the CBL a few months back:
News Alert - 2008/09/22 - A/V is not keeping up
It has become apparent that reliance on Anti-virus software for protection against spam bots is increasingly ineffective, and is reaching "disaster" status.
A large non-profit security organization has recently reported that only 23% of the 30,000 "unique" infections they see per day are detected by _any_ of 35 of the most popular A/V products, and percentage only reaches 50% after the infections have been in the wild for a month. And this includes well-known long standing botnets like Srizbi or Storm.
Many of our correspondents have told us that they've run a whole battery of A/V products on an infected machine that are provably infected with a known bot (by the email they emit), and not found anything.
Given the failure of A/V to help identify/eradicate infections, we can only continue to assert that the best way to prevent bot emission (and CBL detection) is to secure your networks so that ONLY mail servers can send email to the Internet.
Spam bots are out-pacing AV software by leaps and bounds.
At least Zunes are safe (Score:5, Funny)
Thanks Microsoft for thoughtfully protecting all the Zunes from this outbreak.
Very few PCs run Windows? (Score:4, Funny)
Re: (Score:3, Informative)
The malware may try and stop Windows Update from running (many of them do). For that matter, the kind of people likely to install something like this (it spreads either through Trojans or as scareware, not through system exploits) are probably statistically more likely to have Windows Update turned off entirely. For that matter, this isn't a worm that spreads automatically - it takes substantial user error to get infected in the first place.
All this means that the only infections the MSRT can get to were ei
Why do they know this? (Score:5, Interesting)
Depends (Score:4, Informative)
Some do, some don't, some are configurable. A lot of companies want their tools to check in so that they can measure how widespread something is and react accordingly. For example NOD32 can be configured anywhere from submitting no information to submitting anonymous statistics as well as files it flags as potentially unsafe but can't identify. They want the information because it helps them better update their virus database and respond to new threats faster.
Also many corporate AV/AM products can do very full reporting back to the central server. They'll check in and say when they ran, what they found, where it was, etc.
One rogue program removed per month? (Score:4, Insightful)
So how long will it take to clean up the entire population of Windows PCs?
This kind of propaganda is counterproductive. First of all, this is a negligible effect, secondly it pretends that MS takes care of Windows users, and thirdly it doesn't emphasize that safe computing is far more important than all security software in the world.
Our website got hit by a AV2k9 redirect issue (Score:3, Informative)
I'm not sure how this happened. Our personal little website (prestopnik.com) got hit by these guys. They put some redirect rules into our .htaccess file, such that if you were visiting our site from one of about 6 different domains, it redirected you to their site. We didn't see it for a long time, because we usually just visit our site directly, but if you were coming from a link in Yahoo mail, or found it via Google or something, you got redirected.
Our hosting tech support said one of our computers was infected, but from looking online, I didn't see signs of an infection on our side, but I'm still not 100% sure what happened, and if we are clean now. I think we run on our shared machine for hosting (Linux though), maybe they got in like that?
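The injection described in this post has a recognisable shape in mod_rewrite: one or more RewriteCond lines testing %{HTTP_REFERER} for a short list of referring domains, followed by a RewriteRule whose target is an absolute URL on a host that is not the site's own, so that direct visitors (including the owner) never see it. The script below audits an .htaccess for that pattern, using Apache's grouping rule that RewriteCond lines attach to the next RewriteRule. It is an added example, not code from the post or from the hosting provider; the .htaccess text is constructed, and the rogue landing host is a placeholder in the reserved .invalid TLD. prestopnik.com is used as the site's own host because the post names it.

```python
"""Audit an Apache .htaccess for referer-conditional redirects to another host:
a RewriteCond on %{HTTP_REFERER} whose RewriteRule sends the visitor to an
absolute URL that is not on the site's own domain.
Added example; the .htaccess text below is constructed."""
import re
from urllib.parse import urlsplit

SAMPLE_HTACCESS = """\
RewriteEngine On

# injected block: only visitors arriving from search engines/webmail are hijacked
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|msn|aol|live|ask)\\.(com|net).*$ [NC]
RewriteRule ^.*$ http://rogue-av-landing.invalid/in.cgi?3 [R=301,L]

# legitimate front-controller rule
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]

# legitimate canonical-host redirect
RewriteCond %{HTTP_HOST} ^prestopnik\\.com$ [NC]
RewriteRule ^(.*)$ http://www.prestopnik.com/$1 [R=301,L]
"""

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def parse_rules(text):
    """Return (conditions, pattern, target, flags) tuples using Apache's grouping:
    RewriteCond lines attach to the next RewriteRule and are then reset."""
    pending, rules = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1), m.group(2), m.group(3) or ""))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((pending, m.group(1), m.group(2), m.group(3) or ""))
            pending = []
    return rules


def offsite_host(target, own_hosts):
    """Return the target's hostname if it is an absolute URL to a foreign host, else None."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if any(host == h or host.endswith("." + h) for h in own_hosts):
        return None
    return host


def find_referer_hijacks(text, own_hosts):
    """Flag every rule that is both referer-conditional and redirects offsite."""
    findings = []
    for conds, pattern, target, flags in parse_rules(text):
        referer_conds = [c for c in conds if "%{HTTP_REFERER}" in c[0].upper()]
        host = offsite_host(target, own_hosts)
        if referer_conds and host:
            findings.append({"target_host": host,
                             "referer_pattern": referer_conds[0][1],
                             "flags": flags})
    return findings


if __name__ == "__main__":
    for f in find_referer_hijacks(SAMPLE_HTACCESS, {"prestopnik.com"}):
        print(f"referer-conditional redirect to {f['target_host']} "
              f"(referer matches {f['referer_pattern']}, flags [{f['flags']}])")
```

Only the first block is reported; the front-controller rule has a relative target and the canonical-host redirect stays on the site's own domain. Two practical notes: injected blocks are often preceded by hundreds of blank lines so they sit below the visible part of the file in an editor, which is why the audit parses the whole file rather than eyeballing it; and since .htaccess is only as trustworthy as the account that can write it, a finding like this should be followed by rotating the FTP/SSH credentials from a clean machine and checking the rest of the web root, as the reply below suggests.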
Re:Our website got hit by a AV2k9 redirect issue (Score:4, Informative)
They may have keylogged you, and got your password to the hosting machine...
Or they could have exploited vulnerable webapps on it...
Unusual for a Linux hosted website to get hit by something like this, but not unheard of. You need to make sure the machine wasn't rooted though, and reinstall if it was.
Time for Linux (Score:4, Interesting)
Re:Time for Linux (Score:5, Interesting)
Sorry about your wife's laptop, but this doesn't happen without the user specifically installing the software.
Even on Linux, she won't be any safer if she isn't instructed not to click on crap and install it.
You would be safer running Vista, as this malware (not virus) was not able to get installed on Vista even when users told it yes. If by chance it even did get installed on Vista, it would have had limited damage compared to XP; things like redirect the web sites, turn off anti-virus etc. (Vista users basically didn't have this problem)
So have you convinced her to move to Vista yet?
You could also set her up as a 'user' and not let her run crap in administrator mode, and if she needs something installed, have her do the run as and actually type in the password so she knows that she is modifying the computer. (Yes on XP)
On Vista, have her run as User as well; the password prompt is just automatic and doesn't require her to do 'run as'...
---
I love the stories of 'the last straw' and how horrible Windows is, especially when it is something users have done to themselves. If Windows or MS is guilty of anything here, it is that they made Windows too easy for users and haven't educated people enough. (Like you should have done for your spouse.)
PS She should smack the crap out of you for not explaining what to click on and what not to click on to install, especially from the internet.
Re:MS patting themselves on the back (Score:5, Informative)
Nope. Try a little research, please. This program spreads through two methods, Trojans and scareware (tricking the user into thinking that his computer is infected, so he buys and installs AV2k9 as a "fix"). Such software can do anything the user can (which, provided you run the program with root/Administrator credentials - like you would if installing something - is anything at all).
In either case, it's a simple matter of Problem Exists Between Keyboard And Chair. The prevalence of malware for Windows does make scareware more likely to work, but in the end it's still a matter of the user telling the OS to do something stupid (run a malicious program) and the OS obeying just like it's supposed to.
Re: (Score:3, Interesting)