Wednesday, August 4, 8:00 AM
We receive a phone call from someone complaining about “Wireshark Antivirus”. I take the call. The person on the other end isn’t able to provide many details other than that a program named “Wireshark Antivirus” is displaying a shield and directing him to the cacetech.com web site.
This is new. We’ve been on the receiving end of a few false positives in the past, but this is new. Some jackass is using our name to do harm.
This will not end well.
August 4, Morning
I start searching using Google and Bing, looking for other reports or any details. This is my job for the rest of the day.
So far our only exposure is through reports from other people. A forum post mentions “Wireshark Antivirus.exe”. I ask for screen shots so I can at least put an image online, but don’t receive any.
The calls continue, but are mercifully few. I add news items to www.wireshark.org and www.cacetech.com and send an email to wireshark-users and wireshark-dev.
This will not end well.
August 4, Afternoon
Two discussions pop up on Yahoo! Answers. This is a reputation-based Q&A site: someone posts erroneous information, but I don’t have enough reputation to correct it. How do you get enough reputation to be helpful in an emergency?
At around 2:00 PM posts start showing up with recommendations for cleaning up the trojan.
Thursday, August 5
We get our first angry letter! Threats and foul language and everything!
More calls come in. Most AV software has been updated to catch the code if it hadn’t already done so.
This will not end well.
Friday, August 6
The reports and calls taper off.
By this time several blog entries and news articles have covered the malware. I add them to the news items on the Wireshark and CACE web sites.
This will not end well.
Saturday, August 7
More cussing and threats via email. Someone managed to find our contact information on the CACE web site, but completely missed the “Wireshark Antivirus” Malware news banner at the top of the home page.
This will not end well.
Monday, August 9
The crap-storm continues. We’re trying to help as best we can.
Tuesday, August 10
Yahoo! Answers deleted one of my comments because it was flagged as spam. Thanks Yahoo! You guys are swell!
Lessons:
Communicate. Luckily, the trojan’s victims were being sent to www.cacetech.com, so we could pass along updates in near real time. Google and Bing helped track down users posting questions to online forums. I responded to each question with any information I had at the time.
People don’t run AV software. Seriously — you should at least be running something like MS Security Essentials by now.
Even cake is dangerous. One of the infections apparently happened while looking for pictures of cake on Flickr.
Comments
Comment by James Wylie on 2010-08-09 13:58:08 +0000
Gents,
I’ve had two customers in the past few weeks with virus infections from an app called Wireshark Antivirus. This was strange because I used your app a few years back. Took me a minute to realize that it was you guys and that some bonehead was using your name to exploit with bad character your company.
How can I help –
Mr Wylie
Comment by Gerald Combs on 2010-08-09 18:11:19 +0000
@James It sounds like you’re helping already.
Comment by mary chang on 2010-08-09 20:35:21 +0000
hello,
something calling itself WIRESHARK ANTIVIRUS installed itself on my computer & seems to insist on a subscription of some sort. I wonder if your program can uninstall it? I have notified CONSUMER FRAUD REPORTING.ORG. Many thanks for any help!
MARY CHANG.
Comment by Lee Anne Farnham on 2010-08-09 21:19:22 +0000
How do I get rid of this sharkware virus? It tagged on to my computer this morning when I was taking a look at wedding announcement web sites.
I will also send an email to consumer fraud reporting.org.
Comment by Gerald Combs on 2010-08-09 21:31:07 +0000
Mary & Lee Anne,
There are links with removal instructions at http://www.wireshark.org/news/20100804.html . Googling for “wireshark antivirus” (WITH quotes) turns up a lot more information about removing the trojan. I don’t have any way of testing them here and so can’t recommend any particular one.
Comment by belensaurus on 2010-08-12 22:48:11 +0000
I got the wireshark thingy and I managed to get rid of it.
Download the Malwarebytes’ Anti-Malware program and it will actually get rid of it.
The wireshark program thingy won’t let the program pop out, but all you have to do is press the Alt+Ctrl+Delete keys together and you’ll get the Windows Task Manager. Click on the wireshark and end the task. Then, once the Malwarebytes program pops out, do a quick scan, and once the scan is finished remove the threats and you’re done. Your computer will restart and your computer will be OK. Go on Malwarebytes again and delete the threats and you’re done.
