WinAntivirus2009

A client system was plagued by WindowsAntivirus2009.

Modified the Nod32 v3 scan options to include Potentially Unwanted Applications. A full system scan and didn't even find the virus and/or malware, even though popups and other obvious infections are bouncing all over the screen.

It took a program titled SuperAntiSpyware to detect and remove the infection.

How can the best antivirus software not catch this?

 

Also had one user yesterday who managed to get this installed, did get this message in RAS:

Code:

C:\WINDOWS\system32\scui.cpl	Win32/Adware.XPAntivirus application	cleaned by deleting - quarantined	Event occurred on a new file created by the application: C:\Program Files\Antivirus 2009\av2009.exe.

But had to manualy remove the application. And revoke his local admin rights

 

Who says it's the best?

 

here, here and here for example.

 

Rogue AV authors adopt very fast to famous antivirus programs and release dozens of new undetected variants on a daily basis. Just have a look at the forums of other AVs and you'll see.

 

I concur with marcos, i find daily samples of these that have little to no detection, one sample i found yesterday had 2/35 detection at virustotal

 

Yes, they have a nerve.....ever since the release of version 3.0, it has never been the same as it used to!

 

guys relax, nod32 is a good AV, i have a few gripes with them, but oh well it does it's job

i wasn't lying when i said these rogue programs change daily

look at the sample i got today

AVG - - Agent_r.H

eSafe - - Suspicious File

Panda - - Suspicious file

Symantec - - SecureExpertCleaner


no other av touches it

while i don't think eset responds very well to submissions, marco's said it right one time, people like me that spam submit items get low priority, often times i don't remember where the files came from, and can give 0 information

Chances are other av's wouldn't have saved you either way

-Brian

 

It seems to be though that it is precisely these samples that are important and need to be processed ASAP. If you ask me, ESET is making a grave mistake by ignoring you just because you send them many samples.

 

I have only one thing to say: I'm glad I'm not in the antivirus industry.

And here's a free hint to all: whitelisting.

 

What about ThreatSense - Detecting Unknown Malicious Software? Is it on holidays ?

 

There are a lot of these recent "rogue" products slipping past over the last several months...I'm getting lots of clients getting hit by them. Most of them seem to come from the same trojan family..WinFixer/Defender2008/XPAntivirus2008/2009, etc etc. I see mentions of the ZLob trojan, Virtumunde, Smitfraud, etc.

They seem to be slipping past many AV products.

 

Re: NOD32 blocking Windows Automatic Update + Some Websites

I have the same problem along with antivirus 2009 constantly popping up and asking me to install it. If you hear anything , please let me know & i will do the same. I read a post on the antivirus 2009 that said they had found a program to get rid of anti2009

 

malwarebytes antimalware from

http://www.malwarebytes.org/


or superantispyware

from

http://superantispyware.com

should remove it, both are free

 

Re: NOD32 blocking Windows Automatic Update + Some Websites

Please send a log from ESET SysInspector to samples[at]eset.com with this thread's url and we'll help you remove it completely.

 

the same thing happend to me, im using avira professional 8.1 in the office and yet i was infected by the virus and could not remove it, pop ups always appear when ever i click folders and click the back button. only SAS clean my infected pc. and now i change my antivirus to AVG 8.0 which i think does the well.

 

Hello,

every AV misses samples today. If you want, I can send you undetected files by AVG.

Regards

 

2 systems completely HOSED yesterday by this crapware, both running 3.0.669 with latest defs.

2 False positives and 1 HUGE miss later I will be requesting a refund from ESET for this absolutely USELESS AV.

I actually identified the exe file that the virus came in and scanned it directly with NOD32, NOTHING!! Using AVG FREE, yes FREE! it immediately detected and quarantined.

I am horrified that I have 200 users here now who are unprotected....unless they are being attacked by Adobe Acrobat.....

 

As it's been stated above by other users, these rogue antispyware programs are frequently modified to evade detection by famous AVs. As an additional protection, ESS/EAV blocks access to the websites hosting these fraud tools, but there is still a chance one could get it from elsewhere. We have tested our collection consisting of hundreds of these fraud tools and the AV you mentioned detected just a few of them. It always depends on what files you test - there are variants that would be detected by us and missed by other AVs and vice-versa.

Which false positive do you mean? If a false positive is sent to samples[at]eset.com with "False positive" in the subject, it's fixed quickly usually in the next update.
As for the huge miss, which one you mean? Would you be please more specific?

Would you please provide more details as to why you connect Adobe Acrobat with this issue?

 

If you aren't aware of the 2 false positives, one that was deleting Acrobat as a virus then i'm not sure you even use NOD32. There are plenty of posts in this forum regarding the false positives, I even posted a temporary workaround for one of them.

The HUGE miss? This winantivirus 2009 isn't the only thing that it drops on your system, in the package are multiple version of zlob and at least 5 other spyware/virus packages. For NOD32 to be running UP TO DATE and miss all of these things being dropped on to the machine, COME ON! "Best in real time detection" my a$$!

I will be talking with my sales rep regarding a refund, any AV that misses all of that at the same time has no place here....

