Archive for the ‘Symantec’ Category

“The Facebook Team” has sent you a virus!

October 30, 2009

Yet another email is floating around out there trying to get you to download a file that’s really a virus. It’s sent from “The Facebook Team”, says something like “for security reasons your password had to be reset”, and tells you to download the .zip or .exe file that is attached (Facebook_Password_4cf91.zip or Facebook_Password_4cf91.exe).

If you look at the email closely enough, it probably isn’t even addressed to you. My aunt got this email and the name used to refer to her in the body of the email was just a bunch of random letters. That, the random letters at the end of the file name, and the fact that there is an attachment at all should throw up red flags. But there will always be people who fall for this kind of thing or just don’t pay attention and download it anyway, which is why there are geeks like me around to fix things when this happens. Unless you reset your password yourself and triggered a confirmation email, you will not get this kind of email, period.

My aunt flipped out because she thought she might have saved the file on her computer, so this prompted me to do a bit of research on what this virus is. I found the VirusTotal report that shows which scanners are able to locate and eliminate the virus. Only 14 out of the 41 scanners are able to detect it; my aunt happens to have Symantec, which, if you notice, is not one of those 14. I’m currently running F-Secure’s online scan and will run Microsoft Security Essentials since both of those are listed as being able to detect it.

Here’s the page on F-Secure’s website about the virus. There isn’t a whole lot of information on it, but it does list a registry key that is installed.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"RunGrpConv" = "1"

If you’re comfortable working with computers you can check the registry yourself for that key. If not, I suggest running the F-Secure online scan in complete mode, if you have time to let it sit for a while, and also running Microsoft Security Essentials. They are both user-friendly and free. Just be sure to remove Security Essentials once you’re done if you do have another anti-virus currently installed; having more than one can really slow the computer down.

The good news is, from what I’ve read, it looks like it’s just another virus that causes messages to pop up telling you that you need to pay to download a fake anti-virus in order to fix your computer. So it doesn’t appear to be something that is terribly difficult to get rid of.

How to create a bootable USB drive

September 3, 2009

You would think you could Google the title of this post and easily find a link that makes this possible. I’ve spent a lot of time the last few days doing exactly that and not finding much that actually works. I wanted a bootable USB drive so I could throw Ghost and Ghostwalk on it along with whatever image we wanted to use. It saves me from having to burn a new CD every time I want to use a different image; this way I just delete and copy/paste.

What you will need:

  • Boot disk files – you can Google “boot disk” and get what you need. If you still have a floppy drive in your computer and happen to have a disk lying around, you can pop it in, go to My Computer -> right-click on the floppy -> Format -> and check the box that says “Create an MS-DOS startup disk”.
  • HP USB Disk Storage Format Tool – the weird thing is that I couldn’t even find it on HP’s website. But once again Google comes to the rescue; there are plenty of links to it out there.

What to do:

  1. Open the HP format tool.
  2. Make sure you select the correct drive.
  3. Choose either of the FAT file system options.
  4. Under volume label give the USB drive a name.
  5. Check the box for creating a DOS startup disk and select “using DOS system files located at:”. This is where you point either to your floppy drive, if you created a boot disk, or to the folder where you downloaded the files. Tell it to start.
  6. You aren’t quite done yet. Go to My Computer and open the location of the startup files that you either downloaded or had Windows put on the floppy; copy those and paste them onto the flash drive. DO NOT overwrite any files when prompted.
  7. Done. Now you can use it as is or add more files to it, like I did with Ghost and Ghostwalk.

You have received a Hallmark e-card!

March 6, 2009

(Screenshot: the Hallmark e-card email)

Yes, it’s that time of year again. A friendly reminder to NEVER open attachments or click on links in emails if you don’t know who or where they’re coming from. Curiosity killed the cat; your curiosity might kill your computer.

This virus is probably most commonly known as W32.Ackantta@mm, at least to those familiar with Symantec/Norton. What happens is you get an email like the one above and get sucked into clicking on the link, which then downloads a file to your computer. I’m not quite certain whether clicking the link automatically executes the virus, just downloads the file, or if the virus is a file attached to the email. So far I’ve seen it where a file called postcard.zip is attached to the email and where you click on a link to download a file called postcard.pdf.exe. Either way, a file eventually ends up on your computer that installs the virus if you execute it.

This virus is a variant of Trojan.Vundo, which we saw an outbreak of on campus a little over 4 years ago. It’s such a pain to remove because, like before, we got it when it was fairly new, so none of the anti-virus programs out there could do anything to prevent or remove it. I heard from one of the other Tech departments on campus that we were the first to report it to Symantec. I had someone forward me the virus so I could upload it to VirusTotal.com to see which programs are able to detect it and hopefully remove it. Here’s the list as of 3 hrs ago:

(Screenshot: VirusTotal results for postcard.zip)

What happens?

  1. Once the file mentioned above is opened, the virus installs itself in numerous places on the computer. What a user will notice is tons of pop-up ads suddenly showing up saying that you need to download a fake program to remove the spyware on your computer. Don’t fall for that; it’s just more spyware/viruses to bog down your computer.
  2. It creates copies of itself in the system folder as javale.exe, javawx.exe, and a random .dll file.
  3. It also creates and edits registry keys in order to embed itself in the startup processes so it’s running at all times. To see the specific registry keys and file names see the links at the end of the post.
  4. The virus finds the address book on your computer and sends out mass emails to everybody in it.
  5. It blocks access to some security-related websites.
  6. It spreads through any USB drives you plug into the computer and also has the potential to spread through network drives, which can create an evil loop of cleaning and re-infecting.
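A quick host check for the indicators quoted on this page, written as an added example (it is not a tool from F-Secure, Symantec or the post’s author): the Winlogon RunGrpConv value named in the Facebook “password reset” post above, and the javale.exe / javawx.exe copies listed here. It assumes PowerShell 3 or later on the suspect machine and takes “system folder” to mean the Windows folder and its System32 subfolder; a hit is a reason to run the scanners the posts recommend, not proof on its own.

```powershell
# Added example for this page: check the host indicators quoted in the two
# posts above. Assumes PowerShell 3 or later; "system folder" is taken to
# mean the Windows folder and its System32 subfolder.

function Test-WinlogonRunGrpConv {
    # Facebook "password reset" malware: F-Secure lists this Winlogon value.
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = $null
    if ($props -and $props.PSObject.Properties['RunGrpConv']) {
        $value = $props.RunGrpConv
    }
    $detail = if ($null -eq $value) { 'value absent' } else { "value = $value" }
    [pscustomobject]@{
        Indicator = "$key\RunGrpConv"
        Found     = ("$value" -eq '1')   # matches either REG_SZ "1" or DWORD 1
        Detail    = $detail
    }
}

function Test-AckanttaFiles {
    # Hallmark e-card malware (W32.Ackantta@mm): copies itself into the
    # system folder as javale.exe and javawx.exe.
    $dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
    foreach ($dir in $dirs) {
        foreach ($name in 'javale.exe', 'javawx.exe') {
            $path = Join-Path $dir $name
            $present = Test-Path -LiteralPath $path -PathType Leaf
            $detail = if ($present) {
                "last write $((Get-Item -LiteralPath $path).LastWriteTime)"
            } else { 'not present' }
            [pscustomobject]@{ Indicator = $path; Found = $present; Detail = $detail }
        }
    }
}

function Test-PageIndicators {
    # Every check as one list; filter on Found to see only the hits.
    @(Test-WinlogonRunGrpConv) + @(Test-AckanttaFiles)
}

Test-PageIndicators | Format-Table -AutoSize
```

Run it from a normal user prompt; HKCU and the two file paths are readable without elevation, and a Found of True on any row means the machine still needs the full scan and clean-up steps described in the posts.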

How do I get rid of it?

  1. Disable system restore.
  2. Update your anti-virus & anti-spyware programs and definitions. You want to make sure you have the most up-to-date client as well as the definitions. AVG Free and Malwarebytes are known to detect and remove the virus when used together.
      a) If you don’t have the programs on your computer or are unable to update them, burn the programs and their most recent definition files to a CD and install them that way. This virus jumps onto USB drives, so you do not want to use them on an infected computer.
  3. Restart your computer into safe mode.
  4. Scan with both your anti-virus and anti-spyware programs. You may need to do this a few times in order to make sure it found everything.

Malwarebytes and either Symantec/Norton or AVG were used to clean computers on campus. AVG was used on student computers since we couldn’t install Symantec Endpoint Protection on them for licensing reasons. But I can confirm that Malwarebytes and AVG together get rid of it. Be sure to disable System Restore and boot into safe mode though, as stated above.

There are far too many different files this virus creates and registry keys it creates and edits, so I left that specific information out of the post. All of the specifics can be seen at the links below.

Information Sources:

The conficker virus – 9 million PCs and counting

January 21, 2009

What is conficker and what does it do?

It’s a worm/virus that infects any Windows XP or Vista machine via a vulnerability (MS08-067) if the computer hasn’t been patched with the fix Microsoft released back in October/November. Once infected, the virus:

  • Embeds itself into the system services and makes some changes to the registry in order to run constantly, including after reboots.
  • Disables antivirus and other security services, as well as blocks websites related to those services.
  • Disables System Restore and deletes all restore points, making the recovery process that much more difficult.
  • Opens the infected machine to more infections.
  • Scans the subnet the infected computer is on for vulnerable machines and passes the infection on by running an HTTP server for the new victim to download it from.
  • Also copies itself to any USB drives, making the potential for spreading on networks much higher.
  • Can crack weak account passwords and lock you out of your own files and folders.
  • It also schedules tasks and edits the autorun.inf file, enabling it to re-activate after a computer is “cleaned.”

How do I know if my computer is infected?

I mentioned a few noticeable things above, but here are the things an average computer user would notice:

  • The computer will feel much more sluggish than normal.
  • Your internet connection might become much slower as well.
  • You may not be able to log into your computer. If the password is weak, it could crack it and lock you out.
  • Automatic Windows updates will not work.
  • You may not be able to get to any websites related to virus scanner updates or Windows updates.
  • This virus is known to disable any security software you have, firewalls or virus scanners.
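A rough triage script for the symptoms listed above, added here as an example (it is not an F-Secure or Microsoft tool). The host names and service names it checks are my assumptions, chosen because the post names those vendors and says the worm blocks security sites, disables security services and breaks automatic updates; it assumes PowerShell 3 or later.

```powershell
# Added example for this page, not an F-Secure or Microsoft tool: rough triage
# for the Conficker symptoms listed above. Host names and service names are
# assumptions; the post only says the worm blocks security sites and disables
# security services and automatic updates.

function Test-SecuritySiteResolution {
    # A machine that resolves everyday names but none of these deserves a closer look.
    param([string[]]$Names = @('update.microsoft.com', 'www.symantec.com',
                               'www.f-secure.com', 'www.mcafee.com'))
    foreach ($name in $Names) {
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($name)
            $ok = $addrs.Count -gt 0
            $detail = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ', '
        } catch {
            $ok = $false
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Check = "resolve $name"; Ok = $ok; Detail = $detail }
    }
}

function Test-SecurityServices {
    # Windows Update (wuauserv), BITS and Security Center (wscsvc) all set to
    # Disabled fits "automatic Windows updates will not work".
    foreach ($svc in 'wuauserv', 'BITS', 'wscsvc') {
        $s = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
        $detail = if ($s) { "$($s.StartMode)/$($s.State)" } else { 'missing' }
        $ok = ($s -and $s.StartMode -ne 'Disabled')
        [pscustomobject]@{ Check = "service $svc"; Ok = $ok; Detail = $detail }
    }
}

function Test-RemovableAutorun {
    # The worm copies itself to USB drives and edits autorun.inf. DriveType 2 is
    # "removable" in Win32_LogicalDisk; presence is a prompt to inspect, not proof.
    foreach ($d in @(Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2')) {
        $path = "$($d.DeviceID)\autorun.inf"
        $present = Test-Path -LiteralPath $path
        $detail = if ($present) { 'present' } else { 'absent' }
        [pscustomobject]@{ Check = $path; Ok = (-not $present); Detail = $detail }
    }
}

@(Test-SecuritySiteResolution) + @(Test-SecurityServices) + @(Test-RemovableAutorun) |
    Format-Table -AutoSize
```

Any row with Ok = False is a symptom to follow up with the safe-mode scan and removal tools described below, not a diagnosis by itself.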

What can I do to protect myself?

  1. Run a Windows update to make sure your computer has the patch installed.
  2. Windows XP
    Open Internet Explorer -> go to the Tools menu -> click on Windows Update -> choose Express and download all suggested updates.

    Windows Vista
    Click on your Start menu -> in the search box type “windows update” -> click “Check for updates” in the left column and download any important updates.

  3. Update your virus scanner and run a scan to be safe. If you do not have a scanner, I personally like AVG Free. Symantec has a new thing called Norton Security Scan, which is also free. I’ve never tried it so I don’t have an opinion about it.

What if my computer is infected?

Run a virus scan in safe mode (hold F8 down when restarting the computer). Safe mode is used at times like this because nearly every service and program that typically runs when you turn your computer on will be turned off, making it easier for the scanner to remove any infections. Microsoft suggests downloading their Windows Malicious Software Removal Tool. If you have a Norton product you can go here for information on how to remove it. McAfee also has information, although not very helpful in my opinion. In some instances the virus scanner may not be able to remove the infection, so a more technical solution is needed.

F-Secure is the only company I’ve found so far that has an actual removal tool specifically for this virus/worm, but it is in beta, so be careful if you choose to use it. I just ran it on my laptop without any issues. If I come across someone at work who has this I’ll have no problem using it if a normal virus scan is unable to help. Especially since it sounds like unless your scanner can remove it, all you can do is reformat, so you don’t have much to lose.

More information can be found at pcworld.com and BBC News. If you’re a geek like me, F-Secure is keeping track of the number of infections and also has a list of domains network admins can block to help prevent this from spreading.

3/31/09: With yet another explosion in news coverage, I’m adding a couple more removal tool links from F-Secure. The one linked above is no longer a beta version. They are all for different variants of this same virus.

Everything in the article is still accurate; the basic behavior hasn’t changed at all. I heard that the security professionals haven’t been able to reverse engineer the virus, so they don’t even know what is supposed to happen on April 1st. That leads me to a question: if they haven’t reverse engineered it to figure out exactly what it does, where did the doomsday date of April 1st come from?

Removal tool #2

Removal tool #3

Vista and the mysterious unidentified network

September 23, 2008

We’ve been having problems with this since Vista came out; luckily it’s not a terribly frequent occurrence. A new year has started and we’re seeing it again. We currently have 2 students who cannot connect to our network; they keep getting the unidentified network with a 169.254 IP. We have tried everything we can think of:

  1. release/renew just times out
  2. disable/re-enable the NIC
  3. checked all the TCP/IP settings & checked the LAN settings
  4. typed netsh interface ipv6 show neighbors into the cmd prompt to see if anybody on campus was broadcasting as a gateway
  5. I’ve even gone into the registry to disable the broadcast flag. NOTHING HAS WORKED.
  6. Setting the network type to private instead of public, in case it’s set wrong.

I’ve spent hours and hours researching this online but so far have only come up with a couple more things to try. One is doing a TCP/IP stack repair and the other just involves disabling firewalls (Windows and otherwise). Has anybody actually found a solution that works? This is driving me insane.

Edit #1: It appears that Norton and possibly McAfee cause some sort of problem. I’m not exactly sure what yet. We’ve tried disabling both programs, but that didn’t work. A student uninstalled Norton and was able to get online. I like those programs less and less the more I work with them.

Edit #2: We came across another one of these and they had some weird Panda anti-virus software; uninstalling it got them online. So if you come across this problem, try uninstalling the anti-virus/firewall and see if that fixes it; just disabling them hasn’t worked. I really wish I knew what specifically about those programs caused the problems.
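A small diagnostic for the situation in this post, added as an example (not a fix from Microsoft or from the post’s author): it finds the adapters that fell back to a 169.254 address and then lists the anti-virus and firewall products registered with Security Center, since the edits above found a third-party security product to be the cause. It assumes Vista or later (the root\SecurityCenter2 namespace exists from Vista on) and a PowerShell 3+ prompt.

```powershell
# Added example for the "unidentified network" post. Assumes Vista or later
# and PowerShell 3+; it reads state only and changes nothing.

function Get-ApipaAdapter {
    # A 169.254.x.x address means the DHCP client gave up and assigned itself
    # a link-local address, which is what Vista shows as "unidentified network".
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Where-Object { $_.IPAddress | Where-Object { $_ -like '169.254.*' } } |
        ForEach-Object {
            [pscustomobject]@{
                Adapter    = $_.Description
                Address    = ($_.IPAddress -join ', ')
                DhcpOn     = $_.DHCPEnabled
                DhcpServer = $_.DHCPServer
            }
        }
}

function Get-RegisteredSecurityProduct {
    # Edits #1 and #2 found a third-party AV/firewall to blame; list what
    # Security Center knows about so the uninstall test targets the right product.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind    = $class
                    Product = $_.displayName
                    State   = ('0x{0:X}' -f $_.productState)
                }
            }
    }
}

$apipa = @(Get-ApipaAdapter)
if ($apipa.Count -eq 0) {
    'No adapter is on a 169.254 address.'
} else {
    $apipa | Format-Table -AutoSize
    'Security products registered with Security Center:'
    Get-RegisteredSecurityProduct | Format-Table -AutoSize
}
```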