
Fixing West Yorkshire Police Virus + Fake Antivirus 2012



#1 richto

richto

  • Members
  • 2 posts

Posted 27 May 2012 - 11:09 AM

Hi,

I had a virus / trojan infected Windows 7 SP1 laptop from a neighbour that is not technically competent and has asked me for help.

When I received it, it had fake Smart Fortress 2012 virus scanner alerts popping up everywhere as well as a West Yorkshire Police warning notice in the background asking for £100 - I then booted into safe mode + networking and cleaned the laptop with Malwarebytes via Chameleon - which removed the 2012 virus popups.

When booted in normal mode - the fake West Yorkshire Police warning still popped up. Also when booted in both safe and normal mode, google searches were still redirected to various advert sites.

Luckily no documents or pictures were encrypted - as I understand is usual with this virus.

I booted to Safe mode and ran TDSS Killer - this crashed every time I tried to scan.

Then I ran ESET online scanner from Safe Mode + Networking which found Kryptik.AFTK Trojan, Kryptik.AFQZ Trojan, Injector.RUJ Trojan, Sirefef.W Trojan and Java Exploit CVE-2010-4452.B Trojan ! And PSW.Papras.CE in memory, and I cleaned them and rebooted.

Rebooting sees that the Police Warning Notice is gone, and the Search Redirect seems to be fixed :-)

TDSS Killer would now run, and it found nothing.


However the virus had left some mess:

Windows Update had been disabled - enabling the Windows Update service from Control Panel / Administrative Tools / Services and then starting it fixed that.

Microsoft Security Essentials was broken and the service had been deleted. Uninstalling it from Control Panel / Programs and Features and then reinstalling via Windows Update fixed that.

On rebooting, MSE detected yet more Trojans - Win32/Ramnit and Ldpinch.DB - and removed them.


As a final clean up I uninstalled Java (the likely exploit used) and updated Adobe Reader to the current version...


Hope this helps someone else get rid of this nasty combination...

Edited by richto, 27 May 2012 - 11:52 AM.



#2 Broni

Broni

  • BC Advisor
  • 42,772 posts
  • Location:Daly City, CA

Posted 27 May 2012 - 01:04 PM

On rebooting, MSE detected yet more Trojans - Win32/Ramnit and Ldpinch.DB - and removed them.


I'm afraid I have very bad news.

You're infected with Ramnit file infector virus.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.



#3 richto

richto
  • Topic Starter
  • Members
  • 2 posts

Posted 27 May 2012 - 04:21 PM

I double checked system file integrity via SFC /Scannow and all OS binaries are intact. I also checked open ports via Netstat -AN and there is nothing open that is unexpected. Therefore I think it likely the system is now clean.

Yes it is possible that something remains, but that is true of any multiple infection.

There was a known JRE exploit present so I am confident that this was the exploit method used, and Java has now been removed blocking any further attacks via that route.

There is a lot of software / data installed on the system so OS reinstallation would be a last resort, and something I will consider only if it gets a further unexplained infection.

It is now back with its owner....

Edited by richto, 27 May 2012 - 04:29 PM.
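Added example, not code from either poster: a PowerShell script that automates the post-cleanup checks described in this thread, re-enabling and starting the Windows Update service and confirming the MSE service still exists (post #1), running an SFC integrity check and reviewing listening ports against a baseline (post #3). The service name MsMpSvc and the port baseline are assumptions for illustration; an unexpected listener is a prompt to look at the owning process, not a verdict either way on whether the machine is clean.

```powershell
# Added example (not part of the thread). Run from an elevated PowerShell
# prompt: Set-Service, Start-Service and sfc.exe all need administrator rights.
# Written against PowerShell 2.0 cmdlets so it works on a Windows 7 SP1 box.

# Services the infection disabled or removed. 'wuauserv' is Windows Update;
# 'MsMpSvc' is ASSUMED to be the Microsoft Security Essentials service name.
# Win32_Service.StartMode reports 'Auto', 'Manual' or 'Disabled'.
$ExpectedServices = @('wuauserv', 'MsMpSvc')

function Repair-ExpectedService {
    param([string[]]$Names = $ExpectedServices)
    foreach ($name in $Names) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            # A deleted service (as happened with MSE here) cannot be re-enabled;
            # the product that provides it has to be reinstalled.
            Write-Warning "$($name): service is missing; reinstall the product that provides it"
            continue
        }
        if ($svc.StartMode -ne 'Auto') {
            Write-Warning "$($name): start mode is $($svc.StartMode); setting it to Automatic"
            Set-Service -Name $name -StartupType Automatic
        }
        if ($svc.State -ne 'Running') {
            Write-Warning "$($name): state is $($svc.State); starting it"
            Start-Service -Name $name
        }
        Get-Service -Name $name | Format-Table Name, Status, DisplayName -AutoSize
    }
}

# ASSUMED baseline of TCP ports that normally listen on this workstation.
# Capture the real baseline from a known-clean machine of the same build.
$BaselinePorts = @(135, 139, 445, 5357)

function Get-UnexpectedListener {
    param(
        [int[]]$Baseline = $BaselinePorts,
        [string[]]$NetstatLines = (netstat -ano)   # -o adds the owning PID
    )
    # A TCP listener line from netstat -ano looks like:
    #   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    812
    # The address group also copes with IPv6 forms such as [::]:135.
    $pattern = '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'
    foreach ($line in $NetstatLines) {
        if ($line -match $pattern) {
            $port      = [int]$Matches[2]
            $processId = [int]$Matches[3]
            if ($Baseline -notcontains $port) {
                $proc = Get-Process -Id $processId -ErrorAction SilentlyContinue
                New-Object PSObject -Property @{
                    LocalAddress = $Matches[1]
                    Port         = $port
                    OwningPid    = $processId
                    Process      = $(if ($proc) { $proc.Name } else { '(unknown)' })
                }
            }
        }
    }
}

function Invoke-IntegrityCheck {
    # sfc /verifyonly checks protected OS files without repairing them; the
    # /scannow switch used in the thread also repairs. Details go to CBS.log.
    & sfc.exe /verifyonly
    return $LASTEXITCODE
}

Repair-ExpectedService
Get-UnexpectedListener | Format-Table LocalAddress, Port, OwningPid, Process -AutoSize
Invoke-IntegrityCheck
```

Anything Get-UnexpectedListener reports is worth tracing to its executable before the machine goes back to its owner; an unfamiliar process name bound to a port is exactly the kind of backdoor residue Broni's reply is concerned about.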




