Helping people with computers... one answer at a time.

Viruses seem to come at us from all directions, and lately that includes websites. We'll look at how this happens and what you need to do to stay safe.

Last night I was researching some information about Vista. I went to a legitimate help site I've used before. As soon as I clicked on the site my machine became infected with "Antivirus XP 2008". I have a current CA Antivirus 2008, Windows Defender, and my firewall is active. I immediately ran full system scans with CA and Defender in Safe Mode with Networking. Nothing was detected. I found removal instructions at bleepingcomputer.com using a free product called Malwarebytes' Anti-Malware and it worked like a charm. Then I had to fix a missing Desktop Tab in my display dialog box as well as edit the registry to make the display wallpaper functional again. All of this leads up to my questions....

I've been hearing a lot about "Antivirus XP 2008" recently, and it seems to be active out in the wild.

The questioner goes on to ask 4 very good questions about this particular attack, and web-site based attacks in general, and I want to address each one individually.

First, if you're dealing with "Antivirus XP 2008", here are a couple of resources to get you fixed up:

On to the specific questions.

Why didn't my CA AV and/or Windows Defender stop this attack? This rogue malware has been around for several months - enough time for CA and MS to update their definitions.

That's a very good question. As you can see, I included a link above to information on this specific threat on the CA website. Among other things, that site includes the specific version of the CA anti-virus database to which detection of "Antivirus XP 2008" was added: roughly a month prior to getting the question (and updated about a week or so ago).

What this leads me to wonder is whether or not you are, in fact, getting the latest database updates automatically. If not, this could be a classic case of why you should always make sure that all anti-malware software is updating its database regularly: new threats show up all the time. Regardless, it's the first thing I would check.

"... this could be a classic case of why you should always make sure that all anti-malware software is updating its database regularly ..."

Second, in some variations of this threat you must actually click on the bogus warning message presented by the malware in order to be infected. If you saw that message, and ran your scans prior to dismissing or clicking on the message, you might not yet have been infected.

But my money's on the issue somehow being the database updates.

How did the malware get onto a legitimate website? Hackers? The site webmaster?

You didn't indicate the site (I'll assume it wasn't mine Smile), so I can't comment on its legitimacy. Obviously, the webmaster can do pretty much anything. In some cases, the webmaster it not necessarily the site owner, but rather a employee or a contractor, so I suppose there's always some level of risk, but I don't consider it to be all that high - again, if this is a truly legitimate site.

More commonly, the culprit is a hacker.

In the past, we've associated hackers with destructive behavior; things like defacing a site, deleting the site contents, or putting up offensive material in its place. Lately, the tactics have shifted so that a hacked site isn't quite as obvious to the owner as it once was. Hackers now do it with a purpose: to spread malware, or to game the search engines. Depending on the underlying technologies used to implement the web site, there may be security vulnerabilities that would allow a knowledgeable hacker access in such a way that they could quietly manipulate the site contents to include things like malware downloads.

This is the reason that contacting the site owner is exactly what you should have done. It's on them to listen to you, and I hope they do, since I consider this the most likely vector for this particular problem to have happened.

Another newly emerging class of attack vector is advertising. Occasionally, malicious folks will actually purchase ads into which they place the first step of their attacking code. Most ad networks will immediately reject these types of ads, and actual successful use of this approach has so far been very rare.

Do websites use any kind of anti-malware programs to keep from becoming infected?

Not really, since the threat is ... different. There are certainly things that could be scanned for, and as this threat is on the rise this type of scanning is happening more and more. However, the web isn't quite like your PC. A "hack" could be a simple link or single line of Javascript innocuously placed in a comment or a hacked home page. The real "virus" is then referenced from a different website completely, when your browser references that link.

The real solution for web sites, which will sound very familiar to PC owners, is to stay aware of vulnerabilities discovered in the software used to implement the web site, and to keep that software up to date. In addition, website designers have the additional burden of coding and configuring their websites properly to avoid common exploits like SQL-injection, and malicious HTML posted in comments.

Is there any program or tool available to scan websites before clicking on them to make sure they haven't been hacked or infected? And I'm not talking about IE7 or Firefox 3 phishing filters that detect bogus sites. I'm talking about a way to make sure legitimate sites are still safe to enter.

No and yes.

No, in the sense that I'm not aware of a reliable service that does this. There have been attempts, but they've typically caused more problems then they've avoided. They unfortunately have a record of "false positives", flagging totally safe and legitimate sites as somehow bogus, and raising so many false alerts that users ignore them totally if they actually want to get anything done. (Yes, one did for a while flag Ask Leo! as a malicious site, and nothing could be further from the truth. No, I'm not bitter. Much.)

