Friday, May 4, 2012

Fake Hard Drive Diagnostic Virus; Browser Pop-up/Redirection Fix

Pacific NorthWest Computers KNOWS rogue security and fake software applications very well. Fake software virus applications make up for 85% of the infections that we see on a day-to-day, week-to-week, month by month basis here in the shop. At first it was just fake security software programs. But the newest "trend" in the fake malicious software world is fake hard drive diagnostic software.

This fake diagnostic software virus pretends to have found issues with your hard drive, proceeds to hide your data (to seem more legitimate) and then tries to sell it self as a fix for all "problems" it has identified with your hard drive. When first released, it was not to difficult to remove. But the issue we are running into now however is that when a customer brings a system in that has this virus on it, we aren't just worrying about just getting the virus removed. But more importantly, reversing the changes the virus has made to an affected system. The big challenge has been with Browser hooks.

Most of the time when we encounter this virus it will actually "hook" into (or simply put; infect) the executable "IExplorer.exe", which is Internet Explorer. Once "hooked" the virus can change, modify how Internet Explorer functions and can generate pop-ups and redirect searches and navigation in the browser. All after the virus cleaning is completed on the affected computer. Now, most of the time programs like Spybot Search & Destroy are very effective at reversing system modifications created by viruses. But so far, this browser hook issue is not "automatically" fixed by virus scanners and utilities and since hooks can sometimes be impossible to remove. This type of an issue can prevent us from declaring a system clean and can sometimes require us to reinstall the computer's operating system. Well, we think we figured out a fix!

After working on a computer from a local insurance agency, I did some extensive poking around an infected computer's file system and registry and was able to locate a registry location for something called “DOMStorage” under Internet Explorer’s HKEY_ CURRENT_USER registry key (HKCU\Software\Microsoft\Internet Explorer\DOMStorage). In this registry entry, I found folders matching the names for some of the websites that were being generated in the random IE pop-ups's. I knew I was onto something but did not know what "DOMStorage" even was nor did I know why or how Internet Explorer even used it.

After doing some research on DOMStorage ( it looks like DOMStorage, or Document Object Model Storage, is a web application software method and protocol used for storing data in a web browser. So I thought to myself, “Well if they can store data there, they could very well plant a program in those locations to hide and allow themselves to generate those pop-ups!”. So I went ahead and deleted all of the folders in the DOMStorage registry location (and there were A LOT of sites listed in there) and it’s safe to now say after removing those folders there have not been ANY Internet Explorer pop-ups since! After pop-ups coming up several times a minute, the system is running great and is running flawlessly for several days; with web surfing and all! No browser re-directions or anything!
So I would say this is another problem solved and another win against viruses for Pacific NorthWest Computers!

Jon Pienkowski
Pacific NorthWest Computers