Beware the Zeus virus (No, you’re not infected)

I’ve written about scams that get you to call a phone number and help bad guys access your computer before. Here’s another variety you need to be aware of.

My wife’s computer has had this happen twice in the last few weeks (click the image for a larger view):

zeus-virus-scam

Chrome is locked up – you can’t close the tab, click away, or do anything else except kill the browser in Task Manager. A computerized voice repeatedly intones, “Your computer is infected. Your data is being stolen. Call this number for support…” You can imagine that this would be very frightening to someone who is not computer-savvy, and a lot of people will fall for it.

Just to see how the scam works, I called the number (855-335-8826 – don’t call this number) and got an agent with a foreign accent (sounded Indian or Pakistani to me) asking how he could help. Putting on my “geezer voice,” I told him that my computer was talking to me and telling me that my data was being stolen.

  • Agent: “Have you downloaded anything lately?”
  • Me: “No.”
  • Agent: “I will direct you through a couple of steps so I can access your computer and help you fix this problem. Look at your keyboard in the lower left – do you see the Window key? I want you to press that key, together with the letter ‘r’. [Note: he wants me to run a program.]
  • Agent: “Type the letters ‘hh’, then a space, then the letter ‘t’ in the ‘open’ box. Then press the “OK” button.

hht.jpg

  • Me: “Ok, I did that.” [This is what I get]

page-display

  • Agent: “Do you see the little question mark in the upper left hand corner? I want you to click that and select the option that says “Jump to URL.”

url

  • Agent: “Now type this in the box: ‘www.support.me’

jumptourl

  • Me: “OK, I’ve done that.” [This is what I get]:

support

  • Agent: “I will now give you a 6-digit code to enter into the box. Your number is 925837. Please type that into the box and click ‘Start Download’.”
  • Me: Do you really think I’m going to allow access to my computer by a bunch of scammers? Get a life. *click*

What’s going on here is that if I had entered the number, I would have given complete control of my machine to a random scammer, and from that point he could have

  1. Stolen sensitive data like passwords, contact lists, or financial information.
  2. Infected my computer with malware
  3. Taken control of my machine and woven it into a spamming botnet.
  4. Other things more horrible that I wish to contemplate.

There are websites out there that tell you how to remove the “infection” that causes this popup; most of them exist to shill programs like Zemana, Malwarebytes, and HitMan Pro. Free versions of these are legitimate, but don’t be conned into buying “Pro” versions unless you really need their features. Others may ask you to download their own proprietary removal tool. Be wary of such sites.

The key here is that if you get the “Zeus” malware popup, NEVER CALL THE NUMBER. You’ll just be opening yourself up to fraudsters who want to do very bad things to you and your computer.

Be careful out there.

The Old Wolf has spoken.

A dozen Crypto attempts today

crypto

All of these arrived in my inbox today; many are duplicated versions of the same message with minor changes.

Dear info,
Cathleen Holcomb asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Cathleen know if you have any questions about the contents of the report.
Kind regards
Alisa Harper
Managing Director
Notice that all of these emails begin with “Dear Info,” since the relevant address is “info@devnull.com.” This in itself should be a red flag.
Dear info:
Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am writing to confirm receipt of your order, and to inform you that the item you requested will be delivered by 25 June at the latest. If you require more information regarding this order, please do not hesitate to contact me.
Also, our records show that we have not yet received payment for the previous order of 11 June, so I would be grateful if you could send payment as soon as possible. Please find attached the corresponding invoice.
If there is anything else you require, our company would be pleased to help. Looking forward to hearing from you soon.
Yours sincerely
Benjamin Martin
Chief Executive Officer
Information. A report. An invoice with request for payment. A spreadsheet. All looking innocuous and legitimate.
Dear info,
The reference you requested is attached.
Let me know if you have any questions.
Best regards
Erma Frederick
CEO
No matter how official emails like this look, you should verify every detail before proceeding.
Dear info,
Our records show that we have not yet received payment for the previous order #A-393685
Could you please send payment as soon as possible?
Please find attached file for details.
Yours sincerely
Jami Garrett
Mexico Key Account Director
Don’t open those attachments! They are almost certainly javascript files which will download an encryption virus or something equally vicious.
Be careful out there.
The Old Wolf has spoken.

go0dvinez: Malware Central

With uBlock Origin attached to Chrome and a host of other malware protections on my computer, I almost never see ads, spam, malware, popups, popunders, or any such things.

