TOPIC: A gr8 l8 PSA

Have you ever seen something similar to this?

And I mean almost identical, if so. Wipe your PC.
This is Betabot, betabot is a fucking crazy ass botnet designed not to be removed.


What does betabot do?
It runs, hides it's files using a userkit/ring3 rootkit (Fancy way of saying FUCK YOU Anti-viruses and any prying eyes)
It then forces admin using that prompt you saw
Then it kills all AVs (Anti-viruses) on your system.
You are now stuck with a hectic botnet, designed to steal Passwords and Credit cards from you. GLHF.

Getting rid of it can be a pain, finding a file hidden by a root kit is kinda hard. Since rootkits affect only system api calls, reading directly from hardware is one way to do it. Try finding programs against it.

The positives of betabot are as follows, it stops most malware from running as its root kit hooks functions used by most malware and renders them unusable. Once a bot kill has been completed your machine would be cleaner then if you had run a Virus Scan.

Why your AV can't help you. Making it undetected by all anti viruses is easy, once its run it then has a foothold and can beat the AVs.

If you need help removing it just ask.

Malwarebytes Chameleon

Good thing soxey is back telling us this information. Don't understand most of it, but still hey, he's helping

gr8 to heer i hav not encconterd this befor thank for shering.

In reality, I've only suffered from one major virus. I can't remember it's name. All it did was stop me from opening any program and saying it's infected. I just rolled my PC back. it fixed that twat.

>makes botnet
>warns everyone about botnet

It is not actually always a virus if you see that pop up. I had it recently, because my HDD was dying. I did multiple S.M.A.R.T. scans on my harddrive and it was actually my harddrive failing, not a virus.

So how can you tell the difference?

I found some more detailed information

Ruben wrote:
Viruses that display error messages like this are designed to be the same as the real ones. from my experience, there is no 'real' way to tell...The best way is to not rush into thinking its legit, just because its says its from 'windows' dont mean it true.
look on the internet, google is your best friend. always.

Yeah, the virus tries to gain permission through command prompt.

So, that means, if you get this pop-up without command prompt (while you have UAC enabled), it is legit.

Section wrote:
Done.

Ruben wrote:
NONONONO!!!!!!! CMD has nothing to do with this. It tricks you into giving it Admin rights or smthn like that if you have UAC enabled...

usa.kaspersky.com/internet-security-center/definitions/beta-bot

If you read the article I posted, you could clearly see that the virus USES the command prompt to ask for permission. If you start up command prompt with elevated permissions, processes started through that instance of the command prompt inherit the permissions and thus have elevated permissions as well.

So the virus starts cmd.exe with admin rights, you are prompted with a pop-up to ask if you want to give permission. If you don't click "More details" you won't be able to see WHAT it is running, thus you won't see any harm in accepting it. As soon as you accept it, it opens, runs a command, closes the command prompt. Virus is now up and running.

If you don't have UAC enabled, it can do this without even asking for permission.

So if you see a pop-up about a corrupt folder or files, without being prompted with a command prompt asking for admin permissions and you have UAC enabled, you can almost surely say that it is not a virus, but a legitimate warning.

Ruben wrote:
If you have actually seen the botnet in action you'll notice it does not always use CMD. The virus runs w/wo admin priv.

Once clicked, it spams UAC, and you cannot use your PC without wiping. So you know, poor programming = fun for me.

An easy way to tell is that it'll always say Documents, always 3 and many other things like the lack of a close, min, or max controls.

---

Section wrote: <3 you section. they don't know what I have on my site.

---

DarthVader wrote: I do believe that it even kills that, not entirely sure, but BB was released after this so i'd assume so.

---

DarthVader wrote:
What it does is it executes CMD with arguements to execute itself with admin privileges.

---

Extra information:
A single build (A binary/executable like .exe designed for 1 site) costs $50 even after the program was leaked and cracked. Builders can go for $200 and are not easy to come across. I may have one.

Section wrote:
Yep.