Wednesday, January 14, 2009

Rapid Antivirus, Vundo, and others

It was so sudden, it took me by surprise. I was only trying to play some songs online when it hit my system and paralyzed it and me alike for one whole day. The name of the rogue is Rapid Antivirus. It all started when the site tried to play the music using my local software, which tried to download a video codec and also downloaded some trojans along with it. All of a sudden windows started popping up all over, reporting system infection and asking to run a virus scan. The rogue almost took over the Windows system. It turned off the security features of Windows automatically, namely the firewall and my antivirus system, leaving the system in a totally vulnerable state. At the same time, it installed itself as an application without me even knowing and showed itself in the system tray with exactly the same icon that the Windows security system has, making it look really authentic. The icon kept popping up very authentic-looking messages that the system is infected, excessive email traffic detected, blah, blah, blah, all looking very authentic. After all, you trust an antivirus software like your big brother, or maybe even more.

Now, typically, I am very quick with everything on my computer, but during all this action, I was able to keep my patience and didn't follow the instructions issued by the malware. Suddenly, the dreadful blue screen showed up, kind of what you see when there is a system crash because of memory issues. The screen reported that my system was infected with certain spyware. Following the blue screen, an exact imitation of the Windows XP startup screen appeared, reporting at the bottom that an unregistered version of Rapid Antivirus 2.7 was detected and that Windows recommends activating the virus system. I disabled the internet connection, and then googled Rapid Antivirus. Bingo! There it was: an antivirus program that fakes threatening messages forcing you to use Rapid Antivirus to scan your system, reporting fake spyware/viruses and then making you buy a registered version to remove the worms found. Eventually, several scans later, using my antivirus software, I was able to remove the culprit, albeit not without wasting a couple of hours.

As soon as I relaxed and turned my internet connection back on, however, I noticed somebody disabling my antivirus system again, and I realized that I may have relaxed a little bit too early. The antivirus continued reporting all the trojans found as 'cleaned', but as soon as I rebooted and rescanned, they came back on board. One of the stickiest trojans was the trojan Vundo, also known as Virtumonde. According to http://www.wikihow.com/Delete-Virtumonde,

"Virtumonde is a high risk adware infection. It has a huge impact on system performance and can corrupt data. It can be found on all Windows systems down to Windows 95. Adware.VirtuMonde is an adware program that downloads and displays popup advertisements for companies' commercial gains. It blocks access to Windows Update, changes the structure of Windows Explorer and modifies the registry. It can be executed on your machine by means of installing software with a secret adware."

After continuous attempts, my antivirus just couldn't get rid of Vundo. Finally, I decided to download Malwarebytes' Anti-Malware software. Lots of people on various forums talked about it and said good things. When I ran a scan using this guy this time, Vundo was totally exposed. Where the antivirus only reported 1 item infected, Malwarebytes reported 35, including files, folders, registry entries, etc. It asked for one last reboot, and the computer came out clear, as a person possessed with spirits comes out of the Ganges after a sacred dip. Malwarebytes got rid of Vundo through and through.

Vundo was now gone, but my system wasn't trojan-free yet. Malwarebytes kept reporting one more trojan, Seneka, and even after repeated removals, it kept reporting the same one. svchost kept failing with the following message: "general host process for win32 process has encountered a problem ......." To reboot the system, I had to hard shut it down, and then wait for a few minutes before restarting it. On top of that, I was not able to turn on my wireless internet. Clearly, the system was still in a hijacked state.

Eventually, I updated Malwarebytes to the latest version and ran the scan again, and lo, Vundo was back. It actually never left. The only thing was that Malwarebytes' older version was unable to detect it. I deleted the dirty entries again, and there it was: my system was out of the hands of the band of terrorists. It restarted like a champ, and all the errors were gone.

The lesson that I learnt from this is that it's very important to create a restore point periodically on your system. This way, if you find yourself in an infectious state (I mean your machine), you can roll back to the last known point of integrity of your system. One good point about System Restore is that it does not touch your personal files like Word docs, emails, and photos. It only targets system files and installed software. So if you run a System Restore, your current personal changes won't be affected. Also, it's very important not to visit websites you don't trust and that are little known, especially if it's on a system you can't risk getting hijacked. On top of these, it's very important to run antivirus and antimalware software periodically, otherwise you might expose your personal information to the rogues. Happy surfing!!
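One way to put that lesson into practice, as an added example that is not part of the original post: a PowerShell script that makes sure System Restore is on for the system drive, creates a checkpoint before risky activity, lists the latest restore points, and then checks that the protections this rogue switched off (the firewall, Security Center, Windows Update) are running again after a cleanup. It assumes Windows 7 or later with Windows PowerShell run from an elevated prompt; the checkpoint description and the three service names are my choices, not anything from the post.

```powershell
# Added example (not the original post's code). Run from an elevated prompt
# on Windows 7 or later; needs the Microsoft.PowerShell.Management cmdlets.
param(
    # Hypothetical default description; change it to say why you took the checkpoint.
    [string]$Description = "Manual checkpoint before installing new software"
)

# 1. System Restore only protects drives it is enabled on; make sure the
#    system drive (normally C:) is covered before relying on it.
$systemDrive = $env:SystemDrive + "\"
Enable-ComputerRestore -Drive $systemDrive

# 2. Create the restore point. Since Windows 8, Windows silently skips
#    more than one checkpoint per 24 hours unless the registry value
#    SystemRestorePointCreationFrequency is changed, so verify it in step 3.
Checkpoint-Computer -Description $Description -RestorePointType "MODIFY_SETTINGS"

# 3. Show the most recent restore points so the new one can be confirmed.
#    CreationTime is a WMI datetime string; ConvertToDateTime makes it readable.
Get-ComputerRestorePoint |
    Sort-Object -Property SequenceNumber -Descending |
    Select-Object -First 5 SequenceNumber, Description, RestorePointType,
        @{ Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 4. Post-cleanup check. The rogue in the post turned off the firewall and
#    antivirus and Virtumonde blocks Windows Update, so a protection service
#    that is stopped after a scan is a sign the machine is still hijacked.
$protectionServices = @{
    "MpsSvc"   = "Windows Firewall"
    "wscsvc"   = "Security Center"
    "wuauserv" = "Windows Update"
}
foreach ($name in $protectionServices.Keys) {
    $label = $protectionServices[$name]
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "$label service '$name' was not found"
    } elseif ($svc.Status -ne "Running") {
        Write-Warning "$label service '$name' is $($svc.Status), not Running"
    } else {
        Write-Output "OK: $label ($name) is running"
    }
}
```

A restore point is no substitute for the scans described above: it rolls back system files and installed software but leaves any infected personal file in place.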

3 comments:

Drawat said...

Hi,

Was away at KL (Kuala Lumpur) for a training and then took the weekend off at Genting Highlands.

Could not get to read this article fully.

Now we'll start blogging again with above-board memories of KL.

mayank sharma said...

My Outlook hangs every once in a while... our IT has not been able to resolve it till now. Any idea?

Alok J said...

Hard to say without looking into it.