Malware masquerading as Microsoft Security Essentials?

W

Whoever

Beauregard T. Shagnasty said:
What is it you do with your computer that you find 50 (or even 15)
viruses in apparently only a few-year period?

I haven't found as many as 50 viruses ever, since I got my first home PC
nearly three decades ago!


I received 70+ emails last Saturday alone which were infected. Granted, it
was an unusual number in a single day but I often get at least one or two a
day that have some sort of bug in them.
 
M

mm

Per Dennis:

Yes. I have not looked into the browser-based version but from
context of the advertisements I've received it seems like it
promises the ability to connect to a PC that has no TeamViewer
software installed on it.

So if you wanted to use TeamViewer to run an antivirus scanner from
your computer to work on the other person's, would that work? Or does
there have to be a CD in the cd drive of the person you are helping?
 
F

FromTheRafters

mm said:
I don't know about those two, but I had Norton AV and AVG real-time
scanners running together for 2 years or more, with never a problem.

I disabled one for a day or two and figured out which one generated
which message, that is, which one was finding the viruses (because
only one message would appear) but I forget which one it was. Might
have to do with which one I installed first, I suppose.

Yes, but perhaps more correctly, which one you installed *last*. :blush:)

[...]
 
F

FromTheRafters

Whoever said:
I received 70+ emails last Saturday alone which were infected.
Granted, it
was an unusual number in a single day but I often get at least one or
two a
day that have some sort of bug in them.

:blush:D
 
M

mm

Same here. I keep telling her not to open attachments, not to install
software when offered, and not to visit websites except for the few she
always visits (QVC, etc.). But she obviously has done something.


"The NEW Norton Power Eraser takes on difficult to detect crimeware
known as "scareware" or "rogueware" that cybercriminals use to trick
you into unknowingly downloading threats onto your PC. This growing
form of crimeware uses bogus pop-up alerts or security messages that
scare you into thinking your PC has been infected and needs to be
fixed immediately.

[AS TO YOUR MOTHER, Dennis, ETC. THIS PARAGRAPH ESPECIALLY]
It can be so tricky that it automatically downloads onto your PC even
if you didn’t actively click on anything!

The Norton Power Eraser is specially designed to aggressively target
and eliminate this type of crimeware and restore your PC back to
health.

You should use Power Eraser only when nothing else will remove the
threat and you are willing to accept the risk that the scanner may
quarantine a legitimate program.

Norton Power Eraser BETA
Click here to try out the latest BETA version of Norton Power Eraser

http://security.symantec.com/nbrt/overview.asp?lcid=1033# "

I haven't used this and don't plan too, because I'm pretty sure my
problem won't require it.
 
D

David H. Lipman

From: "Dennis" <[email protected]>

| On Thu, 07 Oct 2010 03:18:07 -0400, Steel

| I actually said "FedEx your PC to me." She replied "What's a PC?"

| No wonder I'm losing my hair!

I was just given a PC that is purported to the have malcious "Microsoft Essential
Security" infection.

After I do my email and Usenet bit, I will be examining it.
 
D

David H. Lipman

From: "mm" <[email protected]>


| So if you wanted to use TeamViewer to run an antivirus scanner from
| your computer to work on the other person's, would that work? Or does
| there have to be a CD in the cd drive of the person you are helping?


Remote Access and Remote Control are two different things.
 
D

Dennis

I was just given a PC that is purported to the have malcious "Microsoft Essential
Security" infection.

After I do my email and Usenet bit, I will be examining it.

Please let us know how the removal goes...
 
D

David H. Lipman

From: "Dennis" <[email protected]>

| On Thu, 7 Oct 2010 17:15:11 -0400, "David H. Lipman"

| Please let us know how the removal goes...

So far...

Old WinXP SP3 w/512MB { arghhhhhh }

Slow as sh!t. Wasn't willing to waste the time. It did have the fake MSE window.

Pulled hard disk and placed it on a surrogate PC and I am using the NEW version of my
Multi AV Scanning Tool, v7, Avira command line scanner module (soon to be relaesed on
PCTipp )

Avira found TR/FakeAV.htg in %appdata% and a malicious Java Jar containing Java/Agent.BH
and a couple more trojans in .CLASS files.
 
D

Dennis

Old WinXP SP3 w/512MB { arghhhhhh }

Sounds like what I will be dealing with.
Avira found TR/FakeAV.htg in %appdata% and a malicious Java Jar containing Java/Agent.BH
and a couple more trojans in .CLASS files.

Are the Jar & .CLASS problems related to the fake MSE window? Or are
they unrelated?
 
D

David H. Lipman

From: "Dennis" <[email protected]>

| On Thu, 7 Oct 2010 19:53:10 -0400, "David H. Lipman"

| Sounds like what I will be dealing with.

| Are the Jar & .CLASS problems related to the fake MSE window? Or are
| they unrelated?

Good questions. It is still being scanned. Noted were malicious HTML files in the IE
cache as well as malicious PDF files.

When I view the total report I'll make an assessment but I presume we have a case the
vulnerability/exploitation coupled with a malcious website.

