Participating Frequently
March 24, 2014
Solved

The Moon Worm - Infects Home Routers - Shows Fake "Adobe Flash Critical Update Required" Message

  • March 24, 2014
  • 14 replies
  • 143803 views

Greetings,

This morning we had numerous workstations pop up with an Adobe Flash error.  The browser will be taken over by an Adobe Flash Critical Update Required page and won't let the browser go to any other internet site.  Within the page, a box will pop up that says:  "Attention!  your current version of Adobe Flash Player is outdated!  Your computer is vulnerable to malware now.  Update your Adobe Flash player now."

This message pops up on IE Explorer version 9-11, Google Chrome and Firefox and the operating systems are Windows XP Pro and Windows 7 Pro.  It has all the behavior of a virus or malware so I don't want to run its download file which is named install_flashplayer_12_x32_64_msaa_aax_latest.exe.

I've been able to download both flash player installs from the Adobe.com site for both IE and Other Browsers.  Sometimes I've been able to run the installs and it shows that the download and install ran okay with Adobe Flash Player 12 ActiveX showing up in the installed programs list.  Other times, the install won't run and the install file mysteriously gets deleted.  Even after the successful download and install, the browser works briefly okay and then gets seized by the "Critical Update Required" page again.

We're running AVG Anti-Virus Business Edition which is kept updated.  A scan with this program and an updated version of Malwarebytes isn't showing any viruses or malware that could cause this problem.

What can I do to get rid of this "Critical Update Required" problem and get our browsers working again?

Thanks.

Bill J., Lexington, KY

    Replies to this topic have been closed.
    Answer that resolved the issue: douglas_kelly

    I got it fixed.

    It's called the Moon virus or worm. It does not reside in your PC. It is malicious code that is embedded into your wireless router, primarily Linksys, but D-Link and Motorola have also been affected. Simple fix is to reinstall your firmware and simultaneously delete all web browsing history and cache from the browser, then even reset your browser to factory default, and YOUR PROBLEM IS FIXED.

    Doug

    14 replies

    whjco (original poster)
    Participating Frequently
    March 26, 2014

    Okay folks, here's the latest.  Thanks to Mike M's post above I've been able to do some additional research and have come to the conclusion that our Linksys E2500 router has been hacked.  I pulled it out of service and set up a router from a different manufacturer and we're now able to access the internet.

    However, the redirects from the infected router had installed some additional settings in the browsers themselves, so I had to do a complete browser reset and that took care of the problem.  To do this in Internet Explorer, I clicked on Internet Options/Advanced Tab and then click on the Reset link at the bottom and also reset all personal settings.  In Google Chrome, I've had to go to Settings, click on Show Advanced Settings at the bottom, then click on Reset Browser Settings in the link at the very bottom. 

    So far, we've been back up and running without any problems.

    Participant
    March 26, 2014

    Bill, one of my employees downloaded this malware and we have a network, but only this one computer is affected.  The computer's OS is Windows 7 w/IE 11 and the network is using a Linksys E4200 router for internet access.  I have noticed that only .com's seem to be affected from the computer's browser and that I can access the internet through another program or bring up a website with .net only once.  None of our scans (4) picked it up either and we reran them through safe mode with no success.  We even tried a web-based scan with no luck picking it up.  I did find something odd when I was able to access a .net company in IE and tried to go to another website: the Adobe Flash Player malware reappeared and again asked to be downloaded.  When I cancelled that process I went to the tools icon, went to Security and Delete Browsing History, checked all boxes and ran it.  Out of the 4 programs we've run, Microsoft Security Essentials was the only program to pick up the malware and showed it as BackDoor:Win32\Simda.AT, and MSE removed it. We rebooted but it's still there. Once it's downloaded, now the job is refinding and removing it, so if you or anyone else has something to remove it completely please let me know.

    whjco (original poster)
    Participating Frequently
    March 26, 2014

    The router hack still seems to be the best explanation.  However, does this mean that the redirect that could be in the router has caused the connected workstations to download malicious software?  None of my security software is showing anything so I've ordered a replacement Cisco router and will see if that helps the problem.

    whjco (original poster)
    Participating Frequently
    March 25, 2014

    I downloaded and ran Kaspersky's TDSSKiller.  It's not finding anything.

    Any suggestions as to what to try next?

    Thanks so much for your help!

    Bill J.

    March 28, 2014

    In my experience, Malwarebytes reported finding Trojan.Happili within install_flashplayer_12_x32_64_msaa_aax_latest.exe.  It seemed a bit suspicious from the get go (very un-Chrome like behavior to hijack the start page with an Adobe Flash Install page). This was a redirect of http://www.google.com but not https://www.google.com.

    Changing my router settings to disable Remote Management solved the persistent redirect problem.  My security settings already included Filter Anonymous Internet Requests.

    Very glad to have found this page. Thankful for everyone's contribution.

    Participant
    April 4, 2014

    I experienced the very same issue being discussed here last night via all browsers. I have a Cisco/LinkSys E3000; there is quite a bit documented on this 'Moon' worm from SANS but very little from Cisco directly. Disabling remote management on the router has done the trick but I see that only as a temporary workaround to disable the hacking/redirecting via HNAP; the real fix would be a firmware update and I can't find any reference on that from the horse's mouth.

    C_F_McBlob
    Inspiring
    March 24, 2014

    install_flashplayer_12_x32_64_msaa_aax_latest.exe.

    is nothing that comes from here

    http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe

    and

    http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe

    are the ONLY legitimate files for Flash Player FULL installers

    But, NOTHING with "latest.exe" would be legit.

    Do a "clean install" on any machine you believe is out of date. http://forums.adobe.com/message/4041846

    Also look into TDSSKiller from Kaspersky to remove adware.
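The following is an added example, not code from this thread or from Adobe: a small Python check a helpdesk could run on a captured HTTP response from a workstation behind a suspect router. It combines two points raised above: the March 28 observation that plain http://www.google.com was redirected (https was not), and C_F_McBlob's rule that only the two download.macromedia.com URLs are legitimate full installers and nothing ending in "latest.exe" is. The sample response body and the 203.0.113.10 host are constructed placeholders, not a real capture.

```python
import re
from urllib.parse import urlparse

# The only two legitimate full-installer URLs quoted in the thread.
LEGIT_INSTALLERS = {
    "http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe",
    "http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe",
}
LEGIT_HOST = "download.macromedia.com"

# Wording of the fake prompt reported by the original poster.
FAKE_PROMPT = re.compile(r"adobe flash.*(critical update required|outdated)", re.I | re.S)
EXE_LINK = re.compile(r'href="([^"]+\.exe)"', re.I)


def classify_installer_url(url):
    """'legit' for the two known Adobe URLs, 'suspicious' for off-host or *latest.exe links."""
    if url in LEGIT_INSTALLERS:
        return "legit"
    parsed = urlparse(url)
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    if parsed.hostname != LEGIT_HOST or filename.endswith("latest.exe"):
        return "suspicious"
    return "unknown"


def check_http_response(requested_url, status, headers, body):
    """Return a list of findings that indicate the router-level hijack described in the thread."""
    findings = []
    req_host = urlparse(requested_url).hostname
    loc = headers.get("Location", "")
    loc_host = urlparse(loc).hostname
    # An HTTP request for one site answered with a redirect to a different host.
    if 300 <= status < 400 and loc_host and loc_host != req_host:
        findings.append(f"redirected off-site to {loc}")
    # Page content carrying the fake "Flash update" prompt.
    if FAKE_PROMPT.search(body):
        findings.append("fake 'Adobe Flash update' prompt in body")
    # Any .exe link that is not one of Adobe's own installers.
    for link in EXE_LINK.findall(body):
        if classify_installer_url(link) == "suspicious":
            findings.append(f"installer not from Adobe: {link}")
    return findings


# Constructed sample modelled on the prompt quoted in the first post (placeholder host).
SAMPLE_BODY = (
    "<html><title>Adobe Flash Critical Update Required</title>"
    "<p>Attention! your current version of Adobe Flash Player is outdated!</p>"
    '<a href="http://203.0.113.10/install_flashplayer_12_x32_64_msaa_aax_latest.exe">Update</a>'
    "</html>"
)
```

Run it against the response your browser actually receives for http://www.google.com (for example from a proxy or packet capture); a clean router yields no findings, while the hijack described here yields the prompt and installer findings.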