WTOP victim of malicious cyber attack

Posted May 8, 2013, at 8:43 p.m.

The information below has been posted to help FederalNewsRadio.com and WTOP.com visitors check their computers for malware, in light of the recent cyber attack on our system.

  1. How do I know if my computer was infected?

    The malware attack targeted the Internet Explorer browser. If you accessed FederalNewsRadio.com or WTOP.com from Internet Explorer recently, you may have been infected. While other browsers may not have been directly infected, the malware still may have installed a cookie on your browser. We urge everyone to clear their cookies and browser cache no matter what browser they have been using to access FederalNewsRadio.com and WTOP.com, and to do a full virus scan on their machine (see instructions below).

    An infected machine may exhibit some or all of the following behavior:

    • Active programs will be shut down.
    • Fake virus scanner, often labeled “Internet Security,” will automatically open and run.
    • Inability to open or access any programs or applications. Attempting to do so may result in a fake virus warning.
    • Periodic pop-ups displaying a fake warning and/or prompting the user to purchase the full product.
    • The malware (often called amsecure.exe) resides in memory and adds itself to the list of startup programs.

    An infected machine will likely open numerous windows with an error message such as:

    • “Amsecure.exe warning! Application cannot be executed. The file cmd.exe is infected. Please activate your antivirus software.”
    • “Warning! Running Trial version!! The security of your computer has been compromised! Now running trial version of the software! Click here to purchase the full version of the software and get full protection for your PC!”
    • “Attention. Suspicious software activity is detected by Amsecure.exe on your computer. Please start system files scanning for details.”
    • “Amsecure.exe detects application that seems to be a key-logger. System information security is at risk. It is recommended to enable the security mode and run total System scanning.”
    • “Warning! Name: taskmgr.exe. Name: C:WINDOWStaskmgr.exe”

    You may also see error messages when trying to access the Internet, such as the ones below:

    • Iexplore caused an Invalid Page Fault in module3 (the number at the end can vary)
    • The web page you requested is not available offline
    • Explorer caused an exception C06D007EH in module Sens.dll

  2. What do I do if I was infected with malware?

    If you don’t already have an anti-virus program on your machine, download one. Some free possibilities are AVG or Avast. A removal tool, which may help, can be found here. The best practice for removing malware is to download the anti-virus program to a trusted, non- infected computer instead of the computer which you believe has the virus.

    If you have access to a trusted, non-infected computer:

    • Download the anti-virus program and save it to a CD or flash drive.
    • Reboot the infected computer.
    • As soon as you see the screen come on, begin tapping the F8 key.
    • You should soon see a menu of options. Use the arrow keys to move up and down the options list (your mouse won’t work) until the “Safe Mode” option is highlighted.
    • Press “Enter” to choose “Safe Mode”.
    • After the computer is done booting into safe mode, insert the CD or flash drive that contains the anti-virus program you downloaded earlier. Navigate to the drive that contains the program. Run the anti-virus program by double clicking on it.
    • Run a full scan on the computer and have it remove any infected files.
    • Restart the computer into its regular state.

    If you do not have access to a trusted, non-infected computer:

    • Reboot the infected computer.
    • As soon as you see the screen come on, begin tapping the F8 key.
    • You should soon see a menu of options. Use the arrow keys to move up and down the options list (your mouse won’t work) until the “Safe Mode with Networking” option is highlighted.
    • Press “Enter” to choose “Safe Mode with Networking”.
    • After the computer is done booting into safe mode, open a browser and download the removal tool from:

      http://www.sophos.com/en-us/threat- center/threat-analyses/viruses-and-spyware/Troj~FakeAV-GOJ.aspx

    • Run a full scan on the computer and have it remove any infected files.
    • Restart the computer into its regular state.

FederalNewsRadio.com and WTOP.com continue to block access to our websites via the Internet Explorer browser.

WTOP will provide more updates in this space as they become available.


If you have questions or wish to report any issues, please contact John Meyer via phone at (202) 895-5077 or email.


Advertiser Content