Showing posts with label Antivirus 2009. Show all posts
Wednesday, January 14, 2009
Malwarebytes Link
As a (most likely final) follow up to my posts (here and here) on removing Antivirus 2009, I contacted Malwarebytes and asked if they had an alternate site where you could download their tools without being blocked. In response, they sent me this link to their free product. I can't guarantee that it will work, and I'm not planning on purposefully getting infected just to test it. However, if anyone happens to stumble across this blog looking for a way to remove the virus, the above link might do the trick.
Thursday, January 8, 2009
Removing Antivirus 2009
I've received a number of hits on my previous post about some legal issues regarding Antivirus 2009 which I suspect are from people looking for how to get rid of the malware but can't get to the big antivirus sites because Antivirus 2009 has blocked them. For anyone looking for how to get rid of the program, here's my advice:
1) Don't expect to download a tool to fix the problem. The nastiest feature of Antivirus 2009 is that it blocks downloads from the major antivirus websites. In particular, Malwarebytes, which is recommended in a number of places to deal with Antivirus 2009, is blocked.
2) Get to a clean system. Just because you can't download the proper tools on a compromised system doesn't mean you can't download them at all. Go to another computer and download the tools you need. Malwarebytes Anti-Malware, mentioned above, can be downloaded here.
3) Send the tools from the clean system to the compromised system. The most obvious way to do this is via a flash drive. However, the version of Antivirus 2009 I dealt with (surprisingly) allowed me to send the mbam-setup.exe program through email.
4) Once the tool (whatever it is) is downloaded, rename it to .bat. With the version of Antivirus 2009 I dealt with, it wouldn't let mbam-setup.exe execute, but it would let blank.bat (what I renamed mbam-setup.exe) run just fine.
Please note that, for step 4 above to work, you might have to restart Windows in safe mode. A description of how to do that can be found here.
Please also note that the above 4 steps (including restarting in safe mode) might not actually work. The version of Antivirus 2009 which got onto my grandmother's computer let me run the antivirus setup program, but blocked the antivirus program itself. My next step after step 4 would have been to create a rescue CD and use that to boot from. However, my brother who also happened to be visiting that weekend had different advice: since my grandmother's computer was brand new, why not reformat the hard drive and just reinstall everything my grandmother wanted? In the end, that's what happened, since I would have been required to go back to my house (across town) to get a rescue CD, while my brother could reformat the hard drive immediately. It's an extreme measure, but I can testify that it certainly worked for my grandmother.
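Steps 2 to 4 can be scripted on the clean machine. The PowerShell script below is an added example, not code from the post or from Malwarebytes: it downloads the removal tool, records its SHA-256 so the copy can be checked later, and stages it on any removable drive under the renamed .bat filename from step 4. The download URL and expected hash are placeholders (take both from the vendor's download page); it uses WebClient and .NET hashing rather than Invoke-WebRequest and Get-FileHash so that it also runs on the PowerShell 2.0 found on XP/Vista-era machines.

```powershell
# Added example (not from the original post). Run on the CLEAN machine of step 2.
# $ToolUrl and $ExpectedSha256 are placeholders: replace them with the vendor's
# real download link and published hash before use.
param(
    [string]$ToolUrl        = 'https://EXAMPLE-VENDOR/DOWNLOAD/mbam-setup.exe',  # placeholder
    [string]$ExpectedSha256 = 'PASTE-VENDOR-PUBLISHED-SHA256-HERE',              # placeholder
    [string]$StagedName     = 'blank.bat'   # the renamed filename the post used in step 4
)

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'av2009-cleanup'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$downloaded = Join-Path $work 'mbam-setup.exe'

# WebClient instead of Invoke-WebRequest so the script also works on PowerShell 2.0.
(New-Object System.Net.WebClient).DownloadFile($ToolUrl, $downloaded)

# SHA-256 via .NET for the same reason (Get-FileHash needs PowerShell 4 or later).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

$actual = Get-Sha256Hex $downloaded
if ($ExpectedSha256 -ne 'PASTE-VENDOR-PUBLISHED-SHA256-HERE' -and
    $actual -ne $ExpectedSha256.ToLower()) {
    throw "Hash mismatch for $($downloaded): got $actual, expected $ExpectedSha256"
}
Write-Host "SHA-256 of the downloaded tool is $actual (note it down; compare before trusting any copy)"

# Removable drives have DriveType 2; stage the renamed copy on each one found.
$usb = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2'
if (-not $usb) { throw 'No removable drive found; plug in the flash drive from step 3.' }
foreach ($d in $usb) {
    $dest = "$($d.DeviceID)\$StagedName"
    Copy-Item -Path $downloaded -Destination $dest -Force
    Write-Host "Staged $dest"
}
```

The renamed file is staged exactly as the post describes; whether the infected machine then lets it run (and whether safe mode is needed) depends on the variant, as the post's own notes say.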
Update: As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009. They sent me a link, and I added it in this post.
Sunday, January 4, 2009
Antivirus 2009
Over the holidays I had the intriguing experience of watching a computer get hijacked by a nasty piece of malware: Antivirus 2009. According to this article from Bleeping Computer:
Antivirus 2009 is a new rogue anti-spyware program from the same family as Antivirus 2008 and Doctor Antivirus. Antivirus 2009 is installed and advertised through the use of misleading web sites that attempt to make you think your computer is infected with a variety of malware. Once installed, Antivirus 2009 will scan your computer and list a variety of fake infections that can't be removed unless you first purchase the software. These infections are fake, though, and only being shown to scare you into purchasing the software.
What that article doesn't make clear is the fact that Antivirus 2009 (or at least the variant I was dealing with) will also cause a substantial slowdown in your computer's performance, and will cause your browser to display all manner of annoying pop-ups. The other point about Antivirus 2009 that that article doesn't make clear is that Antivirus 2009 includes some relatively sophisticated countermeasures to prevent people from removing it from their system. For example, the variant I was dealing with stopped my grandmother's computer (where it was installed) from accessing websites of antivirus vendors (e.g., AVG) and technical web sites which had instructions on how to remove it (e.g., Bleeping Computer). Additionally, it also detected and prevented execution of removal tools that I was able to download on another system and install on the infected computer. I have to admit, I was impressed by the countermeasures the creators of Antivirus 2009 had included, as they made it MUCH harder to remove than the last virus I had to deal with (Slammer).
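The post says the infected PC could no longer reach antivirus vendors or removal-instruction sites, but not how the block was done. One mechanism rogue antivirus programs of that era commonly used was rewriting the Windows hosts file, so a first check on a machine showing these symptoms is to read that file. The script below is an added example, not code from the post: it lists every active hosts entry (a clean Windows hosts file normally contains only localhost) and flags any that names a security-related domain. The domain list is an illustrative selection chosen here, not one the post gives.

```powershell
# Added example (not from the original post): inspect the hosts file for entries
# that redirect security-related domains. Reading the file needs no elevation.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Illustrative watch list (my choice, not the post's); extend as needed.
$watchDomains = @('malwarebytes.org', 'bleepingcomputer.com', 'avg.com',
                  'microsoft.com', 'symantec.com', 'mcafee.com', 'kaspersky.com')

$active  = @()   # every non-comment entry, for review
$flagged = @()   # entries that touch a watched domain
foreach ($line in (Get-Content $hostsPath)) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { continue }    # blank or comment line
    $t = ($t -split '#')[0].Trim()                         # drop a trailing comment
    $fields = $t -split '\s+'
    if ($fields.Length -lt 2) { continue }                 # address with no hostname
    $addr  = $fields[0]
    $names = $fields[1..($fields.Length - 1)]
    foreach ($n in $names) {
        $entry = '{0,-16} {1}' -f $addr, $n
        $active += $entry
        foreach ($w in $watchDomains) {
            # exact match or any subdomain of a watched domain
            if ($n -eq $w -or $n.ToLower().EndsWith(".$w")) { $flagged += $entry }
        }
    }
}

Write-Host "Active hosts entries ($($active.Count)):"
$active | ForEach-Object { Write-Host "  $_" }
if ($flagged.Count -gt 0) {
    Write-Host "`nEntries redirecting security-related domains:"
    $flagged | Select-Object -Unique | ForEach-Object { Write-Host "  $_" }
    Write-Host "`nExpect the malware to rewrite the file again if it is edited while still running."
} else {
    Write-Host "`nNo watched domain appears in the hosts file; any block uses another mechanism."
}
```

If the hosts file is clean, the block may instead sit in proxy settings, a network filter, or a driver, which this check does not inspect; the post's approach of fetching tools on a separate clean machine sidesteps all of those.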
Anyway, as impressed as I was by the measures Antivirus 2009 took to prevent me from disabling it, the more interesting aspect of the program is that it even exists at all. Antivirus 2009 isn't just a program that enrolls a computer in a botnet where it can be rented out for pump and dump schemes or to spew fake Viagra spam. Instead, it appears to be connected with a business selling subscriptions which could, in theory, be shut down (or at least taken off the web). Therefore, it should be possible to file suit against the business connected with Antivirus 2009 (i.e., the people selling the software using bogus virus notifications). My guess is that either the people behind the software don't know that what they're doing is illegal (highly unlikely) or they think that whatever profit they can make between the time they released their software and the time a court inevitably shuts them down will be enough to compensate them for their efforts in creating their malware. Either way, the fact that Antivirus 2009 exists raises serious questions about whether the law can function as a deterrent to even the most blatant cybercrime.
PostScript: One other point of interest on the Antivirus 2009 front: both the FTC and Microsoft have filed suit against fake antivirus companies (see here). My suspicion is that these suits will accomplish nothing, as the companies are probably set up with pseudonyms, and the people behind them will vanish into the woodwork long before any court can find them. However, I would very much like to be wrong, and I would be quite happy to see the FTC and/or Microsoft being awarded (and collecting) some sizeable judgments.
Update: As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009. They sent me a link, and I added it in this post.