Could New Facebook Virus Be Unstoppable?

One of the most sophisticated viruses ever has hit Facebook – called Trojan.FakeAV.LVT it uses multiple social engineering techniques to spread. It hijacks a victim’s Facebook session and sends credible messages to their friends (via the chat function) leading them to a fake YouTube video page – supposedly containing a video of the victim.

The page is convincing because it contains their friends’ names in the title and even includes fake comments from their own Facebook friends. The fake YouTube page informs the user that they need to download/install an update to Flash Player to see the video (a common virus scam) and the ‘update’ installs the Trojan onto their computer.

Once installed, the Trojan blocks notifications from the Firewall, Windows update and the user’s own legitimate antivirus software. So far, a clever and well engineered approach to spreading infection but not that unusual. The next part is where it gets awfully scary…

The Trojan displays a pop-up message warning you of virus infection and asks you to confirm restart of your computer. Crucially, this pop-up warning is an exact copy of a real virus alert you would receive from your own legitimate antivirus program.

The Trojan detects which antivirus program you have on your computer and picks out the correct warning message from its own database of 20+ most popular antivirus programs (covering the vast majority of users). So what you see is a warning from ‘your’ antivirus software – identical to what you may have seen before if you have ever encountered a virus.

After you choose to restart, the Trojan schedules your own antivirus program for uninstallation, reboots the computer into Safe Mode (but with a black screen only) and quickly uninstalls your antivirus program behind the scenes. Less than a minute later it restarts the computer normally.

When the computer restarts (now with several running viruses) the Trojan puts a fake antivirus icon in your system tray (bottom right of screen) – again, this icon is an exact copy of the genuine article, even to the extent of simulating the virus definitions/update release date if you hover the mouse over it. Most people would be fooled into thinking that everything is ok and their own antivirus program is still protecting them – but their computer is now totally compromised…

You no longer have any antivirus protection and your computer has been taken over by malware including the following:

Trojan downloader – to download more viruses
Modified Hosts file – to block certain websites and redirect others
Dynamic list of other infected computers – to let them distribute more malware to each other
Rootkit – a type of virus file that can hide itself from Windows and future antivirus scanning

This collection of malware would allow your computer to be freely used by the virus creators and other cyber-criminals for things like sending out spam, hijacking email, logging/stealing passwords and logon details etc. It even throws in a peer to peer network of infected computers that can be used to distribute further malware to each other.

The only clue that everything is not kosher and your antivirus program is not really running is that if you try to actually open your antivirus program you will see a non-standard message telling you it is in ‘Enhanced Protection Mode’ as a temporary measure…

Could This Type Of Virus Become Unstoppable?

At the moment it is really clever but there are a few weaknesses:

  • If you try to open your supposed antivirus program you get the ‘Enhanced Protection Mode’ message instead of the real program – this gives the game away. However, we suspect the next step for the virus creators will be to create a fake full copy of each popular antivirus program so that, when opened, it looks the same as the genuine one – possibly to the extent of being able to download ‘updates’ (from the virus creators) and ‘scan’ your computer (just a pretend scan of course).
  • The reboot into Safe Mode with only a black screen is less of a giveaway (only tech aware people would realize it was not part of a standard virus removal) but could also be improved. If the Trojan just deleted the important files/services of your genuine antivirus program in normal Windows mode it would not have to boot to Safe Mode at all.
  • Currently the Trojan spreads via Facebook which limits its spread – but not by much as Facebook has over half a billion users… It would spread even more quickly if it was published by other typical malware vehicles like Torrents, file sharing sites, infected websites, email attachments etc – this is surely the next step.

Conclusion

If the above weaknesses were resolved then malware like Trojan.FakeAV.LVT could become devastating – and you can guarantee that other virus writers are even now copying its ‘best’ features. Invisibly replacing genuine antivirus software with full fake copies that look real would be the coup de grace – leaving computers not just badly infected but (even worse) appearing to still look secure.

If the user remains blissfully unaware they have been massively infected they will continue to use their computer as normal for online banking and shopping etc – the potential for ongoing security breaches and data or financial loss could be much greater than anything we have seen before.

Hopefully antivirus companies are working on a defense to this type of threat as we think it might not be long before the current weaknesses are fixed, copied by others and moved outside of Facebook to the wider internet – then we might really have problems.

In the meantime, you should ensure that you have a top antivirus program (see our recent guide on the best antivirus software) and also check out our guide on avoiding virus infections in the first place.

[A highly detailed technical investigation of this Trojan is on Xylibox here]

11 thoughts on “Could New Facebook Virus Be Unstoppable?”

  1. Hi Michael, if you want to try yourself you will have to be able to download programs from the internet (or have another computer and a flash drive to do it then copy programs across) – follow our guide https://techlogon.com/how-to-remove-viruses-part-1

    Please take heed of the warning at the beginning of the guide – the safest bet is to get a good IT Technician to remove the viruses for you – they should be able to backup your docs (just in case), remove the infections and repair any damage to Windows components.

