On 2013-01-14 I got hit by a virus, the first time ever. It was what the RCMP (Royal Canadian Mounted Police) call scareware. It suddenly popped up, locked my screen, claiming I had broken some law and must wire them $100 to unlock my computer. If I failed to do so within 24 hours they would erase my hard drives. They would also erase them if it detected any attempts to remove it.

I follow all the usual rules to avoid infection. I figure I must have picked it up via running an unsigned Java applet or some JavaScript code.

How I Got Rid Of the Damn Thing

Anyway, I got rid of it by booting to safe mode (by hitting F8 repeatedly during the boot process, or hitting F8 to select the BareMetal partition). I did not run the Security Essentials virus scan right away, concerned it may be booby-trapped. Instead I ran Ace Utilities and had a look at the code configured to run at startup in its startup manager. I noticed a suspicious runcff.lnk from Microsoft, disabled it, booted normally and all seemed to be ok.

I thought I was running Microsoft Security Essentials on a regular schedule, but I was not. When I ran a full scan after I defanged the Trojan, it found three copies of the Trojan and identified it as Reveton.N. Microsoft’s mug shot on it was bang on, including a slightly out of date screen shot. Unfortunately, Microsoft had nothing to say about how the Trojan infects computers. I am impressed, though I think it is time to make it impossible for any virus or Trojan to attack rather than relying on identifying culprits after the fact. One variant is known as W32/Urausy.B, another as W32/Tobfy.G.

On 2013-05-06 I got hit by it again. I was quite surprised. I thought the Java vulnerability it used had been fixed. Getting rid of it this time was a little harder. I had to delete a C:\Users\user\AppData\Low\build.exe file as well as remove the startup link. Security Essentials refused to run in Safe Mode. The virus upped the ante, threatening to frame me for possession of child or animal pornography if I did not pay up. This is a very disagreeable way to earn a living. I hope somebody tracks these buggers down and hurts them severely.

On 2013-05-20 it got me yet again. It caused no trouble. Security Essentials caught it before it triggered.

On 2013-05-27 it got me yet again. I was running Security Essentials in non-stop mode. I tried running Security Essentials booting from a different partition. It was unable to get rid of it or even see it. There was no visible autoload to disable.

I tried the free Bit Defender. No joy. It refused to even look at the drive where I suspected it was hiding. I eventually got rid of it with a special-purpose tool from Bit Defender they refer to as the FBI Ransomware virus removal tool. You have to run it in safe mode, since the virus blocks you from running any software. The virus creators are at large, polishing the virus to be ever more difficult to get rid of. One stupid variant of it was very easy to get rid of. It put itself in a temp directory, which made it easy to notice and easy to remove. It has been around for at least 5 months. It is high time they were stopped.
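As an added example (not from the original post), here is a PowerShell triage script that does what the startup-manager check above does by hand: it lists the Run/RunOnce registry entries and Startup-folder shortcuts, resolves each .lnk to its real target, and flags any target that lives under a user-writable profile directory such as AppData, the pattern of the runcff.lnk and build.exe found above. The AppData\Low path is taken from the post; the rest are standard Windows locations.

```powershell
# Added example (not from the post): list autostart entries and flag those whose
# target lives in a user-writable profile directory, the pattern seen above
# (a .lnk in the Startup folder, an .exe under AppData). Read-only: it reports,
# deletes nothing, and is meant to be run from Safe Mode or another partition.

$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                  "$env:USERPROFILE\AppData\LocalLow",
                  "$env:USERPROFILE\AppData\Low")   # the path named in the post

function Get-CommandPath {
    # Executable from a Run-key command line such as: "C:\dir\x.exe" /arg
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    return [bool]($suspectRoots | Where-Object { $_ -and $Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
}

$findings = @()
# 1. Run / RunOnce keys for the current user and the machine.
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
            $target = Get-CommandPath ([string]$p.Value)
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Target = $target; Suspect = Test-SuspectPath $target }
        }
    }
}

# 2. Startup folders: resolve each .lnk to the file it really launches.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($item in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
        $findings += [pscustomobject]@{ Source = $dir; Name = $item.Name; Target = $target; Suspect = Test-SuspectPath $target }
    }
}

$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Entries marked Suspect are the ones to inspect and, once confirmed, disable from Safe Mode before running the full scan; a legitimate updater can also live under AppData, so the flag is a prompt to look, not a verdict.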

Protect Yourself

In the meantime, I advise turning Security Essentials real-time protection on and doing a nightly full scan to kill it before it locks your machine. Or use one of the other commercial virus scanners in the list, or Microsoft’s.

Police Reaction

The police were very ho-hum, saying there was a rash of such attacks and they wanted to treat them like ordinary virus attacks. I guess they figured nobody would be stupid enough to fall for the extortion. Apparently some variants claim to have found kiddie porn or accuse the computer owner of various random crimes. Anyone who read this carefully would realise it had to be a scam. The English was weak. There were no phone numbers or websites to check for more information. The supposed author was simply the police, without even mentioning the country, though this one did have some touristy photos of red-coated RCMP officers. The police said all I could do was take the machine to a repair shop. They had no interest in tracking down the address that was accepting the funds. You can, however, report your attack at the CAFC (Canadian Antifraud Centre). They said they are being inundated by reports of this virus and its variants. I think its success comes from the fact that the usual means of avoiding infection do not work. It is sort of like an HIV (Human Immunodeficiency Virus) that can burrow through condoms. This virus is being constantly improved. It is hassling thousands of people all over the world. The police ought to get off their butts. The gang responsible is causing far more harm than a gang of bank robbers.

Inadvertent Scareware

Years ago my landlord was computer naïve. He got a message, Illegal computer operation. He had no idea what law he had broken, but he panicked, quickly shut off the computer and waited for the police to come and arrest him. Computer people should not use the word illegal when they mean invalid. They do it all the time, e.g. illegal character, illegal escape, illegal forward reference, illegal nonvirtual, illegal reference to static, illegal start of expression, IllegalAccessError, IllegalAccessException, IllegalArgumentException, IllegalBlockSizeException, IllegalComponentStateException, IllegalMonitorStateException, IllegalPathStateException, IllegalStateException, IllegalThreadStateException, MonitorStateException…