Yes, in the sense that ultimately these types of infections happen like any other: a program gets downloaded and run on your machine. That means that an up-to-date and properly configured anti-virus program should catch it as it attempts to happen.

Article C3483 - August 28, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

19 Comments
novice
August 28, 2008 12:39 PM

Avast Home edition (free) has a web scanner that checks content in real time as the webpage loads. It doesn't try to judge the website itself as good or bad but it tries to make sure that nothing bad gets executed as a result of viewing the website.

But any anti-virus can only be as good as its virus definition. I have put mine on automatic update. Avast updates several times a day.

Steve Myers
August 29, 2008 9:28 AM

It is not enough to have a good up to date anti-virus but one must also have an anti spyware program. I prefer spybot search & destroy because of its ability to block known spyware/adware and it user friendliness.

Mary
August 30, 2008 9:08 AM

I'm the person who asked this question. Without trying to start a flame war over which antivirus, or antispyware, or firewall is the best, let me just say that my combination of Computer Associates Antivirus, Microsoft Windows Defender, and ZoneAlarm Firewall have served me well. I've used this combination ever since Defender was still being called Microsoft AntiSpyware and CA Antivirus was called eTrust EZ Antivirus back in 2005. In fact, if you check a previous Ask-Leo article (Article 12056 | posted December 1, 2007 | How do I pick the right tools to protect my system?), he validated my use of CA AV and Defender as the same products he uses.

Be that as it may, Leo's response (for which I thank him) raises another question: "...always make sure that all anti-malware software is updating its database regularly..." In the case of CA AV, it updates at least once every 8 hours and I always get a pop-up when "latest updates have successfully installed". If I open the CA AV it always says, "Your Anti-Virus is up to date and fully functional. Your computer is protected from the latest virus threats." If I do a manual update I'll get the message "Your security software is up to date."

Windows Defender updates on average twice a day and I always have the latest updates when I visit that update site. So this still leaves the question of "Why didn't my CA AV and/or Windows Defender stop this attack?" I would have expected either product to automatically quarantine the threat until I decided what action to take. The fact that neither product did so and allowed my machine to become infected is troubling.

If anyone has any thoughts please share.

Leo... any additional comments about the lack of quarantine?

Mary
August 30, 2008 9:17 AM

And as a follow-up reminder, neither product detected the infection when I ran full scans in Safe Mode. These scans were after the damage had been done; ie: my desktop wallpaper had been changed to the Antivirus XP 2008 "warning", the Desktop Tab had been deleted from the Display dialog box, etc.

Aaron
August 31, 2008 1:57 PM

Don't feel alone in this scenario.

I run the IT side of things for a restaurant company and we also run Defender, Windows Firewall as well as the corporate version of Trend Micro on every workstation. We have seen this virus slip through all those layers as well as our Exchange AV solution and still infect machines that are locked down with no program install rights to the users on the machines at the time of infection. Looking at our exchange logs I see nothing to indicate that was the source of infection.

We are still not 100% sure how it infected, but I would suspect from a scripted website that was hacked or malicious to begin with. Our definitions on Defender and AV are automatically updated, and daily with respect to our AV so I would beg to differ with Leo's assumption that it was a result of your AV being out of date if you say it was current.

Thankfully it was removed fairly easily and it appears no harm was done, but as Leo has said before, you can never be 100% sure unless you reformat. We will likely do just that with any machine hit that is used for sensitive data and/or networked to the corporate office. But for the few road warriors that never connect to the network, the priority isn't as high for a total wipe and load.

I hope that allays your misgivings a bit.

Jason
September 2, 2008 7:34 AM

In my experience, Spybot Search and Destroy does a good job of removing Antivirus 2008 and Antivirus 2009. I do think, however, that I had to boot in Safe Mode to completely remove the 2009 version.

Sue
September 2, 2008 9:24 AM

5 of my company's computers became infected with AntiVirus 2008 on August 12th. We use CA also and it passed through without being detected. I went to the CA site and it only noted that it was a trojan but didn't offer any updates or fixes to remove it.

Adam Dunlop
September 2, 2008 9:27 AM

Thankyou for this interesting article Leo. I have come across this particular infection several times over the last few months, and I could not see anobvious way that it got into the systems. Antivirus programs were up to date in all cases. There is an interesting article that was published recently (UK magazine) "http://www.pcpro.co.uk/features/218199/is-the-virus-threat-real.html?searchString=is+the+virus+threat+real" Which explorers the current threats.

Fred
September 2, 2008 12:18 PM

Use Firefox with the "no script" add in. Prevents all scripts from running unless you give them permission to do so.

Therese G
September 2, 2008 2:59 PM

A couple of weeks back now I had the same thing happen to me also. Fortunately I knew something was wrong and never downloaded the file. At the time I had up to date definitions for Kaspersky AV. I check Manually on the hour and every hour. My other Bells & Whistles never alerted me to it either.

