Windows Secrets Newsletter: How Malware Paralyzes PCs

PC Pitstop is proud to welcome our friends at Windows Secrets as guest contributors. The weekly Windows Secrets Newsletter brings you essential tips for Windows, applications, and computing on the Internet.


By Fred Langa/Windows Secrets

A nasty piece of malware known as LizaMoon has hijacked links on millions of websites in the past weeks, including some normally safe iTunes and Google links. Fortunately, LizaMoon is easy to avoid if you know what to look for.

Using rogue-AV scare tactics, LizaMoon tries to trick you into running bogus security-scan and virus-cleanup tools on your PC — but it’s pure malware.

If allowed onto your PC, this particular ploy is especially troublesome because it can partially disable the Windows Security Center and change the Registry so that the full WSC can’t be restarted. It also interferes with Microsoft Security Essentials, if MSE is running. (You’ll find lots more LizaMoon news coverage via Google.)

My encounter with LizaMoon started unexpectedly one evening when a suspicious warning popped up on my screen. As discussed in a previous Top Story, I use Microsoft Security Essentials and the Windows 7 firewall to protect all of my PCs. In over a year of constant use, I’d never had any malware trouble. But that abruptly changed.

That evening, I was searching for something through Google — I don’t recall what. When I clicked a link, a blank page overlaid with the dialog in Figure 1 popped up instead of the site I was expecting.

Figure 1. A real LizaMoon initial dialog, captured in the wild.

My mental alarm bells immediately started ringing. The dialog’s title bar read Message from webpage, which is the label Internet Explorer puts on a dialog raised by a page’s own script (an alert or confirm box). In other words, every word in it was composed by the website, not by Windows. So why was a random, external webpage displaying what looked like a local security message?

Also, how could a random webpage know what was installed on my system (suspicious programs or not)? A webpage’s script cannot inventory the programs on your PC. The warning made no sense.

There was plenty more to suggest that the dialog was bogus. For example, the third sentence is in fractured English — Microsoft dialogs aren’t like that. And the kicker: I keep my system very clean, so the odds that it would suddenly contain “a variety of suspicious programs” are virtually nil.

Then it struck me. I’d encountered a for-real LizaMoon page hijack, in the wild!

Typically, when you encounter any suspicious webpage dialog, the correct procedure is to dismiss it immediately via the red-X close box in the upper-right corner of the dialog box or to simply close the browser. One caveat: that red X is only trustworthy when the dialog is drawn by the browser itself, as a Message from webpage box is. A “dialog” that is merely part of the webpage can make every pixel, including its close box, a link to the next step, so when in doubt close the whole browser window instead. (If needed, you can also use Windows’ Task Manager to kill offending software or its processes.)

Next, if you think you might have a security problem, you should manually launch known-good security tools directly from reliable sources. In no case should you ever launch unknown software triggered by visits to random websites.

In my case, however, this was exactly the kind of malware I’d been looking for to test. In the past few months, readers reported encountering new malware that masquerades as a security tool — malware that disables or bypasses Microsoft Security Essentials. I’d been trying to track it down for weeks. And suddenly, there it was.

Living dangerously: taking the malware’s bait

Given this unexpected opportunity, I took a deep breath and clicked OK, knowing full well that I was voluntarily giving the webpage permission to interact with my PC.

A new webpage opened, showed a flurry of fake “scanning” activity (most likely, just an animated .gif), and then reported a huge number of discovered viruses and security problems.

I knew my system was clean, so this report of widespread infection was clearly fake. But because the page layout and icons closely mimic those of familiar Windows tools, it could easily fool casual users into thinking that the alert was real.

After a minute of fake scanning activity, a new dialog opened — offering to “Remove all” the threats (see Figure 2).

Figure 2. Clicking “Remove all” on this fake security dialog starts the malware download. Find a way to close the dialog, as discussed in the text.

The new dialog set off more of my internal alarm bells. Windows normally identifies the software or subsystem involved in security alerts — such as the Action Center, the Security Center, Security Essentials, or whatnot. A dialog simply labeled “Windows Security Alert” is suspiciously generic.

And what’s this about “Windows Defender”? That’s Microsoft’s standalone anti-malware tool that ships with Vista and Win7 and is available as a free download for XP. The forerunner of the more complete Microsoft Security Essentials, it’s deactivated when you install MSE. Since I have MSE active on my system, I shouldn’t be hearing from Windows Defender.

At that point, you’d normally try to dismiss the warning by clicking on the red X. To see what would happen next, I clicked “Remove all,” knowing I was inviting trouble.

(If you’re keeping count — and I did — you’ll know this was my second entirely voluntary action leading to infection.)

A real and quite legitimate Windows file-download security warning opened, as shown in Figure 3. But while the previous dialog discussed “Windows Defender,” this dialog box asked permission to download an installer for “Internet Defender.” What’s more, the dialog clearly showed that the file was from a site called update65.saceck.co.cc — not Microsoft!

Clearly, the LizaMoon authors are confident that people do not pay attention to these details.

Figure 3. This dialog box has several naming inconsistencies: the previous dialog mentioned Windows Defender, but this one offers something called Internet Defender. It also isn’t coming from a known address, such as Microsoft.com.
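The cues Fred reads off the Figure 3 dialog (the file is not hosted under a Microsoft domain, the host sits on a free-subdomain service, and the product named in the download doesn’t match the product the previous dialog promised) can be written down as a mechanical check. The Python below is an added example, not code from the Windows Secrets article and not anything from the malware itself. The vendor-domain table, the list of free-subdomain suffixes, the lookalike case, the download path and the file name are all assumptions constructed for illustration; the only value taken from the article is the host update65.saceck.co.cc.

```python
"""Red-flag check for a file-download prompt, modelled on the Figure 3 dialog.

Added example for illustration; the vendor table and suffix list are
assumptions, not an authoritative allowlist.
"""
from urllib.parse import urlsplit

# Assumption: domains a download that claims to come from "Microsoft"
# would legitimately be served from.
VENDOR_DOMAINS = {
    "microsoft": ("microsoft.com", "windowsupdate.com", "live.com"),
}

# Assumption: public suffixes that hand out subdomains for free and are
# therefore popular with throwaway malware hosts (the article's host ends
# in one of them).
FREE_SUBDOMAIN_SUFFIXES = ("co.cc", "cz.cc", "cu.cc", "tk")


def host_under(host, domain):
    """True if host is exactly domain or a subdomain of it.

    'microsoft.com.evil.cc' is NOT under 'microsoft.com': the vendor name
    must be the registrable tail of the host, not merely appear in it.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def download_red_flags(claimed_vendor, claimed_product, download_url, filename):
    """Return a list of human-readable reasons to distrust this download.

    claimed_vendor  -- who the dialogs said the software is from
    claimed_product -- what the previous dialog said you would be getting
    download_url    -- the URL shown in the browser's download warning
    filename        -- the file the warning offers to save
    """
    flags = []
    host = (urlsplit(download_url).hostname or "").lower()
    vendor = claimed_vendor.lower()
    known = VENDOR_DOMAINS.get(vendor, ())

    # 1. Origin: is the host actually under a domain the vendor controls?
    if not known:
        flags.append(f"unknown vendor {claimed_vendor!r}: nothing to check the host against")
    elif not any(host_under(host, d) for d in known):
        if vendor in host or any(d in host for d in known):
            flags.append(f"host {host!r} only imitates {claimed_vendor}: "
                         "vendor name embedded, but the domain is not theirs")
        else:
            flags.append(f"host {host!r} is not under any {claimed_vendor} domain")

    # 2. Hosting: free-subdomain services are a common home for throwaway payloads.
    for suffix in FREE_SUBDOMAIN_SUFFIXES:
        if host_under(host, suffix):
            flags.append(f"host {host!r} uses free-subdomain service .{suffix}")
            break

    # 3. Consistency: the file should be for the product you were promised.
    lowered = filename.lower()
    if not all(word in lowered for word in claimed_product.lower().split()):
        flags.append(f"file {filename!r} does not match promised product {claimed_product!r}")

    return flags


if __name__ == "__main__":
    # Constructed path and file name; the host is the one from the article.
    for flag in download_red_flags("Microsoft", "Windows Defender",
                                   "http://update65.saceck.co.cc/download",
                                   "Internet_Defender_Setup.exe"):
        print("RED FLAG:", flag)
```

Each check corresponds to one thing the dialog shows you for free; the lookalike branch exists because the obvious next trick is to put the vendor’s name at the front of a hostname the vendor does not own.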

Ignoring yet another opportunity to bail out before being infected, I clicked the Save button and entered the location where the file should be saved (the third voluntary action on the path to infection).

My hard-drive light flickered briefly and I swallowed hard, knowing that a malicious payload had just been delivered to my personal PC. (Yes, my system was fully backed up and my sensitive data encrypted.)

Ready or not, the malicious payload arrives

I intended to disconnect my PC from the network before the malware ran, on the assumption that going offline would keep any damage local to the system and prevent any personal data from being sent out.

But there must have been a script running somewhere, because the malware installer immediately attempted to self-start. Fortunately, Windows reported an NSIS error (see Figure 4). NSIS is the Nullsoft Scriptable Install System, an open-source installer builder hosted on SourceForge; the error means the installer’s built-in integrity check (a checksum over the installer file itself) failed, which usually indicates a corrupt or incomplete download.

Figure 4. The first sign of trouble after downloading the malware.

Article continued here.

This post is excerpted with permission from Windows Secrets.


14 thoughts on “Windows Secrets Newsletter: How Malware Paralyzes PCs”

  1. Every PC that I’ve repaired has had this problem. Hate to say it, but it’s been a money maker, to where now I almost do it for free. I get a lot of people that return with the same problem again and again, mostly the same ones! I get the ones that have the “Your Antivirus has reported…” click-here logo, and off people go. Then the dreaded carry-the-PC-to-the-PC-guy, and then ching, ching! Most people would rather wipe the hard drive clean and reinstall than try to get rid of this problem, only to let it happen again and again. I try to help, but people are people.

  2. I’ve had worse malware that also acts as a fake virus scan, prompting payment to remove, etc. It took a while to clean my PC. I was later told by some people that clean PCs for a living that, if it happens again, click NOTHING and simply power down.

  3. I thought Microsoft Sec Essentials was the best thing to protect your computer. I would like more opinions on that before I uninstall and download something else. I used to have McAfee, but my granddaughter’s college prof told her to uninstall that and use Microsoft instead. Would appreciate more info. PS – I also encountered something similar to Lizamoon. Had a hard time x’ing out of it, but finally succeeded.

  4. I got the Pitstop newsletter with your story about Win7 security. I bypassed your story and went to something else. Suddenly I was hit by a Win 7 security alert. I went through its process and, like you, I saw the $50 price.
    Tried to get rid of it; couldn’t access Google. Ran CCleaner and my old favorite Spybot S&D. Then I was free. It was frightening for a while. Thanks.

  5. Hi! I’ve gotten those malwares (Internet Defender, Win Defender, XP 2011, etc.). They even disable your ISP when they discover that you are trying to get rid of them. Clicking on the red X to close the box is a bad idea, since some of them have that X configured to function as an “OK”. I always close them with the Task Manager or with WinPatrol, and yes, they are a pain to dispose of.

  6. I agree with other posters: ditch any free or Microsoft security products and get Bit Defender. In my experience as an IT professional engineer, it’s the only product worth having.

    chris payne thepccrew

  7. Is this what just happened to me? The other day, while reading an e-mail, I got a quick flash that said “Microsoft…” and went off the screen as fast as it came on. My screen flickered and then the computer shut down. I started it back up and saw that over 9000 emails were loading into my inbox. After hours of loading very slowly, it stopped and then restarted all over again, reloading the emails from scratch (0, 1, 2, 3, etc.). After the third time it finally completed, and I am now going through them and deleting or putting in folders each one at a time. This will take weeks. Why did this happen? What did I do? Will it happen again? WHAT SHOULD I DO NOW?

    • Hi Deanna

      No, you didn’t get one of these types of malware attacks, but what you’ve described seems like some other infection, like a mass emailer or similar. You need help from the security experts in the HijackThis portion of the PC Pitstop forums, or any other qualified forum like MalwareBytes Antimalware or Besttechie.net, just to name a couple. All of these have qualified HJT analyzers who can help you identify & clean whatever got into your system. Follow all their instructions carefully & completely; they are very thorough, and it may take some time, but it’s worth it.
      Please be careful clicking email links you aren’t sure of or don’t know who they came from.
      Good luck!
      Dave

  8. This article would be infinitely more valuable if it described a method of getting rid of this virus when your computer does become infected.

  9. I have gotten this type of thing several times. Guess I must surf ‘on the edge’ a lot. Malwarebytes’ Anti-Malware always removes them completely. It is a free program. (No, I do not work for them!) You simply reboot to Safe Mode with Networking, download it if you don’t have it, update to their latest malware database and run it. It cleans my system every time. If you are feeling flush, for very little money, you can get their real time module that keeps you from getting malware in the future.

  10. As far as I’m concerned, anyone who trusts Windows Security Essentials and Windows 7 firewall gets what they deserve.

    How about throwing away your shoddy Microsoft software and getting some decent programs. Or is that too much like hard work, in that you actually have to think and know what you are talking about.

    • Hi Neil

      I kinda have to agree, dude…
      Win Firewall, though, can be configured decently by those who have Vista/7 Ultimate edition to access the firewall config and know how to set proper rules, but its default config sucks.

      Have you seen how well Comodo is doing with their CIS Security pack? They’re not just a top f/w with an OK AV option anymore; CIS as a complete pack is now topping the respected labs’ testing & getting some of the highest ranks ever. I use Comodo f/w & Nod32 AV but may have to think about going all Comodo after the latest results (Matousec, VB, etc.).
      Later

  11. 1. Do you keep the downloaded software or use it then remove it to save computer space?

    2. Did you run the above in safe mode?
