Malware News

Watch out for fake virus alerts

Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.

How does rogue security software get on my computer?

Rogue security software designers create legitimate looking pop-up windows that advertise security update software. These windows might appear on your screen while you surf the web.

The "updates" or "alerts" in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security software downloads to your computer.

Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to protect your computer.

What does rogue security software do?

Rogue security software might report a virus even though your computer is actually clean. The software might also fail to report viruses when your computer is infected. Conversely, rogue security software sometimes installs a virus or other malicious software on your computer when you download it, so that the software has something to detect.

Some rogue security software might also:

  • Lure you into a fraudulent transaction (for example, upgrading to a non-existent paid version of a program).
  • Use social engineering to steal your personal information.
  • Install malware that can go undetected as it steals your data.
  • Launch pop-up windows with false or misleading alerts.
  • Slow your computer or corrupt files.
  • Disable Windows updates or disable updates to legitimate antivirus software.
  • Prevent you from visiting antivirus vendor websites.

Rogue security software might also attempt to spoof the Microsoft security update process. Here's an example of rogue security software that's disguised as a Microsoft alert but that doesn't come from Microsoft.

Example of a warning from a rogue security program known as AntivirusXP. For more information about this threat, including analysis, prevention and recovery, see the Trojan:Win32/Antivirusxp entry in the Microsoft Malware Protection Center encyclopedia.

Here is the legitimate Microsoft Windows Security Center:

Screenshot of legitimate Microsoft Windows Security Center

To help protect yourself from rogue security software:

  • Install a firewall and keep it turned on.
  • Use automatic updating to keep your operating system and software up to date.
  • Install antivirus and antispyware software such as Microsoft Security Essentials and keep it updated. For links to other antivirus programs that work with Microsoft, see Microsoft Help and Support List of Antivirus Vendors.
  • If your antivirus software does not include antispyware software, you should install a separate antispyware program such as Windows Defender and keep it updated. (Windows Defender is available as a free download for Windows XP and is included in Windows Vista.)
  • Use caution when you click links in email or on social networking websites.
  • Use a standard user account instead of an administrator account.
  • Familiarize yourself with common phishing scams.

If you think you might have rogue security software on your computer:

Scan your computer. Use your antivirus software or do a free scan with the Microsoft Safety Scanner. The safety scanner checks for and removes viruses, eliminates junk on your hard drive, and improves your PC's performance.

Get help from a Microsoft partner. If you have trouble removing the software yourself, you can enter your zip code to find experts in your area.

Check your accounts. If you think you might have entered sensitive information, such as credit card numbers or passwords into a pop-up window or at a rogue security software site, you should monitor your associated accounts. For additional information, see Email and web scams: How to help protect yourself.

If you suspect that your computer is infected with rogue security software that is currently not detected with Microsoft security solutions, you can submit samples using the Microsoft Malware Protection Center submission form.

Overview -

W32/Winemmem is a file infecting virus with backdoor functionality.

Aliases

  • W32.Winemmem!Inf (Symantec)

Characteristics -

W32/Winemmem infects packages, installers and self-extracting archives (files with extra data appended after the last section, the so-called "overlay"). It rewrites the code section of the original application and relocates a randomly sized block of code from the beginning of the code section and from the OEP to the end of the file, increasing the size of the overlay. The virus does not create new sections and does not modify the PE header. To gain control when an infected file is run, it rewrites the original code located at the entry point.
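As an added defender-side illustration (not McAfee's code and not taken from the page), the following Python parses just enough of the PE header to measure the overlay and flags a file whose header and section table are unchanged but whose overlay has grown, which is the footprint described above. The PE bytes it builds are a constructed fixture, not a real sample.

```python
import struct

def pe_overlay_info(data: bytes) -> dict:
    """Parse just enough of a PE header to locate the entry point and the end
    of the last section's raw data; anything past that end is overlay."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    raw_end = 0
    for i in range(nsec):                                     # 40-byte section headers
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        raw_end = max(raw_end, raw_ptr + raw_size)
    return {"entry_rva": entry_rva, "raw_end": raw_end,
            "overlay": max(0, len(data) - raw_end)}

def overlay_grew_without_header_change(baseline: bytes, current: bytes) -> bool:
    """Winemmem leaves the PE header and section table intact and only grows the
    overlay, so compare a known-good copy against the file as found now."""
    b, c = pe_overlay_info(baseline), pe_overlay_info(current)
    return (b["raw_end"] == c["raw_end"] and b["entry_rva"] == c["entry_rva"]
            and c["overlay"] > b["overlay"])

def build_sample_pe(code: bytes, overlay: bytes) -> bytes:
    """Constructed minimal 32-bit PE with one .text section plus an overlay.
    It is a parser fixture only, not a runnable program and not a real sample."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x200, 0, 0, 0x1000, 0x1000, 0x1000)
    opt += bytes(0xE0 - len(opt))                              # rest of optional header
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + opt + sec
    hdr += bytes(0x200 - len(hdr))                             # headers padded to 0x200
    return hdr + code.ljust(0x200, b"\0") + overlay

if __name__ == "__main__":
    clean = build_sample_pe(b"\x55\x8b\xec\xc3", b"INSTALLER-PAYLOAD")
    grown = build_sample_pe(b"\xe9\x00\x00\x00\x00", b"INSTALLER-PAYLOAD" + b"RELOCATED-CODE")
    print(pe_overlay_info(clean), overlay_grew_without_header_change(clean, grown))
```

In practice the baseline comes from a known-good copy of the file, such as the vendor's original installer or a file-integrity database.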

On execution, the virus hooks the following APIs of the current process:

  • CreateFileA
  • ExitProcess
  • ExitWindowsEx

----Update on April 7, 2009---

Once the virus has hooked the CreateFileA() API and gained control, W32/Winemmem searches for Windows PE executables in the Program Files folder. It then parses the Import Table of each executable (EXE) and searches for the system dynamic link libraries (DLLs) that the executable imports. Next, the virus copies each DLL it finds into the same folder as the EXE and infects the copy by modifying the code at the entry point and appending the virus body to the end of the last section, so that the malicious code is executed every time any of the infected EXE files is run.

Upon execution, the virus hooks the WS2_32.dll Send() API and performs its malicious activity the first time an infected application calls it. It may infect files on removable drives by searching the entire drive for suitable executables, or download and execute remote files from [REMOVED].c0m.st.

We also detect the infected versions of modified system libraries as W32/Winemmem.
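An added example (not from the page's source) that checks for the side effect described in the update above: system DLLs copied into application folders under Program Files, where the copy sits beside the EXE that imports it. The directory paths are assumed arguments, and the tree it builds for the dry run is constructed with made-up file names and contents.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def find_shadowed_system_dlls(program_files: Path, system32: Path) -> list[dict]:
    """List DLLs under an application tree whose file name matches a DLL in the
    system directory. A same-named DLL beside an EXE is picked up before System32
    by the normal DLL search order; one whose hash differs matches the Winemmem
    symptom of a copied and then modified system library."""
    reference = {p.name.lower(): sha256_of(p) for p in system32.glob("*.dll")}
    findings = []
    for dll in sorted(program_files.rglob("*.dll")):
        ref_hash = reference.get(dll.name.lower())
        if ref_hash is None:
            continue                                   # vendor DLL, not a system name
        findings.append({
            "path": str(dll.relative_to(program_files)),
            "next_to_exe": any(dll.parent.glob("*.exe")),
            "differs_from_system32": sha256_of(dll) != ref_hash,
        })
    return findings

def build_demo_tree(root: Path, infected: bool) -> tuple[Path, Path]:
    """Constructed directory layout for a dry run (fake contents, not real DLLs)."""
    sys32, progs = root / "System32", root / "Program Files"
    sys32.mkdir(); progs.mkdir()
    (sys32 / "ws2_32.dll").write_bytes(b"GENUINE-WS2_32")
    app = progs / "SomeApp"; app.mkdir()
    (app / "someapp.exe").write_bytes(b"MZ-someapp")
    if infected:                                       # copied beside the EXE and modified
        (app / "ws2_32.dll").write_bytes(b"GENUINE-WS2_32" + b"+APPENDED-VIRUS-BODY")
    other = progs / "OtherApp"; other.mkdir()
    (other / "vendor.dll").write_bytes(b"MZ-vendor")   # not a system name, ignored
    return progs, sys32

def demo(infected: bool = True) -> list[dict]:
    """Run the check on a throwaway constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        progs, sys32 = build_demo_tree(Path(tmp), infected)
        return find_shadowed_system_dlls(progs, sys32)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, point it at the actual Program Files and System32 directories and treat every hit with differs_from_system32 set as a file to quarantine and submit for analysis.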

Symptoms -

Modified executable files (increase in the size of exe files).

Method of Infection -

W32/Winemmem is a file infecting virus. Infection starts with manual execution of the binary. Executables in network shares may also get infected if accessed by the compromised machine.

W32.Koobface Malware

Risk Level 2: Low

Discovered: August 3, 2008
Updated: April 22, 2010 6:59:12 AM
PCWorld (PCWorld.com)

  • Windows 8 Security: What's New
    Windows 8 is a major OS overhaul, but some of the most important additions might be the ones you can't see. Here's a look at Windows 8's new security tools and features.