Dan
September 2, 2008 8:09 PM

I got rid of Antivirus XP 2008 by System Restore. An easy way to get of any virus, and a good reason to keep System Restore enabled.

Geek Choice
September 5, 2008 1:20 PM

First off I am a field technician for a "Geek" pc service company. I have been dealing with the Antivirus XP 2008 and it's many variants for the last several months. About 50% of our clients fall for it and purchase the fake product and most clients wait several weeks before calling for help. This leads to additional infections getting on the pc. I can say for sure that it gets by Mcafee completely. Even if fully updated it doesn't even see the infection. It also gets by Norton and Trend Micro PC-Cillin. They see it but can't remove it. Each of these products include firewalls. I use Malwarebytes to remove it . But if it has been running on the system for a day or longer it may have pulled down more malware. So I also run Spyware Terminator, Combofix, Smitfraudfix, Hijack This. Also I clean out all temporary files before and after the cleanup with Ccleaner. All are free programs. I leave Spyware Terminator installed as it provides excellent real time malware protection for the system and doesn't interfere with anti virus programs. I recommend AVG for Antivirus protection. Windows defender I find to be almost useless and Spybot has become slow, bloated and tends to miss alot of malware. The same is true of Adaware. I no longer waste my time with these apps. I would not depend on them to keep your system safe.

M. Malekzadeh
September 7, 2008 2:54 PM

How can an infection like Antivirus XP 2008 happen?

First of all, I must emphasize that Antivirus XP 2008 keeps coming back in various innovative forms and as a FAMILY OF VIRUSES, each member supporting the others. Isn't this a marvelous idea?

Leo's assertion in this article that the main reason you get such a virus is your failure to update regularly the virus definition file of your antivirus program used to be true but no longer at all (see "e" below.)

Newer versions of Antivirus XP 2008 do the following to your computer, among other things, and unfortunately all these keep us wondering about what people at Microsoft have been doing to increase our computer security.

Specifically the new Antivirus XP 2008 virus:

a) Would reboot my computer any time my real antivirus program tried to remove some members of its family pack (Joke.Blusod and Trojan.Blusod)

b) Had disabled the Windows "Safe Mode" so I could no longer use the "Safe Mode" to do any debugging!!

c) Had infected Windows core and critical files in a Windows subdirectory called "System32." (Aren't all these files supposed to be protected by Windows itself?!!! ) For example:

c1) "Wscript.exe" was a big culprit. Microsoft Windows protects and prevents deletion of this critical program by regenerating it immediately. I think few users, however, know how to monitor, stop, debug, or control any malicious "Host Script" the virus directs this program to carry out. I tried to copy and rename my Notepad.exe to Wscript.exe in the hope of preventing the malicious scripts getting carried out but could not do that -- A Windows wrong sense of self protecting critical files. Remember the Safe Mode was also rendered unavailable to me by the virus.

c2) Yet Windows did not properly protect another file called "SVCHOST.EXE" in this subdirectory and the virus had infected it!! I cannot overemphasize how important this file is in providing or not providing malicious services to your computer!!!

c3) The same was true for Windows Installer 3.1 (Not protected properly and infected).

d)Had disabled Microsoft's "System File Check" (SFC) program so it could not check on the validity and version of Windows critical files any more. For example, the command "SFC /SANNOW" would not work at all!

e) Had disabled my Symantec/Norton Internet Anti Virus and its LiveUpdate programs; so I could not update the virus definition files anymore.

f) Had disabled all my Internet communication lines with Microsoft!

g) Had inserted and opened several communication ports on the "Exceptions" tab of the Windows "Firewall" and was taking over my computer remotely. Isn't it peculiar that once these ports are opened, Windows does not provide you a way to delete them from the "Exceptions" list of your computer Firewall?

h) Had removed the icon of "Network Connection Notification" from my System Tray to hide away the fact that my computer was being remotely accessed.

i) Had turned off and deleted all my "Windows Restore Points" so I could not revert to an earlier Windows configuration before the virus had attacked.

j) Had Done all the damage through Internet Explorer 7, which is supposed to have excellent security features (Microsoft people think so!!)

The Symantec/Norton Antivirus representative acknowledged the difficulties with "Antivirus XP 2008" virus and said the only thing to do was for me to use their special program by paying them $99 so their specialist in India would connect to my computer live and peruse it to remove the virus. The sales pitch was accompanied by many scary things that how dangerous this virus was, how I might lose my entire data and programs permanently, and how I might still have the virus even after reformatting my hard disk and starting with a fresh install of Windows, if I did it myself.

