First off, if you have a WordPress website and have BulletProof Security installed then your WordPress website is completely protected from being infected or hacked by the LizaMoon SQL Injection attack.  The SQL Injection filters in BulletProof Security will completely block the LizaMoon SQL Injection attack.

Most websites are reporting that this is a relatively harmless form of website attack that will not lead to serious computer infection, but I see a huge red flag in one of the functions of the LizaMoon virus program.  The Windows Sysinternals Process Explorer is either prevented from loading or is killed by the LizaMoon virus, so you can’t see what is going on with processes on your computer system.  What are the hackers trying to hide?  If my suspicions are correct then this is a variant of a very high level Facebook drive by virus that infected computers last Fall.  The utility that I used that exposed this virus program on that computer was the Sysinternals Process Explorer.  It made it obvious right away that something was running on that computer system that should not have been and also exposed that it was a very sophisticated self contained program running at the core system level.

The visual design of that Facebook drive by virus is very similar to the LizaMoon SQL Injection hack.  Before I can say with any certainty that this is something that people should be very concerned about I will need to infect a computer and see how deep it goes.  The Facebook drive by virus appeared to only be a nuisance, but I discovered that a computer that was not protected with a software Firewall was being remotely controlled.  That computer was protected with Anti-virus software.   How was this done?  The virus went right for the core of the Windows Operating System – the .NET Framework.   This is an area of the Microsoft Windows Operating Systems that most people are not familiar with or are not even aware that it exists.

Read this Wiki page on the .NET Framework and .NET Assemblies for information on the .NET Framework.

The Facebook drive by virus appeared to be only a nuisance intentionally in order to mislead people into thinking there was nothing to worry about.  The design and idea of that particular virus was to make people only see the surface attack and not look deeper into a very well hidden and completely silent program that was running in the background.  That virus program gave the hackers full remote control of your computer whether or not you had the desktop remote control service turned off.  The level that the virus program was written for was well beneath the surface systems.  The virus program was an assembly that was written for the core .NET Framework.  Have you ever wondered how Microsoft sends you notifications that updates are available if you have everything turned off?  The core executable program that handles this is the Microsoft Distributed Transaction Coordinator (MSDTC).  What is MSDTC?  It is the executable that performs the transaction coordination role for components, usually with COM and .NET architectures.

As I stated above I have not yet confirmed that the LizaMoon SQL Injection attack could also contain code that could infect your computer at the core .NET Framework, but all the signs indicate that this is a more advanced variant of that same virus program.  I will know conclusively once I have infected a computer system and checked the .NET Assemblies for the program or a similar program.  The Facebook virus was a full-blown desktop remote control program added to the core .NET Framework that was designed to avoid any detection, with the end goal appearing to be to allow a remote hacker to see every file on your computer because they had complete remote control of the system.  If you store sensitive financial information on your computer system, like bank account information, then this information would be compromised.

So I would advise that until the LizaMoon virus can be truly labeled as harmless, deep inspection of the .NET Framework Assemblies must be done on a computer that has been infected.  I will post results here once I have had a chance to infect a computer and fully diagnose the payload and capabilities of the program.  I am hoping that I find nothing, but I am expecting that I will find another similar remote desktop control program in the assemblies.


Facebook Microsoft Security Essentials Alert | Facebook Malware | Fake mstsc.exe File

Author: AITpro Admin
Published: November 6, 2010
Updated: December 4, 2010

This is nuisance Malware and will not do any serious damage to your computer.  If you have clicked on any of the bogus Malware program buttons you may have further and more serious problems, but it appears that this Malware is just intended to trick you into buying bogus Malware cleaning software under the guise of being alerted by the Microsoft Security Essentials anti-Malware program.  Since I did not click any of the buttons I’m not exactly sure what would happen next.

Clicking on a video on Facebook caused the download of mstsc.exe and 2 other files – hotfix.exe and dkfjasdfshd.bat.  This is a profile specific Malware attack that will only download these 3 files to your computer and launch what looks like a legitimate virus warning message – see below.  The 3 files are downloaded / located in your profile folder >>> C:\Documents and Settings\your_profile_name\Application Data folder.   This Malware does not add any Registry entries or any other Malware files to your computer system.

The program will disable Task Manager, Regedit, Regedit32, log off and shutdown, so you may have to cold boot your computer in order to delete the 3 files.  Since this is a profile specific Malware infection it will be launched again as soon as you log back into the profile that is infected with these Malware files.  The easiest way to delete the 3 files is to log into your computer with another computer account, navigate to the profile that has these files in it and delete them.  I did not try booting into Safe Mode and deleting them from the infected profile, but that may work.  You could also boot into DOS Safe Mode and delete the files that way using the DOS delete command.  I noticed that this Malware blocked the standard things like regedit32, etc. that allow you to remove Malware programs, but it appeared that my computer functioned somewhat normally as far as opening other apps and panels, so you could probably go to your control panel, create a new computer account, reboot your system, log in with that new computer account and delete the 3 files in the profile of the computer account that is infected with the Malware.

The Microsoft Security Essentials Alert Warning Message is Bogus.  Microsoft Security Essentials is a legitimate anti-malware program, but this Malware is just imitating the legitimate software application.

Do NOT click on any of the Malware buttons!

(Screenshot: Facebook Malware Microsoft Security Essentials Alert)

Looks like F-Secure documented this Microsoft Security Essentials fake on 10/22/2010.

http://www.f-secure.com/weblog/archives/00002053.html

My original search did not find this documented case.  This post contains additional technical info about the Malware scam.  Also check out the F-Secure site for other details that are not covered in this post.

mstsc.exe is a legitimate Microsoft file used for Remote Desktop Connection and is located in your /system32 folder.  So do not delete that file.  Any time you are unsure of whether a file is legitimate or not, check the file’s properties by right-clicking on the file and clicking Properties.  99% of all Malware, Spyware or other malicious programs / files will not have a Version tab; a legitimate .exe, .dll or other type of file will have a Version tab that tells you who created the file.
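The Version-tab check above can be done from the command line for every profile on the machine at once.  The PowerShell script below is an added example, not code from the original post or from BulletProof Security: it looks for the three file names named in this post in each profile's Application Data folder, reports the same version information the Properties > Version tab shows plus the Authenticode signature status, and compares them against the legitimate mstsc.exe in System32.  It assumes it is run from an unaffected administrator account and that the profile root is either C:\Users or C:\Documents and Settings.

```powershell
# Added example (not the original post's code): triage the files this post names.
# Assumption: run as an administrator from an account that is NOT the infected profile.
$suspectNames = @('mstsc.exe', 'hotfix.exe', 'dkfjasdfshd.bat')   # names from the post

# Pick the per-profile "Application Data" layout for the OS this runs on
$profileRoot = if (Test-Path 'C:\Users') { 'C:\Users' } else { 'C:\Documents and Settings' }
$appDataSub  = if ($profileRoot -eq 'C:\Users') { 'AppData\Roaming' } else { 'Application Data' }

function Get-FileTriage {
    param([System.IO.FileInfo]$File)
    $vi  = $File.VersionInfo                       # same data as the Properties > Version tab
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Missing CompanyName (no Version tab) is the strongest signal from the post;
    # an invalid or absent signature is the second one.
    $verdict = if (-not $vi.CompanyName -or $sig.Status -ne 'Valid') { 'SUSPICIOUS' } else { 'ok' }
    New-Object PSObject -Property @{
        Path        = $File.FullName
        SizeBytes   = $File.Length
        Company     = $vi.CompanyName
        Product     = $vi.ProductName
        FileVersion = $vi.FileVersion
        Signature   = $sig.Status                  # Valid / NotSigned / HashMismatch / ...
        Signer      = $signer
        Verdict     = $verdict
    }
}

# Walk every profile (Where-Object PSIsContainer keeps this working on old PowerShell)
$results = @(
    foreach ($profile in (Get-ChildItem -Path $profileRoot | Where-Object { $_.PSIsContainer })) {
        $appData = Join-Path $profile.FullName $appDataSub
        if (-not (Test-Path $appData)) { continue }
        foreach ($name in $suspectNames) {
            $candidate = Join-Path $appData $name
            if (Test-Path $candidate) { Get-FileTriage -File (Get-Item $candidate) }
        }
    }
)

# Reference row: the real Remote Desktop client lives in System32 and carries Microsoft
# version info. Note that system files are often catalog-signed, so older PowerShell
# may report NotSigned here; the Company column is the reliable comparison in that case.
$results += Get-FileTriage -File (Get-Item (Join-Path $env:SystemRoot 'System32\mstsc.exe'))

$results | Format-Table Path, Company, Signature, Verdict -AutoSize
```

A copy of mstsc.exe anywhere under a profile's Application Data folder is itself a red flag, regardless of what its Version tab says, because the legitimate file is only installed in System32.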

(Screenshot: legitimate MSTSC.exe Microsoft file properties)