 

We have already explained that this was not a standard false positive and was caused by various coincidences. A file detected on one computer would not have been detected on all others, hence it passed the internal pre-release tests.

As I have explained, no famous antivirus programs 100% detect these rogue antispyware programs as their authors can easily adopt to detection techniques of any AV vendor. As I have said, we detect hundreds of variants of this rogue software that the antivirus program you mentioned missed. We understand that we do not detect 100% of malware, especially these "antispyware" fraud tools, and we have never claimed to detect 100% of all malware. If you suspect your computer from being infected, you can always send a log from ESET SysInspector to samples[at]eset.com and we'll analyse it. We should be able to find any malware, even if missed by all AV scanners in the world.
As I say, the best protection is using common sense, keeping the programs up to date and avoid running OS in the account of an admin user when not necessary. No AV program will ever gurantee that no malware will slip through it so the users themselves must adhere to certain security rules instead of blindly believing that an AV will save them at any time. An AV program can only eliminate the risk of getting infected, but will never be able to 100% protect you from malware.

I wonder how many users who have moved to another AV got shortly infected by malware missed by the new AV that would have been otherwise detected by their previous AV At any rate, our users are free and can decide themselves what product they want to use. I think that many of our users could testify how many times NOD32 has saved them.

 

Well, I've been an avid NOD32 fan for almost 10 years and was an Independent AV tester back when Independents were still used by some of the big (nowadays) AV companies back in the day.

I also got nailed with Zlob just yesterday and it was missed with AV 3.0.669 #3331, on a known Zlob file that has been on Google search results for almost 3 WEEKS now!!! Of course I already knew that WinAntiVirus is a known Rogue product, so that won't catch me and I could tell that the Security popups were not Windows generated.
After removing with MalwareBytes (written by my good buddy RubberDucky...Thanx Marcin!!), I searched for the exe's and dll's I found installed by Zlob and some of these have been known for some time now, so why haven't they been added to NOD32 DB yet?

Marcos, I better than most, understand that no AV product will catch 100% of malware yet. I decompiled and studied virus/trojan/spyware injection processes on sandoxed systems for many years, I know how persistent and cunning they can be...remember the LOP.com boyz?? Those buggers released over 100 new varients a day from over 20,000 affiliate sites back in 05.

But NOD's advanced heuristics "should" pick up on the "activity" of this one since it does use known malware techniques. My Comodo FW (without Defence + active) picked it up as an "exe exhibiting known malware procedures", which immediately notified me even before the 1st popup appeared. That's when I realized the NOD had missed known malicious behavior and was aghast...gasp!! My FW doesn't receive daily updates so it has to rely upon a whitelist/blacklist of known apps and certain characteristics that this crud exhibits. So for Comodo to catch what NOD32 didn't just floors me as I doubt their knowledge of malware behavior is not as vast as Eset's should be, and the heuristics engine should have caught this.
Another thing that bothered me is when I scanned the known infected/dropped folder "Applications" in Program Files (x86), NOD reported it failed to open the 2 ZLOB exe's because they were Locked. Fairly simply way to defeat an AV woiuldn't you say...so NOD reported it was a "Clean" scan...wow.

I have to say that I'm a bit concerned that this Zlob Trojan is not triggering something within Nod32, even without having the latest exe and dll names in the sig DB. Signatures alerts are the old way of cathching nasties, back when they didn't change their process names daily, they're quickly becoming obsolete in today's world of constantly transforming malware programs. Heuristics and recognized possibly unwanted behaviors are what makes today's AV products able to keep up with these threats, and it's obvious that right now, the bad guys are winning this race.

 

Re: NOD32 blocking Windows Automatic Update + Some Websites

Marcos,

I submitted a couple samples of infected machines using sysinspector to samples@nod32.com, not even as much as a courtesy response to say we received your file.

It's been two weeks since I submitted the files and Nod32 is still doing nothing to prevent, detect and/or remove any of these Winantivirus variants.

I search the KB via ESET's website and Winantivirus isn't even mentioned.

A month or so ago I submitted an email to customer service that when viewing knowledge base articles that they are in frames and can't be printed, and that they needed to add a print button to these KB articles. A rep responded saying that they'd bring this to the attention of the webmaster. Something so simple still not done.

Now I hear Nod32 ads on Jim Rome's popular sport show.

I think given all the above I see what's happening:

Symantec mass market, push crap ignore customer and due to advertising dollars all the popular crap magazines i.e. PC World give them great reviews so they make $$$.

Nod32 v 2.7 and earlier, no mass market, push great product and IT professionals push and rave about the product. v 3.0 and later cut out small channel partners, push a buggier/slower product (just look at how many version releases there have been), advertise to get good reviews in PC World and consumer related sites, ignore customer requests end result Nod32 is making more $$$ while they can until they reach Symantec 'crap' status.

Somebody at ESET's camp is clearly only focused on making money and not on the product/customer.

 

My antivirus 2008 submissions have been well responded, but i think thats just because marco's took special attention to them

that being said, i alone submit so many files through the program from trying to dl stuff, imagine everyone else aswell, sucks but it's truth

-Brian

 

Re: NOD32 blocking Windows Automatic Update + Some Websites

Please PM me your email address, I'll try to get the status of the emails.