AV2009 infection?

My parents complained to me that their computer (running NOD32 3.0.621 or .642 (can't remember which, I've since upgraded them to .669) was giving weird popups. When I took a look there was something that kind of looked like Norton Antivirus claiming it found a bunch of viruses. Really, this was something called "AV2009" which looks like some kind of trojan pretending to be an antivirus program. It managed to put some convincing Windows Security Center icons in the system tray (which gave different results to the real Security Center launched from the control panel). It also seemed to remove the NOD32 icon from the tray, although NOD32 appeared to be loaded based on a process in the task manager.

When I looked at the NOD32 log, it appeared to catch a file created by av2009.exe. Here's the log entry:
"21/07/08 7:37:14 AM Real-time file system protection file C:\WINDOWS\system32\scui.cpl Win32/Adware.XPAntivirus application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Antivirus 2009\av2009.exe."

I did save a copy of the av2009.exe file I found. I then proceeded to restore their system from a backup to get rid of the infection.

As usual, I'm concerned that NOD32 seems to have detected the virus, yet failed to allow the virus to run. It's also concerning that if I do an on demand scan of av2009.exe NOD32 does not identify it as a virus. In fact, when I submitted it to virustotal, only 1 scanner identified it as a fake antivirus tool.

So it seems like NOD32 detects at least one file created by av2009.exe, yet not av2009 itself. What's the deal with that?

I'm also concerned about how this got on their system at all. I've trained them not to open random e-mail attachments. They are using an old e-mail client (Eudora Mail - the last version before it was abandoned by Qualcomm). Is there any way this could launch automatically using some known exploit allowed by Eudora? Is it time I force them to switch their client?

Thanks.

 

Please refer to my post here.

 

A friend using ESS at my recommendation asked me to have a quick look at his computer last night while having a few beers at his place. He was also infected with this critter. He actually let it trick him into buying it online for $79. Nod32 first detected it on the 01-July. There are three more entries in the threat log but the malware was still up and running and still displaying the fake Microsoft Security screen.

His version of Nod32 was still 621 but the definitions were current. I think Nod32 should have a built in component updater that lets you select just how up-to-date you'd like to keep Nod32 - including the ability of rolling back to previous versions. Options like "Download on day of release" or "Download xyz weeks after release". Not everyone is into hitting this forum and then the download site every time a new release exists. V669 (or V657 and above) are clearly a heck of a lot more stable than V621 ever was.

I do respect your comment Marcos but if Nod32 had cleaned this known threat correctly, my friend wouldn't be needing to cancel his Credit Card. Many would say my friend deserved it. How could anyone fall for this rubbish but truth is, he did fall for it, which is why he pays good money to ESET. Not everyone out there is one step ahead of these rather clever scammers.

The fake is quite well done. Be careful out there people.



Removal instructions posted June 28: http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

 

No offense intended but Folks way to much exspectations are being put on Eset or any others AV for that Fact.Eset is a very good product but with any AV We need to take some other measure to help take some of the weight off so to speak.Just something to keep in mind when we question a products Effectiveness.It has been my learning experience that any stand alone AV can not tackle every thing single handed.Again no offense intended.

 

I recently got hit by one of these nasties as well. My desktop background was changed, and entries in my Start menu literally disappeared, all without a warning from NOD32. All that remained were icons to some very dubious products on my desktop, as well as a popup that warned me my computer was infected which appeared every five minutes, urging me to buy whatever slimy product they were trying to foist on me.

I spent the weekend trying to clean up my PC with no success. All the while NOD32's icon sat in the system tray, merrily declaring that it was providing maximum protection and my PC was clean. In the end my neighbor's son came over to help me clean off all that gunk, and while I paid good money for NOD32's supposedly superior protection, it was a free product that my neighbor's son used to eventually get the job done.

As a longtime NOD32 user and believer I must admit I was very shaken by this encounter, especially when a forum search reveals that I'm not the only one who has run into this problem, and ESET's response is invariably the same unacceptable, cookie-cutter excuse over and over. NOD32 has served me faithfully for years, but when compared to the performance of a competitor who offers their product for free... I just can't help but wonder.

 

Yeah these trojans are getting nasty over the past few months. I've had many clients get whacked by them....all pretty much the same variants under different names..WinXPAntivirus, XPAntivirus2008, XPAntivirus2009, today I worked on a machine with one called Defender2008.

They get hit by means other than email attachments.....just by browsing an infected site, video codecs are another popular method.

 

None taken. I certainly don't expect any security product to fully protect me. Common sense helps protects me but doesn't appear to work for everyone.

