Computer Virus Archives – Gridinsoft Blog

Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Shortcut Virus
https://gridinsoft.com/blogs/usb-shortcut-virus/
Wed, 03 Jul 2024 05:51:37 +0000

Shortcut Virus is a malicious program that messes up the files on a disk. It is a rather old type of threat that aims to cause mischief for the user rather than to make any profit. There are several ways to solve the issue: manually, as well as with the use of specialized software.

What is Shortcut Virus?

Shortcut Virus is a type of malware that makes data appear lost by turning all the files into shortcuts. The virus modifies the file structure on a USB drive, replacing real files and folders with shortcuts that have the same icons and names. This tricks the user, and the virus launches when they try to open a file. The original files themselves are usually hidden or moved to a hidden partition.

Shortcut Virus Infection Chain

The virus spreads primarily through USB devices and automatically copies its executable file to the device. This file is usually saved in the root directory of the USB drive and disguised as a safe, familiar item using common icons and names such as “My Documents” or “Recycle Bin”. It also actively uses the autorun functionality via the Windows registry, which allows it to run malicious code as soon as the device is connected to the computer. The “.lnk” files are a key element of this process, as they can be executed automatically and mask the launch of the malicious executable.

Some users want to reuse old drives that may contain this malware. For many, though, plugging such a drive into their current computer risks infecting it. That leaves the question: how can the files be safely recovered, or the drive formatted?

Question about Shortcut Virus (question from a user on a Reddit forum)

How Is Shortcut Virus Dangerous?

Shortcut Virus poses a serious threat to users who regularly use removable media. The main dangers associated with this virus include:

  • The worst part is that the virus can also hide or delete the original files on the USB drive. This often results in the loss of important information that may be difficult or impossible to recover.
  • Shortcut Virus easily and stealthily spreads from one device to another, infecting every USB device connected to the infected computer.
  • Shortcut Virus can function as a Trojan, collecting the user’s personal data such as passwords, financial information and other sensitive data.
  • Once on the system disks, the virus can disable or compromise the computer’s security, making the system more vulnerable to other malicious attacks.

How to remove Shortcut Virus?

Shortcut Virus removal requires a careful approach to not only get rid of the virus but also to restore access to the original files.

Step 1: Disable USB device autorun

To prevent the virus from starting automatically when a USB device is connected, disable autorun for removable devices:

  1. Open “Registry Editor” (press Win + R, type regedit and press Enter).
    run regedit
  2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer path.
    Registry Editor
  3. Create or modify a DWORD value named NoDriveTypeAutoRun and set it to 0xFF to disable autorun for all drive types.
    DWORD value

Step 2: Clean up the registry

Since the virus can create registry entries to run automatically, you need to clean the registry:

  1. Open “Registry Editor” (press Win + R, type regedit and press Enter).
    run regedit
  2. Navigate to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Registry Editor
  3. Remove any suspicious values that may run malicious files on system startup.
    Suspicious value related to Shortcut Virus

Step 3: Manual removal

Several commands can be used to remove Shortcut Virus manually via Command Prompt, including cleaning up the malicious files:

  1. Open “Command Prompt” (type cmd in the search box and click “Run as administrator” to open an elevated Command Prompt).
    cmd in the search box
  2. The virus often hides the original files and replaces them with shortcuts. To make the originals visible again:
    attrib -h -r -s /s /d G:\*.*
    “G:\” is the drive letter of your USB device.
  3. First, remove any shortcuts that the virus has created. These shortcuts may be the source of the infection:
    del G:\*.lnk
  4. Next, remove malicious executable files, which are usually hidden in the USB root or in system folders:
    del G:\*.exe
  5. Check the C:\Windows\, C:\Windows\System32\, and C:\Users\[username]\AppData folders for malicious files and delete them.

Be very careful when using the command line, especially with delete commands and registry edits. Incorrect actions may damage the system.
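The steps above describe the pattern to look for (a visible X.lnk beside a hidden, system-attributed X, plus a hidden executable in the drive root) and the attrib command that reverses the hiding. The following Python script, added here and not part of the blog post, applies that pattern to a constructed directory listing rather than a real drive, so it runs anywhere. The Entry type, the sample listing and the triage function are assumptions of the example; the attribute bit values are the Windows FILE_ATTRIBUTE_* constants that attrib -h -r -s clears.

```python
"""Triage a USB root listing for Shortcut Virus indicators.

Added example, not the blog's code. The listing below is constructed and
the functions work on that listing, not on a live drive.
"""
from dataclasses import dataclass

# Windows file attribute bits that `attrib -h -r -s` clears.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
HIDDEN_OR_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


@dataclass(frozen=True)
class Entry:
    """One directory entry as the virus would leave it on the drive."""
    name: str
    attributes: int = 0
    is_dir: bool = False


# Constructed listing of an infected drive root: each real item has been
# given hidden+system attributes and paired with a .lnk of the same name.
SAMPLE_ROOT = [
    Entry("Photos", HIDDEN_OR_SYSTEM, is_dir=True),
    Entry("Photos.lnk"),
    Entry("Report.docx", HIDDEN_OR_SYSTEM),
    Entry("Report.docx.lnk"),
    Entry("My Documents.exe", HIDDEN_OR_SYSTEM),  # dropper named like a folder
    Entry("notes.txt"),
    Entry("readme.lnk"),  # a shortcut with no hidden twin: not an indicator
]


def is_hidden(entry):
    """True when the entry carries the hidden or the system attribute."""
    return bool(entry.attributes & HIDDEN_OR_SYSTEM)


def find_shortcut_pairs(entries):
    """Return (shortcut, hidden twin) name pairs.

    The Shortcut Virus pattern is a visible X.lnk next to a hidden X; a lone
    .lnk, or a hidden file without a shortcut, does not match.
    """
    hidden_by_name = {e.name.lower(): e for e in entries if is_hidden(e)}
    pairs = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        twin = hidden_by_name.get(e.name[:-4].lower())
        if twin is not None:
            pairs.append((e.name, twin.name))
    return pairs


def find_hidden_executables(entries):
    """Hidden .exe files in the root are where the dropper usually sits."""
    return [e.name for e in entries
            if not e.is_dir and is_hidden(e) and e.name.lower().endswith(".exe")]


def attrib_restore_command(drive_letter):
    """The attrib invocation from the article, built for the given drive."""
    return f"attrib -h -r -s /s /d {drive_letter}:\\*.*"


def triage(entries):
    """Summarise the indicators; a drive is flagged only on the lnk/hidden pairs."""
    pairs = find_shortcut_pairs(entries)
    return {
        "shortcut_pairs": pairs,
        "hidden_executables": find_hidden_executables(entries),
        "infected": bool(pairs),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROOT)
    for lnk, twin in result["shortcut_pairs"]:
        print(f"{lnk} shadows hidden {twin}")
    for exe in result["hidden_executables"]:
        print(f"hidden executable in root: {exe}")
    if result["infected"]:
        print("restore with:", attrib_restore_command("G"))
```

The triage flags the drive on the shortcut/hidden pairs alone, because a hidden executable by itself is also what some vendor tools leave on a stick, while a .lnk that shadows a hidden item of the same name has no legitimate reason to exist.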

Shortcut Virus Remover

To remove Shortcut Virus, one of the most effective approaches is to use specialized antivirus software that can detect and remove complex malware. One of the recommended tools for this task is Gridinsoft Anti-Malware.

Gridinsoft Anti-Malware features fast scanning speeds and the ability to detect various types of malware, including Shortcut Virus. It also provides in-depth system and USB device scanning. This allows you to detect and remove hidden and standalone viruses that may not be noticed by standard antiviruses.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Polymorphic vs Metamorphic Virus
https://gridinsoft.com/blogs/polymorphic-metamorphic-viruses/
Wed, 03 Jul 2024 03:01:06 +0000

Polymorphic and Metamorphic Malware: the Comparison

In this article, we consider two types of pests: polymorphic and metamorphic viruses, which are designed to destroy the integrity of the operating system and harm the user. Before we find out the difference between polymorphic and metamorphic viruses, let’s figure out what a virus is in general and where it originates.

A virus is a type of malware that aims to infect the victim’s device, break its integrity and distribute copies of itself for further infection. Malware is malicious software: any program designed to harm its victim by stealing money or data, extortion, digital vandalism, work disruption, identity theft, etc.

What is a Polymorphic Virus?

To understand a polymorphic virus, think of a persistent threat that constantly evades anti-malware. It creates similar viruses, seemingly regenerating itself, and adapts as much as needed to reach its main target: the user’s device and data. In summary:

A polymorphic virus is a complex virus encrypted with a variable key, making each copy of the virus different from the others. The virus aims to evade anti-malware or scanners. While typical malware can be detected by anti-malware software, a polymorphic virus is designed to change its encryption keys. For example, if one user downloads a file from a website and another user downloads the same file, the two files will appear different to security programs.

Normally, a scanner or anti-malware could detect a virus through identical keys in different files. However, a polymorphic virus complicates this by using different encryption keys for different files. To detect polymorphic viruses, there are two primary methods: general description technology and an algorithm at the entry point. The general description technology runs the file on a protected virtual computer, while the entry point algorithm verifies the machine code at each file’s entry point, employing software virus detection.

What is a Metamorphic Virus?

Let’s explore a metamorphic virus. This type of virus reprograms itself to evade detection. What does this mean? The virus transmits its own code and creates a temporary representation to outmaneuver antivirus software. Once it bypasses security, it rewrites itself into the normal code. Each copy of this virus is always different, making it difficult for anti-malware to detect.

A metamorphic virus transforms by editing, rewriting, and translating its own code. Its goal is to damage the computer while remaining unnoticed by anti-malware. Unlike polymorphic viruses, metamorphic viruses do not use encryption keys to alter their copies. Instead, the virus converts its existing instructions into functionally equivalent instructions when creating a copy. This transformation prevents the virus from returning to its original form, complicating the work of anti-malware programs. Two methods to detect metamorphic viruses are: using emulators to track them and geometric detection.

Difference Between Polymorphic and Metamorphic Viruses

Table of comparison on polymorphic and metamorphic viruses

While these viruses are generally similar in that they attempt to circumvent the security system by altering their own code, there is still a difference between them.

  1. A polymorphic virus changes each copy of its code to bypass anti-malware protection, while a metamorphic virus rewrites its own code with each iteration.
  2. The polymorphic virus uses an encryption key to change its code, while the metamorphic virus rewrites its code itself.
  3. Writing a metamorphic virus is much more difficult for a programmer than creating a polymorphic one, because several methods of conversion have to be used.
  4. The methods for detecting these two viruses are different. For polymorphic viruses, we need general description technology and entry point algorithms. For metamorphic viruses, the methods are the use of emulators for tracking and geometric detection.
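The detection contrast in the list above (a per-copy key defeats plain byte matching; running the sample in a protected environment and looking at what it decrypts to does not) as an added Python model that is not part of the original post. It encodes a constructed byte string under different keys in a toy container format, then scans each copy two ways: matching a byte signature against the stored bytes, and decrypting first, the way the article's "protected virtual computer" observes the real body. The container format, the keys and the signature are assumptions made for the example; the "payload" is an inert byte string, not code of any real virus, and the model covers only the polymorphic (keyed) case, since a metamorphic copy has no key to recover.

```python
"""Why static signatures miss polymorphic copies while emulation does not.

Added example, not from the blog. It models only what the article states:
a constant body stored under a per-copy key, and a scanner that either
matches bytes as stored (static) or decrypts first (emulation). The
container layout, keys and signature are constructed for the example.
"""
import hashlib
import secrets

# Constructed, inert stand-in for the invariant body of the virus.
PAYLOAD = b"CONSTRUCTED-INVARIANT-BODY-0123456789"
# A signature: a byte sequence taken from the invariant body.
SIGNATURE = b"INVARIANT-BODY"
MAGIC = b"POLY"  # toy container marker


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_copy(payload, key):
    """Model a polymorphic copy: MAGIC, one byte of key length, the key,
    then the payload XORed with it. Every key yields a different image."""
    return MAGIC + bytes([len(key)]) + key + xor_bytes(payload, key)


def parse_copy(sample):
    """Split a toy container into (key, encrypted body)."""
    if not sample.startswith(MAGIC):
        raise ValueError("not a sample in the toy container format")
    n = sample[len(MAGIC)]
    key = sample[len(MAGIC) + 1:len(MAGIC) + 1 + n]
    body = sample[len(MAGIC) + 1 + n:]
    return key, body


def static_match(sample, signature):
    """Signature scan over the bytes exactly as they sit on disk."""
    return signature in sample


def emulated_match(sample, signature):
    """Decrypt as the sample's own stub would, then scan the result."""
    key, body = parse_copy(sample)
    return signature in xor_bytes(body, key)


def sha256(sample):
    return hashlib.sha256(sample).hexdigest()


def demo(n_copies=3):
    """Generate n copies under random keys and count what each scanner sees."""
    copies = [make_copy(PAYLOAD, secrets.token_bytes(8)) for _ in range(n_copies)]
    return {
        "distinct_hashes": len({sha256(c) for c in copies}),
        "static_hits": sum(static_match(c, SIGNATURE) for c in copies),
        "emulated_hits": sum(emulated_match(c, SIGNATURE) for c in copies),
    }


if __name__ == "__main__":
    print(demo(5))
```

With five copies the hashes are all different, the static signature matches none of them, and the emulated scan matches all five, which is the whole reason the article pairs polymorphic viruses with the virtual-computer method rather than with a database of file hashes.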

How to remove Polymorphic or Metamorphic Virus?

In order to reduce the risks of infection and prevent threats, install an effective antivirus tool on your PC. Our Anti-malware is a great choice. Do not neglect your safety. Gridinsoft Anti-Malware is proper and reliable protection that will be your best line of defense.


Virus:Win32/Floxif.H
https://gridinsoft.com/blogs/virus-win32-floxif-h/
Thu, 27 Jun 2024 13:05:05 +0000

Virus:Win32/Floxif.H is a detection of a malicious program, though not a virus, as you may suppose from its name. Malware like Floxif aims at delivering and installing additional malicious payloads onto compromised systems.

This malware uses different tactics to evade detection, such as compression and file replacement, and also employs anti-analysis tricks. It is spread through software hacking tools and malicious adverts.

Virus:Win32/Floxif.H Overview

Virus:Win32/Floxif.H is a detection by Microsoft Defender that points to malware active in the system. In this case, we are talking about a dropper—malware designed to install other malware (such as stealers and ransomware) onto a computer. While the dropper may seem harmless at first glance, the payload it can bring is not.

Floxif detection window screenshot

One common infection vector is pirated software, files, and programs from P2P networks, third-party downloaders, shady pages, etc. This method is ideal for spreading malware because it often involves disabling security software during installation. In addition to the security risk, pirated software is illegal. In other cases, users infect computers via malicious advertisements and fake software updates. Due to the weak moderation of search ads, this method is quite popular among scammers.

Among the most troubling aspects of Virus:Win32/Floxif.H is its adeptness at evading detection mechanisms. It systematically eliminates original files and replaces them with encrypted and compressed versions. This trick effectively obscures its presence, making it challenging for traditional antivirus software to identify and neutralize.

Technical Analysis

Let’s examine how Virus:Win32/Floxif.H behaves using a single instance. Once inside, the malware leverages command and scripting interpreters, for example by accepting command line arguments. Additionally, it may use shared modules to link functions at runtime on Windows. Upon execution, the malware performs a couple of checks, primarily to determine the system’s location, reading the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\RAS Phonebook\AreaCodes

Persistence

The malware establishes persistence mechanisms to ensure it remains active across system reboots. This involves creating undocumented autostart registry keys or using other methods to maintain its presence in the system. Attackers can use the AppInit_DLLs keys below to load their DLL files into every process on the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs

Virus:Win32/Floxif.H Privilege Escalation

Floxif increases the permissions of its own process through a command to the SubInACL utility. The command below specifically ends with “=f”, the argument for “full control” permissions.

(open) C:\subinacl.exe/subdirectories %SAMPLEPATH%" /grant=s-1-1-0=f" [(null)]

After that, the malware requests privileges that give it comprehensive control over the system. The last privilege in the list is the most worrying, as it effectively allows the threat to manipulate drivers. Such manipulation is commonly used to introduce highly persistent malware.

SE_DEBUG_PRIVILEGE – gets the ability to debug any process in the system
SE_INC_BASE_PRIORITY_PRIVILEGE – allows for changing the process’ execution priority
SE_LOAD_DRIVER_PRIVILEGE – the ability to control (load and unload) the drivers

Virus:Win32/Floxif.H Payload Delivery

After gaining the privileges, Floxif drops the payload onto the target system. It connects to a remote server (one from the list built into each sample), pulls the payload and saves it to one of the legitimate folders. Usually, it opts for a folder under C:\Program Files\ or C:\Program Files (x86)\:

C:\Program Files (x86)\Google\Update\1.3.33.17\goopdate.dll.tmp
C:\Program Files\Common Files\System\symsrv.dll
C:\Program Files\Common Files\System\symsrv.dll.000
C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk

These files are then launched and granted higher privileges: the original malware applies the same trick to the threats it loads as it did to itself.

C:\Windows\System32\wuapihost.exe -Embedding
(open) C:\subinacl.exe/subdirectories C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk" /grant=s-1-1-0=f" [(null)]

Defense Evasion

The malware employs tactics to avoid detection and analysis. These include sample packing, encryption and obfuscation, which are rather typical for modern malware. What is less typical is the continuous cleanup Floxif performs after the first stage of its activity.

cmd.exe /c del /F /Q "C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe.dat"
cmd.exe /c del /F /Q "C:\Program Files (x86)\Google\Update\1.3.33.17\goopdate.dll.dat"
cmd.exe /c rd /S /Q "C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe.dat"
cmd.exe /c rd /S /Q "C:\Program Files (x86)\Google\Update\1.3.33.17\goopdate.dll.dat"

The commands above delete the files the malware dropped earlier in the execution process. Without them, it is much harder for anti-malware software to trace the infection.
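Two of the traces described in the Persistence and Privilege Escalation sections are easy to check for on a host: the three AppInit_DLLs values under the Windows NT key, and a SubInACL command that grants "=f" (full control) to the SID s-1-1-0, which is the well-known SID of the Everyone group. The script below is an added Python example, not the blog's code and not a vendor tool; it runs over a constructed .reg-style export and constructed process command lines so it works offline, and on a live system the same two checks would read the registry and the process-creation log directly. The export parser, the sample data and the finding texts are assumptions of the example.

```python
"""Check two Floxif traces: AppInit_DLLs persistence values and a SubInACL
'/grant=s-1-1-0=f' permission change.

Added example, not the blog's code. Input is a constructed registry export
and constructed process command lines, so it runs offline.
"""
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
EVERYONE_SID = "S-1-1-0"  # well-known SID for the Everyone group

# Constructed .reg-style export of the key the article names, with the
# symsrv.dll path from the article as the loaded DLL.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Program Files\\Common Files\\System\\symsrv.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
"""

# Constructed process command lines in the shape the article quotes, plus a
# benign SubInACL call (read access for the Users group, SID S-1-5-32-545).
SAMPLE_CMDLINES = [
    r'C:\subinacl.exe /subdirectories "C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk" /grant=s-1-1-0=f',
    r'cmd.exe /c del /F /Q "C:\Program Files (x86)\Google\Update\1.3.33.17\goopdate.dll.dat"',
    r'C:\Windows\System32\wuapihost.exe -Embedding',
    r'subinacl.exe /file C:\share\report.txt /grant=s-1-5-32-545=r',
]

SUBINACL_GRANT = re.compile(r"subinacl(?:\.exe)?\b.*?/grant=(s-1-[0-9-]+)=(\w+)", re.IGNORECASE)


def parse_reg_section(text, key):
    """Return {value name: value} for one key of a .reg export.

    Handles the two value kinds the sample uses: quoted strings (with the
    export's doubled backslashes undone) and dword:XXXXXXXX integers.
    """
    values = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line[1:-1].lower() == key.lower()
            continue
        if not in_section or not line.startswith('"'):
            continue
        name, _, raw = line[1:].partition('"=')
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            values[name] = raw[1:-1].replace("\\\\", "\\")
        else:
            values[name] = raw
    return values


def appinit_findings(values):
    """Flag a populated AppInit_DLLs that Windows is configured to load."""
    findings = []
    dlls = values.get("AppInit_DLLs", "")
    if dlls and values.get("LoadAppInit_DLLs", 0) == 1:
        findings.append(f"AppInit_DLLs loading is enabled for: {dlls}")
    if dlls and values.get("RequireSignedAppInit_DLLs", 1) == 0:
        findings.append("unsigned AppInit DLLs are allowed (RequireSignedAppInit_DLLs=0)")
    return findings


def subinacl_findings(cmdlines):
    """Flag SubInACL invocations granting full control to Everyone."""
    findings = []
    for cmd in cmdlines:
        m = SUBINACL_GRANT.search(cmd)
        if m and m.group(1).upper() == EVERYONE_SID and m.group(2).lower() == "f":
            findings.append(cmd)
    return findings


if __name__ == "__main__":
    values = parse_reg_section(SAMPLE_REG_EXPORT, APPINIT_KEY)
    for finding in appinit_findings(values) + subinacl_findings(SAMPLE_CMDLINES):
        print("finding:", finding)
```

The registry check reports two findings for the constructed export (a DLL is listed and loading is on; signature enforcement is off), and the command-line check reports only the first SubInACL line, since the second grants read access to Users rather than full control to Everyone.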

How To Remove Virus:Win32/Floxif.H?

To remove the Virus:Win32/Floxif.H malware from your system, I highly recommend using GridinSoft Anti-Malware.


Heuristic Virus
https://gridinsoft.com/blogs/heuristic-virus/
Thu, 20 Jun 2024 14:08:01 +0000

A heuristic virus is a term for malicious programs detected by heuristic analysis. This method flags potential threats by looking for abnormal activities, such as unusual network connections, file modifications, and process behavior. While heuristic detection can identify previously unknown malware, it is prone to false positives.

What is Heuristic Virus?

A heuristic virus is a term that users commonly apply to malicious programs detected by heuristic detection systems. Antivirus software uses heuristic analysis to detect new, previously unknown viruses or variants of known viruses that have not yet been added to virus definition databases.

Heuristic threat detection screenshot

Heuristic analysis tracks the following factors: abnormal network activity, unusual connections to external servers, and unusual file modifications or file creation. It also covers suspicious process behavior (startup, shutdown and interaction), such as attempts to hide activity or disable security software, and requests for privilege escalation.

What is Heuristic Detection?

Heuristic detection is an adaptive antivirus protection system that detects malicious activity using educated guesses. Typically, heuristics are used in antivirus software alongside scanning solutions to find malicious code on a computer. However, unlike the traditional method, which uses databases of known malware, heuristic analysis can detect potential viruses without explicitly identifying them. In other words, heuristic analysis is guessing, unlike signature analysis, which is based on knowledge.

The main goal of such engines is to detect next-generation malware that is not yet known by grouping and evaluating threats/risks in individual code fragments according to predefined criteria. This is similar to trying to determine whether someone is a criminal: they either match the image of a known criminal (signature) or exhibit the characteristics of criminals (heuristics).

This process is flexible and is constantly refined as threats are detected; the longer it runs, the more effective it becomes. Unfortunately, heuristic analysis is labor intensive, often resulting in false positives that must be verified manually. Since the need for “manual” intervention dramatically slows down the analysis process, antivirus companies have started using automation and machine learning. This has significantly optimized the detection of malware that previously could not be detected using traditional methods, but it is still imperfect.

Heuristic analysis is based on several methods. These methods examine the source code of files and match it against previously detected threats. Depending on the proportion of the match, the system determines the likelihood of the threat.

How Does It Work?

Heuristic analysis uses several techniques to analyze threat behavior and threat level, including dynamic scanning, file analysis, and multi-criteria analysis (MCA). Let’s examine them more closely.

Dynamic Scanning

Dynamic scanning is the process of analyzing the behavior of a file in a simulated environment, often referred to as a “sandbox”. A program is executed and observed in an isolated environment to understand how it behaves there. However, this method has a flip side. Most modern malware has anti-analysis and evasion features. As a result, when a virtual environment is detected, the malware stops its activity, which is itself a red flag.

Malware evades detection (image)

File Analysis

File analysis is the process of examining the contents of a file to determine its purpose, direction and intent. This method may involve inspecting the file’s code structure, libraries, functions, and instructions. For example, a file may attempt to install hidden services, make changes to system settings, or create a new user. It also includes comparing how similar the file’s code is to known malware samples.

Multicriteria analysis

Multicriteria analysis (MCA) is a technique that uses different criteria to evaluate a potential threat. This helps to determine more accurately the threat level posed by a suspicious file or program. Data about the suspicious object is sampled in this case, including dynamic and file analysis results, network activity, interaction with other systems, and more. Each criterion (e.g., changes to system files, network connections, use of hidden processes) is evaluated and weighted. Based on the combined score of all criteria, a conclusion is made about how dangerous the file is. As a result, the file is marked as malicious if the total score exceeds a certain threshold.

Detection Examples

Let’s look at an example to understand how it works. This is Trojan:Win32/Acll, a stealer that I recently reviewed, and I will now show you how it was detected. This malware is written in Python, so traditional detection methods can be complicated; the techniques above are used to determine whether it is a threat. For example, this malware performs the following actions, which act as triggers:

schtasks /create /f /RU "%USERNAME%" /tr "%ProgramData%\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
C:\Windows\System32\wuapihost.exe -Embedding

In brief, this command lets the instance start every hour with the highest privileges and load third-party applications. The next red flag is that the instance collects data from the following folders:

C:\Program Files\Common Files\SSL\cert.pem
C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
C:\Users\user\AppData\Roaming\Electrum\wallets
C:\Users\user\AppData\Roaming\Ethereum\keystore
C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
C:\Users\user\AppData\Roaming\bytecoin
C:\Users\\AppData\Local\Google\Chrome\User Data\
C:\Users\user\AppData\Local\Microsoft\Edge\User Data\

This is typical behavior of info stealers, and it allows antivirus engines to identify the threat.
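The Multicriteria analysis section describes weighting each observed behavior and comparing the total against a threshold, and the Acll example above shows the kind of observations that feed it. The following Python code is an added example, not the blog's code and not any vendor's engine: it defines a handful of weighted criteria, evaluates them over constructed observations shaped like the Acll triggers (the schtasks command line and reads of wallet and browser profile folders), and returns the score and verdict. The criteria, their weights, the threshold and both observation sets are assumptions chosen for illustration, so that a scheduled task on its own stays below the threshold while the combination the article describes exceeds it.

```python
"""Multi-criteria scoring of a sample's observed behaviour.

Added example, not the blog's code. Criteria, weights, threshold and the
observations are constructed; the observations mirror the triggers the
article lists for Trojan:Win32/Acll.
"""
import re

WALLET_RE = re.compile(r"\\(Coinomi|Electrum|Ethereum|Exodus|atomic|bytecoin)(?:\\|$)", re.I)
BROWSER_RE = re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data", re.I)


def _cmd(o, *needles):
    """True when the observation is a process command line containing every needle."""
    v = o["value"].lower()
    return o["type"] == "process" and all(n in v for n in needles)


# (criterion name, predicate over one observation, weight). Weights are
# illustrative: a scheduled task alone stays under THRESHOLD, the combination
# the article describes goes well over it.
CRITERIA = [
    ("scheduled task at highest run level", lambda o: _cmd(o, "schtasks", "/rl highest"), 30),
    ("scheduled task repeats hourly", lambda o: _cmd(o, "schtasks", "/sc hourly"), 10),
    ("reads cryptocurrency wallet folders",
     lambda o: o["type"] == "file_read" and WALLET_RE.search(o["value"]) is not None, 25),
    ("reads browser profile data",
     lambda o: o["type"] == "file_read" and BROWSER_RE.search(o["value"]) is not None, 20),
    ("outbound connection to an external host", lambda o: o["type"] == "network", 15),
]
THRESHOLD = 60

# Constructed observations in the shape of the article's Acll triggers.
SAMPLE_OBSERVATIONS = [
    {"type": "process", "value": 'schtasks /create /f /RU "%USERNAME%" /tr '
                                 '"%ProgramData%\\WinTrackerSP\\WinTrackerSP.exe" '
                                 '/tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST'},
    {"type": "file_read", "value": r"C:\Users\user\AppData\Roaming\Electrum\wallets"},
    {"type": "file_read", "value": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"},
    {"type": "file_read", "value": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\"},
]

# Constructed benign activity: an hourly backup task and a document read.
BENIGN_OBSERVATIONS = [
    {"type": "process", "value": 'schtasks /create /tn Backup /tr backup.exe /sc HOURLY /rl HIGHEST'},
    {"type": "file_read", "value": r"C:\Users\user\Documents\notes.txt"},
]


def score(observations, criteria=CRITERIA, threshold=THRESHOLD):
    """Each criterion counts once however many observations trip it; the
    verdict is the weighted total compared with the threshold."""
    triggered = [(name, w) for name, pred, w in criteria
                 if any(pred(o) for o in observations)]
    total = sum(w for _, w in triggered)
    return {
        "score": total,
        "triggered": [name for name, _ in triggered],
        "malicious": total >= threshold,
    }


if __name__ == "__main__":
    for label, obs in (("acll-like", SAMPLE_OBSERVATIONS), ("benign", BENIGN_OBSERVATIONS)):
        print(label, score(obs))
```

Counting each criterion once rather than per observation is deliberate: a stealer that reads ten wallet folders is not ten times more suspicious than one that reads one, and letting repeated hits pile up is how a scoring engine ends up flagging a backup tool that touches many files. The false-positive concern the article raises shows up here as the benign set, which trips two criteria and still lands below the threshold.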

Heuristic virus examples

Usually, threats detected by heuristics are easily recognizable. They either contain a straightforward notification that the detection comes from the heuristic system, have hard-to-read names, or carry the “!ML” suffix at the end. Such detections usually look like:

  • Trojan:Script/Wacatac.B!ml – Wacatac.B!ml is most often a type of spyware or stealer malware. The behavior pattern specific to this detection is extended persistence and networking, which potentially allows the malware to deploy other malicious programs.
  • IDP:Generic – this detection stands for “Identity Protection” and “Generic”, indicating a non-specific detection. Antivirus software uses it to identify potentially harmful files or activities that don’t fit into a specific category of known malware.
  • Malware.Win32.Heur.cc – a perfect example of a truly generic detection name that can stand for literally any malicious program.
  • Trojan:Win32/Acll – this detection combines the behavior and the programming language of the program. More specifically, it flags Python-based spyware.
  • VirTool:Win32/DefenderTamperingRestore – Microsoft Defender uses this detection name to flag software or code that blocks the operation of Microsoft Defender.

All these detections belong to different malware types, although all are the result of the heuristic systems of different antiviruses. They may also be assisted by AI detection systems that operate in a manner similar to heuristics.

AI And Heuristic Detection In Antimalware

As I mentioned earlier, heuristic analysis is based on sets of rules and patterns. This wealth of information can improve the recognition of previously unknown patterns. However, advances in AI have allowed antivirus companies to improve threat detection significantly. Today, we are seeing more and more malware detections with the “ml” marker in their names, which stands for machine learning.

This is because AI filters notice things that humans could not before. Although “ml” detections still produce false positives, their share has been reduced significantly to date. So, most advanced antivirus companies try to incorporate AI into their products, which is a good trend.

How to remove heuristic virus?

To remove heuristic malware, you need to use an advanced anti-malware solution. I recommend GridinSoft Anti-Malware because it has a heuristic module and uses AI to detect malware. In addition, you can use it alongside Windows Defender, so there is no need to disable the built-in Windows defenses.


    The post Heuristic Virus appeared first on Gridinsoft Blog.

    ]]>
    https://gridinsoft.com/blogs/heuristic-virus/feed/ 0 8372
    Malware vs Virus https://gridinsoft.com/blogs/malware-vs-virus/ https://gridinsoft.com/blogs/malware-vs-virus/#respond Fri, 31 May 2024 18:41:22 +0000 https://gridinsoft.com/blogs/?p=6726 It is particularly easy to hear people calling the same thing malware or virus. However, while both terms are often used interchangeably, they carry distinct meanings. In this article, I will elucidate the definitions of each term and explain malware vs virus differences. Malware vs Virus – Is There Any Difference? The terms malware and… Continue reading Malware vs Virus

    It is quite common to hear people calling the same thing malware or a virus. However, while both terms are often used interchangeably, they carry distinct meanings. In this article, I will explain the definitions of each term and the differences between malware and viruses.

    Malware vs Virus – Is There Any Difference?

    The terms malware and virus are often used interchangeably, but technically, they are not the same thing. In a nutshell, malware is a collective term for any type of malicious software, regardless of how it works, its purpose, or how it is distributed. A computer virus, on the other hand, is just one type of malware. Computer viruses have been around almost since the beginning of the Internet: the first self-replicating virus appeared in 1971. Although it did no damage, simply displaying the “I’M THE CREEPER. CATCH ME IF YOU CAN!” text on the screen, it can technically be considered a virus.

    Viruses, Worms, and Trojans
    Viruses, Worms, and Trojans are the three types of digital infectious agents.

    So, the whole difference boils down to this: all viruses are malware, but not all malware is a virus. It’s like calling all copy machines “Xerox” or all portable audio players “Walkman”. Moreover, in addition to the virus category, there are other categories of malware, which in turn are divided into subcategories. We are talking about categories such as worms, trojan horses, rootkits, stealers, spyware, ransomware, adware, etc. Now, we will take a closer look at them.

    What is Malware?

    Malware stands for malicious software: software that aims to damage the system or the files in it, or to upload those files to a remote server. The range and history of malicious software is vast, with changes happening almost every day. Nowadays, malicious software aims almost exclusively at earning money in one form or another. As a result, some analysts classify modern malware as crimeware. Let’s see some of the most widely used malware types.

    • Backdoor
    • Adware
    • Virus
    • Computer Worm

    This is not a complete list of threats, but the most widespread malware types. Some of the modern malware samples can possess functions typical for other malware types. For example, a dropper can collect user data, akin to an infostealer, or adware may act as a loader.

    What is a Virus?

    A computer virus is a type of malicious software. While there are many variations of viruses, they all share the ability to spread through self-replication. Victims activate viruses by opening infected applications or files. Viruses are commonly spread through web applications, software, and email. They can also be transmitted via infected websites, content downloads, and removable media.

    The term “virus” has become synonymous with malware due to historical reasons, propagation methods, media popularization, and the broadening of the term to encompass various types of malicious software. Computer viruses have existed since the early days of computing, but “real” viruses began to emerge in the 1980s. The earliest canonical virus is considered to be the Elk Cloner, created in 1982 by high school student Rich Skrenta. It infected Apple II computers and spread via floppy disks. Though harmless, it was the first to spread beyond a single computer system.

    Malware and Virus Examples

    To summarize, let’s review some real representatives of these threats. Here, I have gathered the most prominent examples of different types of threats, along with their properties and their impact on cyberspace:

    ILOVEYOU

    The ILOVEYOU virus, an email worm, was released in 2000 by two Filipino college students. It quickly spread worldwide through email attachments, deceiving users into opening them. Once opened, the virus overwrote essential system files, leading to computer crashes and data loss. Additionally, it automatically sent copies of itself to every contact in the user’s address book. The global damages caused by this virus were estimated to be around $15 billion.

    Emotet

    The Emotet Banking Trojan, originating in 2014, was initially developed to steal banking credentials. However, it evolved into a highly modular and sophisticated malware capable of delivering various payloads. It primarily spread through spam emails and quickly became one of the most prevalent and costly forms of malware. Emotet was frequently utilized to distribute ransomware and other malicious software.

    WannaCry

    The WannaCry Ransomware attack of 2017 exploited a vulnerability in Windows systems to encrypt files and demanded ransom payments in Bitcoin for decryption. It spread rapidly across networks using the SMB protocol, infecting over 230,000 computers in 150 countries. The attack caused widespread disruption, notably affecting the UK’s National Health Service (NHS).

    How to Protect Against Malware and Viruses?

    To safeguard against malware and viruses, it’s crucial to employ a robust, advanced anti-malware solution. As the cyber threat landscape evolves, so do anti-malware developers. Today, there are numerous high-quality products available, including GridinSoft Anti-Malware. In addition to its primary protection features, it includes an Internet Security module, which has become more of a necessity than an optional add-on. Given that the majority of malware is now propagated via the Internet, I strongly advise utilizing Internet Security for enhanced protection.

    Malware vs Virus

    Equally important is exercising vigilance while browsing the web. Practicing good cyber hygiene is paramount, which means refraining from clicking on suspicious links or opening email attachments from unknown senders. Adhering to these fundamental rules can significantly decrease the likelihood of falling victim to any of the aforementioned threats.

    11 Signs If Your Computer Has A Virus (Gridinsoft Blog, Wed, 15 May 2024 13:17:10 +0000)
    https://gridinsoft.com/blogs/understand-pc-infected-alert/

    Something seems off with your device, and you have a suspicion why: you might be infected with a computer virus. But don’t panic. Before taking any rushed actions, it’s important to understand what you’re dealing with. The world of computer viruses is vast and complex, much like the diverse flora and fauna of our planet. So, take a moment to learn about the problem before you start addressing it.

    What is a Computer Virus?

    A computer virus is a type of program that, when executed, modifies other existing programs: it replicates itself and inserts its own code into them. The areas of a program altered in this way by the malicious program are said to be infected.

    Some computer viruses can steal your data or encrypt your files to demand a ransom. Other kinds of malicious programs, like cryptominers, make your PC completely unusable. Not to mention that there is quite an aggressive form of malware that, once it gets onto the computer, destroys the data with no recovery possible.

    How to Detect a Computer Virus: Pay Attention

    Despite the myriad of computer viruses out there in the world, you will know when you get infected with one of them, because in the case of an infection anything that stops working properly may hint at it. More precisely, watch for the following:

    1. The browser lags or makes unwanted redirects;
    2. You noticed that emails you clearly remember neither writing nor sending have been sent from your account;
    3. You also noticed that the hard drive seems to be working hard even when you are not doing much;
    4. New unknown applications appeared without you actually downloading them;
    5. Unexpected pop-up windows started to annoy you more and more;
    6. The system began to crash frequently and show error messages;
    7. Files started to go missing;
    8. The system started shutting down or restarting on its own;
    9. Your computer’s performance slowed down significantly (it takes too much time to start up or open programs);
    10. If your laptop’s battery is draining quickly, it could be a sign of malware running in the background. Malicious software can use a lot of your computer’s resources, causing your battery to deplete faster than usual, even when you’re not doing anything demanding.
    11. Antivirus programs or firewalls don’t work, or work with problems.

    Prevent Computer Viruses

    Of course, the old rule says it’s better to prevent a problem than to deal with it. In the case of computer safety and security, the same rule applies. Bad security hygiene opens the way for various kinds of viruses to infect your computer and interfere with its work. For the responsible user, cyber security hygiene is one of the top priorities, if not the first. Make a note to always keep up with the following points:

    #1. Have additional security solutions.

    Apart from having your main antivirus and firewall, consider buying another antivirus or firewall. In case the main security solution fails, you will always have a backup among your security tools.

    #2. Make regular Backups.

    Make it a habit to do regular backups of all the important data you have on your computer. You can store it securely in the cloud or on a hard drive. In case of a compromise, you won’t lose your data completely.

    #3. Use a firewall.

    Having an antivirus solution doesn’t necessarily mean you have a firewall. But both PCs and Macs come with pre-installed firewall software, so make sure it is activated on your computer.

    #4. Use antivirus software.

    There’s not much to say: this is the most essential thing in your cybersecurity. Never leave yourself without an antivirus solution at all.

    #5. Use strong passwords.

    A strong password consists of symbols, letters, and numbers and is at least eight characters long. And don’t reuse your username and password: once a hacker obtains them, they can access every account on which you use the same username and password.

    #6. Keep Everything Up to Date.

    Simply put, having the latest version of your software means a lower chance of being hacked. Companies like Oracle and Microsoft regularly release updates to eliminate bugs that hackers have already been exploiting.

    How to Remove a Computer Virus?

    So, if you suspect that you have a virus on the computer, take the steps below immediately to remove the threat:

    1. Update your antivirus. Before you run a scan, check whether your antivirus solution has the latest update. Software vendors regularly release updates that add newly discovered threats (from the wild or from the lab) to the detection list. If you have not done this yet, your antivirus solution may not detect the virus that has infected the computer.
    2. Disconnect from the internet. It is a good idea to disconnect your computer from the internet, as some viruses use the connection to do their malicious work. Once you have done that, you can proceed further.
    3. Reboot your computer into Safe Mode. In Safe Mode you can remove the virus without it returning, because in some cases malware tends to come back. This mode leaves only the essential programs running while disabling all others, and of course it will stop the virus.
    4. Delete any temporary files. Some viruses start when your computer boots up. You may get rid of the virus by deleting the temporary files, but the advice is not to rely on that deletion and to proceed further to a full, proper removal process.
    5. Delete or quarantine the virus. After a scan is finished, you can delete or quarantine the found file. Having done that, run another scan to make sure there’s no malware left.
    6. Reboot your computer. Simply turn your computer on normally; it doesn’t need to be in Safe Mode any longer.
    7. Change all your passwords. If you fear that your passwords may have been compromised, change the passwords on all your accounts.
    8. Update your software, browser, and operating system. By doing so you will ensure that hackers cannot exploit the same vulnerability again.

    Types of Computer Viruses

    Out of the variety of viruses, some are the most common. The probability that one of these particular viruses has got onto your machine is very high, and because they are widely spread, it won’t take too much effort to get rid of one of them.

    But don’t underestimate them: the sooner you detect a virus and erase it, the better. Once you know the cause of the problem, dealing with it successfully should be a matter of time:

    1. Trojan Virus. At first sight a seemingly legitimate program, but once on the victim’s machine it secretly does its primary job: to steal, disrupt or damage the user’s data or network. A Trojan can’t replicate itself; the victim has to start its execution.
    2. Ransomware. Malicious software that encrypts files and keeps them locked until the ransom is paid. All the encrypted files receive the “.encrypted” extension.
    3. Macro Virus. A computer virus written in the same macro language as Word or Microsoft Excel. It works within these software applications and doesn’t depend on which OS the victim has. If a macro virus infects a file, it can also damage other applications and the system.
    4. Bootkit Virus. This virus infects the boot sector and executable files simultaneously. Most viruses infect only one thing: either the boot, system or program files. Because of this double functionality, the virus causes much more damage than any other.
    5. Browser Hijacker. Malicious software that changes the browser’s settings, appearance and behavior. A browser hijacker generates revenue by directing users to different websites and constantly showing pop-up windows that force users to click. Apart from such “innocent” things, the virus can also collect the victim’s data or log keystrokes. Remove it as soon as you notice any changes to your browser that you don’t remember making.

    Find The Best Computer Virus Protection

    It won’t be wrong to say that any antivirus protection is still protection. But of course, the question is how good that protection is. The best way to find out which antivirus software offers quality protection is simply to try it out.

    In this way you will see the product at work and decide for yourself whether what this or that antivirus vendor offers is enough for your needs.

    The search for the ideal antivirus solution won’t be hard if you know what it should do. An antivirus solution searches for, detects, and removes malware. That is the basic three-part system of any program that calls itself an antivirus solution. Additionally, most antivirus software has the feature of removing or quarantining the offending malware. An antivirus solution also works on two principles: it either scans programs as they are loaded or checks those already present.

    GridinSoft Anti-Malware main screen

    Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

    After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

    Scan results screen

    Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

    Removal finished

    Now that you’ve armed yourself with knowledge, try to secure your computer with Gridinsoft Anti-Malware. Not a bad start in testing out the various antivirus solutions in the search for that special one.

    Virus:Win32/Expiro (Gridinsoft Blog, Thu, 18 Apr 2024 14:35:15 +0000)
    https://gridinsoft.com/blogs/virus-win32-expiro/

    Virus:Win32/Expiro is a Microsoft Defender detection that refers to malware with backdoor capabilities. It allows attackers to control the compromised system, spy on it, install other malware, manipulate systems, and create botnets.

    This malware is distributed under the guise of legitimate software. Once the computer is infected, it can spread to other executable files on the system, complicating its removal. The specific behaviors and capabilities may vary depending on the variant; however, the typical activity associated with this malware group is the delivery of other malicious software.

    Viruses have evolved into more sophisticated and evasive malware. To protect against them, proper anti-malware software is a must. GridinSoft Anti-Malware is capable of stopping even the most modern threats. 👉🏼 Get yourself a proper security tool

    Virus:Win32/Expiro Overview

    Virus:Win32/Expiro is a generic detection name used by Microsoft Defender Antivirus to identify malware belonging to the Expiro family. In our case, this family includes backdoors and RATs, which are similar in their principle of operation. The primary purpose of this class of malware is to provide remote access to the target system.

    Virus:Win32/Expiro detection screenshot
    Virus:Win32/Expiro detection window

    Expiro malware enters a system through various means, but mainly through malicious advertising or bundled with pirated software. Once installed, it operates stealthily, avoiding detection by antivirus programs thanks to the extensive use of detection evasion tricks.

    A significant number of Expiro samples leverage the JDK to establish communication channels and hide their activities. By using this legitimate toolkit, the malware is able to avoid the checks of a significant number of antivirus products. Still, a detailed analysis shows even more interesting details.

    Detailed Analysis

    Let’s take a closer look at one of the samples. The original sample masquerades as a Java update file, imitates access to Java servers and uses the Java library. After execution, though, it morphs into a regular binary file. Once on the victim’s device, Virus:Win32/Expiro performs some basic check-ups, most of which aim to determine whether the malware is in a sandbox or virtualized environment. To do this, it checks the following keys:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\AppV\Client\RunVirtual\
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl

    The last key contains settings that may indicate whether the system is running within a virtual environment by controlling certain features or behaviors of Internet Explorer. After the successful check, the malware decrypts the rest of its file and launches.

    Persistence & Networking Trickery

    To gain a foothold in the system and persist, the malware adds itself to autorun by creating the appropriate registry keys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    To provide a reliable and hard-to-detect connection to the C2, Expiro modifies several files related to the Adobe software suite and the Google Chrome update mechanisms. The malware also calls Java Web Start, potentially to look benign. This is probably why Microsoft gave it the designation of a virus.

    C:\Program Files (x86)\Google\Temp\GUM871F.tmp\GoogleCrashHandler.exe
    C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
    "C:\Program Files (x86)\Java\jre1.8.0_121\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate

    Command and Control Communications

    Next, the malware establishes communication with the server: it performs DNS lookups and posts data to the command server. The malware then requests the following files, which are probably the payload.

    • 104.198.2.251/dybacct
    • 34.128.82.12/horvwm
    • 34.128.82.12/jeeifmfnna
    • 34.174.61.199/kvlpjj
    • 34.41.229.245/otmxwev
    • 72.52.178.23/
    • 72.52.178.23/qqhxribl
    • 82.112.184.197
    • cvgrf.biz/dybacct
    • cvgrf.biz/flk

    How To Remove Virus:Win32/Expiro?

    To remove Virus:Win32/Expiro, I recommend GridinSoft Anti-Malware. It is an advanced solution that finds and neutralizes malware and provides proactive protection. It also has an Internet Security feature that blocks potentially dangerous pages, thus minimizing the risk of downloading something malicious.

    Virus:Win32/Expiro

    TOP 10 Most Dangerous Computer Viruses In History (Gridinsoft Blog, Fri, 13 Oct 2023 19:25:00 +0000)
    https://gridinsoft.com/blogs/top-10-most-dangerous-computer-viruses/

    Computer viruses really resemble real ones. They can infect thousands of computers in a matter of minutes, which is why we call their outbreak an epidemic. It’s hard to imagine how we could live without antivirus software now, but once it was a reality. But which virus was the most dangerous? I’ve compiled a list of the 10 most dangerous viruses in history to remember how it all began. Let’s begin 😊

    CIH Virus (1998)

    This virus was created by a student from Taiwan, whose initials were CIH. It began spreading on April 26 – the day of the Chernobyl nuclear power plant accident, which is why many users simply call it “Chernobyl”. This virus is dangerous because it not only overwrites data on a computer’s hard drive, rendering it unusable, but it could even overwrite the host system’s BIOS – after that, the PC wouldn’t be able to boot. No one expected such cunning in 1998. CIH or Chernobyl infected almost half a million computers worldwide. Impressive, isn’t it?

    Morris Worm🐛 (1998)

    The Morris Worm became famous worldwide and gained significant attention through the media. Its creator was the first person (!) convicted in the United States under the Computer Fraud and Abuse Act. Today this might seem like a common occurrence, but in 1998 no one expected imprisonment for “some” virtual fraud. November 1998 is remembered as the month when one virus paralyzed the entire Internet, causing $96 million in damages. Quite impressive for one of the first viruses. Due to a minor mistake in its “code,” it kept installing itself an unlimited number of times on one PC, completely disrupting computers worldwide.

    Melissa Virus (1999)

    This virus is memorable for spreading through email. On Friday, March 26, 1999, people around the world received an email with only one line, “Here is that document you asked for… don’t show it to anyone. 😉”, and an attached Word document. Nowadays, we all understand that it’s a virus, but in 1999 it was something new. Moreover, on the final day before the weekend, a tired mind couldn’t immediately recognize the threat. Those who opened the .doc file (and there were thousands who did) allowed the virus to infect their system and send this email to all the contacts in their account, using their name. Worst of all, this virus modified all the Word documents in the system with quotes from “The Simpsons” TV show. The author of this virus was caught and sentenced to 20 months in prison.

    Iloveyou Virus 💖 (2000)

    The most romantic virus in our list – the ILOVEYOU virus. Perhaps because of its cute name or its cunning strategy, it infected 45 million users within just two days! How does this virus work? A user receives an email with a file named “LOVE-LETTER-FOR-YOU” with a .vbs (Visual Basic) extension. When it enters the system, it changes all your files, images, music, and then spreads itself to all your contacts through the same email. The damage from this virus was enormous – not the kind of love letter we expect to receive. The creator of the virus was found, but their identity was not disclosed. At the time, the Philippines had no laws against cybercriminals. Lucky, one might say 😊.

    ILOVEYOU virus
    Email message that was spreading ILOVEYOU virus

    Code Red (2001)

    The Code Red virus didn’t need to send emails to infect the Internet. To get infected with Code Red or Bady, you should have been connected to the Internet and opened an infected website displaying the text “Hacked by Chinese!” It spread instantly – in less than a week, almost 400,000 servers and nearly a million PCs were infected. The Chinese indeed put in some effort 🙁.

    Code Red message
    Message displayed on the site which spread the Code Red malware

    MyDoom Virus (2004)

    The MyDoom virus emerged on January 26, 2004. This epidemic managed to infect nearly 2 million PC users. The virus was attached to an email that claimed to be about a shipment error (“Mail transaction error”). When you clicked the attachment, it duplicated this email to all the addresses present in your contact lists. Stopping it was genuinely difficult because the virus blocked access to the websites of the most popular antivirus programs, as well as Microsoft’s update services. They thought of everything!

    Sasser Virus (2004)

    The Sasser virus made it to the headlines as it managed to interrupt satellite broadcasts of French television and even affected a few Delta Airlines flights. To infiltrate systems, the virus used a vulnerability in unpatched Windows 2000 and Windows XP systems, instead of traditional email spam. Once the virus infected a computer, it would start searching for other vulnerable systems. Infected PCs would crash and operate unstably. This virus was created by a student who released it on his 18th birthday. He was indeed fortunate to have written the code as a minor, as he received only a suspended sentence. What can you say – a teenager 😊.

    Sasser virus system message
    System message shown upon the Sasser virus execution

    Bagle Virus (2004)

    In early 2004, a new virus emerged – the Bagle worm. The Bagle virus infected PC users through email messages. This virus was one of the first to be created for profit, as it gained access to financial, personal, and other information. This marked the beginning of profit-driven malicious software, and it remains a significant problem for many users and antivirus companies today.

    Conficker Virus (2008)

    The Win32/Conficker worm, or simply Conficker, is a very cunning virus specifically designed to target Windows. By exploiting vulnerabilities in the operating system, Conficker could discreetly bypass antivirus checks and, more importantly, block access to OS updates. It replaced the names of all services and registered itself in various parts of the system, making it practically impossible to find and eliminate all its fragments. It infected over 12 million computers worldwide, prompting antivirus companies and OS providers to enhance their security.

    Stuxnet (2010)

    In 2010, the Stuxnet virus caused significant harm to global security. It was designed for large industrial facilities, including power plants, dams, waste processing systems, chemical and even nuclear installations. This allowed hackers to control all critical control system elements without being detected. It was the first attack that enabled cybercriminals to manipulate real-world equipment and cause massive damage to global security. Iran was the hardest hit, with 60% of the total damage attributed to the country.

    Stuxnet virus infrastructure

    TOP 10 Most Dangerous Computer Viruses In History

    PDF Virus (Gridinsoft Blog, Fri, 14 Apr 2023 16:45:35 +0000)
    https://gridinsoft.com/blogs/can-pdf-have-virus/

    Among numerous other files, PDFs are considered one of the most convenient to use for read-only documents. They prevent editing the content, yet retain the ability to carry interactive content. But is it totally safe? Can a PDF have a virus? Let’s find out.

    Background of PDF Virus

    First things first, so let’s see the definitions, just to be sure we mean the same things. By PDF viruses, people most commonly mean any kind of malicious payload embedded into a PDF file. Viruses as a malware type were among the most widespread in the mid-2000s, which made their name a common noun for any malware. In the years since, viruses were pushed off the scene by more advanced and self-sufficient malware. Spyware, stealers, dropper malware, and sometimes even ransomware: that is what to expect from infected PDFs.

    Using legitimate files as a carrier for malicious content is more common for continuing an infection than for initial access. Hackers tend to use PDFs (along with JPEG and PNG images) as a disguise for a data package that delivers new instructions to malware already in place. To the user, the file looks like something legitimate or a nonsense item received by mistake. Still, nothing stops hackers from using PDF files to spread viruses directly. Let’s check out the main ways this can happen.

    PDF Virus: Technical details

    As noted above, PDFs can be used for malware distribution. However, they differ from, say, MS Office documents armed with infected macros. The key attack surfaces in PDF documents are embedded JavaScript and the reader application itself. While JS is a fairly classic story, vulnerable readers are less common. These days, people tend to use web browsers as PDF readers, and operating systems ship with this setting by default. However, some users prefer stand-alone applications, which receive fewer updates and may contain security vulnerabilities.

    JScript

    JavaScript, or JS for short (referred to as JScript in this post), is a scripting language used massively in web applications and, obviously, in scripting. In cyberattacks it is typically used to leak information about users or to redirect them to another page. But once the script runs inside a document opened on the local machine, a completely different kind of payload becomes possible.

    Figure: Malicious JavaScript applet present in the PDF file

    Hackers embed a malicious JS script into the PDF file. By design, JavaScript can be attached to PDF files to make their contents dynamic, for instance a document that displays different instructions depending on the weekday or other circumstances. A malicious script, however, is set up to run as soon as you open the file. If no anti-malware software is running on your system, the script will execute unhindered and download whatever the hacker told it to.

    Vulnerabilities in the reader application

    Stand-alone PDF readers, as mentioned above, are used less often these days. That actually works against them: with less popularity, developers tend to spend less time and effort on improving them. And there is plenty to fix, as more and more vulnerabilities are uncovered over time.

    The content needed to trigger the exploit and give the hackers what they want is commonly embedded in the document’s editable (interactive) elements, which require your device to run code in order to display the corresponding information. Normally, code executed from the document should remain confined to a dedicated execution environment, the sandbox. Bypassing it, however, is a routine trick for attackers, who then act on the live system. In essence, the exploitation is quite similar to the JScript case: the part that stores active content gets a malicious filling.

    Malicious links in the text

    Like the previous two, malicious links are also a form of active content. However, instead of relying on code execution, links try to trick the victim into sharing sensitive data. It is a classic example of phishing, only embedded in a PDF file instead of an email message. The key problem (for the hackers) is that it does not work automatically: the victim has to click the link. After opening it, though, the victim will most likely see a malicious copy of the login page of a website related to the PDF’s topic.

    Figure: Malicious link added to the PDF file

    Risks of PDF Viruses

    The risks posed by PDF viruses depend on what exactly the payload does. When a malicious JScript runs, it most likely contacts the command server to retrieve the payload, i.e. it acts as a downloader. As an outcome, any kind of malicious program is possible; the most common in that case, however, are spyware or stealers. Ransomware, vandal malware, APT tooling and the like are possible too, but there are no documented cases of these threats being spread this way.

    Vulnerabilities in the reader can be used both to deploy the initial payload and to boost an existing one. As with JScript applets, they can be the source of any malware; everything depends on the hackers’ choice. When it comes to boosting an already running payload, much depends on the type of exploit used: privilege escalation flaws may be used to get the malware running, while arbitrary code execution vulnerabilities can initiate the connection to a command server for additional instructions.

    Phishing threats are less likely to involve a malware infection. What most phishing operations aim at is the victim’s personal information. The malicious link will try to resemble a website you know and will likely ask you to type in login credentials or certain details about yourself. The reasons to follow the instructions will be laid out in the PDF body.

    How to avoid infected PDF files?

    The preventive, and most effective, way to avoid malicious PDF files is to not interact with questionable items at all. PDFs that contain viruses are unlikely to appear on official websites, in genuine emails, and the like. Strange emails sent by a stranger rather than a company, asking you to open the attached file or a link to a third-party website: that is what you should watch for and avoid. For both individuals and companies, being aware of what attacks to expect is essential.

    Obviously, this may not be an easy task when you have to deal with dozens or hundreds of emails each day. That case calls for a counteraction of another kind: reactive. If you cannot prevent a malicious file from making its way onto your system, it is vital to be able to stop it when it appears. Several types of software solutions suit that case.

    Content Disarm and Reconstruction (CDR) fits organizations with extensive networks. CDR solutions control the files being opened and excise the active content that could be malicious. They may apply this blindly to all files, or rely on a detection system that distinguishes good from bad.
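The three attack surfaces described above (JavaScript wired to run on open, active content in interactive elements, and links that lead to phishing pages) all leave traces in the PDF's own object dictionaries, which is what a CDR or triage step looks for before deciding what to excise. The following Python script is an added example, not code from the original post or from any Gridinsoft product: it counts the trigger names a reviewer cares about (/JavaScript, /JS, /OpenAction, /AA, /Launch, /URI, /EmbeddedFile, all real PDF keys), decodes the #xx hex escapes that let a name like /Java#53cript slip past a literal text search, inflates FlateDecode streams so objects hidden in compressed streams are scanned too, and turns the counts into findings. The PDF it scans is constructed inline for the demonstration; the URLs in it are placeholders.

```python
import re
import zlib

# Active-content keys a PDF triage flags. The keys are real PDF dictionary
# names; the descriptions are ours.
TRIGGERS = {
    b"JavaScript": "JavaScript action",
    b"JS": "JavaScript source string or stream",
    b"OpenAction": "action executed as soon as the document is opened",
    b"AA": "additional actions fired by viewer events (page open, focus, ...)",
    b"Launch": "action asking the reader to start an external program",
    b"URI": "link to an external URL (phishing vector)",
    b"EmbeddedFile": "file attachment carried inside the PDF",
}

# A PDF name token: '/' followed by regular characters (no whitespace/delimiters).
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
# /URI followed by a literal string: crude, but enough to list link targets.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Stream bodies; the lookbehind keeps "endstream" from matching as "stream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def normalize_name(raw):
    """Decode #xx hex escapes so /Java#53cript compares equal to /JavaScript.
    A scanner that greps for the literal text misses this obfuscation."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def inflate_streams(data):
    """Return the decompressed body of every stream that inflates as zlib data.
    Malicious objects are often parked in compressed object streams, so the
    raw bytes alone are not enough."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (e.g. an image); the raw bytes are scanned anyway
    return bodies


def scan_pdf(data):
    """Count trigger names in the raw file plus inflated streams; collect URIs."""
    hits, uris = {}, []
    for chunk in [data] + inflate_streams(data):
        for m in NAME_RE.finditer(chunk):
            name = normalize_name(m.group(1))
            if name in TRIGGERS:
                key = name.decode()
                hits[key] = hits.get(key, 0) + 1
        uris.extend(u.decode("latin-1") for u in URI_RE.findall(chunk))
    return hits, uris


def assess(data):
    """Turn raw counts into the findings a reviewer would act on."""
    hits, uris = scan_pdf(data)
    findings = []
    has_js = "JavaScript" in hits or "JS" in hits
    if "OpenAction" in hits or "AA" in hits:
        findings.append("JavaScript wired to an automatic action: runs on open"
                        if has_js else "automatic action present: inspect its target")
    elif has_js:
        findings.append("JavaScript present but no automatic trigger found")
    if "Launch" in hits:
        findings.append("Launch action: reader may be asked to start a program")
    if "EmbeddedFile" in hits:
        findings.append("embedded file attachment: scan it separately")
    findings.extend("external link: " + u for u in uris)
    return findings


def build_sample():
    """Constructed test document (not a real sample): an /OpenAction pointing at
    a hex-obfuscated JavaScript action, a /URI link, and a second JavaScript
    dictionary hidden in a Flate-compressed stream. URLs are placeholders."""
    hidden = b"<< /S /JavaScript /JS (app.launchURL('http://example.invalid/')) >>"
    comp = zlib.compress(hidden)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
        b"4 0 obj << /S /Java#53cript /JS (app.alert('constructed')) >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (http://example.invalid/login) >> >> endobj\n"
        b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
        + str(len(comp)).encode() + b" >>\nstream\n" + comp + b"\nendstream endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for line in assess(build_sample()):
        print(line)
```

On the constructed file the scan reports the auto-run JavaScript (counting both the hex-escaped copy and the one inside the compressed stream) and lists the link target. This is a triage heuristic, not a CDR engine: a real CDR product rebuilds the document from parsed objects rather than pattern-matching bytes, and a tokenizer this simple can be misled by names split across encodings or objects that only exist after a reader applies incremental updates.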

    Anti-malware software is a more all-encompassing solution that can effectively detect and stop the execution of malicious code. PDF, however, is a bit troublesome, as some antivirus software considers the format safe and ignores it completely. GridinSoft Anti-Malware is a different story: it offers a top protection rate against any kind of threat, even cunning things like a PDF virus.

    Security Breach
    https://gridinsoft.com/blogs/what-is-security-breach/
    Published on Gridinsoft Blog, Thu, 05 Jan 2023 16:46:59 +0000
    A security breach is unauthorized access to a device, network, program, or data. Security breaches result from network or device security controls being violated or circumvented. Let’s look at the types of security breaches, the ways they happen, and the methods to counteract them.

    What is a Security Breach?

    First of all, let’s have a look at the definitions. A security breach is when an intruder bypasses security mechanisms and gains access to data, apps, networks, or devices. Despite being closely related, security breaches and data breaches differ. A security breach is about gaining access as such, like breaking into someone’s house. A data breach, on the other hand, is one possible result of a security breach, which may aim at things other than leaking data. It is a specific consequence of a security breach rather than the breach itself.

    What are the types of Security Breaches?

    Threat actors may create a security breach in different ways, depending on their victim and intentions. Here are the most important ones.

    1. Malware injection

    Cybercriminals often employ malicious software to infiltrate protected systems. Viruses, spyware, and other malicious software are transmitted via email or downloaded from the Internet. For instance, you might receive an email that contains an attachment, generally an MS Office document; opening that file can end up infecting your PC. You may also download a malicious program from the Internet without any trickery involved. Often hackers target your computer to get money and steal your data, which they can sell on the Darknet or other suitable places.

    2. Man-in-the-Middle attack

    As the name says, the attacker sits in the middle of the route. Here is what that means: the hacker intercepts communications between two parties, so that one party receives a forged message, or the entire communication log is compromised. Such an attack is often carried out through hacked network equipment, such as a router. However, some malware examples may serve that purpose as well.

    Figure: Scheme of a Man-in-the-Middle attack

    3. Insider threat

    An insider threat is the danger of a person from within the company using their position and authorized access to commit a cybercrime. The harm can result from malicious, negligent, or accidental actions that negatively affect the organization’s security, confidentiality, or availability. Other stakeholders may find this general definition more appropriate and valuable to their organization. CISA defines an insider threat as the danger that an insider will knowingly or unknowingly misuse their authorized access to harm the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. This danger can manifest through the following insider behaviors:

    • Corruption, including participation in transnational organized crime
    • Terrorism
    • Sabotage
    • Unauthorized disclosure of information

    4. Advanced persistent threat

    An advanced persistent threat (APT) is a prolonged cyberattack that employs advanced tactics to remain undetected in a network for an extended time in order to steal information. An APT attack is meticulously planned and executed to infiltrate a specific organization, circumvent existing security measures, and remain undetected. APT attacks are more complex and require more advanced planning than traditional cyberattacks. The adversaries are typically well-funded, experienced teams of cybercriminals that target high-value organizations, devoting significant time and resources to investigating and identifying vulnerabilities within the organization.


    Examples of Security Breaches

    Recent high-profile breaches include:

    • Facebook: In 2021, the personal information of over half a billion Facebook users was leaked, including phone numbers, dates of birth, locations, email addresses, and more. The attack relied on a zero-day exploit that allowed hackers to harvest a large amount of data from the company’s servers.
    • Equifax: In 2017, the US credit bureau Equifax experienced a security breach via a third-party software vulnerability similar to the EternalBlue exploit. Fraudsters gained access to the personal information of over 160 million people; this is considered one of the most significant identity theft cyber crimes to date.
    • Yahoo!: In 2016, while 200 million Yahoo users were active, a list of usernames and passwords for Amazon accounts was posted for sale on the dark web. The company blamed the breach on “state-sponsored hackers” who could manipulate cookie data to gain access to user accounts.
    • eBay: In 2014, eBay experienced a severe security breach resulting in the widespread disclosure of personal information.

    How to Help Protect Yourself from a Security Breach

    Monitor your accounts and devices

    After a security incident, closely monitor your accounts and devices for any unusual activity. If you find any, ask the site administrator to suspend your account to keep the threat actor from accessing it.

    Change your passwords

    Choose complex passwords on all devices that need configuring. Pay special attention to routers and to the devices you use on public Wi-Fi. Remember to update your passwords frequently. A password should include upper- and lower-case letters, numbers, and special characters.

    Figure: Example of a weak password

    Contact your financial institution

    Contact your bank immediately to prevent fraudulent transactions if your credit card or other financial information is compromised. They can tell you what the problem is and how to fix it. Sometimes it may take time to resolve issues with your card. The best thing to do in these cases is to block the card so that fraudsters cannot withdraw money from it.

    Perform an antivirus scan

    If someone has gained access to your computer or home network, your devices may be infected with malware. Use reliable antivirus software to identify and remove any threats that may be present. Run an initial scan to determine whether your computer has any issues. Depending on the type of scan you run, it may take a while to complete. The default is a quick scan; the standard scan is recommended, but it takes longer.

    Report the incident to the appropriate authorities

    Contact your local law enforcement agency if you have been the victim of identity theft or fraud. They will assist you with the steps needed to regain control over your accounts.

    Keep in mind that avoiding an attack is possible if you take the proper steps to protect yourself. This means creating strong passwords, using two-factor authentication, and keeping track of your credentials with a strong password manager.

    Figure: Multi-Factor Authentication (MFA). Using 2FA minimises the chance of a security breach

    Good digital hygiene also includes using comprehensive security and privacy software to prevent threats from infiltrating your devices and to protect your data. This makes it harder for hackers to get into your device, take your data, and sell it on third-party marketplaces.
