Olmarik Trojan - How to guard aganst it?

I operate a computer service business and during the past few weeks several of my customers already running NOD32 became infected with the Olmarik.ADA Trojan which infected their MBR on the physical disk.

After researching Olmarik here at Wilder's I originally tried various suggested cleaning tools but none worked. I was SUCCESSFUL at removing Olmarik by booting to an "Ultimate Windows Boot CD" , using Revovery Console to first do a.. chkdsk /r/p followed by FIXMBR and FIXBOOT. Since then, this is how I remove Olmarik MBR infections AFTER running the NOD32 scan on the infected hard drive from a clean computer.

Ok, the above info is just for anyone else interested. My main reason for posting is to find out what measures can be taken with NOD32 to guard against this nasty virus disabling NOD32. Or... what additional measures have proven effective for keeping this Olmarik virus from disabling NOD32.

For example, is SuperAntiSpyware pay version effective as a second layer of protection to keep NOD32 from being disabled?

BTW: This is the first time in many years where after installing NOD32 on my customer's computers that they are coming back infected. So I do have a lot of faith in NOD32. I just need to know how to fortify to keep this from happening.


---pete---

 

what do you do to protect yourself against malware? how much time or will do you have transfer that knowledge onto your customers (assuming they equally have time or are willing to learn)

 

I FULLY understand what you are saying, however, that kind of thinking is more idealistic and theoretical than practical. Practically speaking, the average person that comes to me for help is not able fully understand or even remember all that needs to be known about security or even control all the family members that use the computer and this is why we must rely upon software to protect against attack. I'm not looking for 100% perfection in security because I know that is not possible.

Ok with all that said, in recent weeks our trusty NOD32 has proven to be vulnerable, specifically to this Olmarik virus, so all I'm asking is whether there are any specific tweeks that can be done to NOD32 or any additional software that can be used so that Olmarik can't disable (or has less of a chance) or otherwise defeat NOD32.

Thank you

---pete---

 

On the contrary, my thinking, is precisely practical. There are no tweaks apart from keeping the AV current and active, from keeping the OS updated, from encouraging people to do minimum to protect themselves. Especially average people. It must be easier to recommend additional software and not following everyday common sense and easy security practice.

 

The stand-alone removal tools are at your disposal.

Over the period of time that I have been using EAV - I have not been infected by such a trojan

The virus signature files show protection against this pest. Todays's signature update also shows that Olmarik should be detected without issue.

 

Yeah, I hear you, I don't even come in contact with any malware, so as Cudni suggests it's largely about the user and how they operate on the Internet. The real question to ask yourself is how many times did a particular anti-virus actually stop a virus in it's tracks and quarantine it.

When I go to service a customer on a non-virus related issue I'll sometimes check the logs of their anti-virus program to see if it's been catching anything. If it has, I'll point it out to them to show them how effective their anti-virus app has been to protect them. Usually, if something gets past NOD32 I can clean it out easily if they call me right away, but this Olmarik thing is real bad, hard to get out, and renders NOD32 defenseless.

I don't think that adding a password to NOD32 would help because one time I found all the files in the NOD32 program folder to be deleted. Other times, NOD32 won't startup and it's generally disabled. I'm thinking that having SuperAntiSpyware pay version running as a second layer of protection, may help.

---pete---

 

The Eset removal utility for Omarik is unable to clean the rootkit.

 

did you contact support about it? They can advise you further, how to possibly detect if unknown variant it and then remove it

 

Did you use the correct removal tool, are you sure the rootkit was Olmarik ?

 

Sorry dont mean to hi-jack the thread, quick noob question here...

Am i correct in assuming that the "stand-alone" removal tools are not included in the ESET AV or SS suites? (hence the name stand-alone)

My second question would be if not, then why? Wouldn't incorporating them be beneficial to both ESET suites i.e. improve cleaning of malware?

Regards

 

Are we talking about business customers is a more managed environment, or just home users that you are supporting?

 

I had one of these last week - the reason it got onto the machine was the client was using version 3.0 I think - not the latest v4.2

The mbr-rootkit I removed using mbr.exe after confirming it's presence with gmer. v4.2 found the other portions and cleaned them, but v3.0 had missed them.

 

New variants of Olmariks are often detected by ESET proactively or detection is added very quickly (personally I've seen variants detected only by ESET or variants where ESET was one of 3-4 AVs to detect them).
In order for recent Olmariks (tdl4) to be detected when already active, an update of the Anti-Stealth module is required. We assume this could be ready some time soon. For cleaning systems infected with Olmarik, you can use the ESET stand-alone Olmarik cleaners (one for tdl2/3 variants and a new one for tdl4 variants) that are downloadable from here. Note that after running the Olmarik TDL4 cleaner, it's necessary to restart the computer and run a full system scan for the cleaning to complete.