ESS does claim to be anti spyware as well as AV and a full security suite to boot. My beef is that this is a well known threat, first detected by ESS on 01-July. Nearly a month later, a well documented and well known nasty managed to survive quite happily alongside a fully operational and fully updated installation of ESS and trick my friend into parting with $79. Was he unbelievably stupid? You bet! He received plenty of flak and a heap of payouts from everyone drinking beer that night.

I'm not blaming ESS - far from it. I would expect better is all. "av2009.exe" was running in memory and starting on every boot. The executable is well known and has existed in that form for nearly a month.

I was surprised more than alarmed or overly concerned.

EDIT: One payout was a beauty, "Did you buy your virus from the same place you got your bargain fishing gear from?"

 

And one more rogue/malware !!!! And not detected...

I'm a ESET consumer for a long time now (but this is the same for other AV suppliers) and I'm becoming paranoïd because of inefficiency of traditional antivirus programs... !!!!

I would suggest to start now to work on such threats....
Sorry ESET team, I know you work hard everyday and I thank you for that, but there is an emergency situation that should trigger detection algorithms evolution, taking into account IDS/HIPS (that is now necessary) and real time web databases (DNS lookup, malicious URLs, suspicious file names and Checksums....)

Regards

 

One post removed.

Please remember this is the ESET Support Forum.

Blackspear.

 

Na my fishing gear cost hundreds of dollars Back to topic I know what your saying and it really does suck when are favorite or loved security apps fail badly.Just like people can't count on anyone Family nor friends.Anyways I am sure your friend is taken proper measures to secure his purchase method and tell your friend he is not stupid it happens to the most intelligent people. I call it a error in judgement we all make them sometimes.

 

"In the first place, malware should not get through the first layer of defense which is common sense of the user. This means the user should avoid visiting warez/porn/underground sites that often contain malicious code. Marcos"

That is unacceptable. We are not children. Customer for now 2 years of Eset (2.7 and now Ess) I don't accept this kind of lame excuse. I don't pay a antivirus every year for watching Cnn, surfing in sites like yahoo, etc. For this you can have Avira free, Avast free.
"Porn, underground..." is also internet. Open a unknown file, yes is stupid! and I can live with that.
My subcription goes until novembre 2008. If you continue this kind of policy, you will lose a faithfull customer.

 

Trust me not just Eset is struggling with these rouge apps. If you were to look at other AV forums you'd see av2009 all over the place.

 

Exactly.

 

Hello,

XP Antivirus and similar programs are downloaders. When NOD32 doesn't detect it, your firewall in interactive mode (not only ESS) should inform you about this network communication. When this program doesn't download his majority part, your pc won't be infected.

 

the rogue apps are almost impossible to keep up with, today alone i downloaded 7 undetected versions, and thats not even changing the numbers of the file, like aavsetup01.exe, and it could be 00-99, and change every week

 

In defense of ESET, I'm a network admin with a company that services many different clients, and I've seen this particular bug successfully infect many systems, including ones protected by: AVG8 Enterprise, Symantec 10 Enterprise, Sophos Enterprise, and all of whom were behind Cisco PIX firewalls. There's only so much you can do against determined users who keep clicking on popups. Getting your users to stop that behavior is the most important step to stopping this kind of thing.

Our most successful sites with regards to viruses are those that have strong web filtering (We use Websense usually) and very strict filtering policies in conjunction with explicit instructions not to click on anything claiming to be an "Important" update or program. Instead, they submit a helpdesk ticket and ask us if it's legit.

 

>>Our most successful sites with regards to viruses are those that have strong web filtering (We use Websense usually) and very strict filtering policies in conjunction with explicit instructions not to click on anything claiming to be an "Important" update or program. Instead, they submit a helpdesk ticket and ask us if it's legit.

Our LAN is that way and Surfcontrol, eSafe, and our Layer 4 inspection firewall all do a good job to aid in protecting us.

I just did a full scan of my ~75 remote PC's (laptops, home PC's) and and am reviewing the Nod32 logs. So far 4 of them appear to have Antivirus 2009 on them. Nod doesn't detect it, but there are locked files which it reports about which are tale tale signs of Antivirus 2009. We just cleaned one variant off a laptop with Nod32 which it did detect -- which was a pain in the rear to clean.

I think we need to find these guys making all these variants and shut them down for good... rip..

 

another good point to eset, found a variant today, 0 detection except for 1 'suspicious' and eset detected it through the web module(as marco's told me atleast), so thats atleast 1 that eset proactive detected and noone else did, the only other i can think of with new heuristics is kaspersky(as virustotal uses the old version), otherwise eset is the only one that has different modules that detect stuff better i do believe

and yes these guys are nasty little buggers, luckily most the install files download the same stuff(atleast the ones i've analyzed recently)

-Brian