I don't get the opportunity to do much virus, spyware or malware fighting here at SmallNetBuilder HQ. There are no kids downloading and "exploring" the Internet, my wife and I seldom (if ever) copy in files from off-network computers and both of us are well-versed in safe Internet practices (and follow them).
But my neighbors and family members are not so fortunate. My holiday-time trips home usually involve a half-day session with one of my sister's computers to make it stop "running slow", although that has ceased to be a regular thing now that all of her kids have moved to places (and computers) of their own.
Her problems usually haven't been bad, however. Removing some adware that came along with Party Poker and a general cleanout of temp and unused applications were enough to get her back to a nicely responsive system.
This weekend, however, one of my neighbors was not so lucky when they got hit with a variant of the Zlob trojan. Fortunately, they didn't fall prey to Zlob's repeated exhortations to download and install fake malware-removal tools, which would only have made things worse. As it was, Zlob was perfectly capable of installing enough malware on its own.
In the end, I took the safe route of doing a clean reinstall of XP after spending an afternoon making several unsuccessful attempts at removal. But I learned a few things along the way that I thought might be useful to pass along.
Lesson #1: Know Your Anti-Virus Program
The most important thing in preventing a malware, virus or adware infection, besides observing good Internet hygiene, is to know the state of your anti-virus program. If you are running an Internet-connected system without good, automatically-updated anti-virus protection at a minimum, you're not just exposing yourself to risk, but you're also potentially part of the world-wide epidemic of infected computers.
AVG continues to provide its free Anti-Virus edition for "private" use, i.e. individuals, not businesses. So there is no excuse for not having effective anti-virus on every system that you own. Of course, AVG would also appreciate it if you would buy either the Pro or Internet Security versions, which add rootkit and additional protection features.
In my neighbors' case, they had a different anti-virus program installed. But they didn't know that it wasn't providing any protection, because it had expired months ago. The problem was that the program looked like it was running because it was spinning its little logo continuously down in the System Tray. But what my neighbor thought was the program's way of showing that it was working, turned out to be its way of saying it needed attention!
The fault here is shared between the program's designers and my neighbors' complacency and lack of curiosity. The program designers should have provided a continuous, unambiguous indication that the program was not doing its intended job.
With AVG, the tray icon changes to superimpose an international alert symbol on top of its normal icon when it is not running or hasn't been able to perform its daily update (Figure 1). It would be even better, however, if it also provided a pop-up or other obvious indication of what the problem is that is causing the alert.
Figure 1: AVG problem indication
But my neighbors are also at fault. Just as you must know what your car's dashboard trouble lights mean (if you want to avoid expensive repairs...or worse!), so must you know the status of your anti-virus. If they had known what their previous anti-virus program was trying to tell them, they would have saved themselves (and me) a lot of time.
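The tray icon is only the anti-virus vendor's own opinion of itself. Windows also keeps an independent record, via Security Center, of whether a registered anti-virus product has real-time protection switched on and whether its signatures are current, and that record is what I would check on a machine I don't own before believing any spinning logo. The script below is an added example, not something from the original post or from AVG; it assumes the usual Security Center WMI layout: on XP the AntiVirusProduct class lives in root\SecurityCenter with onAccessScanningEnabled and productUptoDate booleans, while on Vista and later it lives in root\SecurityCenter2 and packs the state into the productState integer, where the 0x1000 bit means real-time protection is on and the 0x10 bit means signatures are out of date. Those bit positions are widely relied on but are not formally documented, so treat them as an assumption.

```powershell
# Added example: ask Windows Security Center what it thinks of the installed anti-virus.
# Not part of the original article. Assumes the root\SecurityCenter (XP) and
# root\SecurityCenter2 (Vista+) AntiVirusProduct classes and the commonly used,
# but undocumented, productState bit layout described in the lead-in.

function Get-AvStatus {
    $results = @()

    # Vista and later: state is packed into the productState integer.
    $newProducts = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $newProducts) {
        $state = [int]$p.productState
        $results += New-Object PSObject -Property @{
            Name     = $p.displayName
            Enabled  = (($state -band 0x1000) -ne 0)   # assumption: real-time protection bit
            UpToDate = (($state -band 0x10) -eq 0)     # assumption: out-of-date bit clear
            Source   = 'root\SecurityCenter2'
        }
    }

    # XP: the same facts are exposed as plain booleans in the older namespace.
    $oldProducts = Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $oldProducts) {
        $results += New-Object PSObject -Property @{
            Name     = $p.displayName
            Enabled  = [bool]$p.onAccessScanningEnabled
            UpToDate = [bool]$p.productUptoDate
            Source   = 'root\SecurityCenter'
        }
    }

    return $results
}

# Turn the raw records into the one thing a home user needs to know: is anything
# actually protecting this machine right now?
function Test-AvProtection {
    $status = @(Get-AvStatus)

    if ($status.Count -eq 0) {
        Write-Warning 'No anti-virus product is registered with Windows Security Center.'
        return $false
    }

    $protected = $false
    foreach ($s in $status) {
        $verdict = if ($s.Enabled -and $s.UpToDate) { 'OK' }
                   elseif (-not $s.Enabled)          { 'REAL-TIME PROTECTION OFF' }
                   else                              { 'SIGNATURES OUT OF DATE' }
        Write-Host ('{0,-40} {1}' -f $s.Name, $verdict)
        if ($verdict -eq 'OK') { $protected = $true }
    }

    if (-not $protected) {
        Write-Warning 'Nothing is providing current, active anti-virus protection on this system.'
    }
    return $protected
}

Test-AvProtection
```

An expired subscription of the kind my neighbors had normally shows up here as "SIGNATURES OUT OF DATE" long before the vendor's tray icon says anything a non-expert would notice, and a product whose service has been killed by malware shows as "REAL-TIME PROTECTION OFF". Run it as the logged-in user; no elevation is needed to read these classes.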
Lesson #2: Know When You're Being Scammed
The most important thing in surviving a malware infection is knowing that you have one. Fortunately, Zlob isn't shy about announcing itself. But the way it announces its presence can panic unknowledgeable users into doing things that they shouldn't.
Zlob changes your desktop wallpaper to display a warning similar to that in Figure 2 and pops up a warning balloon in your Windows System Tray / Notification Area similar to those in Figure 3.
Figure 2: Zlob desktop wallpaper warning
The wallpaper change is a good tipoff, since there is no normal Windows behavior that I know of that causes Windows to change your desktop wallpaper and prevents you from changing it back. But the tray popup is much more subtle and easier to fall prey to. Windows frequently uses Tray popups to provide warnings and alerts and allows you to take action by clicking on the alert balloon.
Figure 3: Zlob tray popups
Fortunately, the desktop wallpaper change was enough to raise suspicion that something was wrong and caused him to call for help.