Sunday, February 28, 2010

Your computer has been infected! With the latest fake Anti-Virus software, that is.

If you are using a PC, chances are pretty good that you have some kind of Anti-Virus (AV) software installed on your computer. And more likely than not, the AV software you are using has, in the past, prompted you for some virus or suspicious program it has found, very much like the image shown here:

There is one catch, however. The Anti-Virus program shown in action here is actually a fake! This piece of software is itself the virus! Welcome to the latest and greatest fake Anti-Virus market, where you can find Anti-Virus 2010, Spyware Protect, or any other program that sounds like real AV software but is in reality just as malicious as any other virus. This is the world of fake AV software, where the rogue scumware writers have made millions with fake anti-malware software that is in fact a virus itself.

The first image shown above is just one of the many incarnations (other names used by this malware include Anti-Spyare, XP Guardian, and XP Internet Security) of the rogue malware called Anti-Virus 2010, which, not surprisingly, is the latest update to the well-known malware called Anti-Virus 2009. Yes, this is an updated version of that malware!

Let's now take a look at all the "features" of this latest incarnation. First, you will notice that the malware will actually register itself with Windows Security Center to make itself look legitimate:

Second, you will see that it will prompt you to register/purchase once the "scan" is done:

And finally, if you click on any of the links you will be brought to a seemingly authentic website that is tailored to this virus:

Quite clever, isn't it? There is even more: this malware randomly picks a name when it infects a computer. Here are two other incarnations of the exact same malware:

Side effects of Anti-Virus 2010

Above we only showed the look and feel of the rogue malware Anti-Virus 2010. Underneath, this malware performs additional activities that will greatly impair the usability of the infected system:
  • It will disable firewall settings on your system.
  • It will disable existing Anti-Virus protection.
  • It will hook the registry keys that control how executable files are opened, so that any time you open a program it will prompt you to purchase Anti-Virus 2010 first.

How to prevent malware like Anti-Virus 2010 from infecting your computer

Here at NovaShield, we believe that a proactive solution like NovaShield Anti-Malware will complete the protection of your computer alongside the other security products you have already installed. This is because NovaShield's approach aims at detecting and stopping new and unknown malware that tries to infect your computer, whereas the more traditional signature-based solutions try to protect your computer against known malware. Hence, when a new piece of malware such as Anti-Virus 2010 tries to spread itself, NovaShield will be able to detect and stop it before it infects your system. A picture is worth a thousand words: here are the actual scanning results from 42 different traditional AV products on the Anti-Virus 2010 sample discussed in this post. You will see that at the time of the scan only three AV products were able to detect this new virus.

How to remove Anti-Virus 2010 if your computer is already infected

NovaShield Anti-Malware can prevent rogueware like Anti-Virus 2010 from infecting your computer. However, if your system was already infected with this malware before NovaShield Anti-Malware was installed, you need to follow these instructions to remove the malware. Then we recommend that you install NovaShield Anti-Malware to prevent future incidents like this.

Thursday, April 2, 2009

Life After the Conficker Worm: Why You Should Be Worried

April 1st, 2009 has now come and gone without a hitch. And despite all the hype around the now world-famous Conficker worm (see the CBS 60 Minutes special and the minute-by-minute war room report from Wired), the damage done by the worm appears to be rather limited. There is no massive outbreak; no meltdown. Armageddon? End of the world? Overstated?

While many people quickly wrote off the Conficker worm as pure hype and brushed it aside, we believe that people should in fact be worried precisely because the Conficker worm remained rather dormant and did not cause any massive damage as predicted. There are two reasons for this cautionary note: one social and one technical.

First, the lack of activity by the Conficker worm on April 1st exemplifies the new kind of threat that average users must constantly be aware of: new breeds of malware tend to remain stealthy and perform malicious activities without triggering users' suspicion. Gone are the days of the Slammer worm and the Blaster worm, where the goal of the malware was to infect as many systems as possible in a short amount of time and subsequently cause massive network problems through DDoS attacks. Today, the majority of malware is designed with financial goals in mind: stealing user IDs, passwords, account numbers, and so on. In the case of the Conficker worm, the fact that the worm stayed off the radar should cause concern not only to security researchers but also to average users.

Second, on the technical front, the Conficker worm demonstrates how sophisticated modern-day malware has become. To highlight the capabilities of the Conficker worm (across all known variants):
  • It has built-in digital signature verification algorithms to verify the authenticity of the malware binary
  • One variant even uses MD6, one of the newest hashing algorithms around
  • The binary is encrypted/packed
  • It has the ability to update itself securely
  • It makes extensive use of anti-debugging techniques
  • It can terminate/block well-known security software
  • It can automatically scan for and infect other systems
The folks at SRI have published an excellent in-depth analysis of the Conficker worm, and it is well worth a read.

Because the Conficker worm can update itself automatically, the capabilities of the worm can change as demanded by the people behind the worm. Install a key logger? Sure. Hijack your web traffic? No problem. Steal some user data? Easy. The options are almost endless. And we will certainly see more variants of the Conficker worm in the future.
And, more importantly, they will run silently in the background.

Saturday, March 28, 2009

New Variants of the Storm Worm invade on Valentine’s Day

On Valentine’s Day (February 14th) 2009, a massive outbreak of the Storm worm flooded the internet with millions of spam emails containing links to malicious websites which, when visited, infect a user’s computer with the Storm worm. Although the Storm worm was first discovered on January 17th, 2007, it has had a remarkably long life because of the incredible number of variants it has (over 50,000). This time is no different, as new variants of the Storm worm were released into the wild through malicious web sites.
The following is part of a spam email sent by the Storm worm:

Subject: A Valentine card for you!
From: “Neddie”
Date: Sat, February 14, 2009 5:36 am

Neddie wants to show you an electronic greeting card and wrote to you:
“I Just Called To Say I Love You”

It is waiting for you at our card site, go ahead and see it:
http://oehee.valentinesupersite.com/?cardid=a36c434555dc7c289e165ea050
The greeting card will be stored for you for 14 days.


If a user clicks on the link in the email, they will be brought to a web site that either directly downloads the malware onto their computer or prompts the user to download the malware disguised as an electronic Valentine’s Day card. The file is aptly named “lovekit.exe” or “postcard.exe” so that the user will not become too suspicious. Once running, the malware makes the following changes to the Windows registry so that it is automatically started each time the system boots:

  • HKLM\software\Microsoft\Windows\CurrentVersion\Run:promoreg=[location of the malware]
  • HKCU\software\Microsoft\Windows\CurrentVersion:MyID
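A defender-side check for the two registry tricks described on this page: the Storm worm's "promoreg" autostart value in the Run key listed above, and the fake-AV post's hooking of the "executable open" key, which I take to be the HKCR\exefile\shell\open\command default value. This is an added example, not code from NovaShield or the original posts; it parses a constructed .reg export (the paths and file names in it are made up) and flags both conditions.

```python
import re

# Constructed .reg export (not from the original posts): the Run key carries the
# "promoreg" value named above, and the exefile open command has been hooked the
# way the fake-AV post describes. Paths and file names are made up for the sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"promoreg"="C:\\Users\\alice\\AppData\\Local\\Temp\\lovekit.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\av2010.exe\" \"%1\" %*"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE = '"%1" %*'  # stock value: launch the .exe itself with its arguments
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def parse_reg(text):
    """Return {key: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')  # "@" is the default value
            # .reg files escape backslashes and quotes inside string data
            keys[current][name] = re.sub(r"\\(.)", r"\1", data.strip('"'))
    return keys

def suspicious_run_entries(keys):
    """Run values whose program lives outside the usual system directories."""
    hits = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        exe = cmd.lstrip('"').split('"')[0].lower()  # path up to the closing quote
        if not exe.startswith(TRUSTED_DIRS):
            hits.append((name, cmd))
    return hits

def exefile_hijacked(keys):
    """True if launching any .exe has been redirected through another program."""
    return keys.get(EXEFILE_KEY, {}).get("@", CLEAN_EXEFILE) != CLEAN_EXEFILE
```

On a live system the same two checks apply to the output of `reg export` for those keys; a Run value pointing into a user's Temp folder or an exefile command that is not the stock `"%1" %*` is worth investigating.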

Because the variants were previously unseen, most of the signature-based Anti-Virus products were not able to detect the worm as of February 16th, 2009, two days after the new variants were released (see Picture 1). This underscores the difficulty traditional signature-based AV vendors have to face:

As we can see, a large majority of the Anti-Virus products were not able to detect these new Storm worm variants more than 48 hours after the initial worm was reported in the wild.