MalwareTeks Blog » Blog Archive » VirusRescue - New Rogue? You Bet it is!


 20 Aug 2006 @ 11:57 AM 
 


 

It’s been a little more than a week since I first posted on this subject.

Links of Interest:
http://www.securitycadets.com/2006/08/new-possible-rogue-virusrescue/
http://www.vitalsecurity.org/2006/08/virus…-rescue-me.html
http://securityticker.blogspot.com/2006/08/virusrescue-appears-to-be-new-trojan.html
http://www.realtechnews.com/posts/3393
http://blog.spywareguide.com/2006/08/virus…up_a_noble.html
http://www.siteadvisor.com/sites/virusrescue.com?aff_id=0
http://research.sunbelt-software.com/threa…;threatid=48317
http://www.bluetack.co.uk/forums/index.php?showtopic=15209
http://billpstudios.blogspot.com/2006/08/virusrescue-warning.html

So what exactly is VirusRescue?

From the VirusRescue website -

“VirusRescue is a powerful and easy-to-use Trojan horses, Viruses and all types of Malware removal software, which detects and eliminates more than 100′000 Trojan Horses and Spywares. It also detects viruses, trojans, worms, spyware, malicious ActiveX controls and Java applets. The latest version of VirusRescue features outstanding detection abilities, together with high performance.

You can expect 100% detection of In-the-Wild viruses (viruses already spreading between users) and excellent detection of Trojan horses. VirusRescue also detects and deletes computer viruses and trojans from inside the most common archives: zip, rar, ace, cab, chm, eml compressed files scan etc.

The program has a unique system of daily updating from the Internet, allowing to easily and surely update not only the antivirus bases, but also any other program components. Your copy of VirusRescue will be securely updated every day over the Internet so that you could always stay on top of cutting-edge technologies. VirusRescue license owners benefit from daily virus definition updates and free product upgrades.”

- Notice that English, apparently, is not the native language of the writer.

This little program has caused quite a stir in the security blogs of late, and with good reason. This particular “Rogue” finds its way onto a system via Zlob, which is a fake video codec that you install in order to view video content on certain adult sites. Once the “Video Codec” is installed, you are inundated with pop-ups warning that the system is infected and that you must pay $29.95 to remove these infections. Now that’s some kind of scam: it infects your system, tells you that you are infected, and has you download a scanner that will detect the virus and then pay $29.95 to get the full version that will disinfect your computer. Sounds great, well maybe not so great.

VirusRescue is just another in a long line of “Rogue” programs: SpywareQuake, SpywareFalcon, SpyHeal, VirusBlast, SpyAxe, etc., etc., etc. The problem with these programs is that they don’t seem to actually do anything. Well, that’s not really fair; some of them do seem to remove some of the more benign infections. What they don’t do is remove the original infection, the trojan that was placed on your system when you installed the fake video codec from that adult site you visited last night.

So, what is the trojan? “Trojan.Zlob is a back door Trojan that allows the remote attacker to perform various malicious actions on the compromised computer.” (Source: Symantec Security Response.) Zlob is often accompanied by a Smitfraud.c infection. “Trojan-Spy.HTML.Smitfraud.c is a phishing attempt where a fake login screen is presented to user, in an attempt to collect user account information.

Note: There is also a spying trojan that installs a fake warning message on computer screen saying

A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) +
00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

This trojan has nothing to do with Trojan-Spy.HTML.Smitfraud.c. More information is available here: http://www.f-secure.com/v-descs/agent_eo.shtml” (Source: F-Secure Computer Virus Information Pages.) So, as you have noticed, it’s not just one infection but multiple infections.

I opened with the product description quoted from the VirusRescue website. English is obviously not the native language of the writer. “VirusRescue is a powerful and easy-to-use Trojan horses,…”; well, that’s an interesting statement when separated from the rest of the description. Is VirusRescue a Trojan Horse? No, not really. “… Viruses and all types of Malware removal software, which detects and eliminates more than 100′000 Trojan Horses and Spywares.” That’s a very bold statement, to say the least. I have seen many programs that make similar claims, and only a handful live up to such a bold claim.

So, what exactly is VirusRescue, if it’s not a Trojan Horse, a virus, Malware or Spyware? VirusRescue is a “Rogue” application; its sole purpose is to fleece you out of your hard-earned cash. I am eagerly awaiting the addition of this product to Spyware Warrior’s Rogue/Suspect Anti-Spyware Products list.

~ VirusRescue Removal Guide ~

Updates -

(August 24, 2006) - VirusRescue added to Spyware Warrior’s Rogue/Suspect Anti-Spyware Products list on August 21, 2006.

(August 27, 2006) - Malware Complaints::View Topic::VirusRescue http://malwarecomplaints.info/viewtopic.php?p=7369&sid=3d554152a18d3cf26937d2c53bd89491

(September 03, 2006) - Link to MalwareTeks VirusRescue Removal Guide Added.
http://www.malwareteks.com/VR-Fix_Guide.php

Posted By: ShadowPuterDude
Last Edit: 22 Sep 2006 @ 05:55 PM
 

Responses to this post » (3 Total)

 
  1. Security Cadets - Free Assistance, News and Information » My response back to VirusRescue… said...
    12:45 pm - August 20th, 2006


  2. Security Cadets - Free Assistance, News and Information » VirusRescue kicked into touch? said...
    6:40 pm - August 21st, 2006

    [...] I think we can honestly say that we kicked their butt into touch! Kung-Fu style! [...]

  3. ShadowPuterDude said...
    12:26 am - August 23rd, 2006

    Wrong weight class, I guess. Don’t get in the ring with a bunch of Heavy-weights, if you’re not ready to go 15 rounds.

 
