
Posted 2010-03-08 16:36 by Nate
Every few months or so, an aspiring malware coder comes across a new attack vector to hit us with. I remember when the "Shared Task Scheduler" was first used to keep a virus in memory on every boot, even a boot into Safe Mode. Later things like winlogon scripts surfaced, and more recently userinit.exe replacements. Just Friday I was confronted with a whole new beast, which goes by the name of "XP Internet Security 2010."
Now I've seen "Internet Security 2010" and some others, which use nasty userinit.exe replacements to stay loaded, but this new one is of particular interest because of the way it takes over a system. I noticed that there were no entries in the HijackThis log of the machine, so I figured it was surely a rootkit. However, that may not be the case. In one of the two infections I've seen, the software was using Windows' standard file-class (file association) keys in the registry to infect the system.
The version of this that uses an "av.exe" file to run the graphics is actually quite easy to remove once you understand how it works. You'll be able to see this program in Task Manager, and you can kill it simply by hitting "End Process Tree" on it; however, you'll notice that every time you launch an application it comes back. This very rootkit-like behavior is actually much simpler than it appears. The scam has changed the way Windows sees .exe files. It has hijacked Windows so that instead of treating .exe files as applications, it opens them with this av.exe program, relaunching the virus.
This is easily cured in one of two ways. I did it this way:
- Hit the Windows key + R to bring up the Run dialog box. Type command.com in there. (.com files aren't affected by this scam yet ;) )
- Type "regedit" in there and hit Enter to bring up the Registry Editor.
- Navigate to HKEY_CURRENT_USER\Software\Classes and delete two keys: .exe and secfile. This restores the normal handler for .exe files, so your programs open as usual.
- Last, turn on viewing of hidden files and protected operating system files, then hit the Windows key + R again and go to "%UserProfile%\Local Settings\Application Data". In here you'll see "av.exe" and probably "MSASCui.exe" (a file of that name in this per-user folder is not the real Windows Defender binary), both of which are bad, so delete them.
Then run a scan with Microsoft Security Essentials to clear out anything else that might still be hiding in there.
The caveat to this procedure is that in the second infection I saw, these files were not there, nor were the registry entries for .exe files. I'm still racking my brain to figure out what was going on in there, whether they had hijacked the <null> process that makes .exe files work or something more sinister, but I'm hoping that more information will surface as this spreads around. It's a really neat attack, and I'm honestly rather impressed.
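The per-user association hijack described above can be spotted without clicking through regedit: export HKEY_CURRENT_USER\Software\Classes to a .reg file (for example with `reg export`) and look for executable extensions that have been given a handler there, since a per-user entry under HKCU\Software\Classes overrides the machine-wide exefile association. The script below is an added example, not from the original post or from any tool mentioned in it. It parses the text of such an export and flags executable extensions whose ProgID resolves to a shell\open\command that interposes another binary before the real program. The sample export, the path to av.exe, the "Secure File" description and the `IsolatedCommand` value are constructed to mirror the post's description (.exe -> secfile -> av.exe), not captured from an infected machine.

```python
"""Detect a per-user executable file-association hijack in a .reg export.

Added example (not from the original post). Input is the text of a
registry export such as `reg export HKCU\Software\Classes classes.reg`.
"""
import re

# Extensions that should never have a per-user handler override: an entry
# under HKCU\Software\Classes takes precedence over the HKLM defaults.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr"}

HKCU_CLASSES = r"HKEY_CURRENT_USER\Software\Classes"

# Constructed sample: what an export from a machine hit by the av.exe
# variant would look like. A stock machine has no HKCU .exe key at all.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\secfile]
@="Secure File"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"
"""

# A .reg value line: either the default value '@' or a quoted name, then '='.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(data):
    """Strip the quotes of a REG_SZ literal and undo .reg escaping."""
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return data


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.

    '@' is the key's default value. Binary/DWORD values are kept verbatim
    as text; only REG_SZ values matter for file associations.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2)
            keys[current][name] = _unescape(m.group(3))
    return keys


def is_interposed(command):
    """True when the open command runs something other than the file itself.

    The stock exefile handler is '"%1" %*'; anything that puts another
    binary in front of %1 launches that binary every time an .exe is run.
    """
    return not command.strip().startswith(('"%1"', "%1"))


def find_hijacked_handlers(keys, hive=HKCU_CLASSES):
    """List per-user handlers for executable extensions found in the export.

    Each finding records the extension, the ProgID it points to, the
    resolved shell\\open\\command (empty if none) and whether that command
    interposes another program before the real executable.
    """
    prefix = hive + "\\"
    findings = []
    for path, values in keys.items():
        if not path.startswith(prefix):
            continue
        ext = path[len(prefix):]
        if ext.lower() not in EXECUTABLE_EXTS:
            continue
        progid = values.get("@", "")
        cmd_key = f"{hive}\\{progid}\\shell\\open\\command"
        command = keys.get(cmd_key, {}).get("@", "")
        findings.append({
            "extension": ext,
            "progid": progid,
            "command": command,
            "interposed": is_interposed(command),
        })
    return findings


if __name__ == "__main__":
    for hit in find_hijacked_handlers(parse_reg(SAMPLE_REG)):
        status = "INTERPOSED" if hit["interposed"] else "direct"
        print(f"{hit['extension']} -> {hit['progid']} [{status}]: {hit['command']}")
```

Any finding at all is worth investigating, because a clean profile has no `.exe` key under HKCU\Software\Classes; a finding marked interposed is the pattern the post describes, and the two keys it names (`.exe` and the ProgID, here `secfile`) are exactly the ones to remove. The `.txt` key in the sample is ignored, and `.com` is reported only if a per-user key for it ever appears, which is the "not affected yet" case the post mentions.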


Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Thanks.
Good luck