
New System Tool infection campaign under way


14 replies to this topic

#1 Grinler

    Lawrence Abrams

  • Admin
  • 43,567 posts
  • Gender:Male
  • Location:USA

Posted 01 March 2011 - 04:29 PM

Here at BleepingComputer.com there has been a massive explosion of visitors to the System Tool Removal Guide since the 25th of February. Starting on the 25th, it appears that a System Tool affiliate, or numerous ones, have started a campaign to infect visitors with the System Tool rogue anti-spyware infection. The chart below shows the percentage increase that our removal guide has been receiving since the 25th:

Date       % Increase
2/25/11    50%
2/26/11    150%
2/27/11    450%
2/28/11    75%

This data is corroborated by looking at the trends for the keywords "System Tool" and "SystemTool" through Google Trends as shown in the chart below.



Though Trends is only showing the beginning of the increase, the sharp ascent is obvious. From the table above you can see that there is a sharp drop between the 27th and the 28th, but it is too soon to tell if this is the actual end of the malware campaign. What we do know is that there has been a substantial increase in users searching for the keywords System Tool or SystemTool, which are most likely infected users trying to figure out how to remove this program from their computer.

This new campaign appears to be utilizing the old tactics of fake online scanners, hacked sites, and exploit kits to push or install this program onto a computer without the user's knowledge. If installed via an exploit pack then there is also a high likelihood that other malware will be installed along with the rogue. This malware may include rootkits, downloaders, and other adware.





#2 qbie

  • Members
  • 1 posts
  • Gender:Male
  • Location:United Kingdom

Posted 01 March 2011 - 04:34 PM

I can definitely say this is the case. I work for a large PC store here in the UK, in one of the in-store technical departments. Since Sunday we have had an enormous amount of customers come in with System Tool infections, and I have spoken to my colleagues in other stores who have had the same thing.

It's been a fun couple of days!

q

#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,213 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 March 2011 - 04:37 PM

I can attest to this increase just from working our "Am I Infected" forum this week. Many more infections.
Thanks for the post.

#4 Eyesee

    Bleepin Teck Shop

  • BC Advisor
  • 3,541 posts
  • Gender:Male
  • Location:In the middle of Kansas

Posted 01 March 2011 - 05:36 PM

I can also attest that this is the case.
I deal with System Tool several times a week and I live in a small town.

#5 rezme

  • Members
  • 1 posts

Posted 01 March 2011 - 05:36 PM

I work for an antivirus company in malware removal. I can attest to this. We've seen a huge explosion in tickets this week with System Tool.

#6 vexation

  • Members
  • 1 posts

Posted 02 March 2011 - 04:20 AM

So how is this actually infecting systems? I'm finding Windows XP and Vista machines infected that are fully patched, with up-to-date Java, Adobe Reader and Adobe Flash, and standard user permissions. A variety of anti-virus software (Symantec Endpoint, McAfee Antivirus, MSE), and they're still being infected. Now in these cases it's normally pretty simple to remove, but it still shouldn't be happening (yeah, I'm tired of dealing with this).

So what's the attack vector? Or are there multiple? I'm assuming this is a new IE zero-day exploit or something? I'm getting tired of seeing this thing; there must be a way of stopping it.

I'd love to move everyone to Chrome or Firefox (assuming it's IE that's at fault) but it's not that easy for a lot of companies.

#7 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,567 posts
  • Gender:Male
  • Location:USA

Posted 02 March 2011 - 08:46 AM

They are either being manually installed because someone ran something (trojan downloader or the installer itself) or through an exploit kit.

#8 William Dorr

  • Members
  • 16 posts
  • Gender:Male

Posted 02 March 2011 - 09:07 AM

I was one of those hits checking on how to clean this thing off a computer at work, though I think it was on the 24th that it struck. I also found the Google search redirect rootkit on there as well, TDSSv4, I think it was called. Incidentally, that was the 2nd time that week that I had to deal with that rootkit.

