
I was taking a look at someone's computer that had a virus. It called itself "Vista Antivirus Security 2012". It turned out to be ltd.exe. It would seemingly randomly block programs; it turns out it had infected the "open with" option for exe files. Renaming the exe and then restoring the open-with references that contained ltd.exe did fix the problem.

I checked the (Firefox) browser's download logs to see if there was an exe in there, but there were no exes in the log except the other antivirus (Avira) that he had intentionally installed a good while ago.

The modification date of this ltd.exe is the date of this computer's first boot today, which is the first day of the year. Is there information on other occurrences of this ltd.exe, what its official title is, and how it is distributed?

Considering what the user has installed, and that this is a careful, somewhat computer-savvy user, I think the most likely cause is a recent vulnerability in Java bringing some virus scheduled for 2012. But I would like to know.

The user will wipe the hard drive clean.

schroeder
700 Software
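The "open with" hijack described in the question works by changing which command the shell runs for .exe files. The following PowerShell audit is an added example (not code from the original post or any product) that reads the association keys in both hives plus the merged HKCR view and reports anything that differs from the assumed clean defaults, ProgId `exefile` and command `"%1" %*`:

```powershell
# Added example (not code from the original post): audit the registry keys
# that decide what runs when a .exe is opened and flag any hijack of the
# "open with" association. Assumed clean defaults (Windows XP/Vista/7):
# ProgId 'exefile' and open command '"%1" %*'.
$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'

function Get-DefaultValue {
    param([string]$KeyPath)
    # Return the key's (Default) value, or $null if the key does not exist.
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    $findings = @()
    # A per-user (HKCU) class entry overrides the machine-wide (HKLM) one,
    # so a rogue only needs write access to HKCU; check both hives.
    foreach ($hive in 'HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE') {
        $classes = "Registry::$hive\Software\Classes"
        $progId  = Get-DefaultValue "$classes\.exe"
        if ($null -eq $progId) { continue }   # no .exe entry in this hive
        if ($progId -ne $ExpectedProgId) {
            $findings += "${hive}: .exe maps to ProgId '$progId' (expected '$ExpectedProgId')"
        }
        $command = Get-DefaultValue "$classes\$progId\shell\open\command"
        if ($null -ne $command -and $command -ne $ExpectedCommand) {
            $findings += "${hive}: '$progId' open command is [$command]"
        }
    }
    # The merged view (HKCR) is what the shell actually consults.
    $effective = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    if ($effective -ne $ExpectedCommand) {
        $findings += "HKCR: effective exefile open command is [$effective]"
    }
    return $findings
}

$findings = @(Test-ExeAssociation)
if ($findings.Count -eq 0) {
    Write-Output 'exe association looks clean.'
} else {
    $findings | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```

The script only reads the registry; any path it reports in place of `"%1" %*` is the binary that runs every time an exe is launched, which is what the asker found with ltd.exe.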

2 Answers


It's impossible to say with certainty how this infection was distributed. The rogue-AV landscape is a complex marketplace of affiliate groups; the infection process is likely to have been undertaken by a different party to the team behind Vista Antivirus Security itself. Each pay-per-install affiliate may use different tactics.

But yes, plugin exploits (against Java and Acrobat in particular) have been the most popular drive-by-download vector in the last few years, so Java is a good guess. The other common infection methods are the simple trojan play (“to view this page, install this codec...” et al) and P2P poisoning, but if you have a cautious user that would be less likely.

Going through the about:cache logs might reveal something.

bobince

Vista Antivirus Security 2012 is just another name for a common name-changing rogue security program that alters its name and GUI depending on the OS it's running on. For example, XP Security 2012, Vista Security 2012, and Win 7 Security 2012 are used on Windows XP, Windows Vista, and Windows 7 respectively (this is not a complete list).

All of the names used by this rogue mention "2012" even though (obviously) the majority of infections to-date have been in 2011.

The two main infection vectors are: via fake online "scanner" pages which claim to have found serious issues on the victim's computer and then prompt them to download and install a fix; and via compromised legitimate websites exploiting vulnerabilities in browser plugins or the browser itself to silently download and install the rogue.

Andrew Lambert