  2. I was just hit with this virus and did not know it until several attemps to clear my computer issues. Then researched facebook viruses and came across this site and wamm it hit me what the problem is.

    Now, how do I fix the problem. I can’t seem to wipe out the viruses or install another security software.

    • @Michael, I think the best thing for you to do is just reformat the disk , since this virus is violent and very hard to clear it completely.
      But – remember that since this virus is being written also to boot record, you MUST do a fixmbr to write a new Master Boot Record. After that, you should remove the parttion and create new partition(s) – that will be different in size! That will promise that the virus won’t stay there in the background and will show up in the minute after you finish a new system installation…

  3. i was hit by this virus and now my comp doesnt even work. I am screwed and now i have to get a new computer.

    • Shame you got hit that badly. If your computer is just virus infested (i.e. still works) it might be worth you getting a tech to backup your docs if required then format it (deletes everything), rebuild a new boot & MBR record then reinstall Windows – should be a lot cheaper than a new computer. Of course if you fancy a new computer soon anyway then this might be the right time to change.

      We’ve published an article today linking to a new free eBook on Facebook Privacy & Security that you can download – well worth a read to try and help avoid infection in future.

  4. Unlikely to be a BIOS rootkit – rare and must usually be installed, either by someone with physical access to the system or remotely by a person with root-level access. You could update the BIOS just to make sure I guess.

    Does look like 1 or more rootkits though – have seen them stopping Malwarebytes running before. The 32 (xyz32.exe etc) issues may be a symptom of the Tracur trojan.

    An offline scan of the hard drive on another computer could be a way forward but, for a business PC, at this stage we would wipe and reinstall to be 100% sure as you can’t easily predict how many Windows/programs have already been corrupted e.g. windows updates, security center/notifications, system restore, firewall etc unless you test every single option…

  5. It just happened today to one of my customers. She had exactly this faked YT link and a lot of faked messages from friends,
    Then, the virus also put a bios password and pc did not even boot. I had first to reset the bios with closing/opening the clear bios jumper.
    Than a lot of executable malicious files were found in the c:\windows and at startup, also as you mentions, the AV was removed.

    After I removed all this executable files from the drive, and removed them from calling in the startup process, I had also to re-register some system dll’s (using regsvr32) , but the pc is still not clean. I tried to install another AV software, it has been installed but its service could not be started.
    I now think that formatting that PC would be the best way, but I love to fight those scam viruses and find their roots and kill them, so I still try.
    Is there any suggestions what can be more done to fight this virus?

    (p.s – how can I register to new comments via mail to this post?)

    • Sounds bad – a BIOS password is a nasty new addition. Have you already tried the ‘easier’ ways of removing infections like the free versions of Malwarebytes and SuperAntiSpyware?

      If so, you may have a rootkit which would hide itself from your Windows security software – try TDSSKiller from Kaspersky to remove or use GMER to look for one. Also check if you have a MBR (master boot record) virus – try Aswmbr.exe from Avast to check. Also check your hosts file (we posted an article 3 days ago about this) for suspicious entries.

      However, based on what you have encountered so far (especially the BIOS password and having to re-register DLLs) it appears your computer was very badly infected by multiple malware – if you are not an expert (or if you do find a rootkit) the safest (and probably quickest) way to fix is to backup data, reformat and reinstall…

      If you decide to reformat, you still need to check for MBR virus or rewrite the MBR (recovery console – fixmbr or bootrec /fixmbr) as the MBR is stored outside of the Windows partition – reformatting will not delete an MBR virus and you would be reinfected again as soon as you reinstalled Windows…

      • Thanks for your quick reply and suggestions.
        I am an expert and dealing with all these stuff for 20 years (yea, yea, from the pre Windows times with DOS 3.2 … :) )
        I tried earlier today to install Malwarebytes, but as soon I’ve installed it, the virus just disabled it and blocked it just a second after I tried to do a scan, then an error message appeared that I don’t have permissions to run it…
        Maybe a better idea will be taking that HDD out and try to scan it from another clean PC.
        I’m @home now and the PC is @client’s office, so I can’t do more checks right now, I’ll be there again next week, meanwhile I told them not to use this certain PC and to be safe disconnected the LAN cable.
        When I’ll be there again, I’ll try to use other things you suggested here, in case the the customer will want that this time will be invested.
        btw: I already deleted all the hidden update-x folders and faked svchost,exe hidden files that were there, also the services32.exe and some more exe files.
        If I will format it, I will remove the partition before and re-create the partition again, but I will take your advise to rewrite the MBR also, since I know that even removing the partition and re-creating it, may not be enough in case that the new partition is the exact same size as the removed partition.
        My fear is, since the BIOS password issue came, is that somehow it has a rootkit or so in the BIOS itself, and nothing will be possible to do in that case, maybe only a BIOS update first…

Comments are closed.