Antivirus Outbreak

Wednesday, August 4, 8:00 AM

We receive a phone call from someone complaining about “Wireshark Antivirus”. I take the call. The person on the other end isn’t able to provide many details other than that a program named “Wireshark Antivirus” is displaying some a shield and directing him to the cacetech.com web site.

This is new. We’ve been on the receiving end of a few false positives in the past but this is new. Some jackass is using our name do do harm.

This will not end well.

August 4, Morning

I start searching using Google and Bing, looking for other reports or any details. This is my job for the rest of the day.

So far our only exposure is through reports from other people. A forum post mentions “Wireshark Antivirus.exe”. I ask for screen shots so I can at least put an image online but don’t received any.

The calls continue, but are mercifully few. I add news items to www.wireshark.org and www.cacetech.com and send an email to wireshark-users and wireshark-dev.

This will not end well.

August 4, Afternoon

Two discussions pop up on Yahoo! Answers. This is a reputation-based Q&A site. Someone posts erroneous information but I can’t correct it. How do you get enough reputation to be helpful in an emergency?

At around 2:00 PM posts start showing up with recommendations for cleaning up the trojan.

Thursday, August 5

We get our first angry letter! Threats and foul language and everything!

More calls come in. Most AV software has been updated to catch the code if it hadn’t already done so.

This will not end well.

Friday, August 6

The reports and calls taper off.

By this time several blog entries and news articles have covered the malware. I add them to the news items on the Wireshark and CACE web sites.

This will not end well.

Saturday, August 7

More cussing and threats via email. Someone managed to find our contact information on the CACE web site, but completely missed the “Wireshark Antivirus” Malware news banner at the top of the home page.

This will not end well.

Monday, August 9

The crap-storm continues. We’re trying to help as best we can.

Tuesday, August 10

Yahoo! Answers deleted one of my comments because it was flagged as spam. Thanks Yahoo! You guys are swell!

Lessons:

Communicate. Luckily its victims were visiting www.cacetech.com, so we could pass along updates in near real time. Google and Bing helped track down users posting questions to online forums. I responded to each question with any information I had at the time.

People don’t run AV software. Seriously you should at least be running something like MS Security Essentials by now.

Even cake is dangerous. One of the infections apparently happened while looking for pictures of cake on Flickr.

19 thoughts on “Antivirus Outbreak

  1. James Wylie

    Gents,

    I’ve had two customers in the past few weeks with virus infections from an app called Wireshark Antivirus. This was strange becuase I used your app a few years back. Took me a minute to realize that it was you guys and that some bonehead was using your name to exploit with bad character your company.

    How can I help –

    Mr Wylie

  2. mary chang

    hello,
    something calling itself WIRESHARK ANTIVIRUS installed itself on my computer & seems to insist on a subscription of some sort. I wonder if your program can uninstall it? I have notified CONSUMER FRAUD REPORTING.ORG. Many thanks for any help!
    MARY CHANG.

  3. Lee Anne Farnham

    How do I get rid of this sharkware virus? It tagged on to my computer this morning when I was taking a look at wedding anouncement web sites.

    I will also send an email to consumer fraud reporting.org.

  4. belensaurus

    i got the wireshark thingy and i managed to get rid of it,
    download thee Malwarebytes’ Anti-Malware program and it will actually get rid of it
    the wireshark program thingy wont let the program pop out but all you have to do it press the alt+ctrl+delete keys together and youll get the windows task manager pc lick on the wireshark and end the task then once the malwarebites program pops out do a quick scan and once the scan is finished remove the threats and your done your computer will restart and your computer will be ok go on malwarebites again and delete the threats and your done

  5. Matt

    The MalwareBytes solution seems to have eliminated the bug itself. However, further investigation has revealed that my browser is hijacked. I do not know if this was part of the Wireshark Antivirus bug or some prior threat I missed, but Googling “Malwarebytes” and following any of the links redirects me to off-the-wall websites that I’m sure are attempting to add more malicious garbage to my machine. I highly promote MalwareBytes, but be very careful attempting to download it. You may want to DL it from the comfort of another (uninfected) machine, and copy the installer to your infected machine. Also, you may need other solutions besides MBAM if your browser has been hijacked as mine has.

  6. margy

    how to do you know if your browser’s been hijacked? I have this Wireshark AV thing and can’t open apps to download anything to get rid of it. Had just downloaded MalwareBytes the night before…then got this. Can’t open MB to even scan

  7. brian

    For those of you having issues running malwarebytes or other removal tool, your best bet is to boot in Safe Mode prior to executing anything. To enter safe mode, simply pres F8 while your computer is in BIOS prior to windows start up.

  8. mary chang

    Success to report! Our computer guru has solved all my problems, cleaned the whole system, besides identifying & removing that fake program. I intend to forward the fake’s name to Fraud Prevention authorities. If anybody wants to know, I can share my guru’s name — he has a huge reputation in our counties.

  9. Curt

    Is there a chance to monitor ports on unmanaged switches and the NICs of the machines attached to these ports?
    I am experiencing ports to be hung up by machines in a way that they are not reachable anymore. The switch seems to be physically well but traffic to these ports is impossible.

  10. Jamie

    Wow… There’s some really stupid people floating around. “Wireshark” is an awesome packet-sniffing program. “Wireshark Antivirus” is a virus, and is not related to Wireshark in any way. Get a brain, people.

    I would smack you people so hard, if I could. Give Gerald a break from your stupidity…

  11. Joe Sammarco

    This piece of malware is almost indistinguishable from the “SuperAntivirus 09” bug of recent fame. These idiots probably pulled the name “Wireshark” out of the blue because it sounded cool to them. The bug is easily eradicated by running the free application “Malwarebytes anti malware scanner” in windows safe mode. Just download the free software and make sure it updates before you scan with it. If you are not computer literate enough to do this for yourself, there are plenty of guys like me around willing to charge for this work.

  12. Chris Maynard

    Wow, how sad is it that the first site listed after a google or yahoo! search for wireshark is “Wireshark Removal”.

  13. Michael McNamara

    I’ve been on the receiving end of a few similar situations. Unfortunately you’ve got to bite your tongue and soldier along. You did a great job of communicating the issue once you learned of it. It’s a shame that users continue to be the mindless people that we know them to be.

    Cheers!

  14. Jason Cruse

    Well I do computer work and let me tell you this and other fakeAlert programs and rogue spyware is crazy here in ohio. some let it go as far as were the system is so far bogged down that I end up having to do a renistall. Usually you can get rid of everthing but the redirector. Its my job…but still a pain.

  15. M. O'Connor

    Don’t want to sound flippant but…

    Whoever created the wireshark AV app has created a new definition of “Wireshark” 🙂

Comments are closed.