Tuesday, April 26, 2011

Technoviking? I am not amused

So yesterday I was looking on Google Images for the 'Technoviking'. I'm sure most of you know the guy/meme but just to be sure:


In case you're wondering, I do not remember why he flashed into my mind all of a sudden, but I was listening to some music on YouTube and I suppose there was a Suggested Video (wink).

Either way, some of the Google Images were in fact redirecting to a scareware page, urging you to download a file to "clean" your computer. Some of the images that were infected:

Some infected Google Image results

If you click on any of them, you would get the following message:

"Windows Security" will perform a fast scan of system files

... and when clicking on "OK" you'll get the well-known fake scanning page:

Fake Scanning page finding numerous infections

The following file was downloaded:

Result: 18/41 (43.9%)
MD5: e705b657f5830eb2a43eee3a32f549c3
VirusTotal Report
ThreatExpert Report
Anubis Report

Today I checked again and the scareware/rogueware campaign is still active. I was now presented with another file that has a very low detection rate on VirusTotal:

Result: 2/41 (4.9%)
MD5: 56ce5479183913f2082bf0fd790dbaea
VirusTotal Report

The payload is a rogueware called 'MS Removal Tool'.

When executing the dropped file (BestAntivirus2011.exe):

MS Removal Tool fake scanning screen

It is interesting to note that you would only get redirected when using Internet Explorer or Google Chrome. On Firefox 3.6 and Firefox 4.0 the redirect did not occur at all.
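Browser-dependent behaviour like this is worth checking for explicitly when you analyse a suspicious landing page. One common way such selective redirects are implemented is to key on the request's User-Agent header; the post observes the browser difference but does not establish the mechanism, so that is an assumption of the script. The following is an added example (not code from the original post): it requests a URL once per browser family without following redirects, then reports which families were sent to a different host. The User-Agent strings and the `fake-av.example` host used in the checks are constructed placeholders.

```python
"""Probe one URL with several browser User-Agent strings, without following
redirects, and report which browsers are sent off to a different host.

Added example for this post; it assumes the redirect is keyed on the
User-Agent header, which the post observes but does not prove.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Representative User-Agent strings per browser family (constructed; the
# exact version strings do not matter for the check).
USER_AGENTS = {
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 "
              "(KHTML, like Gecko) Chrome/11.0.696.34 Safari/534.24",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0",
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, user_agent, timeout=10):
    """Fetch url once with the given User-Agent.

    Returns (status, location). A 3xx comes back as an HTTPError because
    NoRedirect refuses to follow it, so both paths are handled; network
    failures return (None, None).
    """
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")
    except urllib.error.URLError:
        return None, None


def classify(results, original_url):
    """Map browser label -> target host for every probe that was redirected
    to a host other than the one originally requested.

    results: {label: (status, location)} as returned by probe().
    """
    original_host = urlparse(original_url).netloc.lower()
    off_site = {}
    for label, (status, location) in results.items():
        if status in REDIRECT_CODES and location:
            target_host = urlparse(urljoin(original_url, location)).netloc.lower()
            if target_host != original_host:
                off_site[label] = target_host
    return off_site


def is_selective(off_site, results):
    """True when some browsers are redirected off-site and others are not,
    which is the pattern the post describes."""
    return 0 < len(off_site) < len(results)


def probe_all(url):
    """Run probe() once per browser family."""
    return {label: probe(url, ua) for label, ua in USER_AGENTS.items()}


if __name__ == "__main__":
    target = sys.argv[1]
    found = probe_all(target)
    flagged = classify(found, target)
    for label, (status, location) in found.items():
        print(f"{label:8} status={status} location={location}")
    if is_selective(flagged, found):
        print("Selective redirect: only", ", ".join(sorted(flagged)), "sent off-site")
```

Run it as `python probe_redirect.py http://host/page` from an isolated analysis machine, never from the workstation you are trying to protect. Two caveats: a redirect performed by JavaScript or a meta refresh after the page has loaded is invisible at the HTTP layer, so a clean result here does not prove the page is harmless, and a page that also keys on the Referer header (a Google Images referrer, say) will only show the redirect if you send one.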


- Be careful when visiting any webpage. A useful trick is to check the real URL behind the image. Most of the time you can verify this by looking at the status bar in the lower-left corner of your browser:

Clicked on a picture and started loading this website instead of the original one

- Use browser extensions to verify the integrity of an image or URL. Useful add-ons for Google Chrome are, for example, VTchromizer, NotScripts and WOT.

- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.

- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL + ALT + DEL) and killing your browser's process:
  • a) For Google Chrome: chrome.exe or chrome.exe *32
  • b) For Mozilla Firefox: firefox.exe or firefox.exe *32
  • c) For Microsoft's Internet Explorer: iexplore.exe or iexplore.exe *32

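The tip about checking the real URL behind an image can be done for a whole page at once instead of one status-bar glance at a time. The parser below is an added example, not code from the original post: it pairs every `<img>` with the `<a href>` that wraps it and lists the pairs whose link leaves the page's own host. `SAMPLE_HTML`, `BASE_URL` and the host names in them are constructed.

```python
"""Pair every <img> on a page with the link that wraps it and list the pairs
whose link leaves the page's own host. Added example, not from the post."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: two linked thumbnails and one bare image.
BASE_URL = "http://images.example/search?q=technoviking"
SAMPLE_HTML = """
<html><body>
<a href="/gallery/viking.html"><img src="/thumbs/viking1.jpg"></a>
<a href="http://other-host.example/landing.php?id=1"><img src="/thumbs/viking2.jpg"></a>
<img src="/thumbs/viking3.jpg">
</body></html>
"""


class ImageLinkParser(HTMLParser):
    """Collect (image_url, link_url_or_None) for every <img> seen."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self._open_links = []  # hrefs of <a> elements not yet closed
        self.pairs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            href = attrs.get("href") or ""
            self._open_links.append(urljoin(self.base_url, href))
        elif tag == "img":
            # <img> is a void element, so it only ever arrives as a start tag
            src = urljoin(self.base_url, attrs.get("src") or "")
            link = self._open_links[-1] if self._open_links else None
            self.pairs.append((src, link))

    def handle_endtag(self, tag):
        if tag == "a" and self._open_links:
            self._open_links.pop()


def image_links(html, base_url):
    """All (image_url, link_url) pairs; link_url is None for unlinked images."""
    parser = ImageLinkParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.pairs


def offsite_image_links(html, base_url):
    """Only the pairs whose link points at a host other than the page's own."""
    page_host = urlparse(base_url).netloc.lower()
    return [
        (src, link)
        for src, link in image_links(html, base_url)
        if link and urlparse(link).netloc.lower() != page_host
    ]


if __name__ == "__main__":
    for src, link in offsite_image_links(SAMPLE_HTML, BASE_URL):
        print(f"{src} -> {link}")
```

On a search results page every thumbnail is expected to link off-site, so there the useful output is the list of destination hosts to look over before clicking rather than the off-site flag itself. Keep in mind that the href only tells you where the first request goes; a destination that redirects you again after loading, as the pages in this campaign did, is not visible from the link alone.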

If the harm is already done and you are getting warnings, messages or pop-ups stating you are infected and you need to take 'immediate action' to clean your computer, follow the guide below from BleepingComputer to rid yourself of this malware:

Remove MS Removal Tool


Don't be fooled by Google's image previews; you can still get infected even though the site appears to be safe.

Follow the above prevention tips to decrease the chance of your computer becoming infected.