Yes, it’s that time of year again. A friendly reminder to NEVER open attachments or click on links in emails if you don’t know who they are from or where they are coming from. Curiosity killed the cat; your curiosity might kill your computer.
This virus is probably most commonly known as W32.Ackantta@mm, at least to those familiar with Symantec/Norton. What happens is you get an email like the one above and get sucked into clicking on the link, which then downloads a file to your computer. I’m not quite certain whether clicking the link automatically executes the virus, just downloads the file, or if the virus is a file attached to the email. So far I’ve seen it where a file called postcard.zip is attached to the email and where you click on a link to download a file called postcard.pdf.exe. Either way, a file eventually ends up on your computer that installs the virus if you execute it.
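Both lures described above rely on the same trick: an executable dressed up as a document, either with a double extension (postcard.pdf.exe, which Windows shows as just "postcard.pdf" when it hides known extensions, its default) or tucked inside a zip. Below is an added Python example, not code from the original post, that triages an attachment the way a help desk might before a user opens it: it flags executable and double extensions by name, and for a zip it looks at each member's name and checks whether its content starts with the "MZ" bytes every Windows executable begins with. The sample zip is constructed in memory with a harmless stand-in file; the extension lists are assumptions for the example, not a complete list.

```python
import io
import re
import zipfile

# Extensions Windows runs directly on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Document-looking extensions a lure puts in front of the real one, e.g. postcard.pdf.exe.
DECOY_EXTENSIONS = {".pdf", ".doc", ".jpg", ".gif", ".png", ".txt"}


def suspicious_reasons(filename):
    """Return the reasons (possibly none) a file name looks like a disguised executable."""
    name = filename.lower()
    reasons = []
    last = name[name.rfind("."):] if "." in name else ""
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + last)
    # Two trailing extensions: Windows hides the last one by default, so the
    # user sees only the decoy (postcard.pdf) and not the .exe behind it.
    match = re.search(r"(\.[a-z0-9]+)(\.[a-z0-9]+)$", name)
    if match and match.group(1) in DECOY_EXTENSIONS and match.group(2) in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension: shown as %s, actually %s" % (match.group(1), match.group(2)))
    return reasons


def inspect_zip(data):
    """Look inside a zip attachment and report members that are executables.
    Returns a list of (member name, reasons)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            reasons = suspicious_reasons(info.filename)
            with archive.open(info) as member:
                head = member.read(2)
            if head == b"MZ":  # every Windows PE file starts with these two bytes
                reasons.append("content starts with MZ (Windows executable)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def triage_attachment(filename, data):
    """Combine the name check and, for zip files, the member check for one attachment."""
    result = {"name": filename, "reasons": suspicious_reasons(filename), "members": []}
    if data[:2] == b"PK":  # zip archive signature
        try:
            result["members"] = inspect_zip(data)
        except zipfile.BadZipFile:
            result["reasons"].append("claims to be a zip but does not parse")
    return result


def build_sample_zip():
    """Constructed stand-in for the postcard.zip lure: a zip holding a file named
    postcard.pdf.exe whose content is just an MZ header and zeros, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("postcard.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("postcard.zip", build_sample_zip()),
               ("postcard.pdf.exe", b"MZ" + b"\x00" * 62))
    for name, data in samples:
        print(triage_attachment(name, data))
```

Run on the constructed samples, the zip is reported clean by name but its member postcard.pdf.exe is flagged three ways (executable extension, double extension, MZ content), and the bare postcard.pdf.exe is flagged on its name alone. Either finding is enough to tell a user not to open it.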
This virus is a variant of the Trojan.Vundo virus that we saw an outbreak of on campus a little over 4 years ago. It’s such a pain to remove because, like before, we got it when it was fairly new, so none of the anti-virus programs out there could do anything to prevent or remove it. I heard from one of the other Tech departments on campus that we were the first to report it to Symantec. I had someone forward me the virus so I could upload it to VirusTotal.com to see which programs are able to detect it and hopefully remove it. Here’s the list as of 3 hrs ago:
- Once the file mentioned above is opened, the virus installs itself in numerous places on the computer. What a user will notice is tons of pop-up ads showing up all of a sudden saying that you need to download a fake program to remove the spyware on your computer. Don’t fall for that; it’s just more spyware/viruses to bog down your computer.
- It creates copies of itself in the system folder as javale.exe, javawx.exe, and a random .dll file.
- It also creates and edits registry keys in order to embed itself in the startup processes so it’s running at all times. To see the specific registry keys and file names, see the links at the end of the post.
- The virus finds your address book on your computer and sends out mass-emails to everybody in it.
- It blocks access to some security related websites.
- It spreads through any USB drives you plug into the computer and also has the potential to spread through network drives; this can create an evil loop of cleaning and re-infecting.
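Two of the indicators above have fixed names (javale.exe and javawx.exe in the system folder, and startup entries that launch them), which is enough for a quick check of a machine suspected of being infected before the full scan. Here is an added Python example, not from the original post, that looks for those names in a directory listing and in the HKCU/HKLM Run keys. It assumes the "system folder" is %SystemRoot%\System32 and only touches the registry on Windows (via the standard winreg module); on other platforms, and for the test, it runs on constructed sample data. The randomly named .dll the post mentions cannot be matched by name, so a clean result here does not mean a clean machine.

```python
import os
import sys

# File names the post says the virus drops into the system folder.
DROPPED_NAMES = {"javale.exe", "javawx.exe"}
# Standard per-user and machine-wide startup key (same path under HKCU and HKLM).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def find_dropped_files(file_names):
    """Return the entries of an iterable of file names that match a known dropped name.
    Matching is case-insensitive because Windows file names are."""
    return sorted(name for name in file_names if name.lower() in DROPPED_NAMES)


def suspicious_run_entries(entries):
    """entries: iterable of (value name, command line) pairs from a Run key.
    Returns the pairs whose command line references a known dropped name."""
    hits = []
    for value_name, command in entries:
        lowered = command.lower()
        if any(dropped in lowered for dropped in DROPPED_NAMES):
            hits.append((value_name, command))
    return hits


def read_run_keys():
    """Enumerate HKCU and HKLM Run values on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue  # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((name, str(value)))
                index += 1
    return entries


def list_system_folder():
    """File names in the Windows system folder (assumed to be %SystemRoot%\\System32)."""
    folder = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    try:
        return os.listdir(folder)
    except OSError:
        return []


# Constructed sample data standing in for a real listing and Run key, so the
# checks can be exercised on any machine.
SAMPLE_LISTING = ["kernel32.dll", "Javale.exe", "notepad.exe", "javawx.exe"]
SAMPLE_RUN_ENTRIES = [
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("javale", r"C:\WINDOWS\system32\javale.exe"),
]

if __name__ == "__main__":
    listing = list_system_folder() or SAMPLE_LISTING
    entries = read_run_keys() or SAMPLE_RUN_ENTRIES
    print("dropped files found:", find_dropped_files(listing))
    print("startup entries referencing them:", suspicious_run_entries(entries))
```

On an infected machine run from safe mode, the first line lists whichever of the two executables is present and the second shows the Run value that relaunches it; both are worth noting down before cleaning, since the post's own advice is that a scan may need to be repeated until nothing is found.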
How do I get rid of it?
- Disable system restore.
- Update your anti-virus & anti-spyware programs and definitions. You want to make sure you have the most up-to-date client as well as the definitions. AVG Free and Malwarebytes are known to detect and remove the virus when used in conjunction with each other.
- a) If you don’t have the programs on your computer or are unable to update them, burn the programs and their most recent definition files to a CD and install them that way. This virus jumps onto USB drives, so you do not want to use them on an infected computer.
- Restart your computer into safe mode.
- Scan with both your anti-virus and anti-spyware programs. You may need to do this a few times in order to make sure it found everything.
Malwarebytes and either Symantec/Norton or AVG were used to clean computers on campus. AVG was used on student computers since we couldn’t install Symantec Endpoint Protection on them for licensing reasons. But I can confirm that Malwarebytes and AVG work together to get rid of it. Be sure to disable system restore and boot into safe mode though, as stated above.
There are far too many files this virus creates, and registry keys it creates and edits, for me to list them here, so I left that specific information out of the post. All of the specifics can be seen at the links below.