Antivirus Pro 2009 - Trojan virus and Spyware

Here's a very complete description of the insidious, really nasty virus, Antivirus Pro 2009, that is making the rounds on campus, and I'm sure on a few of your home PCs running Windows. Antivirus Pro 2009 should not be confused with real antivirus software such as Symantec Antivirus, McAfee, or AVG (I personally use AVG on the two Windows PCs I have at home). Here's a description from the Symantec Security Response site about the Antivirus Pro 2008 version -- they have nothing posted (or don't know) about the 2009 version yet!

I found this really great overview of this malware while looking for removal information. (Note: Regrettably, I don't have the link to the originating web site.)

Antivirus Pro 2009 is a rogue anti-spyware program from the same family as AntiSpywareXP 2009 and XP Antispyware 2009. AntiSpyware Pro 2009 is advertised through the use of Trojans that display fake security alerts and messages stating that your computer is infected. These alerts will also automatically install Antivirus Pro 2009 onto your computer.

As part of its installation process, Antivirus Pro 2009 will configure itself to start automatically when you log on to your computer. It will also create a variety of fake malware files on your computer that are completely harmless, but are installed so they are detected by Antivirus Pro 2009 when it scans your computer. When Antivirus Pro 2009 starts, it will automatically scan your computer and list a variety of infections that cannot be removed unless you first purchase the program. Many of these infections are the fake files that the program installed, as described above, as well as legitimate Windows files that are being called infections. It gives these false results in order to scare you into purchasing the software.

While it is running, you will also find that Internet Explorer has been hijacked. When browsing the web, Antivirus Pro 2009 will randomly display a screen stating that there has been insecure internet activity and that there is a threat of a virus attack. It then prompts you to either get protection or continue to the site. Regardless of the option you select, you will instead be brought to a web page where it tries to sell you the program. This is just another scare tactic and should be ignored.

I hope to post complete removal instructions here in the very near future. This one is a baddie!

Please make sure you don't click the OK button when a pop-up window appears saying "Your computer is infected! Click here to ..." while you are browsing. Just click the close box. If a software install or some other process starts, do your best to cancel it and not let Antivirus Pro 2009 install on your PC. Better yet, use Mozilla Firefox as your primary browser and use Internet Explorer only on sites that absolutely require it for access.

Better yet, use Linux (Ubuntu is my personal favorite!) on your personal computer and don't even bother with Windows! It truly is a Windows replacement!

Comments

F-Secure Brastk.exe info

The F-Secure site has info about one of the nasty downloader programs (brastk.exe) dropped on systems as part of the Antivirus Pro 2009 pop-up - this mentions two variants, but no specific removal info from F-Secure.

http://www.f-secure.com/v-descs/trojan-downloader_w32_renos_gen.shtml

This link has more detail about one of the variants to this downloader Trojan:

http://www.f-secure.com/v-descs/trojan-downloader_w32_fakealert_bg.shtml

Possible AVPro2009 Fix -- MalwareBytes

Mike G. said he had some success getting rid of the AntiVirusPro 2009 slime from a few infected PCs when he used an anti-malware utility called MalwareBytes. I was able to remove AVP2009 from an HP Tablet PC with the MalwareBytes utility after going into Safe Mode numerous times and removing the bits of garbage AVP2009 spewed all over the Windows XP landscape. I tried the same routine on a Dell tower and things just went South -- even Safe Mode was unusable. That PC will really be better off with a fresh re-install of Windows XP from safe media.

Here's an article on T.H.E.

Here's an article on T.H.E. Journal about the significant rise of email SPAM in the 3rd quarter of 2008. The statistic is that one in 416 emails sent is SPAM! Yikes! That is up from one in 3,333 emails in the 3rd quarter of 2007.

The top of the article mentions that these SPAM email pose no real threat to Mac OS X and Linux/Unix users, aside from clogging up email in-boxes. Yet another reason to move away from Windows!

Antivirus Pro 2009 Update

I spoke with Mike G. in Technology and he mentioned that the only real way to avoid getting infected by this Trojan virus is to turn off the computer (!?!!) when the web site pops up the warning. The warning pop-up states that either your current anti-virus software (such as Symantec Antivirus) is out of date (it probably isn't) or that you are currently infected. If you click to close the pop-up window or press the ALT key while tapping the F4 key (ALT + F4), the AVPro trojan will begin installing anyway!

You have to turn off the PC to avoid getting infected. Wow! Thanks, Mike!