Computer Security Scam (Infosis.net and 00C04FD7D062)

I spent an exciting twenty minutes on the telephone this morning with a guy claiming to know my computer had all sorts of malware on it, that hackers had taken control of it, and it was generally full of bad juju (my words, not his).

I spent the time because I wanted to see where this all went and how good he was (I was also bored). I acted dumb, and never told him I have a doctorate in computer science and did computer security.

The call came from a “Private Number” with no caller ID to my home phone. I never really understood the caller’s name; he had a very pronounced Indian/Pakistani accent and always mumbled when saying his name. For simplicity, I will call him Tabaqui (before you look it up, Tabaqui is the jackal in The Jungle Book who ate scraps the other animals left).

Tabaqui claimed to be from Microsoft’s outsourced computer security support center, and that the Microsoft security server had been getting all sorts of malware alerts from my computer. He was calling because the malware on my computer would intercept any corrections they sent, so he was calling to put this right in person.

There is a grain of truth here because Microsoft does collect information from Windows computers.

He told me my unique Windows machine security code ending in “00C04FD7D062” had been filling the Internet with badness and his job was to help me stop this. (Hint: This number is a recurring theme)

Tabaqui walked me through opening a command prompt and running the “assoc” command. One of the last things that appears when you run the command is:

.zfsendtotarget=CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

“See!!! It matches the number I told you about earlier. Your computer is infected!”

Comment: That number does match what he originally said. Unfortunately, that particular “unique number” is returned by over 90% of the Windows computers in the world. So … I don’t really think it is unique. Perhaps Tabaqui’s definition of unique is different than mine?

Next, he had me open the event viewer and then led me to look at the “Administrative Events” listing.

“How many events are there?” 6,136. “Oh, my goodness! Your computer is so infected.”

Comment: He conveniently ignored both the “Critical Event” list (with no items) and anything else (like the “Security Event” list).

Tabaqui then asked me to describe some of these 6,136 bad events. When I did, he told me how bad they were.

For example, the error for the Garmin updater not starting had been caused by malware. Comment: Amazing … I thought it hadn’t started because I had disabled the start process; I didn’t want it loading every time the computer booted up when I only used the updater a couple of times a year.
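The two pieces of “evidence” the caller relied on (the assoc output and the Administrative Events count) can be checked in a minute from PowerShell. The script below is an added example, not part of Tim's submission; it assumes a Windows machine with PowerShell 5.1 or later, and the Security log query needs an elevated prompt. The event-level grouping over the Application and System logs is an approximation of the Administrative Events view, which is a built-in custom view of Critical, Error and Warning events across the administrative logs.

```powershell
# Added example (not from the original post): re-run the caller's two checks and see what they really show.

# 1. The "unique security code". assoc maps .zfsendtotarget to a CLSID; look that CLSID up in the registry.
#    It is the standard "Compressed (zipped) Folder" shell object that ships with Windows, so it is the
#    same on every machine, which is why the caller could "predict" it before the command was run.
$clsid = '{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}'
$key   = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue
"CLSID $clsid resolves to: $($key.'(default)')"

# The association itself, exactly as the caller had the author view it.
cmd /c assoc .zfsendtotarget

# 2. "Administrative Events" collects every Critical (1), Error (2) and Warning (3) event from all logs.
#    Group the same levels by name to see that a large count is mostly ordinary warnings and errors
#    (a service that did not start, a disabled updater, a printer offline), not malware indicators.
$levels = Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; Level = 1, 2, 3 } `
    -ErrorAction SilentlyContinue
$levels | Group-Object -Property LevelDisplayName | Select-Object Name, Count

# 3. What the caller skipped: the Security log. Failed logons (event ID 4625) are a concrete signal
#    worth reviewing; a handful from your own typos is normal, a steady stream from one source is not.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it on any healthy Windows box and the CLSID resolves to the same zipped-folder object, and the Administrative Events count is dominated by warnings that have nothing to do with an attacker. That is the point: a number that is identical on every machine cannot identify yours, and a raw event count with no look at what the events are is not evidence of infection.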

Finally, we got around to going to his web site, where I could download some simple software to make this all go away. The web site is: www . infosis . net, but I seriously recommend staying away from it.

I asked Tabaqui why it wasn’t a Microsoft.com site. I had to repeat the question a couple of times while he came up with an answer. Tabaqui said Microsoft had outsourced everything like this to Infosis. I thanked him for his time and hung up.

If you Google either “infosis.net” or “00C04FD7D062” you will get a lot of returns reporting scams. So, this isn’t new. It was pretty well done though.

reader submitted

Tim Gibson from Fairfax, VA