Malware masquerading as Microsoft Security Essentials?

Dennis

Does anyone know of malware that might masquerade as Microsoft Security
Essentials? My mother, who is 80+ years old, has a PC that I gave her
several years ago. I configured it for her and update it every time she
visits (she lives 500 miles from me). I never installed Microsoft
Security Essentials. Suddenly she is getting a popup claiming to be from
Microsoft Security Essentials saying it has detected a severe threat.
Not being there to actually see what is going on, I am suspicious that
she inadvertently downloaded some malware.
 
Beauregard T. Shagnasty

Dennis said:
Does anyone know of malware that might masquerade as Microsoft
Security Essentials?

I personally am not aware of any.
My mother, who is 80+ years old, has a PC that I gave her several
years ago. I configured it for her and update it every time she
visits (she lives 500 miles from me). I never installed Microsoft
Security Essentials. Suddenly she is getting a popup claiming to be
from Microsoft Security Essentials saying it has detected a severe
threat. Not being there to actually see what is going on, I am
suspicious that she inadvertently downloaded some malware.

I think you will find she installed it from Windows Update .. where it
appeared, and needs to be physically/manually UNchecked to refuse it.
And it will continue to re-arrive checked.

I had the same kind of situation with my mother 250 miles away (who died
at 87), so my brother and I told her not to accept any kinds of updates
or software installation, and to let us do it. Fortunately my brother
was close by. I bought her her first computer for her 80th birthday.
 
Dennis

I think you will find she installed it from Windows Update .. where it
appeared, and needs to be physically/manually UNchecked to refuse it.
And it will continue to re-arrive checked.

I had turned her Automatic Windows Updates off. Unless she turned it on
somehow this shouldn't be the problem.

Can Microsoft Security Essentials even coexist with her other real-time
scanner ... Avira Free?
I had the same kind of situation with my mother 250 miles away (who died
at 87), so my brother and I told her not to accept any kinds of updates
or software installation, and to let us do it. Fortunately my brother
was close by. I bought her her first computer for her 80th birthday.

Same here. I keep telling her not to open attachments, not to install
software when offered, and not to visit websites except for the few she
always visits (QVC, etc.). But she obviously has done something.

I told her to turn it off and take it up to the local computer repair
store and ask them what it might be. It's hard to troubleshoot something
like this from a distance. ;-)
 
Dennis

Can Microsoft Security Essentials even coexist with her other real-time
scanner ... Avira Free?

Correction ... she still has AVG.

***

Follow-up: I walked her thru the steps to check to see if "Windows
Automatic Updates" was turned on. She says it is turned off.

I had her look thru Add or Remove Programs to see if Microsoft Security
Essentials was installed. She couldn't find it under the list of
installed programs that began with "Microsoft*".

I asked her to start AVG in order to perform a scan. She said AVG
wouldn't start.

I then asked her to start Task Manager to see what was running. That
wouldn't start.

Granted, she is 82 years old and may not be performing these steps
correctly, but I am beginning to think something is amiss. ;-)
 
FromTheRafters

Dennis said:
Does anyone know of malware that might masquerade as Microsoft Security
Essentials?

Many of the rogue security application (scareware/FakeAV) servers have
the capability to use a list of names and skins to make them look like
products that the intended victim might be familiar with and therefore
trust.
My mother, who is 80+ years old, has a PC that I gave her several
years ago. I configured it for her and update it every time she
visits (she lives 500 miles from me). I never installed Microsoft
Security Essentials. Suddenly she is getting a popup claiming to be
from Microsoft Security Essentials saying it has detected a severe
threat. Not being there to actually see what is going on, I am
suspicious that she inadvertently downloaded some malware.

The pop-up can be ignored (although that might be risky) or closed by
using (ctrl+alt+del) task manager. If it is clicked on, a visit to their
"bad" website results from a script which will run that pretends to be a
scan in progress, and informs you that you are infected with everything
under the sun and that you should do even more clicking to fix the
problem...and you know where that leads.

If *you* see the pop-up, you can use task manager to locate the (Message
from Webpage/Internet Explorer) entry which when right-clicked gives you
the option to "maximize" the window where the rogue's IP address or name
can be found in the address bar.

A real security program pop-up will *not* be a webpage made to look like
a security program pop-up.

If she has actually executed the malware, then you will need to attempt
removal.
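Turning FromTheRafters' rule of thumb (a genuine product alert is never a browser window) into a triage check. This is an added example, not code from the thread or from any product; the window list, process names and the rogue host address are constructed, and it assumes you can export (window title, owning process, page URL) tuples from the affected machine:

```python
from urllib.parse import urlparse

# Browser image names: a "security alert" drawn by one of these is a web page,
# not the product's own window (the key observation in the thread).
BROWSER_PROCESSES = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# Brand strings a FakeAV skin borrows so the victim recognises the name.
SECURITY_BRANDS = ("security essentials", "antivirus", "avg", "avira")

# Constructed sample (not captured data): (window title, owning process, URL or None).
# 198.51.100.23 is an RFC 5737 documentation address standing in for the rogue host.
SAMPLE_WINDOWS = [
    ("Microsoft Security Essentials Alert - Windows Internet Explorer",
     "iexplore.exe", "http://198.51.100.23/scan.php"),
    ("Message from webpage", "iexplore.exe", None),
    ("AVG Free Edition", "avgui.exe", None),
    ("Inbox - Eudora", "eudora.exe", None),
]


def classify_window(title, process, url=None):
    """Return (verdict, host) for one top-level window.

    verdict: "fake_alert" (security brand shown in a browser-owned window),
             "webpage_dialog" (the IE script dialog the thread describes), or "ok".
    host:    hostname from the URL when one is known, for blocking or reporting.
    """
    t, p = title.lower(), process.lower()
    host = urlparse(url).hostname if url else None
    if p in BROWSER_PROCESSES and any(brand in t for brand in SECURITY_BRANDS):
        return "fake_alert", host
    if p in BROWSER_PROCESSES and t.startswith("message from webpage"):
        return "webpage_dialog", host
    return "ok", host


def triage(windows):
    """Run classify_window over (title, process, url) tuples; keep only findings."""
    findings = []
    for title, process, url in windows:
        verdict, host = classify_window(title, process, url)
        if verdict != "ok":
            findings.append((title, process, verdict, host))
    return findings


if __name__ == "__main__":
    for title, process, verdict, host in triage(SAMPLE_WINDOWS):
        print(f"{verdict:15} {process:13} host={host}  {title}")
```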
 
David H. Lipman

From: "Dennis" <[email protected]>

| Does anyone know of malware that might masquerade as Microsoft Security
| Essentials? My mother, who is 80+ years old, has a PC that I gave her
| several years ago. I configured it for her and update it every time she
| visits (she lives 500 miles from me). I never installed Microsoft
| Security Essentials. Suddenly she is getting a popup claiming to be from
| Microsoft Security Essentials saying it has detected a severe threat.
| Not being there to actually see what is going on, I am suspicious that
| she inadvertently downloaded some malware.

YES !

http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert
 
Dennis

From: "Dennis" <[email protected]>

| Does anyone know of malware that might masquerade as Microsoft Security
| Essentials? My mother, who is 80+ years old, has a PC that I gave her
| several years ago. I configured it for her and update it every time she
| visits (she lives 500 miles from me). I never installed Microsoft
| Security Essentials. Suddenly she is getting a popup claiming to be from
| Microsoft Security Essentials saying it has detected a severe threat.
| Not being there to actually see what is going on, I am suspicious that
| she inadvertently downloaded some malware.

YES !

http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert

BINGO! Sounds like the problem! I just called my mom and told her to
FedEx the pc to me so I can fix it.

I wonder how new this malware is and how she got it. She claims she
didn't visit any unusual websites nor open any attachments. But who
knows...

Thanks David!
 
David H. Lipman

From: "Dennis" <[email protected]>

| On Wed, 6 Oct 2010 16:55:15 -0400, "David H. Lipman"

| BINGO! Sounds like the problem! I just called my mom and told her to
| FedEx the pc to me so I can fix it.

| I wonder how new this malware is and how she got it. She claims she
| didn't visit any unusual websites nor open any attachments. But who
| knows...

| Thanks David!

Malwarebytes' personnel and Grinler (BleepingComputer) have been tracking it for 2~3
weeks.

Malwarebytes' Anti Malware (MBAM) should be effective on it.

There are chances she mistakenly clicked on something. It may have been dormant for a
period.

There is also a chance it was installed through the vulnerability/exploit vector without
her knowledge.
 
David H. Lipman

From: "Li'l Abner" <[email protected]>


| I ran into it 3 days ago on a computer that was infected with all sorts of
| things as per my post in alt.privacy.spyware. The subject line in that
| thread was "AntivirusGT" which was what I started out with. The fake MSE
| came along after I had gotten rid of the GT one. It turns out it had a
| rootkit infection in the master boot record called Rootkit Whistler.
| ComboFix detected it but didn't fix it. fixmbr in the recovery console is
| what finally ended it all. I really have no idea if the fake MSE thing was
| connected or not. I kind of doubt it.

You said...
"...fixmbr in the recovery console is what finally ended it all."

I can only surmise you had that rare variant of the TDSS that actually trojanizes the MBR.
 
mm

I had turned her Automatic Windows Updates off. Unless she turned it on
somehow this shouldn't be the problem.

Can Microsoft Security Essentials even coexist with her other real-time
scanner ... Avira Free?

I don't know about those two, but I had Norton AV and AVG real-time
scanners running together for 2 years or more, with never a problem.

I disabled one for a day or two and figured out which one generated
which message, that is, which one was finding the viruses (because
only one message would appear) but I forget which one it was. Might
have to do with which one I installed first, I suppose.

Whichever one it was, it found the virus etc. 98 % of the time. But
about 1 time out of 50, or maybe 1 out of 15, the other one did, which
I guess means that the first one failed to find something. That just
made me want to keep them both, despite the warnings I read.

In 2 years the second one found a virus 3 or 4 times, which would mean
that the first one found something 45 or 60 times. That might be about
right.

I couldn't draw many conclusions from 3 or 4 examples, but iirc the
*name* of the virus was, all but maybe the first time when I didn't
pay attention, only one word, with no period or extension. But then
again, those don't reflect anything about the actual file, do they?

Oh, yeah, eventually I had my email program, Eudora, set, and it's
still set, to not dl any email that was greater than 40K, which
allowed almost all the real emails, but very few virus attachments
were small enough to get by. (When an email is too big, Eudora will
still dl the first thousand bytes or something, mostly the headers. If
I look at the headers and subject, I decide I want the email, Eudora
allows easy 1 by 1 exceptions, and it gets the whole email.)

Same here. I keep telling her not to open attachments, not to install
software when offered, and not to visit websites except for the few she
always visits (QVC, etc.). But she obviously has done something.

I posted to say that last Thursday, I got the Microsoft Security
Essentials virus this thread is about, on a friend's computer.

I had her computer because after the XP welcome to windows screen, she
got a blue screen with text, and could go no further.

There's a thread here up about a week or less that describes what
happened, but in short, AVG on a flash drive got rid of what it called
CRYPTIC.AZC, and the computer worked for about 10 minutes, when a fake
Microsoft Sec. Ess. told me I had a problem.

I fell for it and clicked on something, and in the last 16 hours I've
removed 57 instances of 15 or 20 different malware. But I didn't click
on any attachments, I hadn't installed any software, and I don't think
I even opened the web browser. So maybe your mother didn't either.

Did I get them all in the 10 minutes the computer was running
before the new problem started?
Or in the 10 minutes or so it ran afterwards, though not connected
to the net, when viruses whose files were already present might have
installed themselves?
Or did the computer have it when I got the computer, but AVG didn't
find it all, and it flourished after I started windows to completion?
 
mm

Correction ... she still has AVG.

***

Follow-up: I walked her thru the steps to check to see if "Windows
Automatic Updates" was turned on. She says it is turned off.

I had her look thru Add or Remove Programs to see if Microsoft Security
Essentials was installed. She couldn't find it under the list of
installed programs that began with "Microsoft*".

I asked her to start AVG in order to perform a scan. She said AVG
wouldn't start.

I then asked her to start Task Manager to see what was running. That
wouldn't start.

Granted, she is 82 years old and may not be performing these steps
correctly, but I am beginning to think something is amiss. ;-)

No no, she's right. Task Manager wouldn't start for me either with
the phoney-MSE problem, and my other friend couldn't start her AVG
with whatever problem she has.
 
Beauregard T. Shagnasty

mm said:
Whichever one it was, it found the virus etc. 98 % of the time. But
about 1 time out of 50, or maybe 1 out of 15, the other one did, ...

What is it you do with your computer that you find 50 (or even 15)
viruses in apparently only a few-year period?

I haven't found as many as 50 viruses ever, since I got my first home PC
nearly three decades ago!
 
Dennis

LOL! FedEx it to me, I do call saying that too many times to my mom
when she had a laptop computer I gave her. :)

I actually said "FedEx your PC to me." She replied "What's a PC?"

No wonder I'm losing my hair!
 
mm

What is it you do with your computer that you find 50 (or even 15)
viruses in apparently only a few-year period?

I haven't found as many as 50 viruses ever, since I got my first home PC
nearly three decades ago!

These were in emails I was being sent, not by anyone I know, probably
from those who got my address from Usenet. So the answer to your
question is probably that with some ngs, I haven't munged my email
address, or that the bad guys managed to unmung it.

But I've only gotten one by email in the last couple years.

I also a few years ago stopped getting email for pornography. Does
anyone know why?

And I realize some time in the last 6 months I stopped getting email
to buy prescription drugs. Anyone know why?
 
Dennis

I use the locally-installed version.

As opposed to the browser based version?

I am definitely going to look into installing this after I clean up my
mom's PC.
 
(PeteCresswell)

Per Dennis:
As opposed to the browser based version?

I am definitely going to look into installing this after I clean up my
mom's PC.

Yes. I have not looked into the browser-based version but from
context of the advertisements I've received it seems like it
promises the ability to connect to a PC that has no TeamViewer
software installed on it.

Dunno what the tradeoffs are - or even if I've got it right - but
it seems like a way to get the local app installed on the remote
PC without driving to it if nothing else. And who knows? Maybe
the tradeoffs aren't all that bad and the browser version would
be 100% sufficient.

I used to use Remote Desktop. But RD takes awhile to get going
- especially if you VPN to the remote PC. The TeamViewer
connection comes up almost instantaneously: doubleclick the name
of the remote PC on TeamViewer's list and *Shazam!*... you're
looking at the desktop.
 
(PeteCresswell)

Per Dennis:
I actually said "FedEx your PC to me." She replied "What's a PC?"

No wonder I'm losing my hair!

That's where I am with all my extended family users.

Then I have to go to work and interact with really-sophisticated
users who, I fear, sometimes think I am patronizing them when I
forget who I'm working with.
 
Dennis

doubleclick the name
of the remote PC on TeamViewer's list and *Shazam!*... you're
looking at the desktop.

Sounds like the locally installed copy on the remote PC is always
running in the background.

I'm not sure TeamViewer would have helped in this situation ... don't
know if the malware on my mom's PC would have allowed TeamViewer to
connect. But it sounds worthwhile for a lot of the other "support" phone
calls I get from my mom. Trying to imagine what exactly she is doing or
talking about is a real challenge.
 
