{"id":2094,"date":"2010-01-25T17:16:40","date_gmt":"2010-01-26T00:16:40","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=2094"},"modified":"2018-01-30T12:36:48","modified_gmt":"2018-01-30T19:36:48","slug":"rogue-av-payload-blocks-popular-websites","status":"publish","type":"post","link":"https://www.webroot.com/blog/2010\/01\/25\/rogue-av-payload-blocks-popular-websites\/","title":{"rendered":"Rogue AV Payload Blocks Popular Websites"},"content":{"rendered":"

\"\"\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"Add<\/a>\"\"<\/p>\n

\"\"<\/a>A payload file installed along with some variants of the rogue Internet Security 2010<\/strong> “antivirus” program modifies victims’ networking settings within Windows, inserting itself into the network stack and preventing victims from visiting some of the Web’s most popular Web sites. More than 40\u00a0sites have been targeted, including: Microsoft’s live.com<\/strong> and Bing <\/strong>search engine; social networking giants Facebook<\/strong>, Twitter<\/strong>, MySpace<\/strong>, Bebo<\/strong>, LinkedIn<\/strong>, and YouTube<\/strong>; news organizations including Fox News, The New York Times, the Washington Post<\/strong>, and the UK’s Guardian<\/strong> and BBC <\/strong>news sites; and blogs hosted by blogger.com, livejournal.com<\/strong>, and wordpress.com<\/strong>.<\/p>\n

The payload modifies the Layered Service Provider (LSP<\/strong>) so that calls to those Web sites pass through the malicious file, which displays a warning message in the browser instead of the blocked Web site. The message says:<\/p>\n

This web site is restricted based on your security preferences<\/strong><\/p><\/blockquote>\n

and<\/p>\n

Your system is infected. Please activate your antivirus software.<\/strong><\/p><\/blockquote>\n

We’ve seen an increase in the number of spies that bollix the LSP chain lately. In cases where this happens, if you simply remove the malicious file that is referenced in the LSP, the computer remains unable to connect to the Internet afterwards. To fully repair the PC, you’ll need to fix that broken chain<\/a>.<\/p>\n

Fortunately, the fix for this spy — which we’re calling Trojan-Annoyinator<\/strong> — is fairly easy. Users of Webroot’s products can simply sweep, and the spy along with its LSP modifications will be removed upon reboot. If you don’t have one of Webroot’s antimalware product installed, you can go through the process manually, which isn’t difficult for someone familiar with Windows tools such as Regedit. The only problem might be getting to Microsoft’s Web site (where the instructions<\/a> are posted) from an infected computer.
\n
\nThe spy only injects itself into a short list of Internet-capable applications; unfortunately, that list includes every popular browser for Windows: Internet Explorer, Firefox, Opera, Chrome, Safari<\/strong>, and the Flock <\/strong>browser<\/a> (which runs Firefox as its core engine). In addition to the sites listed above, it also blocks some file-sharing sites (The Pirate Bay, RapidShare<\/strong>), shopping sites (Amazon.com, Craigslist<\/strong>), some porn sites, and a few oddballs, like MapQuest, Monster.com<\/strong> and Wikipedia<\/strong>.<\/p>\n

\"\"<\/a><\/p>\n

Notably, the spy doesn’t block access to the Web sites of legitimate antivirus companies or other businesses in the computer security industry. Malicious hosts files and IFEO registry keys<\/a> that disable legitimate security applications become almost a de-facto<\/em> part of the infection package (especially with Chinese phishing Trojans). But not with this one.<\/p>\n

Fixing the LSP chain manually on a Windows XP computer is a relatively straightforward process. If you don’t want to use a freeware tool such as LSP-fix<\/a>, you have to delete a few registry traces, then reinstall Windows’ TCP\/IP protocol over the top of itself; this forces Windows to rebuild the LSP chain from scratch. After a reboot you should be up and running again, as long as the malicious files have been removed from the computer.<\/p>\n

Manual LSP repair instructions<\/h3>\n