Tuesday, August 26, 2008

Security Tip - XP Antivirus 2008 - BAD!!

XP Antivirus 2008 is NOT the latest antivirus tool we should all be using. It is malware. It’s starting to get a fair bit of traction too. If you get infected, you will find extremely annoying fear-mongering popups urging you to purchase the product. Here is a description from an infected user:
"Last week a pop-up appeared that landed on my icon line.... xpantivirus2008. Thinking that it was another security alert from windows, I clicked on it. It proceeded to "scan" my hard drive and inform me that I had 90+ security "issues" that needed to be addressed..... while the scan was underway, a windows msg appeared saying that it did not recognize the program source. I found that odd... but, as a result, did not buy the xpantivirus2008 program. Now, one week later, I am constantly being assaulted by never-ending pop-ups, registry scans, bubbles, etc. I followed a suggested uninstall (though I never installed the program) plus all of the usual steps in detecting and removal of unwanted programs... but, although I removed everything that I was able to find via search commands, and using the process recommended by TomT (using regedit, hkey current user, msconfig, and unchecking "xpa" at the startup file), the program continues to reappear, pop-up every 2 minutes and at every start up.... Although I finally succeeded, attempting to delete xpantivirus.exe would not allow me to delete saying that it was being used by another user or running in another program which, obviously, it was not.... Even with all of it apparently gone, it still reappears and performs its maddening process. Even a file search at this point does not detect xpantivirus.... HELP!!!!!"

One of my library clients recently found this on one of their staff PCs. The popup window cannot be moved, minimized, or closed, and you can't see anything behind it of course. Luckily, Spybot 1.52 (http://www.safer-networking.org/en/download/) found and removed it. More recent versions of Spybot would probably also remove it. Trend Micro antivirus did not find it. This PC had a couple of other infections on it as well. That PC was set up a few years ago and we have had no trouble with it until this. What had changed? Not the antivirus on it. Not the applications on it. Not the firewall for the library. The only thing that changed is one user’s lack of restraint. User restraint is one of your best protections.

My spam filter blocked a message that is probably the infecting source. The message is shown below. I have removed all the hyperlinks from the text. The first line is linked to an IP address in Moldova (that’s a country in eastern Europe) with an executable called Install.exe. It looks like this: http://555.555.555.555/install.exe. I have changed the actual numbers in the IP address. That line, then, is asking you to install software from a site that it will not even identify in English (or any other human language). There are also three links at the bottom: Unsubscribe, More Newsletters, and Privacy. They all link to msn.com, which would seem to lend an air of authenticity. This email is a good example of what you should never ever do, should you run across something like this.

Free Update Windows XP,Vista

About this mailing: You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.

©2008 Microsoft
Unsubscribe | More Newsletters | Privacy
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

Moral: Use spam filters. Use Spybot. Keep it updated. Exercise restraint. Be paranoid about links presented to you in email. Have a nice day.
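
The link pattern in the message above (a headline linked to a bare IP address serving an .exe, next to footer links that go to msn.com) is something a mail filter can check for mechanically. Here is one way to do that, as an added example that is not part of the original post; the sample HTML, the IP address 203.0.113.7, the msn.com URLs and the extension list are all constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat")  # assumed list, extend as needed

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def flag_links(html_body):
    """Return (text, href, reasons) for each link that should be blocked or reviewed."""
    collector = LinkCollector()
    collector.feed(html_body)
    flagged = []
    for text, href in collector.links:
        parts, reasons = urlsplit(href), []
        try:
            ipaddress.ip_address(parts.hostname or "")  # raises if host is a name
            reasons.append("host is a bare IP address")
        except ValueError:
            pass
        if parts.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("path ends in an executable extension")
        if reasons:
            flagged.append((text, href, reasons))
    return flagged

# Constructed sample shaped like the message above; 203.0.113.7 is a documentation address.
SAMPLE = (
    '<a href="http://203.0.113.7/install.exe">Free Update Windows XP,Vista</a>'
    '<a href="http://www.msn.com/">Unsubscribe</a> <a href="http://www.msn.com/">Privacy</a>'
)
```

Run against the sample, only the headline link is flagged, with both reasons attached; the msn.com footer links pass, which is exactly why they were put there.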

1 comment:

Anonymous said...

Just a simple note of agreement and this BAD email and others like it are a constant hassle.