My phone is not so fortunate.

Recently I’ve checked out a couple of things on my Android that had shown up on my Facebook wall, and it’s been a long time since I’ve seen such a blatant effort to redirect, scam, browser-hijack, deceive, and annoy visitors as I experienced today with go0dvines.com (don’t go there.)

When you get a link like [http://go0dvinez.com/bakla-m3t-gayam-t-loko-ka-barok-xyter-iexsa-sonnn-off/], you know something is going to be off in the first place – but that didn’t show up until I did some researching on my desktop. On the phone, as soon as you hit the site, you’re immediately taken on like a six-level-deep redirect, and this is what you see:

This slideshow requires JavaScript.

I don’t even want to think about what kind of insidious garbage you wuld be downloading to your handheld device if you followed those links or clicked on the install buttons. One of them completely locks your browser; the only way out is to restart.

This is internet evil in its most distilled form, topped only by ransomware viruses and the unspeakable horrors of the deep web where few of us ever wander.

Stay away from this website, and if you see strange things happening to your phone when you follow a link, get out of there as fast as you can. Legitimate websites will never give you virus popup warnings like this.

Be careful out there.

The Old Wolf has spoken.

Nine more Crypto Emails

Today in the mail, another gush of spam emails, each one with a .zip attachment labelled “invoice” or “statement” or “employees” or some other innocuous title. Each one containing a .js (javascript) file which would download encryption software, corrupt my files, and demand a ransom. Please do not be victimized by these criminals.

From: Carole Middleton <MiddletonCarole95@bol.net.in>
Subject: [SPAM] Re: Chart of Accounts
hello info,
You may refer to the attached document for details.
Regards,
Norma Palmer

From: Beatrice Salinas <SalinasBeatrice75015@slotcarsdirect.co.uk> Subject: [SPAM] FW: vendors

Hi info
The attached spreadsheet contains bills. Please review
Regards,
Beatrice Salinas

From: Devon Garcia <GarciaDevon55@uid.uk.com>
Subject: [SPAM] Re:

Hi info,
As promised, the document you requested is attached\
Regards,
Devon Garcia

Subject: [SPAM] Emailing: Photo 05-11-2016, 98 43 44

Your message is ready to be sent with the following file or link attachments:
Photo 05-11-2016, 98 43 44
Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.

Note: How kind of them to warn me against viruses.

Subject: [SPAM] Emailing: Photo 05-12-2016, 64 94 68

Your message is ready to be sent with the following file or link attachments:
Photo 05-12-2016, 64 94 68
Note: To protect against computer viruses, e-mail programs may prevent ending or receiving certain types of file attachments.  Check your e-mail security settings to determine how attachments are handled.

From: Kareem Sweeney <SweeneyKareem2103@residenceferrucci.it>
Subject: [SPAM] Re:

hi info,
As promised, the document you requested is attached
Regards,
Kareem Sweeney

From: Kristine Brennan <BrennanKristine0377@lemmertzturismo.com.br>
Subject: [SPAM] build assemblies

hello info
Attached please find the build assemblies report for your review
Thank you.
Regards,
Kristine Brennan

From: Mable Ward <WardMable44090@cmsadv.com.br>
Subject: [SPAM] FW: invoices

Hi info
The attached spreadsheet contains employees. Please review
Regards,
Mable Ward

From: Milagros Wiley <WileyMilagros41@telefonica.de>
Subject: [SPAM] receive payments

hello info
Attached please find the receive payments report for your review
Thank you.
Regards,
Milagros Wiley

From: Norma Palmer <PalmerNorma3969@jpowerassembly.org>
Subject: [SPAM] Re: Chart of Accounts

hello info,
You may refer to the attached document for details.
Regards,
Norma Palmer

I post these only in case people out there are searching the web for similar messages.

Be clear: THESE MESSAGES CARRY ENCRYPTION VIRUSES. Do NOT open the attachments!

Be careful out there

The Old Wolf has spoken.