Comment by Matt on 2010-08-13 10:50:08 +0000
The MalwareBytes solution seems to have eliminated the bug itself. However, further investigation has revealed that my browser is hijacked. I do not know if this was part of the Wireshark Antivirus bug or some prior threat I missed, but Googling “Malwarebytes” and following any of the links redirects me to off-the-wall websites that I’m sure are attempting to add more malicious garbage to my machine. I highly promote MalwareBytes, but be very careful attempting to download it. You may want to DL it from the comfort of another (uninfected) machine, and copy the installer to your infected machine. Also, you may need other solutions besides MBAM if your browser has been hijacked as mine has.
Comment by margy on 2010-08-13 11:37:00 +0000
How do you know if your browser’s been hijacked? I have this Wireshark AV thing and can’t open apps to download anything to get rid of it. Had just downloaded MalwareBytes the night before… then got this. Can’t open MB to even scan.
Comment by Gerald Combs on 2010-08-13 12:15:07 +0000
@margy According to a Malwarebytes forum post you can rename mbam.exe to something else:
http://forums.malwarebytes.org/index.php?s=bf5375540445801cd46624397aa2918a&showtopic=59850&pid=297318&st=0&#entry297318
Comment by brian on 2010-08-13 17:36:36 +0000
For those of you having issues running Malwarebytes or other removal tools, your best bet is to boot in Safe Mode prior to executing anything. To enter Safe Mode, simply press F8 while your computer is in BIOS prior to Windows start-up.
Comment by mary chang on 2010-08-13 19:15:13 +0000
Success to report! Our computer guru has solved all my problems, cleaned the whole system, besides identifying & removing that fake program. I intend to forward the fake’s name to Fraud Prevention authorities. If anybody wants to know, I can share my guru’s name — he has a huge reputation in our counties.
Comment by Curt on 2010-08-19 23:24:47 +0000
Is there a chance to monitor ports on unmanaged switches and the NICs of the machines attached to these ports?
I am experiencing ports to be hung up by machines in a way that they are not reachable anymore. The switch seems to be physically well but traffic to these ports is impossible.
Comment by James Eighmey on 2010-08-21 10:16:47 +0000
If you are a newbie to system security, you can run ClamAV Portable or Stinger to remove Wireshark Anti-Virus. Here are the links to both. McAfee Stinger – http://vil.nai.com/vil/stinger/ ClamAV Portable – http://portableapps.com/apps/utilities/clamwin_portable Your best bet is to run these from a flash drive or memory card, and download them from a clean system.
Comment by Jamie on 2010-08-23 16:20:38 +0000
Wow… There’s some really stupid people floating around. “Wireshark” is an awesome packet-sniffing program. “Wireshark Antivirus” is a virus, and is not related to Wireshark in any way. Get a brain, people.
I would smack you people so hard, if I could. Give Gerald a break from your stupidity…
Comment by Joe Sammarco on 2010-08-24 13:13:10 +0000
This piece of malware is almost indistinguishable from the “SuperAntivirus 09” bug of recent fame. These idiots probably pulled the name “Wireshark” out of the blue because it sounded cool to them. The bug is easily eradicated by running the free application “Malwarebytes Anti-Malware scanner” in Windows Safe Mode. Just download the free software and make sure it updates before you scan with it. If you are not computer literate enough to do this for yourself, there are plenty of guys like me around willing to charge for this work.
Comment by Chris Maynard on 2010-08-29 07:36:45 +0000
Wow, how sad is it that the first site listed after a Google or Yahoo! search for wireshark is “Wireshark Removal”.
Comment by Michael McNamara on 2010-08-30 20:37:38 +0000
I’ve been on the receiving end of a few similar situations. Unfortunately you’ve got to bite your tongue and soldier along. You did a great job of communicating the issue once you learned of it. It’s a shame that users continue to be the mindless people that we know them to be.
Cheers!
Comment by Jason Cruse on 2010-08-31 07:58:50 +0000
Well, I do computer work and let me tell you, this and other FakeAlert programs and rogue spyware is crazy here in Ohio. Some let it go as far as where the system is so far bogged down that I end up having to do a reinstall. Usually you can get rid of everything but the redirector. It’s my job… but still a pain.
Comment by M. O’Connor on 2010-09-16 13:16:58 +0000
Don’t want to sound flippant but…
Whoever created the wireshark AV app has created a new definition of “Wireshark” 🙂