OK, this may come as a surprise to anyone who knows me, but this weekend I was afflicted with the dirtiest of dirty tricks: I was attacked by a stinking ’orrible Trojan. Now, before you start jumping up and down saying “you should have had a firewall on” or recommending me your favourite AV software, I must make you aware of a few things. My router uses a Nod32 firewall which, for all intents and purposes, is pretty bulletproof. My laptop was also running a fully patched, legal and up-to-date version of Nod32 Firewall, Antivirus and Anti-Spyware. I haven’t been downloading illegal files and have not been on any dodgy websites recently. The payload was delivered to my PC in a very stealthy manner, and I’m guessing it was through an email from one of my friends or via a remote session with another computer.
The Trojan works in a very clever way. Once you power up your computer it displays a very genuine-looking Microsoft Anti-Piracy notice saying that someone has activated your copy of Windows and you must enter your details to validate yourself. You have two choices: either do it now over the Internet or do it later, and if you choose to do it later it shuts down your machine. You can get round this by starting your PC in safe mode, but I wanted to have a play around first. I knew this anti-piracy window was bogus because it said my OS was XP, whereas my laptop is running Vista and uses the Genuine Advantage tool rather than the outdated anti-piracy pop-ups.
So I clicked the option to re-validate myself and entered a load of random numbers for my card details and some fake information about myself, and it apparently scanned the MS database and verified my information as being correct. However, the Trojan does make some system changes when it shuts your computer down. It first deactivates your Task Manager, hides itself from the startup menu (msconfig), deactivates your antivirus and tries to launch a key-logger which attempts to connect to the following IP: 220.127.116.11
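If you want to check a Vista-era machine for the symptoms described above rather than rely on a single scanner, the following triage script is an added example (not from this post or from any vendor) that inspects the Task Manager policy value, lists the Run auto-start entries, reports the antivirus state known to Security Center and looks for a live connection to the IP quoted above. The registry paths, WMI namespace and netstat usage are standard Windows ones; the IP is the one from the post and is the only page-specific value.

```powershell
# Added triage script: checks for the tampering described in the post.
# Run from an elevated PowerShell prompt; it only reads state, it changes nothing.
$SuspectIp = '220.127.116.11'   # taken from the post; swap in your own indicator if needed

# 1. Task Manager disabled via the well-known policy value (DisableTaskMgr = 1)
$policyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyPath -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableTaskMgr -eq 1) {
    Write-Warning 'Task Manager is disabled by policy (DisableTaskMgr = 1)'
}

# 2. Auto-start entries: print every Run value so anything unfamiliar can be reviewed
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { '{0}: {1} = {2}' -f $key, $_.Name, $_.Value }
    }
}

# 3. Antivirus products and their state as reported to Security Center (Vista and later)
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState

# 4. Live connections to the suspect address; netstat -ano includes the owning PID
netstat -ano | Select-String -Pattern ([regex]::Escape($SuspectIp)) |
    ForEach-Object { Write-Warning ('Connection to suspect IP: ' + $_.Line.Trim()) }
```

A hit in step 4 gives you the PID to cross-check against the Run entries from step 2; an unexpected Run entry plus a disabled Task Manager is the combination the post describes.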
Symantec reported this Trojan last year and stated that it only attacks MS machines, but I can now confirm that this Trojan is back out in the wild and has been modified somewhat to attack Vista machines. I have been in contact with the technical team at Symantec, who did a quick scan of my laptop and took a snapshot of my system including my registry. They will be in touch with me if there are any traces of the Trojan left on my system.
I used Vipre to search for and destroy the Trojan successfully, and also advised Eset that it got past its security without being noticed.
Below are the two images to keep an eye out for. If you do happen to get attacked by this Trojan you can either follow Symantec’s removal instructions, which can be found in the link dump, or just stick in a load of bollocks and remove it using your own antivirus.
Microsoft will NEVER ask you to provide any card details when validating a version of Windows (XP or Vista).
Links to various sites mentioned in this blog post