{"id":1591,"date":"2010-05-13T21:26:47","date_gmt":"2010-05-14T04:26:47","guid":{"rendered":"http:\/\/www.coolkarma.com\/dharma\/?p=1591"},"modified":"2010-08-09T21:38:15","modified_gmt":"2010-08-10T04:38:15","slug":"you-got-me-babe-%e2%80%a6-and-other-trojans-that-go-bump-in-the-night","status":"publish","type":"post","link":"https:\/\/www.karmabytes.net\/?p=1591","title":{"rendered":"You Got Me Babe \u2026 and other Trojans that go bump in the night"},"content":{"rendered":"<p><a href=\"http:\/\/www.coolkarma.com\/dharma\/wp-content\/uploads\/trojan-reflected.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-1592\" title=\"trojan reflected\" src=\"http:\/\/www.coolkarma.com\/dharma\/wp-content\/uploads\/trojan-reflected-174x300.jpg\" alt=\"\" width=\"174\" height=\"300\" srcset=\"https:\/\/www.karmabytes.net\/wp-content\/uploads\/trojan-reflected-174x300.jpg 174w, https:\/\/www.karmabytes.net\/wp-content\/uploads\/trojan-reflected-595x1024.jpg 595w, https:\/\/www.karmabytes.net\/wp-content\/uploads\/trojan-reflected.jpg 639w\" sizes=\"auto, (max-width: 174px) 100vw, 174px\" \/><\/a>As a seasoned IT professional (in a past life) I consider myself well versed in the ins and outs of <a href=\"http:\/\/en.wikipedia.org\/wiki\/Malware\" target=\"_blank\">malware<\/a>.\u00a0 I have up to date virus protection software on every computer in the house.\u00a0 My husband manages our home firewall and wireless routers with the same eye to detail that he did when he was the CIO at one of the top engineering campuses in the country (in a past life).\u00a0 And I teach my kids how to spot scam-spam in their email and social networking browsing.\u00a0 All in all, we are one computer lit syndicate.\u00a0 \u00a0Which makes it all the more surprising when I found myself in deep with a trojan tonight!<\/p>\n<p>I noticed for the last couple of days that Firefox was opening up <em>new tabs<\/em> from sites like FaceBook or SlickDeals.\u00a0 At first 
I convinced myself that I must have <em>moused over<\/em> an ad. \u00a0But last night I took it one step further and decided to look up some of the offending domains to see if they were on any virus alert websites.\u00a0 Sure enough \u2026 the popups and redirects were all listed as known offenders.<\/p>\n<p>I double-checked my local anti-virus program with no luck, then opted to run one of the free webscans on the web.\u00a0 Last night I picked <a href=\"http:\/\/housecall.trendmicro.com\/\" target=\"_blank\">MicroTrend\u2019s HouseCalls<\/a>.\u00a0 It\u2019s a nice little package that I had experience with during my technical career.\u00a0 So when it came up saying I was clean, I let my suspicions subside.<\/p>\n<p>Until tonight.\u00a0 Without warning I found myself bombarded by virus detection alerts and warnings of gloom and doom.\u00a0 But these weren\u2019t coming from my local anti-virus program, they weren\u2019t even coming from HouseCalls that I installed the night before.\u00a0 These apocalypse forecasts were coming from a Trojan horse that was mimicking an anti-virus software program.\u00a0 Pop-up alerts were coming faster than I could close the windows announcing that I was infected and insisting that I purchase the $69.99 removal tool immediately.<\/p>\n<p>My particular variant of the worm was called Data Protection.\u00a0 This malware edits your registry, disables any other virus protection you have running and prohibits you from launching several security features in your own control panel.<\/p>\n<p>\u201cOn infiltrating a system, Data Protection will create a start-up registry entry and attempt to disable any legitimate security applications running on the infected system. Then Data Protection will generate fake scan reports, security alerts and pop-up warnings. 
Users should not believe any of the security notifications displayed by Data Protection because they are all part of a scam to scare users into purchasing its non-existent full version.\u201d<\/p>\n<p><a href=\"http:\/\/www.enigmasoftware.com\/dataprotection-removal\/\" target=\"_blank\">http:\/\/www.enigmasoftware.com\/dataprotection-removal\/<\/a><\/p>\n<p>What\u2019s tricky of course in removing any rogue system is that you can\u2019t quite know which removal tool to trust.\u00a0 The developers know how to seed Google with more scam tools that claim they can fix the problem.<\/p>\n<p>Checking out reviews on CNET and confirming with places like <a href=\"http:\/\/www.siteadvisor.com\/\" target=\"_blank\">McAfee\u2019s siteadvisor<\/a> that the domain claiming a cure is free from further spyware infection, I came across several sites that claimed <a href=\"http:\/\/malwarebytes.org\/\" target=\"_blank\">MalwareBytes<\/a> could help. \u00a0\u00a0It was a challenge to find a solution while the rogue application had control of my machine, so I also phoned my husband who was on his laptop downstairs in his office.\u00a0 As I was running the MalwareBytes scan he was reading me tidbits about how the application takes a stranglehold on your computer.<\/p>\n<p>\u201cIt says here it installs porn shortcuts on your desktop,\u201d he said.<\/p>\n<p>I quickly minimized my open windows and sure enough he was right!\u00a0 I had a slew of new porn links on my desktop!\u00a0 In truth, I suspect these weren\u2019t actually porn links at all, but more bait to reel in the unsuspecting randy end user.\u00a0 Aaah, the irony of trojans and porn.<\/p>\n<p>MalwareBytes did an excellent job of shutting down the applications even while my computer was under a live attack.\u00a0 It deleted the <em>porn<\/em> shortcuts on the desktop and most of the other files, except for three .exe\u2019s that were rendered harmless and that I deleted manually.<\/p>\n<p>So now at the end of the day, 
having defeated the dragon or at least curbed the worm, I can relax once again with my social networking peeps, reply to a few email tweets and decide for myself if I want to peruse any porn sites.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a seasoned IT professional (in a past life) I consider myself well versed in<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[5],"tags":[],"class_list":["post-1591","post","type-post","status-publish","format-standard","hentry","category-i-cant-see"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=\/wp\/v2\/posts\/1591","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1591"}],"version-history":[{"count":12,"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=\/wp\/v2\/posts\/1591\/revisions"}],"predecessor-version":[{"id":1718,"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=\/wp\/v2\/posts\/1591\/revisions\/1718"}],"wp:attachment":[{"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1591"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1591"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.karmabytes.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1591"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}