Posts Tagged F-Secure
Yet another email is floating around out there trying to get you to download a file that’s really a virus. It’s sent from “The Facebook Team” and says something like “for security reasons your password had to be reset” and it tells you to download the .zip or .exe file that is attached (Facebook_Password_4cf91.zip or Facebook_Password_4cf91.exe).
If you look at the email closely enough, it probably isn’t even addressed to you. My aunt got this email and the name they used referring to her, in the body of the email, was just a bunch of random letters. That, the random letters at the end of the file name and the fact that there is even an attachment at all should throw up red flags. But there will always be people who fall for this kind of thing or just don’t pay attention and download it anyway, which is why there are geeks like me around to fix things when this happens. Unless you reset your password yourself and triggered a confirmation email, you will not get this kind of email, period.
My aunt flipped out because she thought she may have saved the file on her computer, so this prompted me to do a bit of research on what this virus is. I found the VirusTotal report that shows which scanners are able to locate and eliminate the virus. Only 14 out of the 41 scanners are able to detect it – my aunt happens to have Symantec, which if you notice is not one of those 14. I’m currently running F-Secure’s online scan and will run Microsoft Security Essentials since both of those are listed as being able to detect it.
Here’s the page on F-Secure’s website about the virus. There isn’t a whole lot of information on it. But it does list a registry key that is installed.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"RunGrpConv" = "1"
If you’re comfortable working with computers you can check the registry yourself for that key. If not, then I suggest running the F-Secure online scan in complete mode, if you have time to let it sit for a while, and also running Microsoft Security Essentials. They are both user-friendly and free. Just be sure to remove Security Essentials once you’re done if you do have another anti-virus currently installed. Having more than one can really slow the computer down.
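For anyone who would rather check the registry from a prompt than click through regedit, here is a small PowerShell script I am adding to this post as an example (it is not from F-Secure and not part of the original write-up). It looks for the RunGrpConv value the F-Secure page lists, dumps whatever else is in the per-user Winlogon key, and compares the machine-wide Shell and Userinit values against the Windows defaults. It assumes Windows PowerShell is available and that you run it as the user who opened the attachment, since the key lives under HKEY_CURRENT_USER; the function and variable names are my own.

```powershell
# Added example (not from the original post): check the Winlogon registry key
# for the "RunGrpConv" value the F-Secure write-up lists for this malware,
# and show the other Winlogon values worth a second look while you are there.
# Assumes Windows PowerShell; run as the user who opened the attachment,
# because the key is under HKEY_CURRENT_USER.

$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-RunGrpConvIndicator {
    # Returns $true when RunGrpConv exists and is set to "1", as on the F-Secure page.
    if (-not (Test-Path $winlogon)) { return $false }
    $key   = Get-ItemProperty -Path $winlogon
    $value = $key.PSObject.Properties['RunGrpConv']
    return ($null -ne $value -and [string]$value.Value -eq '1')
}

if (Test-RunGrpConvIndicator) {
    Write-Host "Indicator present: $winlogon\RunGrpConv = 1 (matches the F-Secure description)"
} else {
    Write-Host "RunGrpConv not found under HKCU Winlogon"
}

# The per-user Winlogon key normally holds few or no values, so dump whatever
# is there and anything unexpected will stand out.
if (Test-Path $winlogon) {
    Get-ItemProperty -Path $winlogon |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
}

# The machine-wide Shell and Userinit values are a favourite place for malware
# to hook the login sequence; compare them with the Windows defaults.
$hklm     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell = 'explorer.exe'; Userinit = "$env:windir\system32\userinit.exe," }
$machine  = Get-ItemProperty -Path $hklm
foreach ($name in $expected.Keys) {
    $actual = $machine.$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "$hklm\$name is '$actual' (expected '$($expected[$name])')"
    } else {
        Write-Host "$name looks normal: $actual"
    }
}
```

If the script reports the indicator, that only confirms what the scanners found; it does not clean anything, so still run the scans described above.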
The good news is, from what I’ve read it looks like it’s just another virus that causes messages to pop up telling you that you need to pay to download a fake anti-virus in order to fix your computer. So it doesn’t appear to be something that is terribly difficult to get rid of.
What is conficker and what does it do?
It’s a worm/virus that infects Windows XP and Vista machines through a vulnerability (MS08-067) if the computer hasn’t been patched with the update Microsoft released back in October/November. Once infected, the virus:
- Embeds itself into the system services and makes some changes to the registry in order to run constantly, including after reboots.
- Disables antivirus and other security services, as well as blocks websites related to those services.
- Disables system restore and deletes all restore points making the recovery process that much more difficult.
- Opens the infected machine to more infections.
- Scans the subnet the infected computer is on for vulnerable machines and passes the infection on by creating an HTTP server for the new victim to download it from.
- Also copies itself to any USB drives, making the potential for spreading on networks much higher.
- Can crack weak passwords to accounts and lock you out of your own files and folders.
- It also schedules tasks and edits the autorun.inf file, enabling it to re-activate after a computer is “cleaned.”
How do I know if my computer is infected?
I mentioned a few noticeable things above but here are the things an average computer user would notice:
- The computer will feel much more sluggish than normal.
- Your internet connection might become much slower as well.
- You may not be able to log into your computer. If the password is weak it could crack it and lock you out.
- Automatic Windows updates will not work.
- You may not be able to get to any websites related to virus scanner updates or Windows updates.
- This virus is known to disable any security software you have – firewalls or virus scanners.
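To turn the behavior list and the symptom list above into something you can actually run, here is a read-only PowerShell check I am adding to this post as an example (not a tool from F-Secure, Microsoft or anyone else named here). It checks whether the MS08-067 hotfix is installed, which of the update and security services are stopped, whether System Restore has been switched off, whether any removable drive carries an autorun.inf, what .job files are in the Tasks folder, and whether a security vendor’s website still resolves. It assumes Windows PowerShell 2.0 or later on XP/Vista run from an elevated prompt; the hotfix number KB958644 is the one Microsoft shipped MS08-067 under, and the particular service names, the DisableSR registry check and the F-Secure hostname are my own choices for illustrating what the post describes.

```powershell
# Added example (not from the original post): a read-only check for the
# Conficker indicators the post lists. Assumes Windows PowerShell 2.0+ on
# XP/Vista from an elevated prompt. KB958644 is the hotfix for MS08-067; the
# service list is this example's own reading of "antivirus and other security
# services" plus Automatic Updates.

function Test-Ms08067Patched {
    # MS08-067 shipped as KB958644; Win32_QuickFixEngineering lists installed hotfixes.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $_.HotFixID -eq 'KB958644' }
    return ($null -ne $fix)
}

function Get-StoppedSecurityServices {
    # Automatic Updates, BITS, Security Center, Windows Defender, Error Reporting.
    $names = 'wuauserv', 'BITS', 'wscsvc', 'WinDefend', 'ERSvc'
    Get-Service -Name $names -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } |
        Select-Object -ExpandProperty Name
}

function Test-SystemRestoreDisabled {
    # DisableSR = 1 under either key turns System Restore off (assumed check;
    # the post only says restore is disabled and restore points are deleted).
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
             'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p).DisableSR
            if ($v -eq 1) { return $true }
        }
    }
    return $false
}

function Get-RemovableAutorunFiles {
    # The post says the worm copies itself to USB drives and edits autorun.inf;
    # DriveType 2 is "removable" in Win32_LogicalDisk.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object { Join-Path $_.DeviceID 'autorun.inf' } |
        Where-Object { Test-Path $_ }
}

function Get-ScheduledJobFiles {
    # On XP/Vista, tasks created with at.exe or schtasks land as .job files here.
    Get-ChildItem -Path (Join-Path $env:windir 'Tasks') -Filter '*.job' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

function Test-SecuritySiteResolves {
    param([string]$HostName = 'www.f-secure.com')   # vendor named in the post; any AV site works
    # The worm is described as blocking security vendors' sites; a lookup that
    # fails for one of them while other names resolve is worth noting.
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); return $true }
    catch { return $false }
}

# Summary report
"MS08-067 (KB958644) installed : $(Test-Ms08067Patched)"
"Stopped security services     : $((Get-StoppedSecurityServices) -join ', ')"
"System Restore disabled       : $(Test-SystemRestoreDisabled)"
"autorun.inf on removable media: $((Get-RemovableAutorunFiles) -join ', ')"
"Scheduled .job files          : $((Get-ScheduledJobFiles) -join ', ')"
"Security site DNS resolves    : $(Test-SecuritySiteResolves)"
```

None of these lines on its own proves an infection (a stopped Error Reporting service or a .job file can be perfectly normal), but a missing patch together with several of the others is the combination the post is describing, and the script changes nothing on the machine.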
What can I do to protect myself?
- Run a Windows update to make sure your computer has the patch installed.
- Update your virus scanner and run a scan to be safe. If you do not have a scanner I personally like AVG free. Symantec has a new thing called Norton Security Scan which is also free. I’ve never tried it so I don’t have an opinion about it.
Open Internet Explorer -> go to the Tools menu -> click on Windows Update -> choose Express and download all suggested updates.
Click on your Start menu -> in the search box type windows update -> click Check for updates in the left column and download any important updates.
What if my computer is infected?
Run a virus scan in safe mode (hold F8 down when restarting the computer). Safe mode is used in times like this because nearly every service and program that typically runs whenever you turn your computer on will be turned off, making it easier for the scanner to remove any infections. Microsoft suggests downloading their Windows Malicious Software Removal Tool. If you have a Norton product you can go here for information on how to remove it. McAfee also has information, although not very helpful in my opinion. In some instances the virus scanner may not be able to remove the infection so a more technical solution is needed.
F-Secure is the only company I’ve found so far that has an actual removal tool specifically for this virus/worm, but it is in the beta stage so be careful using it if you choose to do so. I just ran it on my laptop without any issues. If I come across someone at work who has this I’ll have no problem using it if a normal virus scan is unable to help. Especially since it sounds like unless your scanner can remove it, all you can do is reformat so you don’t have much to lose.
More information can be found at pcworld.com and BBC News. If you’re a geek like me F-Secure is keeping track of the number of infections and also has a list of domains network admins can block to help prevent this from spreading.
3/31/09: With yet another explosion in news coverage I’m adding a couple more removal tool links from F-Secure. The one linked to above is no longer a beta version. They are all for different variants of this same virus.
Everything in the article is still accurate; the basic behavior hasn’t changed at all. I heard that security professionals haven’t been able to reverse engineer the virus, so they don’t even know what is supposed to happen on April 1st. That leads me to a question: if they haven’t reverse engineered it to figure out exactly what it does, where did the doomsday date of April 1st come from?