
I managed to fall foul of my first web page virus this week

August 15, 2008

As an IT professional I consider myself very aware of the dangers of computer viruses and how to avoid them. I have had to clean up other people's computers many times and have yet to get an infection on my own computers.

So how was it that, on a client's site, a major corporation no less, with anti-virus software installed locally and some form of corporate Internet firewall, I managed to infect the PC I was working on?

The virus in question was IE Antivirus, a spoof anti-virus program, which hijacked Internet Explorer, automatically redirecting to its own URL regardless of the URL I actually typed in. For obvious reasons I shall not give out the URL it redirected to; I really do not want to encourage the spread of any virus.

The Symantec description of the virus is here.

Looking at the Symantec description of the virus, it would appear that the purpose of the infection is to get the infected user to register the anti-virus software, by paying of course, in order to get rid of the virus, thereby not only giving money to the virus writer but also handing over your credit card and address details. It should go without saying that there is no way you should trust any anti-virus software that so forcefully attempts to encourage you to buy it. It seems obvious that the virus and the removal software come from the same source, and that the idea is that desperate and less computer-literate users will be fooled into paying for the software, so the author gets an income and your details for selling on to goodness knows who.

It also makes me wonder whether the software actually does remove the virus, and whether there is another sting some time later to coerce yet more money out of infected users; or even, once the initial infection is removed, what other, more sinister things might be going on now that you have given the software unlimited access to your data. Either way, there was no chance whatsoever I was going to give money to this source for a removal method that I had no reason to trust.

How I got infected.

How I got infected is a little embarrassing to say the least. It was Beijing 2008 Olympics opening ceremony day and like many across the globe I was keen to get some news and sights of the opening ceremony and so entered the appropriate search phrase into Google. Among the results was a blog entry talking about the opening ceremony and in the responses to the blog posting were several items claiming to be links to live updates on the opening ceremony.

Like a fool chasing gold, I blindly clicked each of the links, not even thinking about what might be behind them. One of them said a download was required to view the associated video. You’d have thought that alarm bells would have rung loudly at this point, but no, on I clicked, and by the time I realised what I’d done it was too late.

On initial infection the virus redirects your browser to its own website, pops up a spoof warning of virus infection and attempts to convince you to download and install its own virus removal program. It was at this point that I realised my daft mistake and did not proceed with the download. I did not want to risk any further compromise of the system, and I certainly was not going to trust an anti-virus solution that pre-infected me with a virus in order to get me to install it to remove the virus.

Initial attempts at detection and removal.

With damage done, it was time to identify and remove the bugger.

The locally installed McAfee anti-virus completely failed to block the infection, and so did the corporate firewall. A post-infection scan of the PC using the installed McAfee also failed to find anything.

With Internet access effectively disabled, I had to start up a colleague's PC in order to start investigating. A search for the name of the web page that Internet Explorer was being redirected to showed that this nasty little virus had infected a significant number of people, with posts in all sorts of technical forums moaning about its presence, yet none gave credible removal descriptions. The only removal method I could see was to download some software, with a suspicious-sounding name, that required a registration fee in order to perform the removal.

More searches on the virus revealed it has several guises, all relating to anti-virus removal. Several posts recommended software to remove it, and all seemed suspicious. None of the recommended software names were recognised industry leaders in anti-virus software, and all required a payment before the virus would be removed. Deeply suspicious, I decided that trusting in these anonymous suggestions was a bad move and, failing to find any other removal instructions, I decided to start the removal attempt myself.

Removal Failure

Having removed virus infections from other computers before, I was confident that I could deal with this one as well.

First up was to boot into safe mode and have a play. It seemed obvious to search the registry for the names that I was seeing come up as redirects. This drew a blank, as did a registry search for the executable names that I had uncovered in the Internet searches.
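A defender's triage script, added here as an illustration and not part of the original post, that lists the registry and hosts-file locations where an Internet Explorer hijack commonly persists and flags any value containing the observed redirect name. `$Suspect` is an assumed placeholder for whatever host or executable name you saw in the redirects; the script changes nothing, it only reports.

```powershell
# Added example (not from the original post): enumerate autostart and IE hook
# locations where a browser hijack commonly lives, flagging values that match
# the observed redirect name. $Suspect is an assumed placeholder; replace it.
param([string]$Suspect = 'PLACEHOLDER-redirect-host')

$keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',        # Shell, Userinit
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',         # AppInit_DLLs
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',  # ProxyServer, AutoConfigURL
  'HKCU:\Software\Microsoft\Internet Explorer\Main',                    # Start Page, Search Page
  'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
)

foreach ($k in $keys) {
  if (-not (Test-Path $k)) { continue }
  $props = Get-ItemProperty -Path $k
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
    $flag = if ("$($p.Value)" -match [regex]::Escape($Suspect)) { '  <-- matches suspect' } else { '' }
    "{0}\{1} = {2}{3}" -f $k, $p.Name, $p.Value, $flag
  }
}

# Browser Helper Objects are registered by CLSID only; resolve each to its DLL,
# because a plain registry search for the redirect name will miss a hijack
# that lives in BHO code rather than in a string value.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
  Get-ChildItem $bhoKey | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InprocServer32>' }
    "BHO $clsid -> $dll"
  }
}

# A hosts-file entry can redirect a typed name with no registry change at all.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() } |
  ForEach-Object { "hosts: $_" }
```

Run it from an elevated PowerShell prompt (in safe mode if the hijack blocks the normal session) and review every flagged line and every BHO DLL path by hand before removing anything.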

Time to try more scan options.

Another McAfee scan, still in safe mode, failed to find anything, even after an update. The next option was to fall back on a known web scan that I have used before, ActiveScan from Panda Security. A full scan warned it could take some time, and take some time it did, close to 2 hours; the result was nothing found. Time to try something else. At home I use the free anti-virus and firewall software Avast!. Of the various home solutions on offer it's the one I find the most useful and least intrusive. They also offer a free online scan; sadly this too found nothing.

By this time I was getting desperate; the day was nearly over and I really wanted to have the virus removed before it was time to go home. I had time for one more try, so I headed for the Microsoft website and downloaded Microsoft® Windows® Malicious Software Removal Tool and Windows Defender. Both failed.

Dejected and somewhat annoyed, I gave up and headed home for the weekend. Maybe I would have better luck on Monday. Except I was off on Monday and a colleague was covering for me.

Success!

Said colleague had much better luck than me and, after confirming the negative results from the software mentioned above, found and downloaded Malwarebytes. Installed and updated, it removed the virus, and all has been good since.
