JS.SecurityToolFraud

Looks like I got hit by the new threat (discovered by Symantec on 29/12/09) JS.SecurityToolFraud in the evening of 29 Dec local time (midday GMT). Norton Antivirus definitions of 23/12/09 didn't pick it up.

Kids had been watching DVDs on the computer & had just gone to bed when I went to check mail & to turn it off. Found numerous red Norton alerts on screen. First time this has happened in the background (security issue for WinXP?).

Next morning on boot-up, wife was horrified to have the screen filled with SecurityToolFraud dialog boxes! I was able to close these on the screen but was unable to get anything to run & stay on the screen [including Regedit & Norton (Systemworks 2004)] and had annoying dialog boxes continually popping up. But Windows did log off and shut down when the Off button was depressed!

Computer is dual boot & I was able to run (uninfected) Win98 but unable to use this to fix the problem as Win XP is on a SATA RAID mirrored pair of drives (not accessible to Win98). WinXP would not boot in any mode other than 'normal'; it kept recycling to the BIOS POST (in safe mode too).

The simplest solution seemed to be to scan disks on another computer [but took a day to acquire a USB hard drive case for the 3 1/2 SATA disks (already had one for the IDE disks)]. Removed the drives from computer and virus-scanned them via the USB on another computer (with another brand of antivirus software). 7 threats found on the drive(s) that had XP installed & 1 threat on another drive, all removed. Drives reinstalled.

WinXP still booted to SecurityToolFraud dialog boxes (argh! I thought) but I discovered that I could close the various SecurityTool dialog boxes that kept popping up on the screen and I could now access some software including Win Explorer (but not Regedit). I could also view program menus & shortcuts, & their Properties boxes. But, opening Norton Antivirus & Systemworks shortcuts and their exe files directly resulted only in bringing up the SecurityTool screens.

Luckily, JS.SecurityToolFraud installs a shortcut in the Programs list and so I was able to find the name & location of the source file & directory from the link (Properties box). I now note that the location of this source file is consistent with the Symantec Tech details for the initial (non-self-installing, non-JS) SecurityToolFraud threat first noted on 9 Oct. [The 'random name' for the source file on my computer was 42744223.exe]. But, as the SecurityToolFraud exe file was (obviously) still active on the computer, it could not be deleted.

Therefore I shut the computer down, took out the hard disks (again), rescanned for threats (I was not exactly trusting Norton Antivirus at this stage, but there were none) & manually deleted the above offending file & directory via the USB on the other machine.

Reinstalled disks and it now works fine. Rescanned & ran other Norton routines; the registry seems to be suitably repaired and all is back to normal again.

I now await download of the latest (post Dec 29!) threat definitions!

As all my files, including the Norton Systemworks files seem to have survived, it appears JS.SecurityToolFraud did not corrupt or destroy the Symantec files, just altered the registry entries to redirect instructions.

All up it didn't cost me much money, but did cost quite a few hours of frustration and worry over 3 days' computer downtime; and it could have been worse if the threat had been more malicious. It just reminds one that you can be caught out even with automatic updates, firewalls and everything else!