404 Tech Support
XP Internet Security 2010 – An Ongoing Current Attack

2010-03-02 by Jason

It appears there is a malvertisement (malware being delivered through website ads) attack campaign in full force and after today I’d guess it’s on the up-swing. After having a number of people in separate physical locations report the exact same malware installed on their machine, things start looking bad. I’m never one for jumping to trends and hopping to conclusions, but I know what makes for a bad day. XP Internet Security 2010 is a Fake AntiVirus that will get installed on your machine and start reporting infections and trying to get you to buy it. (It’s a scam! Don’t give them any money!) The worst thing, however, is that the malware tools currently aren’t detecting it or able to remove the infection.

After analyzing an infected machine and having MalwareBytes turn up empty, I used Process Monitor to get a handle on what was going on behind the scenes. It led me to a suspicious executable that was only a couple hundred kilobytes, but was the culprit for the XP Internet Security 2010 process. The executable was named MSASCui.exe and has a profile at VirusTotal. The .exe, along with a related file named with random characters, was found in the C:\Documents and Settings\[username]\Local Settings\Application Data directory and was only visible after unchecking the Hide protected operating system files (Recommended) setting in Tools, Folder Options.

If you kill the MSASCui.exe process through the Task Manager, you’ll be able to delete the file and its related gibberish-named log. That will stop the Fake AV from popping up and getting in the way of further clean up. Something is likely configured to start this process again if it is closed, so Registry keys and services would need to be analyzed as well. There’s also the possibility of a rootkit running in the background.
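The manual steps above (spot the hidden executable, check what restarts it, find the running process) can be scripted for triage. The following PowerShell is an added example written for this post, not the author’s tool; it assumes the XP-era profile path described above and only reports findings, leaving removal to the person doing the clean up. Note that the name MSASCui.exe is borrowed from Windows Defender’s legitimate UI executable, which lives under Program Files, not in a user’s application data.

```powershell
# Triage helper (added example, not from the original post).
# Lists Hidden+System .exe files under a user's Local Settings\Application Data,
# checks the common Run keys for values referencing them, and reports any
# running process launched from one of those files.
param(
    [string]$Username  = $env:USERNAME,
    # XP-era profile layout as described in the post; adjust for other versions.
    [string]$LocalData = "C:\Documents and Settings\$Username\Local Settings\Application Data"
)

# Explorer's "Hide protected operating system files" hides files that carry
# BOTH the Hidden and System attributes; a data directory rarely holds such .exe files.
$suspects = Get-ChildItem -Path $LocalData -Force -Include *.exe -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
    }

foreach ($file in $suspects) {
    Write-Output ("Hidden/system executable: {0} ({1} bytes, created {2})" -f
        $file.FullName, $file.Length, $file.CreationTime)
}

# Persistence check: does any Run value point at one of the flagged files?
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $valueNames = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
    foreach ($name in $valueNames) {
        $value = $props.$name
        foreach ($file in $suspects) {
            if ($value -like "*$($file.Name)*") {
                Write-Output ("Run key reference: {0}\{1} -> {2}" -f $key, $name, $value)
            }
        }
    }
}

# Running processes whose image path is one of the flagged files
Get-Process | Where-Object { $_.Path -and ($suspects.FullName -contains $_.Path) } |
    ForEach-Object { Write-Output ("Running from flagged file: PID {0} {1}" -f $_.Id, $_.Path) }
```

Run it from an elevated prompt so the HKLM key and other users’ processes are readable; a clean machine should print nothing.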

For those interested, read this news article on how malware might get on your computer while you’re just browsing around. There’s also this more technical blog article discussing PDF obfuscation. Based on my analysis, this is how you get infected:

The above picture shows the malicious executable, MSASCui.exe, and its random-named counterpart in the directory noted above, the properties of the file, and the user’s browsing history. The malicious file was created at 3:18 PM, almost as soon as the user stopped doing work and went on to find more “interesting” things on Celebuzz. Interesting…

You may have to use the previously mentioned .exe fix after this infection if you get a message asking what you want to use to open .exe files.

That’s all I’ve got for now and am open to suggestions. I’m waiting for the anti-malware tools to catch up so they’ll blow these infections away and I’m hoping I’ll get to do something besides clean up infections tomorrow at work.

Filed Under: Security and Privacy, System Administration, Tech Solutions
