Patient: Vista Virus

Virus
cc photo by Nils Geylen

I was contacted yesterday by a friend who needed urgent help. He said that his work computer had been infected by a virus after clicking a link to a Manga site. Several warning messages popped up saying there were all kinds of viruses on his computer, so he turned off the computer and unplugged the network cable.

His work computer is owned by the company he works for which has their own IT staff. However, he didn’t want them knowing he was browsing non-business related websites, so he came to me.

The first thing I did was boot up the computer to see what was going on. After starting up, it asked for a password to log into Windows Vista. However, he didn’t want to put in his password for fear of a keylogger recording the buttons being pressed.

So instead, I rebooted the computer and used the handy SystemRescueCd to bypass Windows. SystemRescueCd comes with the open source antivirus program called ClamAV. I plugged the network cable back in and updated ClamAV’s virus database. Then, I did a virus scan, which took a while. When the scan was done, ClamAV said 0 files were infected. This was odd because he told me the pop-up warning messages said he had around 40-something viruses infecting his computer.
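Here is the offline-scan procedure described above written out as a shell script for a SystemRescueCd session. This is an added example, not code from the original post: the Windows partition (/dev/sda2), the mount point (/mnt/windows), the log path and the contents of the sample log are assumptions, while the ntfs-3g read-only mount and the freshclam/clamscan invocations are the tools' standard usage. It goes slightly beyond the steps in the post in two ways: the disk is mounted read-only so the scan cannot alter anything on it, and a result of "0 infected" is reported as inconclusive unless the log shows that files were actually scanned.

```shell
#!/bin/sh
# Added example (not from the original post): scan a Windows volume from a
# rescue CD without booting Windows. The device, mount point and log path
# below are assumptions; adjust them for the machine being examined.

# Mount the suspect partition read-only, refresh signatures, scan, unmount.
# Returns clamscan's exit status: 0 clean, 1 infected files found, 2 error.
offline_scan() {
    dev="${1:-/dev/sda2}"          # assumed Windows system partition
    mnt="${2:-/mnt/windows}"       # assumed mount point on the rescue system
    log="${3:-/tmp/clamscan.log}"  # assumed log location (tmpfs on a live CD)
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro "$dev" "$mnt" || return 2
    # A stale database makes a "0 infected" result worth little; say so loudly.
    freshclam || echo "warning: signature update failed, scanning with stale database" >&2
    if clamscan --recursive --infected --log="$log" "$mnt"; then
        rc=0
    else
        rc=$?
    fi
    umount "$mnt"
    return "$rc"
}

# Read a clamscan log and print "<scanned> <infected> <verdict>".
# The verdict is INCONCLUSIVE when no files were scanned: a scan of an empty or
# unmounted directory also reports "Infected files: 0", which proves nothing.
summarize_scan() {
    scanned=$(sed -n 's/^Scanned files: *//p' "$1")
    infected=$(sed -n 's/^Infected files: *//p' "$1")
    scanned="${scanned:-0}"
    infected="${infected:-0}"
    if [ "$scanned" -eq 0 ]; then
        verdict=INCONCLUSIVE
    elif [ "$infected" -gt 0 ]; then
        verdict=INFECTED
    else
        verdict=CLEAN
    fi
    echo "$scanned $infected $verdict"
}

# List the detections themselves (clamscan writes "<path>: <signature> FOUND").
list_detections() {
    grep ' FOUND$' "$1" || true
}

# Constructed sample log in clamscan's summary format, so the parsing above can
# be exercised without a rescue CD or an infected disk at hand. The path and
# signature name are placeholders, not real detections.
write_sample_log() {
    cat > "$1" <<'EOF'
/mnt/windows/Users/Public/setup.exe: Sample.Signature.Placeholder FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1000000
Engine version: 0.103.0
Scanned directories: 3
Scanned files: 5
Infected files: 1
Data scanned: 1.00 MB
Time: 2.000 sec (0 m 2 s)
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
summarize_scan "$sample"     # prints: 5 1 INFECTED
list_detections "$sample"
rm -f "$sample"
```

On a real machine you would call `offline_scan /dev/sdXN /mnt/windows /tmp/clamscan.log` and then `summarize_scan /tmp/clamscan.log`; the verdict is only as good as the signature database, which is why the update runs before the scan and why a failed update is reported rather than silently ignored.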

I felt pretty confident in ClamAV’s results, so I unplugged the network cable and logged into Vista. Sure enough, there were several warning messages popping up saying his computer was severely infected. One of the messages said the antivirus program had expired and that he should purchase a new registration to get rid of all the viruses. The program giving the messages was called Anti-Virus-1.

A simple Google search for “Anti-Virus-1” yielded several results stating that Anti-Virus-1 was a rogue anti-spyware program. Basically, it’s a program that gives you fake warning messages about non-existent viruses to scare you into giving them money to remove them. This was my first experience with such a convincing rogue program. Here’s more info on it and how to get rid of this particular rogue…

http://www.bleepingcomputer.com/forums/topic204619.html

My friend’s goal was to get rid of the virus without his company finding out he was visiting non-business related sites, so I showed him how to delete individual items in Internet Explorer’s history. Then, I advised him to just contact his IT department and tell them about this rogue program and that he didn’t know how it got installed. Hopefully, they’ll just take care of it with no questions asked. I’d offer to do a clean install for him instead of contacting IT; however, I don’t have a copy of the proprietary programs his company uses.

For future reference, I told him to just bring his own laptop to work for browsing personal sites. I’m mostly on a Linux or Mac computer, so I don’t deal with viruses very often. Anyone know a better way I could have handled the situation? I think we were overly paranoid about the keylogging since we already unplugged the network. Also, I could have saved some time by just deleting his browsing history instead of trying to get rid of the virus which his company’s IT staff should be able to handle fine.

Anyways, here are some tips to prevent malware from wreaking havoc…

  • Use a firewall.
  • Use a more secure browser like Firefox.
  • Use a real-time antivirus program like Avast! that auto-updates its virus database.
  • Don’t run programs or open files from untrusted sources.

Anyone know any other helpful tips?
