Three New Malware Threats

As calendar year 2011 draws to a close, the malware creators are busier than ever. The number of new viruses, Trojans, and rogue security programs continues to increase at an exponential rate. The last two months of the year have seen more new malware samples than any previous two-month period in history.

Three of these recent entrants in the malware arena are particularly troubling, for two reasons: They are spreading quickly, and they are using sophisticated techniques to thwart attempts to detect and remove them.

One of these programs is a "traditional" virus, and the others are rogue security programs. All three became widespread threats in November, 2011 and continue to infect thousands of computers every day.

The oldest of these threats is the ZeroAccess Rootkit, a Trojan that first appeared in July, 2011. It has evolved through multiple versions since then, including the latest variant detected by McAfee as ZeroAccess.t, discovered on December 26, 2011.

Other names that are used for this malware include Sirefef and Max++. Some of its characteristics are similar to the TDSS / TDL4 rootkits that have been touted as "indestructible," but it is not clear whether they were produced by the same programmer or syndicate.

This malware is spread through infected web sites, frequently without any action by the user whose computer is infected. This is a classic "drive-by download" scenario, and does not necessarily come from a site that would be considered high-risk.

On the rogue security front, one of the most frequent offenders in recent months goes by a number of different names. It may be called XP Security 2012, XP Internet Security 2012, or Vista Internet Security 2012, depending on the version of Windows running on the infected computer.

This program is similar to many of its genre, running bogus scans and reporting various system errors. Its recommended solution, of course, is to pay for the program, which means handing over your credit card number.

Where this one differs from other rogues is in some of the mechanisms it uses to do its damage and block the user's access to tools that would normally be used to remove this threat. One of the most significant enhancements in this regard is the use of new file types for executable code. Where the knowledgeable technician may ignore files with an extension of .pez or .sez, these become executable file types on computers infected by this malware.
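The extension trick described above leaves a trace in the registry: an extension key under Software\Classes that points at the built-in "exefile" handler, or at a custom ProgId whose open command simply runs the file itself. The following PowerShell audit is an added example written for this newsletter, not a tool from the article or from any vendor; the .pez and .sez extensions come from the text, while the list of normally executable extensions and the heuristics are assumptions of the example. It walks both the per-user and machine-wide class hives (in the order Windows resolves them) and reports extensions that have been made executable.

```powershell
# Added example: report file extensions that Windows has been told to run as
# executables. Run in a PowerShell session on the machine being examined.

# Extensions that are executable on a clean system (assumption of the example).
$knownExecutable = @('.exe', '.com', '.bat', '.cmd', '.scr', '.pif')
# Extensions named in the newsletter as being hijacked by the rogue.
$suspect = @('.pez', '.sez')

# Per-user associations override machine-wide ones and are writable without
# admin rights, so HKCU is consulted before HKLM, as Explorer does.
$hives = @('HKCU:\Software\Classes', 'HKLM:\Software\Classes')

function Get-DefaultValue {
    param([string]$Key)
    if (Test-Path $Key) {
        return (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).'(default)'
    }
    return $null
}

function Get-ExtensionHandler {
    param([string]$Extension)
    # Resolve extension -> ProgId, then ProgId -> shell\open\command.
    $progId = $null
    foreach ($hive in $hives) {
        $progId = Get-DefaultValue (Join-Path $hive $Extension)
        if ($progId) { break }
    }
    if (-not $progId) { return $null }
    $command = $null
    foreach ($hive in $hives) {
        $command = Get-DefaultValue (Join-Path $hive "$progId\shell\open\command")
        if ($command) { break }
    }
    return [pscustomobject]@{
        Extension   = $Extension
        ProgId      = $progId
        OpenCommand = $command
    }
}

function Test-RunsAsExecutable {
    param($Handler)
    # Either the stock executable handler, or a command that launches the file
    # itself ("%1" ...) rather than passing it to some interpreter.
    if ($null -eq $Handler) { return $false }
    return ($Handler.ProgId -eq 'exefile') -or
           ($Handler.OpenCommand -match '^\s*"?%1"?(\s|$)')
}

function Find-ExecutableExtensions {
    $seen = @{}
    foreach ($hive in $hives) {
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '.*' } |
            ForEach-Object {
                $ext = $_.PSChildName.ToLower()
                if ($seen.ContainsKey($ext)) { return }
                $seen[$ext] = $true
                $handler = Get-ExtensionHandler -Extension $ext
                if ((Test-RunsAsExecutable $handler) -and ($knownExecutable -notcontains $ext)) {
                    $handler
                }
            }
    }
}

Write-Host "Handlers for the extensions named in the article:"
foreach ($ext in $suspect) {
    $h = Get-ExtensionHandler -Extension $ext
    if ($h) { $h | Format-List } else { Write-Host "  $ext is not registered (expected on a clean system)" }
}

Write-Host "Non-standard extensions that run as executables:"
Find-ExecutableExtensions | Format-Table -AutoSize
```

On a clean machine the suspect extensions are simply absent and the second list is empty or contains only extensions an administrator can account for. Because the per-user hive wins, a finding under HKCU\Software\Classes is the one to look at first; the rogue needs no elevation to write there.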

The third member of this trio is known as System Fix. This rogue security program is similar to the Windows Recovery malware that first appeared in March, 2011. Both of these programs attempt to scare the user into buying their software by reporting that the hard drive of the infected computer is failing.

The realism of this warning is enhanced by the fact that most icons and the wallpaper are removed from the desktop, and no programs are visible from the Programs (or All Programs) menu. Task Manager is blocked from running, as are other system programs that would normally be used for diagnosing and repairing this problem.

System Fix goes further in this regard than Windows Recovery, removing the Run command, the Search feature, and most options from the Start button. This reduced functionality effectively hinders the technician's removal efforts.
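Removing the Run command, Search, desktop icons and the Programs menu does not require any exotic technique: Explorer honours a set of documented policy values, and a shortcut that is marked hidden simply disappears from the menu. The audit below is an added example for this newsletter (not a tool from the article); it lists which of those policy values are set and which Desktop and Start Menu items carry the hidden attribute. The policy value names are real Windows policies, but the article does not say which of them System Fix actually sets, so treat the list as the example's assumption.

```powershell
# Added example: show the Explorer lockdown settings and hidden shortcuts that
# produce the "empty desktop, no Run, no Search" symptom described for System Fix.

# Documented Explorer and System policy values that remove UI elements.
$explorerPolicies = 'NoRun', 'NoFind', 'NoDesktop', 'NoStartMenuMorePrograms',
                    'NoViewContextMenu', 'NoControlPanel'
$systemPolicies   = 'DisableTaskMgr', 'DisableRegistryTools'

$policyKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = $explorerPolicies },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = $explorerPolicies },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = $systemPolicies },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = $systemPolicies }
)

function Get-ExplorerLockdown {
    # Returns one object per non-zero policy value found.
    foreach ($entry in $policyKeys) {
        if (-not (Test-Path $entry.Path)) { continue }
        $props = Get-ItemProperty -Path $entry.Path -ErrorAction SilentlyContinue
        foreach ($name in $entry.Names) {
            $value = $props.$name
            if ($null -ne $value -and $value -ne 0) {
                [pscustomobject]@{ Key = $entry.Path; Name = $name; Value = $value }
            }
        }
    }
}

function Get-HiddenShortcuts {
    # Desktop and Start Menu folders for the current user and for all users.
    $folders = 'Desktop', 'CommonDesktopDirectory', 'Programs', 'CommonPrograms' |
        ForEach-Object { [Environment]::GetFolderPath($_) } |
        Where-Object { $_ -and (Test-Path $_) }
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
            Select-Object FullName, Attributes
    }
}

Write-Host "Policy values that remove Explorer features:"
$lockdown = @(Get-ExplorerLockdown)
if ($lockdown.Count -eq 0) { Write-Host "  none set" } else { $lockdown | Format-Table -AutoSize }

Write-Host "Hidden items on the Desktop and in the Start Menu:"
$hidden = @(Get-HiddenShortcuts)
if ($hidden.Count -eq 0) { Write-Host "  none" } else { $hidden | Format-Table -AutoSize }
```

A domain-joined machine may legitimately carry some of these policies from Group Policy, so compare the output against what the organisation intends. Once the rogue itself has been removed, clearing the listed values with Remove-ItemProperty and clearing the hidden attribute on the affected shortcuts restores the desktop and Start menu without reinstalling anything.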

More details of System Fix were covered in Malware Newsletter #005. If you've misplaced that issue, a fresh copy is available for download.

The good news is that there are effective solutions for all of these threats, and the Virus Remediation Training has been updated to include them in the methodology and the removal tools provided with this class.

If you are a graduate of the Virus Remediation Training and would like these updates, please request them via an e-mail to kdwight@thevirusdoc.com.