Antivirus Live, fake AV program (Trojan)

Discussion in 'ESET NOD32 Antivirus' started by vasamreddy, Dec 30, 2009.

Thread Status:
Not open for further replies.
  1. vasamreddy

    vasamreddy Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    7
    Yesterday night, my PC was infected with the Antivirus Live trojan, which would not let most of the applications run. It keeps on giving fake scan results and pop-ups asking you to buy their antivirus product. It even changed the proxy settings of IE to always go to their product's home page and nothing else.

    I am really surprised that NOD32 didn't catch this, with full protection turned on.

    I usually run NOD32 and MBAM (Malwarebytes Anti-Malware, full version with real-time protection) simultaneously. I turn off MBAM while I am playing Modern Warfare 2 as it seems to cause some problems with the IW.net servers (probably the IP protection feature of MBAM).

    I forgot to turn it back on after exiting the game. A few hours after that my wife was browsing and got my PC infected with this Antivirus Live trojan.

    When it was in the infected state, NOD32 was still running. I started a scan and it found nothing. I couldn't launch MBAM as the trojan was preventing any new applications from launching that were not already running. I had to reboot in safe mode and clean it with MBAM.

    I don't have any files to send to you guys, but it generally looks like this.
    <random letters>sysguard.exe. Plenty of info on the internet about this new trojan.

    Hope you guys keep NOD32 up to date to tackle these kinds of things. What's up with the advanced heuristics and all? This kind of aggressive fake antivirus behavior is not flagged by NOD32, which looks bad to me.

    PS: I am in no way bashing NOD32, but I expect you guys to be more effective in dealing with new threats like this. I am a 2-year subscribed customer of ESET.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Already discussed here.

    The standalone ESET Rogue Antivirus tool downloadable from here should be able to cope with it if there's a problem removing it with EAV/ESS.

    If it's not detected at all, submit the suspicious file(s) per these instructions.
     
  3. vasamreddy

    vasamreddy Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    7
    Thanks for giving me the link to that thread. I have a question and I will post it there.
     
  4. Tango23

    Tango23 Registered Member

    Joined:
    Jan 3, 2010
    Posts:
    3
    Marcos, you should figure out what vasamreddy is trying to say:
    "Antivirus Live trojan is not letting most of the applications run".
    The standalone ESET Rogue Antivirus tool you are directing us to is an .exe file, which you can't run if you are attacked with this Trojan.
    I was attacked with the same trojan (ESET Smart Security was unable to detect it either). I was even unable to open a .doc document.
    I do realize that since the rogue AVs are changing extremely frequently, it's important not to rely solely on antivirus programs. It's crucial to take other precautions as well, such as not browsing the web in an administrator account, not visiting dodgy sites, keeping the OS up to date, using the browser in a sandbox whenever possible, etc. (albeit I don't know how to run a browser in a sandbox).
    The ESET Smart Security experts should work on overcoming this threat so the program automatically detects these rogue AVs and deletes them.
    Once attacked, the Antivirus Live trojan automatically re-installs itself (if somehow you are able to delete it).
    Did the experts fix the problem permanently, or are they still working on it?
     
  5. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Rename it to iexplore.exe and then run it ;)
     
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Jan 3, 2010
  7. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    AFAIK this trick was performed by some variant of the Bagle family. In some cases, at the next step you will have to correct the Winlogon UserInit value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit), because after removing the trojan executable your system may not be able to run at all.
    Just make sure that this registry key looks like this: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit with the value "C:\WINDOWS\system32\userinit.exe," (with the comma separator at the end of the value and without the quotes).
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Symantec released a great tool for repairing the OS when it comes to not being able to run programs or get to certain functions; Google "symantec unhookexec.inf".

    Then use Malwarebytes and Microsoft Security Essentials; they've both been doing a GREAT job in fighting these rogues. You can follow up with some other tools like SuperAntispyware, Spybot, Combofix... but in my experience in cleaning many rigs with these latest rogue variants, MWB and MSE have been building a solid track record of keeping up with them.
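    Two of the repairs mentioned in this thread (Nerimash's check of the Winlogon UserInit value, and the broken executable associations that unhookexec.inf restores) can be verified before anything is changed. The PowerShell below is an added, read-only illustration; it is not from the thread, from ESET, or from Symantec. It assumes Windows PowerShell is available and is run from an elevated prompt on a clean boot (e.g. safe mode), that %SystemRoot% is the Windows directory (C:\WINDOWS in the thread's example), and that a clean Userinit value contains exactly one entry, the stock userinit.exe, as the thread states.

```powershell
# Added example (not from the thread): report, without modifying anything,
# whether the two registry settings rogue AVs of this era tampered with look
# clean. Assumes an elevated Windows PowerShell session.

$results = @()

# 1. Winlogon Userinit. The thread's clean value is
#    "C:\WINDOWS\system32\userinit.exe," (trailing comma, no quotes).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedBase = Join-Path $env:SystemRoot 'system32\userinit.exe'   # assumption: stock path
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction Stop).Userinit

# Split the comma-separated list and drop the empty element after the trailing comma.
$entries = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
$extra   = @($entries | Where-Object { $_ -ine $expectedBase })      # anything besides userinit.exe
$missing = -not ($entries | Where-Object { $_ -ieq $expectedBase })  # stock entry replaced outright

if ($missing) {
    $status = 'SUSPECT: stock userinit.exe entry is missing'
} elseif ($extra.Count -gt 0) {
    $status = 'SUSPECT: extra entries -> ' + ($extra -join '; ')
} else {
    $status = 'OK'
}
$results += [pscustomobject]@{
    Setting  = 'Winlogon\Userinit'
    Current  = $userinit
    Expected = "$expectedBase,"
    Status   = $status
}

# 2. The .exe shell association (the "no program will launch" symptom).
#    A clean system opens executables with "%1" %* and nothing else.
$exeKey  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$openCmd = (Get-ItemProperty -Path $exeKey -Name '(default)' -ErrorAction Stop).'(default)'
if ($openCmd -eq '"%1" %*') {
    $status = 'OK'
} else {
    $status = 'SUSPECT: executable launches are redirected through another program'
}
$results += [pscustomobject]@{
    Setting  = 'exefile\shell\open\command'
    Current  = $openCmd
    Expected = '"%1" %*'
    Status   = $status
}

$results | Format-Table -AutoSize
```

    Any row marked SUSPECT points at the setting a removal tool (the ESET Rogue AV tool, unhookexec.inf, or Malwarebytes) would need to restore; the script itself writes nothing, so it is safe to run repeatedly while cleaning.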
     
  10. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Strange that other anti-malware apps appear to have been reasonably effective but Nod32 (for which I'm a paid subscriber) has not.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the standalone Rogue AV removal tool (which works on a similar principle to Combofix / Malwarebytes) was unable to clean out a particular threat, let me know. Even though it should cover the most prevalent rogue AVs, it may need some adjustments to cover the rest.
     
  12. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I wasn't aware we supported these sorts of combinations of software to weed malware.
     
    Last edited: Jan 4, 2010
  13. no brain

    no brain Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    2
    Hello.
    Yesterday I had the same problem as vasamreddy, and I'm very surprised that actually no update has been made to the antivirus.
    Only one difference from you: my antivirus is Securitoo (using F-Secure),
    and it detected a program ("av") trying to connect to the internet.
    After trying to close the XP-style window, which was "scanning and finding" viruses, I launched a manual scan; then my antivirus found it and deleted it. But it was too late and no more .exe files were working.
    I was unable to use the restore program of XP.
    ....
    Now I'm searching for how to prevent a new attack, because I really don't know how it got in....
     
  14. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Some of the ways FAKE AVs propagate are:

    * Compromised LEGIT web sites
    * A browser plug-in or extension
    * An image, screensaver or archive file attached to an e-mail message
    * Multimedia codec required to play a certain video clip
    * Software shared on peer-to-peer networks
    * A free online malware scanning service
    * Drive-by Downloads
    * Search Engine POISONING

    etc.

    The fake scanner pages are pandemic on the Internet.

    It's nearly IMPOSSIBLE to catch up with this kind of Malware [more than 100 Fake AV “programs” exist on the Internet today and if on top of this you include each one of their variants, this number grows to HUNDREDS of THOUSANDS]

    For example, I have submitted to ESET more than FIFTY [50] variants of the Fake AV named “Security Tool” in the last 3 weeks and, every day I found that at least 5 to 7 new variants of this same Rogue appear on the Internet and go undetected.

    I don't really know what AV companies are going to do about this but it looks that only adding HIPS to monitor suspicious behavior might be able to help a little but not solving the problem, though.

    Perhaps we're losing the battle... :( :( :(

    Regards,


    Carlos
     
  15. no brain

    no brain Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    2
    Thanks for this answer.
    I'm asking myself: I run 2 game servers on my computer; is it possible that someone hacked me this way?
     
  16. 1Jnodder

    1Jnodder Registered Member

    Joined:
    Apr 8, 2009
    Posts:
    28
    I have 2 friends who have been infected with these rogue fake AVs, one of them in the last few days with Antivir Solution Pro. As a safety measure against these things, today I installed Malwarebytes on both of my computers, an XP notebook and a Vista notebook. I updated them and did both the quick scan and the full scan on each of them. During the full scan of Malwarebytes my NOD32 did an update of itself. The Malwarebytes scan paused during the NOD32 update and continued when the NOD32 update finished. No problems were found on either scan, but if you get one of these monsters I think it's good to have Malwarebytes waiting for them. The first friend had to pay McAfee $89.00 to remove the thing with assistance from them. Their scan wouldn't detect it; this was about a year ago. The other friend got infected with this Antivir Solution Pro thing last Saturday. His wife paid them the ransom money before she found out it's a scam.
     
    Last edited: Aug 6, 2010
  17. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    If things are based on signature-based detection, it should detect it anyway even if the variant is different. Example: the kiddo infection has many variants, but I can almost bet the base code for the first one is basically the same as the others, just changed a bit. If it detects one code, it should be able to detect the others, unless it is completely different code; then you have another thing going on there. I had something attempt to get through Kaspersky a while back that was a rogue AV, and it stopped it before it went through fully.
     