Malware Payloads

Chapa NO MALWARE

I’ve noticed a lot of malicious emails coming through to one of my addresses lately – interestingly enough not at Gmail, which may even filter these things out before they are even sent to Spam – but to one of my private email addresses. Here are two examples:

Dear info,

Many thanks for your card payment. Please find payment confirmation attached below. Should you have any queries, please do not hesitate to contact Credit Control Team.

Best regards

Dena Carpenter
Director Audit Services
Attachment: 851E2_info_43A8AE.rar
And this one:
Dear info,
Please check the bill in attachment.
In order to avoid fine you have to pay in 48 hours.
Best regards
Antonia Snider
Executive Director Sales Account Management Training Performance Support
Attachment: info_e-bill_669770.zip
Both of these emails came with compressed attachments, one a .zip file and one a .rar file. Inside each was a document with the extension “.js,” meaning it’s a javascript file which would automatically run once the file was clicked on to see the “invoice”or “bill.”

DO NOT DO THIS.

From Microsoft’s Malware Protection Center:

Payload: Downloads malware or unwanted software

This threat can download other malware and unwanted software onto your PC. We have seen it download the following threats:

  • PWS:Win32/Fareit
  • Ransom:Win32/Crowti.A

Connects to a remote host

We have seen this threat connect to a remote host, including:
  • davis1.ru using port 80
Malware can connect to a remote host to do any of the following:

  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate

We have seen this threat access online content, including:

  • two.jpg
  • one.jpg

Another similar threat is 097M/Donoff. This Microsoft Article shows many types of emails that are being sent out to try to get people to run this malware. One of my emails contained Win32/Penzievs, which is so new that Microsoft has no technical details on it yet.

Working at Carbonite™, we have seen many customers who have been infected by the Cryptolocker virus and similar encryption programs. Almost all of these vicious payloads come as email attachments that are opened by the unwary. While having good anti-virus protection and a rcloud-based backup system that protects multiple versions of your files is good insurance, the best procedure is never to open attachments from unknown sources, no matter how legitimate they look. Especially always avoid “.exe,” “.com,” “.zip,” and “.rar” files.

Be careful out there. Protect yourself and your loved ones.

The Old Wolf has spoken.

 

Here’s why you do external backups

ransomware

The BotNet distributing the original Cryptolocker was taken down (I’ve mentioned this malware multiple times), and many people were able to get their data back – but there are still many malicious clones of this supremely evil malware floating around out there.

Per this article (in Norwegian, but you can use Google Translate to get a good gist of its meaning in English), if your files have been encrypted, you’re pretty well screwed. Your only options are to pay the ransom (which does not guarantee that you will get a decryption key) or bring your files back from a non-connected, external backup – this because the encrypting malware can affect cloud storage as well either directly or indirectly.

To protect yourself from this sort of data horror:

  1. Back up your files to an unconnected external drive regularly
  2. Never open email attachments from unknown people, no matter how legitimate they may look

Hell is going to be a busy place. Be careful out there.

The Old Wolf has spoken.

Scam: The Blue Screen of Death

Yesterday while visiting her mother, my wife did a search at YouTube. For some inexplicable reason (I wasn’t there to observe what exactly went down,) this website was accessed:

BlueScreen2

Overlaid on this screen was a scary-looking popup:

BlueScreen1

The page is especially nasty: it disables the back button, the close button, and any other Chrome windows you happen to have open. The only way out is to kill Chrome via the task manager, or by doing that hard reset that the message tells you should not be done.

This would be very unsettling for someone like my mother-in-law who is not terribly computer-savvy (although she’s quite good with email and Facebook) and the deal here is that if you call the number – definitely not Microsoft – you get some agent in an Indian or Pakistani boiler-room who will convince you that they are from Microsoft, fling all sorts of nonsense technobabble at you, talk you through the process of installing TeamViewer or some other such remote-control software, and then upload malware to your machine.

The scam is very similar to what I described in Don’t Help the Scammers (item no. 4); a good comprehensive writeup of this type of scam is also found at MalwareBytes Unpacked.

Please be careful out there, and if you have friends or relations, particularly the elderly, who could be taken in by this jiggery-pokery, please help them to stay safe.

The Old Wolf has spoken.