XP Internet Security 2010 – An Ongoing Current Attack

2010-03-02 by Jason

It appears there is a malvertisement (malware delivered through website ads) attack campaign in full force, and after today I'd guess it's on the upswing. After having a number of people in separate physical locations report the exact same malware installed on their machines, things start looking bad. I'm never one for jumping to trends and hopping to conclusions, but I know what makes for a bad day. XP Internet Security 2010 is a fake antivirus that gets installed on your machine, starts reporting bogus infections, and nags you to buy it. (It's a scam! Don't give them any money!) The worst thing, however, is that the anti-malware tools currently aren't detecting it or able to remove the infection.

After analyzing an infected machine and having MalwareBytes turn up empty, I used Process Monitor to get a handle on what was going on behind the scenes. It led me to a suspicious executable that was only a couple hundred kilobytes but was the culprit behind the XP Internet Security 2010 process. The executable was named MSASCui.exe and has this profile at VirusTotal. Note that MSASCui.exe is also the name of the legitimate Windows Defender user-interface process, which lives in C:\Program Files\Windows Defender; the fake AV borrows the name, so it is the location, not the file name, that gives it away. The .exe, along with a related file named with random characters, was found in the C:\Documents and Settings\[username]\Local Settings\Application Data directory and was only visible after unchecking the Hide protected operating system files (Recommended) setting on the View tab under Tools, Folder Options, meaning both files carry the hidden and system attributes.

If you kill the MSASCui.exe process through the Task Manager, you'll be able to delete the file and its related gibberish-named log. That will stop the fake AV from popping up and getting in the way of further clean-up. Something is likely set to start the process again if it is closed, so Registry keys (the Run keys in particular) and services need to be analyzed as well. There's also the possibility of a rootkit running in the background.
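The triage steps above (find the impostor process by its path, kill it, recover the hidden files, and look for what restarts it) can be scripted. The following is an added example, not something from the original post or the author's toolkit; it assumes PowerShell is available on the affected machine, and the quarantine folder is an illustrative choice. It checks the process's on-disk path against the legitimate Windows Defender directory and its Authenticode signature, moves rather than deletes the binary so the sample can be submitted, lists hidden+system files in the user's local application-data folder, and flags Run-key entries that point into a user profile.

```powershell
# Added example (not from the original post): hunt for a fake-AV binary that
# borrows the name of Windows Defender's UI process, MSASCui.exe.
# The legitimate MSASCui.exe lives under %ProgramFiles%\Windows Defender and is
# signed by Microsoft; a copy running from a user profile directory is the
# impostor described in the post. The quarantine path is an assumption.

$suspectName  = 'MSASCui.exe'
$quarantine   = Join-Path $env:SystemDrive 'Quarantine'        # assumption
$legitDir     = Join-Path $env:ProgramFiles 'Windows Defender'
# Resolves to Local Settings\Application Data on XP, AppData\Local on Vista+
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')

# 1. Every running instance of the name, judged by where it runs from.
#    Win32_Process exposes ExecutablePath, which Get-Process on PS 2.0 lacks.
$suspects = Get-WmiObject Win32_Process -Filter "Name = '$suspectName'" |
    Where-Object { $_.ExecutablePath -and
                   -not $_.ExecutablePath.StartsWith($legitDir, 'OrdinalIgnoreCase') }

foreach ($p in $suspects) {
    $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
    Write-Host ("PID {0}: {1}  signature={2}" -f $p.ProcessId, $p.ExecutablePath, $sig.Status)

    # 2. Kill it so the file handle is released, then quarantine instead of
    #    deleting so the sample is still available for VirusTotal submission.
    Stop-Process -Id $p.ProcessId -Force
    if (-not (Test-Path $quarantine)) {
        New-Item -ItemType Directory -Path $quarantine | Out-Null
    }
    Move-Item -Path $p.ExecutablePath -Destination $quarantine -Force
}

# 3. Hidden+system files directly under the user's local app-data root, which
#    is where the post found the .exe and its random-named companion. Those
#    attributes are what Explorer's "Hide protected operating system files"
#    setting honours, so such files on a user-profile path deserve a look.
Get-ChildItem -Path $localAppData -Force |
    Where-Object { -not $_.PSIsContainer -and
                   ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                   ($_.Attributes -band [IO.FileAttributes]::System) } |
    Select-Object Name, Length, CreationTime, Attributes

# 4. Persistence: dump the usual Run keys and flag values pointing into a
#    profile directory, since something relaunches the process once killed.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $flag = ''
        if ($entry.Value -match 'Documents and Settings|AppData') { $flag = '  <-- profile path' }
        Write-Host ("{0}\{1} = {2}{3}" -f $key, $entry.Name, $entry.Value, $flag)
    }
}
```

Run it from an elevated prompt. The Run keys are only the most common start-up location; the post's suspicion of a service or rootkit means a clean result here does not clear the machine, and a look at Services, the Winlogon keys and a rootkit scanner is still warranted.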

For those interested, read this news article on how malware might get on your computer while you’re just browsing around. There’s also this more technical blog article discussing PDF obfuscation. Based on my analysis, this is how you get infected:

The screenshot shows the malicious executable, MSASCui.exe, and its random-named counterpart in the directory noted above, the properties of the file, and the user's browsing history. The malicious file was created at 3:18 PM, almost as soon as the user stopped doing work and went on to find more "interesting" things on Celebuzz. Interesting…

You may have to use the previously mentioned .exe fix after this infection if Windows asks you what program you want to use to open .exe files; that prompt means the infection has broken the .exe file association, which also keeps clean-up tools from launching.
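The "what do you want to use to open this file" prompt comes from a tampered .exe file association. The following is an added example, not the .exe fix the post links to; it reports the two registry values that define how .exe files are launched and, with the `-Restore` switch (an illustrative name), puts the stock Windows defaults back. It also checks the per-user classes under HKCU\Software\Classes, which take precedence over the machine-wide ones when the view under HKEY_CLASSES_ROOT is built.

```powershell
# Added example (not the author's fix): check and optionally restore the .exe
# file association that fake-AV families break. On a healthy install the
# .exe extension maps to the 'exefile' class and exefile's open command is
# "%1" %*. A per-user override under HKCU\Software\Classes wins over HKCR,
# so both hives are inspected.

function Get-ExeAssociationState {
    $expectedClass   = 'exefile'
    $expectedCommand = '"%1" %*'

    $paths = @{
        MachineClass   = 'Registry::HKEY_CLASSES_ROOT\.exe'
        MachineCommand = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
        UserClass      = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
        UserCommand    = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
    }

    # Read the default value of each key; a missing key reads as $null.
    $state = @{}
    foreach ($name in $paths.Keys) {
        $item = Get-ItemProperty -Path $paths[$name] -ErrorAction SilentlyContinue
        $state[$name] = if ($item) { $item.'(default)' } else { $null }
    }

    # Any per-user override at all is suspicious on a single-user machine;
    # the machine-wide values must match the defaults exactly.
    $healthy = ($state.MachineClass -eq $expectedClass) -and
               ($state.MachineCommand -eq $expectedCommand) -and
               ($state.UserClass -eq $null) -and
               ($state.UserCommand -eq $null)

    New-Object PSObject -Property @{
        MachineClass   = $state.MachineClass
        MachineCommand = $state.MachineCommand
        UserClass      = $state.UserClass
        UserCommand    = $state.UserCommand
        Healthy        = $healthy
    }
}

function Restore-ExeAssociation {
    # Remove any per-user override, then reset the machine-wide defaults.
    # Needs an elevated prompt for the HKCR writes.
    $userExe = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
    $userCls = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile'
    foreach ($k in $userExe, $userCls) {
        if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force }
    }
    Set-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -Name '(default)' -Value 'exefile'
    $cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value '"%1" %*'
}

# Usage: report first; pass -Restore on the command line to repair.
$state = Get-ExeAssociationState
$state | Format-List
if (-not $state.Healthy) {
    Write-Warning 'The .exe association has been tampered with.'
    if ($args -contains '-Restore') {
        Restore-ExeAssociation
        Get-ExeAssociationState | Format-List
    }
}
```

Restore the association before, not after, running the anti-malware tools: while it is broken, any .exe you double-click is routed through whatever the malware put in the open command, which is how these families keep the victim from launching a scanner.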

That’s all I’ve got for now and am open to suggestions. I’m waiting for the anti-malware tools to catch up so they’ll blow these infections away and I’m hoping I’ll get to do something besides clean up infections tomorrow at work.

Filed Under: Security and Privacy, System Administration, Tech Solutions