#9 lightworker1111

  • Members
  • 1 posts

Posted 02 March 2011 - 09:41 AM

First of all, did you know Hotmail is infected? I think it's one of the banners. I wondered how could Microsoft allow unchecked advertisements from hackers; the truth is the hackers hacked the advertising company lol, who then unknowingly sent those adverts to Microsoft. So funny...

This is how we removed it for our staff at our company. Running new apps is blocked; I hear you can rename your apps to iexplorer.exe to make them load, but we use RunAs, as it seems that running as a different user prevents the virus from seeing them. We first RunAs Task Manager, c:\windows\system32\taskman.exe. Then we use a free tool called Autoruns; it's basically msconfig but much more useful.

#10 therock247uk

    Malware Killer

  • Malware Response Team
  • 154 posts
  • Location:Newark, Nottingham, UK

Posted 02 March 2011 - 02:20 PM

I've fixed 3 relatives'/friends' PCs of this since last Friday. It's spreading like wildfire; I posted on my FB about this.

#11 William Dorr

  • Members
  • 16 posts
  • Gender:Male

Posted 02 March 2011 - 10:35 PM

This is how we removed it for our staff at our company. Running new apps is blocked; I hear you can rename your apps to iexplorer.exe to make them load, but we use RunAs, as it seems that running as a different user prevents the virus from seeing them. We first RunAs Task Manager, c:\windows\system32\taskman.exe. Then we use a free tool called Autoruns; it's basically msconfig but much more useful.


Yeah, I renamed the SysInternals Process Explorer to explorer.exe and used that to kill the process. I know the removal guide says to boot into Safe Mode and run MBAM, but this particular computer that was infected would not boot into Safe Mode at all (not virus related, just an issue it's always had), so I had to improvise.

#12 TriggerJinxed

  • Members
  • 42 posts
  • Gender:Male
  • Location:Longk Islandt, Noo Yawk

Posted 03 March 2011 - 10:47 AM

Anyone here remember the CNN virus explosion? A trojan was infecting PCs, sending out mail with links claiming insane videos, to false CNN sites. Embedded in these sites were "videos" that made you update Flash to view them. When one would update their Flash, they'd infect themselves with Trojan Zlob, which would breed itself out through the unfortunate's mailbox. It would then proceed to replace the user's background with a blue screen of death, a screensaver that would mimic a perpetual reboot with a blue screen and finally, would install a fake AV that would ask the user for money to fix it. With the addition of social networking to the masses, stuff like this was bound to become common. And speaking of common, the best thing to fix said problem is to prevent it by installing some common sense. If a user goes to a site that asks him to update Flash, inform them DON'T DO IT. Tell them to go to adobe.com and check their Flash player there. I'm sure that there are people out there who, regardless of whatever you tell them, will still get infected. But tell yo wife, tell yo kids, tell yo husbands, they's infectin everyone out here.

#13 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,567 posts
  • Gender:Male
  • Location:USA

Posted 03 March 2011 - 10:55 AM

IMHO the best method is to have everyone install Secunia PSI and update any old programs that are found.

http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/

#14 Winterland

  • Members
  • 995 posts
  • Gender:Male
  • Location:The Land of Enchantment

Posted 03 March 2011 - 06:18 PM

Grinler, Thanks for the heads up and the link.

I've downloaded the Secunia app and will update my old trusty eMachine as well as my wife's (much nicer) laptop.

This site is great, and I really do appreciate all the info and tutorials.



#15 herg62123

  • Members
  • 553 posts
  • Gender:Male
  • Location:Montgomery, AL

Posted 19 June 2011 - 07:48 PM

IMHO the best method is to have everyone install Secunia PSI and update any old programs that are found.

http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/



Best app for updating old apps.


I found this site trying to find out how to remove the "WINDOWS 7 RECOVERY TOOL" ransomware/rogue app.

Edited by herg62123, 19 June 2011 - 07:51 PM.
