Identifying and Removing AntiVirus 2009 and Rootkit

I originally published this blog at http://community.ca.com/blogs/securityadvisor

December 12 2008, 03:19 PM         by         Benjamin Googins

On November 10 of this year in a blog titled “Emerging Threat: AntiVirus 2009” I explained that our Support and Research teams were seeing a jump in the number of AV 2009 infections (we first saw copies of AV 2009 in June of this year).  Well, this threat is well beyond ‘emerging’.  Over the last 4 weeks we have seen a jump in the use of rootkits to hide, protect, and keep the AV2009 infection resident.  Of course, the use of rootkits is nothing new and the rogue software AntiVirus 2009 is nothing new, but over the last 4 weeks our Support team has seen an explosion of the two working in tandem.  To learn more about rootkits, read here.

The Silent Infection Indicators (quite difficult to identify)

This infection is comprised of two very different components that work toward one cause, getting your money.  Your money is the bottom line!  First, you have the trojan element.  It consists of a variety of files, some of which include rootkit elements.  This component of the infection is not easily visible and is intent on staying hidden, running silently in the background, protecting itself and related files and downloading the rogue product.  The rootkit consists of a system driver located in the driver folder at C:\windows\system32\drivers\TDSS****.sys (not viewable without special tools).  The file name appears to be semi-random.  The first half of the driver name is fairly consistently “TDSS”.  The second half, represented here with asterisks (*), varies from install to install.  For example, across three installs, I had three different filenames: TDSSmxst.sys, TDSSliqp.sys, and TDSSosvn.sys – same file, different names.  This rootkit recently has been accompanied by the file brastk.exe, which shows up in two locations: C:\WINDOWS\system32\ and C:\WINDOWS.  This file is not randomly named and stays generally static (for now).  In some instances, this infection prevents common anti-rootkit tools from running.  The infection makes a lot of registry changes, like: “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata”.

The Noisy Infection Indicators (the easily visible aspects)

Second, the other component of this infection relates to the rogue security product.  This component is in your face and repeatedly pops up and nags at you.  You will often find links to it on your desktop and in your Program Files.  It is generally very easy to remove.  The infection opens a warning from the system tray at regular intervals (see the box numbered B, in the image below).  The sample I tested opened this warning every three minutes and would leave the window open for 16 seconds before closing.  If you click on the window, it will automatically begin downloading a rogue security product.  The rogue product can vary (and most assuredly will change in the future), but can include AntiSpywareXP 2009, AV2009, AntiVirus 2009, AV 2008, AntiVirus 2008 and other related variants (see the box lettered A below).  If you close the installation window, it will open the window again and continue downloading – this process will repeat indefinitely (and cause you a big headache).  There is a white “X” that stays resident in the system tray (see icon labeled C).

This infection makes changes to your system like adding new Program Files directories, registry changes and shortcuts on the desktop.  Directories include: %PROGRAM_FILES%\Antivirus 2009, %PROGRAM_FILES%\Antivirus2009, %STARTMENU%\Antivirus 2009, and %STARTMENU%\Antivirus2009, to name just a few.  These directory names generally are similar or identical to the name of the rogue security product.  These directories contain related files.  Registry entries are vast, and can include: “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xp antivirus 2008”.

The infection also redirects browser requests and often blocks your anti-malware product from updating.  The IPs change rapidly, so I will hold off posting anything specific here because they will probably be out of date by the time you read this, but if you try connecting to a site you regularly go to and are redirected to a strange page, you are probably infected.

Removing AntiVirus 2009

The easiest way: use an antimalware (anti-virus and/or anti-spyware) product.  If one product doesn’t work, try another.  Always run a full system scan, scanning every nook and cranny of the system.

Removing this infection by hand can be very difficult and not for the timid.  This threat tends to change very rapidly, changing IP addresses, changing filenames, altering registry keys, and downloading evolving rogue security products.  The infection varies across systems.  That said, if you want to attempt to remove this by hand, here are the basic steps.

FIRST, you need to remove the rootkit. To remove the rootkit, you will need to use some sort of tool.  Because this infection often blocks your Internet connection, it is good to have a second computer handy to download removal tools.  There are a variety of anti-rootkit tools available.  This is no endorsement of any specific tool or guarantee they will work, but a few include: GMER (http://www.gmer.net/index.php), IceSword (http://www.antirootkit.com/software/IceSword.htm), Rootkit Revealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx).  There are others.  Refer to each anti-rootkit tool’s documentation on how to use it properly.  In general, it is hit or miss and will require you to try and fail before you get it right and remove the rootkit.  If this interests you, jump in and have fun.  Beware, deleting the wrong files can permanently damage your computer and could result in losing data or having to reinstall the operating system and applications.  If you attempt to remove other infection components first, they will be quickly replaced.  It is like catching lizards; if you grab the tail, it will pull off and the lizard will grow a new one.  So focus your energy on finding and removing the rootkit.  For the sample analyzed for this write up, I needed to delete %WINDOWS%\system32\drivers\TDSS****.sys.

SECOND, after this, I was able to delete a variety of files in the %WINDOWS%\system32 directory.  Most of the files had file extensions like dll, dat and log.  For example, TDSSncur.dll, TDSScubs.log, and TDSSmtve.dat.  Expect these filenames to vary.
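The indicators listed in the two "Infection Indicators" sections and the file names in the removal steps above are easy to turn into a triage check. The script below is an added example, not CA's tooling or anything from the original post: it matches an inventory of file paths, registry keys and Run-key value names against those indicators (the TDSS****.sys driver, the TDSS**** .dll/.dat/.log files, brastk.exe, the tdssdata registry key, the rogue product directories, shortcuts and Run entries) and orders the hits in the removal order the post recommends, rootkit first. The sample inventory is constructed for illustration, and the %WINDOWS%, %PROGRAM_FILES% and %STARTMENU% defaults are assumed XP-era locations. Because the rootkit hides its own driver from the running system, the file list fed to it must come from a tool that sees past the rootkit or from a drive mounted offline on a clean machine.

```python
"""Indicator matcher for the AntiVirus 2009 / TDSS infection described in the post.

Added example (not CA's code). Matches an inventory of paths, registry keys and
Run-key value names against the post's indicators and orders hits rootkit-first.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed default locations (XP-era) so %WINDOWS%-style paths from the post
# compare equal to concrete paths; adjust for a non-default install.
ENV_DEFAULTS = {
    "%windows%": r"c:\windows",
    "%program_files%": r"c:\program files",
    "%startmenu%": r"c:\documents and settings\all users\start menu",
}
SYSTEM32 = r"c:\windows\system32"
DRIVERS = SYSTEM32 + r"\drivers"

# The post's samples use a fixed "TDSS" prefix followed by four varying characters.
TDSS_DRIVER = re.compile(r"^tdss[a-z0-9]{4}\.sys$")
TDSS_SUPPORT = re.compile(r"^tdss[a-z0-9]{4}\.(dll|dat|log)$")
# Rogue product names from the post: Antivirus 2009, Antivirus2009, AV 2008,
# AntiSpywareXP 2009, and the Run value "xp antivirus 2008".
ROGUE_NAME = re.compile(r"^(xp )?(antivirus|antispywarexp|av) ?20(08|09)$")
TDSS_REG_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\tdssdata"

# Removal order from the post: rootkit driver first, then its support files,
# then the dropper and the rogue product, which otherwise just get re-downloaded.
PRIORITY = ["tdss-rootkit-driver", "tdss-support-file", "tdss-registry-data",
            "brastk-dropper", "rogue-run-entry", "rogue-product-artifact"]


@dataclass(frozen=True)
class Finding:
    indicator: str
    item: str


def _norm(path):
    p = ntpath.normcase(path)  # lowercase, forward slashes become backslashes
    for var, default in ENV_DEFAULTS.items():
        p = p.replace(var, default)
    return p


def classify_path(path):
    """Return an indicator name for a file path, or None if it matches nothing."""
    p = _norm(path)
    directory, name = ntpath.split(p)
    if directory == DRIVERS and TDSS_DRIVER.match(name):
        return "tdss-rootkit-driver"
    if directory == SYSTEM32 and TDSS_SUPPORT.match(name):
        return "tdss-support-file"
    if name == "brastk.exe":  # the post saw it in C:\WINDOWS and C:\WINDOWS\system32
        return "brastk-dropper"
    # Program Files / Start Menu directories and desktop shortcuts named after the rogue product.
    for part in p.split("\\"):
        if ROGUE_NAME.match(ntpath.splitext(part)[0]):
            return "rogue-product-artifact"
    return None


def classify_registry_key(key):
    return "tdss-registry-data" if ntpath.normcase(key) == TDSS_REG_KEY else None


def classify_run_value(name):
    """Classify a value name under HKCU\\...\\CurrentVersion\\Run."""
    return "rogue-run-entry" if ROGUE_NAME.match(name.strip().lower()) else None


def scan(inventory):
    """inventory: dict with 'files', 'registry_keys' and 'run_values' lists."""
    findings = []
    for path in inventory.get("files", []):
        if (ind := classify_path(path)) is not None:
            findings.append(Finding(ind, path))
    for key in inventory.get("registry_keys", []):
        if (ind := classify_registry_key(key)) is not None:
            findings.append(Finding(ind, key))
    for value in inventory.get("run_values", []):
        if (ind := classify_run_value(value)) is not None:
            findings.append(Finding(ind, value))
    return findings


def prioritize(findings):
    """Order findings in the post's removal order (stable for equal priority)."""
    return sorted(findings, key=lambda f: PRIORITY.index(f.indicator))


# Constructed sample inventory: the TDSS and brastk names come from the post,
# the rest are illustrative, including two legitimate files that must not match.
SAMPLE_INVENTORY = {
    "files": [
        r"C:\WINDOWS\system32\drivers\TDSSmxst.sys",
        r"C:\WINDOWS\system32\TDSSncur.dll",
        r"C:\WINDOWS\system32\TDSScubs.log",
        r"C:\WINDOWS\system32\TDSSmtve.dat",
        r"C:\WINDOWS\brastk.exe",
        r"C:\WINDOWS\system32\brastk.exe",
        r"C:\Program Files\Antivirus 2009\av2009.exe",
        r"C:\Documents and Settings\user\Desktop\Antivirus 2009.lnk",
        r"C:\WINDOWS\system32\drivers\tcpip.sys",
        r"C:\WINDOWS\system32\ntdll.dll",
    ],
    "registry_keys": [
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    ],
    "run_values": ["xp antivirus 2008", "ctfmon.exe"],
}

if __name__ == "__main__":
    for f in prioritize(scan(SAMPLE_INVENTORY)):
        print(f"{f.indicator:24} {f.item}")
```

On a real machine the "files" list would be the output of a directory listing taken by an anti-rootkit tool or from the drive mounted on a clean system, and the registry and Run entries would come from an offline hive or a tool such as the ones named in the removal steps. The point of the ordering is the post's lizard analogy: the output puts the driver at the top so the rootkit is dealt with before the files it would otherwise replace.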

THIRD, I was able to remove the rogue security product.  This should be easy, if you have properly removed the rootkit and related files.

Preventing Antivirus 2009 (and other infections) from infecting your system

  1. Install a stand-alone firewall or activate the basic firewall included in Windows XP SP2 and Windows Vista.
  2. Practice safe browsing techniques.
  3. Exercise caution when opening email attachments.
  4. Set up “automatic updates” for your operating system.
  5. Keep your anti-malware product up to date.
  6. Be sure the “active protection” feature is enabled on anti-malware product.

Tips related to Antivirus 2009

  1. Do not pay any money to Antivirus 2009 to “activate” the product.  If you pay the $40.00 requested, the threat will not go away, but they will happily take your money and the cycle of extortion will continue.
  2. It is possible you can use System Restore to restore your computer to a previous, uninfected state.  To learn more about System Restore, go here.

By: Benjamin Googins


Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…

Original Comments:

I was infected with the Antivirus 2009.  I have done a number of extensive system scans using CA antivirus/CA antispyware/and CA firewall.  Is this all I need to do or do I have to do more to make sure the Antivirus 2009 is gone? Posted by: Theresa, January 3, 2009 1:01 PM

Great article. I’ve just seen exactly these symptoms whilst investigating a friend’s PC. Unfortunately I struggled to remove the rootkit part of this horror and eventually ended up buying a new PC instead. They wanted to go Vista anyway and as the infected one was low spec and quite old it seemed like a good time to upgrade. One bit of info I could do with concerns their old files from the infected PC and I can’t seem to find an answer so thought I’d try asking here. I wanted to rescue their Word docs and photos from the old PC along with the e-mail archive from Outlook Express. Is there any way for AV 2009 and the rootkit to transfer via those types of files? I’d hate to infect the new machine. Thanks. Posted by: Richard, January 5, 2009 9:18 AM

After running the latest version of updated Malwarebytes, no traces of any rootkits are found. Posted by: Alex, January 8, 2009 3:59 PM

Finally a GREAT informative article on this threat!  I was infected with Antivirus 360 (another variant not mentioned in this article) on an XP machine just before Christmas, and it totally disabled the system so that I had to get a new one, and purchase different security software (CA).

Several days ago, on the new system with CA, while browsing for something on the Internet, it appeared again, this time as Antivirus 2009.  It appeared to commence downloading or performing some kind of operations immediately, in that there was a progress bar on my taskbar, and there were file names popping on very fast.  I earlier read that choosing ‘yes’ or ‘no’ to the fake Windows dialog would start the invasion, so I closed it with the upper right ‘x’.  Another window or page popped up with similar activity, and I closed it as well.  Now I’m scared that I’m infected, and have taken considerable time to research this and determine how to proceed.  The first step was to spend a lot of frustrating time in a CA technical chat session which was not very helpful.

I would be interested in the answers to the previous questions, but I don’t see any.  Are you there, Benjamin?

I still need to attempt to restore my data from my previous drives, so the question about reinfection is very relevant.  My plan is to hook them up via USB in an enclosure.  I definitely want to make sure any threats are detected and refused before transferring them. Posted by: Greg, January 15, 2009 3:10 PM

I have a problem similar to the above (Gateway 7330 running WinXP.)  When the attack began I quickly disabled the laptop’s network adapter.  I was puzzled at first as I hadn’t been browsing any of the content traditionally associated with such problems.  I later read that some hackers have been watching Google and other search sites for popular searches.  Fake websites with feigned content descriptions meant to put said site among the top 10 search results are then put up.  i.e. a site claims to have video for a recent MMA fight or other popular content but has nothing but this malware garbage just itching to invade.  The bogus site has a goofy URL but before the back button or x button, “security center” malware sets up a beachhead and after a trigger, Anti Virus 2009 is off and running.  I went through the motions with the Microsoft phone talkers of India.  Their canned procedures consisted mainly of rebooting the system in normal and then safe mode.  After running “iexplorer.exe” at the command prompt things went from bad to worse and ultimately the laptop would not even boot up.  They told me to buy a full version of XP and call them back.  On my own, I attempted to do a system restore using the discs that came with the machine.  Everything installs and after a reboot, a progress bar for configuring hardware pops up, moves a ways and then the computer freezes… every time.  A total reformat didn’t help either.  I removed the hard drive, and used a USB adapter to run a DOD grade drive wiping program on a desktop to ensure that every bit on the hard drive had been reset.  It still freezes at the system settings stage.  All I can think of now that I haven’t tried is a reset/reflash of the BIOS (freezing at system settings leads me to believe it’s a hardware issue – firmware or BIOS). Some way of reflashing whatever hardware it is that causes the freeze is another idea.
It’s in a corner now (my patience ran out but I still refuse to admit defeat). PS – never surf the net w/o an active 2-way firewall.  Antivirus/antispyware by itself is insufficient protection. Posted by: Matt, July 24, 2009 6:20 PM

I have been noticing various noisy infection indicators throughout my computer and believe my computer is infected. One specific indication was a misspelling of the pop-up window at the bottom right corner of the screen that told me to download tools to “pervent data loss.” The misspelling of “prevent” made me suspicious and when I called my friend, he told me there was a chance that this error was really a piece of spyware.