It could be the vulnerability/exploitation of the PDF or the malicious Java Scripts.

BTW: The was also an Alureon hit on a TMP file in the TEMP folder wihich hints at a TDL3
RootKit. It is still in Program Files so it will take a little while before it hits
..\windows

It took a while before I could even scan it because the chassis was blanketed with dust
and the CPU cooling fan was choked. I always like to do a little PM before I power-up a
platform I'm given to work on.
 
P

(PeteCresswell)

Per mm:
So if you wanted to use TeamViewer to run an antivirus scanner from
your computer to work on the other person's, would that work? Or does
there have to be a CD in the cd drive of the person you are helping?

I would say "Yes" as long as the scanner can run while Windows is
up and running.
 
P

(PeteCresswell)

Per Whoever:
I received 70+ emails last Saturday alone which were infected. Granted, it
was an unusual number in a single day but I often get at least one or two a
day that have some sort of bug in them.

Spam? or from known sources?
 
W

Whoever

Per Whoever:

Spam? or from known sources?


Spam. I average around 1,500 emails a day to a couple of addresses that I
monitor. I run spampal which drops all but ~150 before they get to my email
client. Of those ~150, the majority of them are also spam and auto-trashed
by another set of filters in my email client before I have to see them.
 
B

Buffalo

Steel" <""Fake99XX1199999fake\"@(Big)(Steel)theXfactor.com said:
LOL! FedEx it to me, I do call saying that too many times to my mom
when she had a laptop computer I gave her. :) I am glad that phase
with her ended when the laptop bit the dust and was tossed in the
trash-can. Now she has a cellular phone, and she needs help to
understand that sometimes bless her soul.

:)
Buffalo
 
D

Dennis

The TeamViewer
connection comes up almost instantaneously: doubleclick the name
of the remote PC on TeamViewer's list and *Shazam!*... you're
looking at the desktop.

I looked at the TeamViewer pdf brochures on their website but could not
find an answer to this:

Does the software that is installed on the remote site run in the
background ... waiting for someone with the full version to connect with
it? Or does the remote user have to start a program (TeamViewer
QuickSupport?) every time?
 
M

mm

I looked at the TeamViewer pdf brochures on their website but could not
find an answer to this:

Does the software that is installed on the remote site run in the
background ... waiting for someone with the full version to connect with
it? Or does the remote user have to start a program (TeamViewer
QuickSupport?) every time?

The very first time I think the two sides have to be incommunication
by instant messaging or email or phone, or a personal visit, because
there is some password-type number that has to be relayed to the
remote site.

After that, I haven't installed it yet, (but I laid down the law for
that girl I help and told her I had to install it or I wouldn't keep
helping her).

However, my guess would be that whichever way it is envisioned and
designed to run most of the time, it could work either way you say.

Loads of programs these days have parts that insert themselves in the
start-up routines, ready to go in a second's notice, instead of 5
seconds if you hadn't run them at startup. People like me turn off or
uninstall most of those things. Using an option within the program or
msconfig.exe if necessary.

OTOH, any program at all can be inserted in the Startup folder, for
example, so that it starts when Windows starts. I used to have both
solitaire and my email program starting at boot time.

It talks about unattended computers working with this, so in that
case, the program has to be running already. OTOH, other than that,
it's a decision to be made, probalby by whoever runs the remote
computer.
 
P

(PeteCresswell)

Per Dennis:
Does the software that is installed on the remote site run in the
background ... waiting for someone with the full version to connect with
it? Or does the remote user have to start a program (TeamViewer
QuickSupport?) every time?

It's an option you set at install time on the remote PC.

I always set it to start itself whenever Windows starts up.

Otherwise, you have to tell the user to start it.

There's another little angle: default operation is for the
remote instance of TeamViewer to offer up a one-time password
that the user has to tell to whoever wants to connect.

e.g. 4f27px

I find that way over the top for my users - who I wouldn't even
want to have to start the app for me.

So, when I install it on the remote, I take advantage of the
"User-Defined" password at install time and make it the same
value for all the people (family members) that I support.

Going that route, I just enter that PW in my end, tell it to
remember that PW, and I can connect instantly just by
double-clicking.

The only other thing is that each remote user is identified by a
nine-digit number e.g. "475 884 409". TeamViewer offers a
facility where you can associate each users number with a name
you make up and have them appear on a list where ever/whenever
you are.

The user-defined PW route definitely is not for everybody. If
one were to do it without telling the user, I'd call that a major
breach of trust.
 
D

Dustin

I looked at the TeamViewer pdf brochures on their website but could
not find an answer to this:

Does the software that is installed on the remote site run in the
background ... waiting for someone with the full version to connect
with it? Or does the remote user have to start a program (TeamViewer
QuickSupport?) every time?

My experience with the free version is as follows:

The user you want to team view with, installs and runs the program. It
gives them a unique code; you fire up your copy and put this code in
teamviewer to "dial out". and it does the rest. As the code isn't the
host ip address, I'd bet most of the data is routed thru teamviewer
servers and not a direct connection between the two computers.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top