The Moon Worm - Infects Home Routers - Shows Fake "Adobe Flash Critical Update Required" Message

This worm will just not go away! The title banner is: "Please Install Flash Player Pro to Continue".  It occurs randomly. Sometimes daily. The executable file name always changes. Norton detects it after the ad appears, says it is "not safe", and offers to uninstall it. Once Norton does its thing, the computer operates normally until the next occurrence. I run Windows 7 Pro with Chrome.  Here's what I have done to try and get rid of it!

1. Trashed my old LinkSys router and bought a TP-Link TL-WR841N router. I immediately flashed the firmware to the latest version.

2. Reset Chrome and MS Explorer to default.

3. Ran CCleaner, AdwCleaner, and Malwarebytes

I'm out of ideas. I was thinking of upgrading my motherboard and CPU anyway and using a late 2013 disk image, but I hate to go all through that and not know it will get rid of this problem.

I generally feel that I have a decent understanding when it comes to computers, however you have me stumped on the "reinstall your firmware". I thought I knew what you meant but apparently I didn't because I CAN NOT get rid of this stupid worm!!! I'm about to lose my mind! I downloaded Malwarebytes and AdwCleaner then deleted my history, cookies, cache and EVERYTHING I was able to in both IE and Chrome then closed them out. Then unplugged my Arris wireless router (so that it would reset) uninstalled it from my computer then ran my AVG, the Malwarebytes and AdwCleaner. After they were all done (and they only picked up a couple things surprisingly) I restarted my computer. Once it came back up I then completely just shut it down and went to bed. Got up this morning and plugged in my router, turned on the computer and got everything set back up and going and within 5 minutes the pop ups started covering my page and sending me off to other pages and locking up Chrome!!

I am about to throw my computer across the room! All this because it said Adobe needed to update. I am very careful and am not one to just dl ANYTHING! My stupidity was seeing and trusting the Adobe emblem PLEASE HELP!!!

https://www.facebook.com/groups/HollysSongofHope/

Well it seems this isn't just linked to Linksys and DLink.  I'm running a Technicolor router provided by Plusnet (UK).  I've started to see this message coming up on my machine while running chrome.  It tried to get me to download a program called "setup" from flash.zuqiuing.com - obviously fake, though the page looks like the original.  As it's stupid-o'clock here, I'll deal with the router et al tomorrow and hope it'll resolve the problem.

One thing I've noticed, that might be related, is that as I load any page, I'm getting what looks like loads of meta-data, and on top of that Chrome keeps crashing.  I am able to browse most of the time successfully, just every now and then get this issue.  I've no other computer to try on this, however I do have android devices which don't use flash, but they've seemed slower on download of late.  BitDefender hasn't reported any problems, though I did have to re-install recently.

I'm running Win7 Ultimate 64 bit.  I also have a buffalo airstation running as a wired access point.

YOU MUST RESET ROUTER TO FACTORY DEFAULT BECAUSE A MALWARE IS ON IT AND HAS CHANGED

ALL DNS ADDRESS TO DEVIATE TO ADOBE FAKE SITE.

YOU MUST REMEMBER TO SCAN PC WITH MALWAREBYTES TO BE SURE IT DON'T COME BACK.

BYE

FABIO

I figured out the problem. The router hack simply changes the DNS server to a DNS hosting service (severel.com). In my case a password hack could get downloaded. The malicious DNS server numbers in question for my issue were; 199.182.166.168 and 199.182.166.169  After you reset or flash your router firmware, make sure and install the correct DNS servers for your ISP.. Also make sure you disable "remote management". My router is a linksys E3000. Linksys has never updated the bios for this router.

A second option is to simply install the correct DNS server addresses for your ISP in the routers setup page.

Hey i am currently experiencing this problem at work. we have a Cisco router there.I made the mistake of getting my laptop (WIN 8.1) plugged into this network and then my laptop was experiencing the same thing. My questions are 1. is this transferable  i.e. if i take my laptop home to a Netgear router will this infect my home network.  2. has there been a firmware update for this. 3. any more news on this?

I have a Cisco E3000 Wireless N Router. I was having the issue accross OSX and Windows. This thread was a big help, but when I tried to get the latest firmware from Cisco I found the download link was no lnger present. I chatted with their support and obtained the following info if it helps anyone:

"Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default."

" If you have not enabled the Remote Management Access feature of the router, you are not susceptible to this specific malware. If you have enabled the Remote Management Access feature, we can prevent further vulnerability to your network by disabling the Remote Management Access feature and rebooting your router to remove the installed malware. Linksys will be working on the affected products with a firmware fix that is planned to be posted on our website in the coming weeks."

"What we can do to fix this issue is to make sure that the router's security settings is enabled and the remote management is disabled."

"Ensure that the Filter Anonymous Internet Requests on the Security Page is enabled."

"The next step would disconnect us from the session. We need to reboot the router to clear the cache."

"According to the system, your product is already outside the complimentary assisted support period. I’d just like to inform you that we normally charge a fee for supporting this type of issue,

but since we’re seeing a potential hardware problem with the product, we’ll be extending complimentary support just this one time."

"We also need to upgrade the Firmware. However, the Firmware for this router is no longer available for download. Disabling the remote management on your router and securing it would help fix the issue."

I did find the latest firmware for the E3000 here: http://www.userdrivers.com/LAN-Network-Adapter/Linksys-E3000-Wireless-N-Router-Firmware-Update-1-0-04-build-6/download/

You may want to contact support for the manufacturer of your router to see if there's any way to check for malicious code or the procedure to wipe and reload the router.  In our infected Linksys E2500 router we had already installed the latest firmware version.  I downloaded and reinstalled the latest firmware but it didn't seem to help. 

19.trollwv, the only way I could get rid of it was to go into the browser settings and do a complete reset on the browser.  Remember, your Linksys router could have had malicious code installed in it that will just keep reloading it into your browser.  I don't think that Linksys has a firmware update to fix this problem yet.  I pulled our Linksys out of service and used a Cradlepoint router that we already had on hand for temporary internet access until our Cisco router arrives.

Another thing, if you have remote management turned on in your Linksys router, turn it off as port 8080 seems to be one of the ways that they're placing the malicious code in the router.