VISTA Antivirus 2008 - Warning

Kodiak
Jedi Master
Posts: 1400
Joined: 2005-07-08 02:19pm
Location: The City in the Country

Post by Kodiak »

So, today I opened up an e-mail which I thought was from someone I knew...

and I got saddled w/ VISTA Antivirus 2008, which is a virus/spyware/malware combo the likes of which I've never seen before. This thing was able to change the Windows registry to lock me out of my own start menu, the run prompt, and "My Computer". The thing is though, that this virus looks EXACTLY like Windows Security in almost every detail, so much so that I actually "bought" upgraded security through it (yeah, I have to make a phone call to cardmember services tomorrow :( ). After an hour or so of me going "WTF IS THIS SHIT!" I took a break to go to church.

I talked to my buddy there who works in IT and he agreed to come over this afternoon to take a look. He's good at what he does (probably why he does it for a living) and it took him OVER FOUR HOURS to fix it. The solution involved Norton, several single-shot fixes, and Microsoft's recommended anti-malware program. My system is fine now.

The moral of this story is:

1. Don't open e-mails without paying close attention. The one I got was so low-tech it slipped by, posing as an e-mail from my friend James.
2. Google any and all error messages your comp spits out that look shady.
3. Always have a friend who knows more about computers than you do.
PRFYNAFBTFCP
Captain of the MFS Frigate of Pizazz +2 vs. Douchebags - Est vicis pro nonnullus suscito vir

"Are you an idiot? What demand do you think there is for aircraft carriers that aren't government?" - Captain Chewbacca

"I keep my eighteen wives in wonderfully appointed villas by bringing the underwear of god to the heathens. They will come to know God through well protected goodies." - Gandalf

"There is no such thing as being too righteous to understand." - Darth Wong
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Post by General Zod »

A virus called XP Antivirus 2007/8 has been floating around on the interweb for some time now. I suppose this is the new variant, but really. Never use your credit card for anything on the internet without double and triple-checking everything about the company you're buying from. To say nothing of downloading software.
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

I think it needs to be pointed out that not everyone who works in IT knows what he's doing. You'd be amazed how many people bluffed their way into IT jobs and then made themselves comfortable by making things so convoluted that they couldn't be easily replaced.
"It's not evil for God to do it. Or for someone to do it at God's command."- Jonathan Boyd on baby-killing

"you guys are fascinated with the use of those "rules of logic" to the extent that you don't really want to discussus anything."- GC

"I do not believe Russian Roulette is a stupid act" - Embracer of Darkness

"Viagra commercials appear to save lives" - tharkûn on US health care.

http://www.stardestroyer.net/Mike/RantMode/Blurbs.html
White Haven
Sith Acolyte
Posts: 6360
Joined: 2004-05-17 03:14pm
Location: The North Remembers, When It Can Be Bothered

Post by White Haven »

Ooh boy, that one. Vista Antivirus 2008, XP Antivirus 2008, XP Antivirus 2009, Malware Protector 2008...all the same thing, and all of a new strain and/or distribution method that's EXPLODED over the last week or so. Easily 2/3 of the systems I worked on from customers this past week were that little vicious bastard, not sure how, but it's been incredibly fast-spreading.
Chronological Incontinence: Time warps around the poster. The thread topic winks out of existence and reappears in 1d10 posts.

Out of Context Theatre, this week starring Darth Nostril.
-'If you really want to fuck with these idiots tell them that there is a vaccine for chemtrails.'

Fiction!: The Final War (Bolo/Lovecraft) (Ch 7 9/15/11), Living (D&D, Complete)
Kodiak
Jedi Master
Posts: 1400
Joined: 2005-07-08 02:19pm
Location: The City in the Country

Post by Kodiak »

Darth Wong wrote: I think it needs to be pointed out that not everyone who works in IT knows what he's doing. You'd be amazed how many people bluffed their way into IT jobs and then made themselves comfortable by making things so convoluted that they couldn't be easily replaced.
Fair enough. I do know that I'm familiar enough with computers to know when something is not a "garden variety" computer virus. My buddy got my system up and running again, and without further incident. After reading online blogs about this virus, it seems that this one truly is a monster and my friend did everything right.
Darth Wong
Sith Lord
Posts: 70028
Joined: 2002-07-03 12:25am
Location: Toronto, Canada

Post by Darth Wong »

How does it spread? Does it tell you to click on something, like most E-mail viruses, or is it taking advantage of some system vulnerability?
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Post by General Zod »

Darth Wong wrote: How does it spread? Does it tell you to click on something, like most E-mail viruses, or is it taking advantage of some system vulnerability?
Every version of it I've ever seen try to get me, you have to actually click on it. So it depends more upon user ignorance than anything really high-tech.
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Post by Stark »

Darth Wong wrote: How does it spread? Does it tell you to click on something, like most E-mail viruses, or is it taking advantage of some system vulnerability?
Depending on the version, after the first 'foolish click' it visually impersonates the Windows security dialogs, looking 'legitimate' and doing an end-run around the whole 'do you trust this software' popup thing.
Kodiak
Jedi Master
Posts: 1400
Joined: 2005-07-08 02:19pm
Location: The City in the Country

Post by Kodiak »

Stark wrote:
Darth Wong wrote: How does it spread? Does it tell you to click on something, like most E-mail viruses, or is it taking advantage of some system vulnerability?
Depending on the version, after the first 'foolish click' it visually impersonates the Windows security dialogs, looking 'legitimate' and doing an end-run around the whole 'do you trust this software' popup thing.
Yes, that was the kicker. It so accurately portrayed an honest-to-goodness Windows security dialog that I didn't even see it coming. It all started with a click on an e-mail that looked like my friend sending me a link to a funny video. Most insidious.
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Post by General Zod »

Kodiak wrote: Yes, that was the kicker. It so accurately portrayed honest-to-goodness windows security dialog that I didn't even see it coming. It all started with a click on an e-mail that looked like my friend sending me a link to a funny video. Most insidious.
I've seen the link in question, and it doesn't really even look all that accurate unless you're not paying attention to what you're clicking at all. It looks more like someone made a .gif in Photoshop but saved it at such a shitty resolution that it winds up looking slightly fuzzy.
Kitsune
Sith Devotee
Posts: 3412
Joined: 2003-04-05 10:52pm
Location: Foxes Den

Post by Kitsune »

Don't security updates come with the little yellow shield as part of updates?
"He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself."
Thomas Paine

"For the living know that they shall die: but the dead know not any thing, neither have they any more a reward; for the memory of them is forgotten."
Ecclesiastes 9:5 (KJV)
loomer
Sith Marauder
Posts: 4260
Joined: 2005-11-20 07:57am

Post by loomer »

I would like to suggest that in future, you keep your credit card the fuck away from the internet, even when using reputable websites.

Just use a bloody gift card. Sure, you pay like, five dollars more (here in Aus), but it's a small price to pay for the added security (and anonymity).
"Doctors keep their scalpels and other instruments handy, for emergencies. Keep your philosophy ready too—ready to understand heaven and earth. In everything you do, even the smallest thing, remember the chain that links them. Nothing earthly succeeds by ignoring heaven, nothing heavenly by ignoring the earth." M.A.A.A
Resinence
Jedi Knight
Posts: 847
Joined: 2006-05-06 08:00am
Location: Australia

Post by Resinence »

I've seen a lot of this thing recently, and had to fix it via a remote connection yesterday (now THAT sucks ass...).

Here's the batch file I used, if anyone needs to quickly get rid of this fucker:
@ECHO OFF
REM Run from an elevated (Administrator) command prompt.
REM Unregister the two DLLs the rogue AV hooks into (as in the posted version); /s keeps it silent
regsvr32 /u /s shlwapi.dll
regsvr32 /u /s wininet.dll
REM "net stop" only stops services; the rogue AV runs as ordinary processes,
REM so kill them by image name instead
taskkill /F /IM vav.exe
taskkill /F /IM XPAntivirus.exe
taskkill /F /IM XPAntivirusUpdate.exe
taskkill /F /IM xpa.exe
taskkill /F /IM xpa2008.exe
REM Remove the install folders from both Program Files locations.
REM ("del" on a folder only empties it of files; "rd /S" removes the whole tree.)
for %%P in ("%ProgramFiles%" "%ProgramFiles(x86)%") do (
    if exist "%%~P\VAV" rd /S /Q "%%~P\VAV"
    if exist "%%~P\XP Antivirus" rd /S /Q "%%~P\XP Antivirus"
)
REM The product's key lives in the current user's hive; HKEY_USERS\Software is
REM not a valid registry path. /f suppresses the confirmation prompt.
reg delete "HKCU\Software\XP antivirus" /f
There will still be some shortcuts and stuff around, but the program will be crippled, so you can just remove the shortcuts yourself with rightclick when you see them.
“Most people are other people. Their thoughts are someone else's opinions, their lives a mimicry, their passions a quotation.” - Oscar Wilde.
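The batch file above removes things blind. As a read-only triage step to run before deleting anything, here is a PowerShell script, added as an example and not taken from Resinence's post, that looks for the same indicators the batch file targets (the process names, the two program folders, and the product's registry key) and only reports what it finds. The Explorer policy and Run key checks are assumptions about where the Start menu / Run lockout Kodiak describes and any autostart entry would live, and the product key is read from HKCU on the assumption that the post's "HKEY_USERS\Software" path meant the current user's hive. The syntax is kept PowerShell 2.0-compatible so it also works on Vista-era machines.

```powershell
# Read-only triage for the XP/VISTA Antivirus 2008 rogue-AV family.
# Added example (not the batch file from the post). Process names, folder names
# and the product registry key come from that post; the Explorer-policy and Run-key
# checks are assumptions about where the described lockout and autostart would live.
# Nothing here kills, deletes or changes anything.

$processNames = @('vav', 'XPAntivirus', 'XPAntivirusUpdate', 'xpa', 'xpa2008')
$folderNames  = @('VAV', 'XP Antivirus')
$programDirs  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$rogueKey     = 'HKCU:\Software\XP antivirus'   # post wrote HKEY_USERS\Software; assumed to mean HKCU
$policyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RogueAvIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Running processes with the image names the batch file tried to stop
    foreach ($name in $processNames) {
        Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
            $findings.Add("Process running: $($_.ProcessName) (PID $($_.Id)) Path=$($_.Path)")
        }
    }

    # 2. Install folders under Program Files and, on 64-bit, Program Files (x86)
    foreach ($dir in $programDirs) {
        foreach ($folder in $folderNames) {
            $path = Join-Path -Path $dir -ChildPath $folder
            if (Test-Path -LiteralPath $path) {
                $count = @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue |
                           Where-Object { -not $_.PSIsContainer }).Count
                $findings.Add("Folder present: $path ($count files)")
            }
        }
    }

    # 3. The product's own registry key
    if (Test-Path -LiteralPath $rogueKey) {
        $findings.Add("Registry key present: $rogueKey")
    }

    # 4. Explorer restriction policies (assumed mechanism for the Start menu / Run / My Computer lockout).
    #    Any value set here for a home user is worth a look.
    if (Test-Path -LiteralPath $policyKey) {
        (Get-ItemProperty -LiteralPath $policyKey).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $findings.Add("Explorer policy set: $($_.Name) = $($_.Value)") }
    }

    # 5. Per-user autostart entries whose command line mentions one of the rogue names
    #    (assumption: this is where the program would make itself restart at logon)
    if (Test-Path -LiteralPath $runKey) {
        $pattern = (($processNames + $folderNames) | ForEach-Object { [regex]::Escape($_) }) -join '|'
        (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match $pattern } |
            ForEach-Object { $findings.Add("Run entry: $($_.Name) = $($_.Value)") }
    }

    $findings.ToArray()
}

$result = @(Get-RogueAvIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No indicators of this rogue AV found for the current user.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it as the user whose profile is affected (the product key and policies are per-user), read the list, and only then decide what to remove; the Explorer policy values it prints are also what you would reset to get the Start menu and Run prompt back.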
Dominus Atheos
Sith Marauder
Posts: 3905
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

General Zod wrote:
Darth Wong wrote: How does it spread? Does it tell you to click on something, like most E-mail viruses, or is it taking advantage of some system vulnerability?
Every version of it I've ever seen try and get me you have to actually click on it. So it depends more upon user ignorance than anything really high-tech.
Assuming he's actually on Windows Vista, and he didn't turn UAC off, there should have been several warning dialog boxes pop up, one from Internet Explorer, one from UAC, and one from Windows Defender, before it could install on his system.

Of course anyone who turns UAC off is an idiot, and deserves whatever they get. If someone posted on one of the Linux forums I'm a member of that something bad had happened to his computer because he always ran as Root, I'd laugh my ass off. (Even though I've been tempted to do so several times on my Linux install. Of course my admin password contains lower case letters, uppercase letters, numbers, and symbols. Anyone who whines about clicking a continue button doesn't deserve to have a computer.)
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Post by Stark »

A dialog box people don't understand isn't very useful; most people just learn habits, not a deep understanding of their computer, and they quickly simply click through the popups. It's not smart, but that's the reality, and that's the world viruses live in. Denying it simply makes you a useless security commentator.
Resinence
Jedi Knight
Posts: 847
Joined: 2006-05-06 08:00am
Location: Australia

Post by Resinence »

And the default Vista account doesn't require a password to elevate privileges. So they basically just learn to hit continue, because "that makes the thingie work gud, cancle makes it not work gud". :)
Glocksman
Emperor's Hand
Posts: 7233
Joined: 2002-09-03 06:43pm
Location: Mr. Five by Five

Post by Glocksman »

Dominus Atheos wrote:
General Zod wrote:
Darth Wong wrote: How does it spread? Does it tell you to click on something, like most E-mail viruses, or is it taking advantage of some system vulnerability?
Every version of it I've ever seen try and get me you have to actually click on it. So it depends more upon user ignorance than anything really high-tech.
Assuming he's actually on Windows Vista, and he didn't turn UAC off, there should have been several warning dialog boxes pop up, one from Internet Explorer, one from UAC, and one from Windows Defender, before it could install on his system.

Of course anyone who turns UAC off is an idiot, and deserves whatever they get. If someone posted on one of the Linux forums I'm a member of that something bad had happened to his computer because he always ran as Root, I'd laugh my ass off. (Even though I've been tempted to do so several times on my Linux install. Of course my admin password contains lower case letters, uppercase letters, numbers, and symbols. Anyone who whines about clicking a continue button doesn't deserve to have a computer.)
I was surfing my local paper's site and had it pop up twice within a half hour, and got the Internet Explorer warning about it trying to install some kind of cab file each time.
I naturally tried shutting the browser down, but had two more popups occur while I was shutting down the existing ones asking if I was *sure* that I wanted to leave my system vulnerable because the 'scan' found 20 threats. :lol:

Anyway, Vista (I left UAC on) didn't warn me of anything during or after the events, but paranoid old me ran a deep virus scan using the most 'secure' options, but my AV app (NOD 32 3.0) came up clean.
"You say that it is your custom to burn widows. Very well. We also have a custom: when men burn a woman alive, we tie a rope around their necks and we hang them. Build your funeral pyre; beside it, my carpenters will build a gallows. You may follow your custom. And then we will follow ours."- General Sir Charles Napier

Oderint dum metuant
Dominus Atheos
Sith Marauder
Posts: 3905
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

Resinence wrote: And the default Vista account doesn't require a password to elevate privileges. So they basically just learn to hit continue, because "that makes the thingie work gud, cancle makes it not work gud". :)
The problem is even with just the continue button, people still complain it's annoying. If it actually required you to enter your password, even more people would turn it off. Hell, I completely understand why it's necessary and like I said, even I've been tempted to just run as root all the time.
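The setting Resinence and Dominus Atheos are arguing about is a registry policy, so it can be checked. This PowerShell snippet is an added example (not code from either post): it reads the UAC policy values and says in plain words whether an administrator on the machine gets the consent-only "Continue" prompt, a password prompt, or no prompt at all. The key and value names (EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser, PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) and the meaning of each number are the ones documented for Vista and later; treating a missing value as the OS default is an assumption made here.

```powershell
# Report how UAC is configured on this machine: on/off, and whether an
# administrator is asked to click Continue, to type a password, or nothing at all.
# Added example, not code from the thread. Reads only; no changes are made.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin values (Vista and later)
$adminPromptMeaning = @{
    0 = 'Elevate silently: no prompt at all'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop (click Continue; the Vista default)'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries only'
}
# ConsentPromptBehaviorUser values for standard (non-administrator) users
$userPromptMeaning = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

function Get-UacPosture {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction Stop

    # Missing values are treated as the OS default (assumption): UAC on, consent prompt.
    $enabled    = if ($null -eq $p.EnableLUA) { $true } else { [int]$p.EnableLUA -eq 1 }
    $adminMode  = $p.ConsentPromptBehaviorAdmin
    $userMode   = $p.ConsentPromptBehaviorUser
    $secureDesk = if ($null -eq $p.PromptOnSecureDesktop) { $true } else { [int]$p.PromptOnSecureDesktop -eq 1 }

    $adminText = if ($null -eq $adminMode) { 'not set (OS default applies)' } else { $adminPromptMeaning[[int]$adminMode] }
    $userText  = if ($null -eq $userMode)  { 'not set (OS default applies)' } else { $userPromptMeaning[[int]$userMode] }

    # The point made in the thread: the consent-only modes (2, 4, 5) let an
    # administrator wave a prompt through with one click, no password required.
    $verdict = if (-not $enabled) {
                   'UAC is OFF: whatever the user runs gets full administrator rights with no prompt'
               } elseif ($null -ne $adminMode -and [int]$adminMode -eq 0) {
                   'UAC is on, but administrators elevate silently: equivalent to off for them'
               } elseif (@(1, 3) -contains [int]$adminMode) {
                   'Administrators must type a password to elevate'
               } else {
                   'Administrators elevate with a single Continue click, no password (the case Resinence describes)'
               }

    New-Object PSObject -Property @{
        UacEnabled            = $enabled
        AdminPromptBehavior   = $adminText
        StandardUserBehavior  = $userText
        PromptOnSecureDesktop = $secureDesk
        Verdict               = $verdict
    }
}

Get-UacPosture | Format-List
```

Reading the key needs no elevation. If the output says administrators elevate with a click only, the stricter setting is ConsentPromptBehaviorAdmin = 1 (credentials on the secure desktop), which is exactly the "it would ask for a password" behaviour the posts above say most people would not tolerate; an even better answer for a family machine is a standard user account for day-to-day use, so the prompt asks for a separate admin password.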
Dominus Atheos
Sith Marauder
Posts: 3905
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

Stark wrote: A dialog box people don't understand isn't very useful; most people just learn habits, not a deep understanding of their computer, and they quickly simply click through the popups. It's not smart, but that's the reality, and that's the world viruses live in. Denying it simply makes you a useless security commentator.
If you have a better security model that people won't simply turn off, I'd love to hear it.
Dominus Atheos
Sith Marauder
Posts: 3905
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Post by Dominus Atheos »

Glocksman wrote:
Dominus Atheos wrote:
General Zod wrote: Every version of it I've ever seen try and get me you have to actually click on it. So it depends more upon user ignorance than anything really high-tech.
Assuming he's actually on Windows Vista, and he didn't turn UAC off, there should have been several warning dialog boxes pop up, one from Internet Explorer, one from UAC, and one from Windows Defender, before it could install on his system.

Of course anyone who turns UAC off is an idiot, and deserves whatever they get. If someone posted on one of the Linux forums I'm a member of that something bad had happened to his computer because he always ran as Root, I'd laugh my ass off. (Even though I've been tempted to do so several times on my Linux install. Of course my admin password contains lower case letters, uppercase letters, numbers, and symbols. Anyone who whines about clicking a continue button doesn't deserve to have a computer.)
I was surfing my local paper's site and had it pop up twice within a half hour, and got the Internet Explorer warning about it trying to install some kind of cab file each time.
I naturally tried shutting the browser down, but had two more popups occur while I was shutting down the existing ones asking if I was *sure* that I wanted to leave my system vulnerable because the 'scan' found 20 threats. :lol:

Anyway, Vista (I left UAC on) didn't warn me of anything during or after the events, but paranoid old me ran a deep virus scan using the most 'secure' options, but my AV app (NOD 32 3.0) came up clean.
Yep, if you had been using XP or had turned UAC off, that would have installed spyware without you even knowing it, requiring you to go through all the trouble Kodiak went through or even worse: reformat your hard drive, losing all the data you have on it. Anyone who says UAC isn't worth it is a moron.
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Post by Stark »

Dominus Atheos wrote: If you have a better security model that people won't simply turn off, I'd love to hear it.
Don't be a dumbass. I just pointed out being an elitist idiot isn't helping, your goal-post shifting is irrelevant. If you're going to talk security, the people involved are often the weakest element, and simply saying ZOMG 99% OF WORLD DON'T DESERVE TO HAVE COMPUTERS is utterly useless. Next you'll say people who write down their passwords don't deserve to use a computer, instead of it being an issue that every security scheme needs to consider. You know, that planning and thinking part, not the part where you make worthless ivory-tower statements?

Even more amusing, most people DON'T turn UAC off, because they don't even know how. They just get used to clicking through it, and most people have no idea what the information presented even means. I guess they failed the Atheos Computer Licence Exam. :lol: UAC is good, but it's never going to be able to stop your average idiot fucking themselves up (and if it could they'd just complain about 'limitations' or 'crippleware' or 'nags' or whatever).
General Zod
Never Shuts Up
Posts: 29211
Joined: 2003-11-18 03:08pm
Location: The Clearance Rack

Post by General Zod »

Dominus Atheos wrote: Yep, if you had been using XP or had turned UAC off, that would have installed spyware without you even knowing it, requiring you to go through all the trouble Kodiak went through or even worse: reformat your hard drive, losing all the data you have on it. Anyone who says UAC isn't worth it is a moron.
Utter nonsense. I'm using XP Professional and I've never had any of that bullshit malware installed. Why? Because I don't blindly click every single link I see.
Stark
Emperor's Hand
Posts: 36169
Joined: 2002-07-03 09:56pm
Location: Brisbane, Australia

Post by Stark »

I'm pretty sure he means that without UAC, there's no additional step between 'click link' and 'you're fucked'. It provides a moment for the user to realise 'oh shit' and save themselves, even if it's not very useful for ordinary users since they lack the knowledge to make that determination.