
This is a discussion on New Kind of Google Worm? in the Open Discussion & Chit-chat forum

  1. #1
    Loyal Client Pawel Kowalski
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405

    New Kind of Google Worm?

    I had the strangest thing happen. Last night I was looking around for piano chords and put that keyword into Google. The very first result looked like a site I used to frequent for chords so I clicked it (DO NOT TRY THIS. I JUST VERIFIED IT'S A VIRUS). As soon as I did that the Acrobat process started and IE crashed. From there my computer stopped responding and in Task Manager I could see the Acrobat process growing in memory up to 700MB. I killed it. Took me a few hours to remove the virus from my computer and after that I went to sleep thinking it was just some random stupidity on my part.

    Fast forward to this morning and one of my clients, whose infected computer I had fixed 2 weeks ago, calls me and tells me her computer is infected again. When I get there the first thing I do is check the history to see how it got on there. Turns out she was searching around for guitar tabs. Sure enough, if you search "guitar tabs" in Google you come to the site guitaretab[.com] as the 3rd result. This is the site that infected her. (AGAIN DO NOT TRY THIS. IT'S A VIRUS) The virus was Anti-virus 2008 and luckily Malwarebytes was able to remove it.

    I don't know if there was a bulletin put out for this, but the fact that this happened to me last night and to a client this morning would suggest to me this is a new worm. Anyone have any more information on this? I haven't had time to check if this affects other search engines. The worm doesn't seem to affect users running Windows limited accounts as my laptop was unaffected. I was able to view the files and it just seems like a bunch of random JavaScript thrown at the bottom of the page.
    Last edited by Pawel Kowalski; 12-30-2008 at 07:50 PM.

  2. #2
    JPC Addict
    Join Date
    Nov 2005
    Posts
    132
    Are you sure it's a virus? I had something sort of similar happen on a couple sites recently, but in my case I got a msg box saying Acrobat had failed to start. My virus software didn't pick up anything, and I installed Malwarebytes, and it doesn't find anything. Perhaps it's because I use Firefox?

  3. #3
    Loyal Client Pawel Kowalski
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    I'm not sure if it affects Firefox; both computers I saw it on were IE 7. But I'm 100% sure this is a virus; I was able to confirm it using my laptop.

  4. #4
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    I had the same (or similar) problem:

    Fake antivirus 2009 virus attack
    Last edited by Ron; 12-31-2008 at 08:59 AM. Reason: edit to URL
    Good luck

  5. #5
    Loyal Client Pawel Kowalski
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    Interesting, but I don't think this is the same one I ran into, which seems to install itself automatically. I am actually getting Firefox ready on one of my computers at work to see if it will get infected that way.

  6. #6
    all about nothing! Frank Broughton
    Join Date
    Jan 2006
    Posts
    2,158
    That is not a virus - it is called "Rogue Antispyware" and it is getting to be very popular. The last three systems I cleaned for friends had this on them. Indeed Malwarebytes is the tool to use to remove it.

    This is also not new. Idiots have been doing this for a while now. Nice money maker for the scumbuckets.

    I talk about it some on my spyware removal page. I still think step one is the best step: http://av1611.us/spyware.html

    Also read about it here: http://malwarebytes.besttechie.net/

    and here: http://www.spywarewarrior.com/rogue_anti-spyware.htm (an older listing no longer maintained)

    or here: http://malwarebytes.org/forums/index.php?showforum=30


    The scum buckets who make these apps would make for good practice for the military as TARGETS! haha

  7. #7
    Loyal Client Pawel Kowalski
    Join Date
    Sep 2001
    Location
    Albuquerque NM
    Posts
    1,405
    Well, I was able to confirm that the chord house exploit uses Acrobat and seems to only affect IE; however, I did find that it will also affect limited accounts (although using a limited account will make it easy to clean off). I opened it up on Firefox and the web site loaded fine. I think I'm going to bite the bullet and switch to Firefox as well as advise everyone at work to do the same.

    Frank, I have seen this antivirus 2008/2009 virus plenty of times before. I just had no idea it was spreading this way.
