How This Savvy Techie Downloaded His First Virus
After 25 years of safe computing, last Friday evening the social engineering behind viral transmission finally beat me. I downloaded my first ever virus on Friday night.
How on earth could I get suckered? Through my website’s statistics. I thought I was safe inside my web server’s stats program. Just like people used to think ten years ago about their email.
You’re not safe anymore. Don’t click the links within your stats.
I’ve been computing since playing Snake in my preteen Commodore PET timesharing days at Berkeley’s Lawrence Hall of Science in the early 1980s.
I owned my first Apple //e in 1983 when I was in middle school. I worked for both America Online and Gateway computers in technical support. I’ve installed Citrix systems and rolled out configurations across five hundred desktops overnight.
And now I was another malware statistic.
Bloggers and small business owners who host on your own servers: beware of the tvsetmp3 dot com address. I’m sure it’s only going to be one of many such evil backlinks we will be dealing with soon.
Stats junkie sees referral link - who’s this?
When I was looking through the referring links I found this one for tvsetmp3 dot com. Warning: do not hit that site! That’s why I didn’t hyperlink it.
While it looked innocuous, this is a new and innovative method to get website owners to click on links they normally wouldn’t.
I had also been experiencing problems with my Apache server’s AWStats - it wasn’t showing results for over a week on any of the domains I’ve got hosted. So now my AWStats is under my scrutiny.
So I’m wondering who tvsetmp3 is…
Of course, I am looking through AWStats and get to my “links from external pages” section.
Bad idea. Very bad idea.
After going to this site, a blank YouTube-style window popped up, and some sort of familiar-sounding player codec asked to be set up. This is where I lapsed in judgement. My tech-savvy nature had me thinking the referring link was embedded within the Flash, so I accepted it.
This is where the social engineering behind the application of this adware really worked on me. After all, if someone’s referring people to my site, they’re… they’re inside my web social circle, right?
Then all sorts of hell started breaking loose.
My browser changed, and some sort of quasi-porn image popped up, with an overlay made to look like I had been redirected.
A window in poor English stated that I had the Agent.bn virus and needed to get Advanced Cleaner to get rid of it. Conveniently, all I had to do was watch my browser be taken to the Advanced Cleaner website. How nice.
Apparently the download was supposed to coerce me into buying some sort of virus / adware cleaning product. How I and WordPress community folks fixed this is detailed beneath the fold.
And this content was also found in my Windows directory, in a file named search_res.txt.
- tvsetmp3.com|t|videoaccesscodecinstall%2eexe+virus+symantec|sym-priority-demote|tvsetmp3 .com|tvsetmp3 .com|t|t|Ad-Aware 2007|t|advanced+cleaner. com|advanced+cleaner+removal| Advanced Cleaner| Advanced Cleaner|AdvancedCleaner|web counter|technical communication|instant messaging security|help authoring tool|go to my pc|virgin|key+influencer|internet media|spyware|
Advanced Cleaner obviously was supposed to be my solution. I think the other entries derived from my Google or IE7 search history; you can see “technical communication” and “help authoring tool” in there.
Oops. What’s the name of that truck driving school, Maverick?
Since my frustration was mounting about the total loss of time, I decided to channel my anger and blog about it, and thereby make the world a better place by educating more people about the risk and how I fixed it. Breathe in, breathe out. Breathe in…
I had immediately severed my data connection, and while I figured that a trojan or some other data-capturing program would be blocked by Norton, I was still trying to recapture control of my browser and rid myself of the constant random display of porn. It was trying to persuade me first, that there was a virus, and second, that I should buy Advanced Cleaner, which the window graciously offered in order to get rid of it!
Fix the problem that they created? How sleazy is that?
The porn images were some sort of layer or .gif file, and the makers of the virus probably get money off of paid click links that they send to adware security companies.
So if you download their recommended products, you take care of the adware/virus that they in fact put onto your system. How nice.
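The lure described in this post lives in the referrer field of the web server log, so it can be triaged there without visiting anything. This is an added example, not code from the post: it parses Apache combined-format lines and flags referrer hosts whose “visitors” only ever land on the bare front page from a bare domain-root referrer, which is what a planted referrer string looks like versus a real click-through. The log lines, IP addresses and the site host example.org are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (assumption, not from the post): one real search click-through
# plus a burst of hits carrying the referrer host the post warns about. IPs are from
# documentation ranges and the site's own host example.org is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2008:20:01:02 -0800] "GET /2008/01/awstats-broken/ HTTP/1.1" 200 8123 "http://www.google.com/search?q=awstats+not+updating" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.11"
203.0.113.7 - - [11/Jan/2008:20:01:03 -0800] "GET /wp-content/style.css HTTP/1.1" 200 512 "http://example.org/2008/01/awstats-broken/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.11"
198.51.100.9 - - [11/Jan/2008:20:05:10 -0800] "GET / HTTP/1.1" 200 9120 "http://tvsetmp3.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [11/Jan/2008:20:05:11 -0800] "GET / HTTP/1.1" 200 9120 "http://tvsetmp3.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.9 - - [11/Jan/2008:20:05:12 -0800] "GET / HTTP/1.1" 200 9120 "http://tvsetmp3.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def referrer_report(log_text, own_hosts=("example.org",)):
    """Group hits by external referrer host and flag likely referrer spam.

    Suspicious = every hit from that referrer lands on the bare front page AND the
    referrer URL is just a domain root. A browser following a real link arrives
    from a real page URL; a planted string exists only to show up in the stats.
    Returns {host: {"hits": n, "ips": n, "suspicious": bool}}.
    """
    seen = defaultdict(lambda: {"hits": 0, "ips": set(), "paths": set(), "root_referer": True})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        ref = urlparse(m["referer"])
        if not ref.netloc or ref.netloc in own_hosts:
            continue  # direct hits and internal navigation are not referrals
        entry = seen[ref.netloc]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
        entry["paths"].add(m["path"])
        if ref.path not in ("", "/") or ref.query:
            entry["root_referer"] = False  # came from a real page, not a bare domain
    return {
        host: {"hits": e["hits"], "ips": len(e["ips"]),
               "suspicious": e["root_referer"] and e["paths"] == {"/"}}
        for host, e in seen.items()
    }
```

Hosts the report marks suspicious are worth checking with a search engine or a URL-reputation service rather than a browser.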
Posted by Charles in Blogging, Software, Technical Support, Web 2.0

January 12th, 2008 at 5:37 pm
This is very, very crafty... and fortunately I’m using Firefox and the site just shows as dead.
Well, I presume I’m protected... and I have no problems with porn pop-ups...
Another highly clever form of spam hits the internet... doesn’t it make you reconsider what the digital world has in store for the future?
January 13th, 2008 at 10:20 pm
Yeah, Firefox usage does have its benefits, among them a reduction in virus downloads.
You were brave to hit the site… The media codec download, however, is what made it onto my system, and that was because of the social engineering aspect. Not only was there a virus in the adware you got from hitting the site right away; accepting the actual ‘codec’ was unfortunately what I did.
And that will, if accepted, install a virus / adware onto your system, if you’re using a PC.