The Microsoft Technical Support MVP (Most Valued Professional) gave me the link to a program called "The Spyware Doctor" to remove the virus. So I downloaded the Spyware Doctor and run it to test my computer. It reported yes, my computer was infected with Antivirus XP 2008 but I had to buy their registered version in order to remove it (Does this ring a bell? Yeah... the "Antivirus XP 2008" virus itself!!) - Did I mention when I run the Spy Doctor under my Norton Antivirus, it reported that Spyware Doctor was trying to install a Trojan Horse on my computer?)

I feel most disappointed with Microsoft because my computer has been constantly updated for security by "Automatic Updates" through them. If someone is able to create "Antivirus XP 2008" to completely take over my computer through simple means I have described above and despite years of Microsoft's Windows updates for security, Microsoft must take a closer look at its aptitude or intentions.

Another trend unfortunately fermenting is the proliferation of so many companies and websites claiming their Antivirus programs are the ultimate answer to our virus problems. They offer FREE TESTS and Web Site HOUSE CALLS only to scare us further into buying their products and if we did not, infecting our computers with their own brand of viruses. We badly need special standards for naming and categorizing viruses so a claim of one company can be verified by an antivirus program from another.

Warmest regards,
M. Malekzadeh

Patty
September 8, 2008 7:09 PM

I read the articles and I had a simular problem but mine was antivirus 2009 and I didnt open it my virus protector didnt catch so I uninstalled it in control pannel as it was there and then it kept moving around and poping up in different files on my computer. Every time I deleted it it changed the name finally my spyeraser caught it and removed it. I know how you feel. Cant trust anything

Packrat1947
September 12, 2008 6:07 AM

The free Malwarebytes removes it. The download webpage mentions $24.00, but that is for the fulltime protection. Also, ComboFix at wwww.bleeping computers removes it too.

I use these two progs. to cleanup customer's computers. Before running Combofix there is a tutorial that should be read.

Packrat1947

Tim
September 16, 2008 12:22 AM

Well let me tell you what this friggin virus did to me. First off I accidentally agreed to the contract. DOH! Not realizing what I had done immediately I went about my business around the house and I come back and there is a "scan" going on by this xp 2008 virus saying I have several hundred trojans, cookies, and viruses. It then prompts me to purchase their product... LOL... I didn't w00t But I did want to update my mcafee because I knew it was outdated... Well they wanted money too so I decided not to go that route either. So I let the virus sit there for about 24 hours, hooked up to the internet, not giving it a second thought. When I came back to the computer, I found something very strange. All restore points had been erased, My ability to defrag was gone, my ability to customize my desktop settings was gone, and there were about 9 corrupt files in my c:\ drive and registry files and system32 files. Then I noticed if I left the mouse alone for about 3 minutes the system reboot would occur claiming I had just recovered from a serious threat. And this would happen every 3 minutes, making the virus even worse.... So I said ok time to deal with this little booger... So I went to google, searched antivirus xp 2008 and came up with mr. leo's recommended site and I clicked on it... with no success, so I tried again and it wouldn't connect... So I tried another and all I would get is a no connection page, or a redirect to a spam site. So I tried 3 different browsers... aol, mozilla, and internet explorer... all the same results... so I disassembled my computer took it to a friend of mine and said fix it. We tried to defrag.. nothing, system restore points.. all gone, and I allow MAXIMUM space for restore points creating one every other day, and with every install and un-install. ALL GONE! So we tried something else, I grabbed my old xp boot discs and using nero I backed up all the files I needed from my computer and got ready for a re-format... That little booger (me thinks) would not let me... No matter what we tried, the system would not boot up to a new system... Finally I bring the computer home, after 8 days of this. I open up a browser thats been sitting on the shelf collecting dust for 3 years w/out update... MSN Explorer that came with xp... lmao It was unaffected by the browser re-directs and I was able to get to trend-micro housecall and quarantine most of the malicous software associated with this worm, and then I used malwarebytes to get the rest. And now I have AVG Security protecting my @$$ bye bye mcafee.

much guest
October 29, 2008 11:58 AM

Dude... You DON'T need to reinstall your (old) browser because of the redirects! :)

Easy trick. Go to Google, lookup whatever it is you want. Click on the 'cached' link. Doesn't seem to be affected by the redirects. ;)

Leo, I came to your site to find out WHAT IS THE SOURCE of these infections?

Thanks Big Guy! :)

rohit dhir
January 3, 2009 12:05 AM

What is a virus which attacks or infects specific anti-virus software’s’ is known as?

rodi
June 25, 2009 7:09 AM

MalwareBytes is a good choice, however, I've found that Spyware Doctor does a better job when removing malware. As for Antivirus XP 2008 there are many many manual removal guide on the net. For example:
Antivirus XP 2008 removal at bleepingcomputer.com
Antivirus XP 2008 removal at 2-spyware.com

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.