How come ESS cannot detect e-set 2011

Discussion in 'ESET Smart Security' started by Niloc, Mar 20, 2011.

Thread Status:
Not open for further replies.
  1. Niloc

    Niloc Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    4
    I have a customer's laptop running XP Pro SP3 and all updates, ESS version 4.2.71.2 with latest updates, and it still got infected by the fake e-set 2011 trojan!

    How is it possible that this smart security is not so smart? It cannot even detect a trojan using a similar name. Had to download Malwarebytes to remove it. I'm seriously reconsidering my long-term commitment to re-selling Eset software when this sort of thing happens.

    Rant now over, some answers would be great

    Thanks
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    No AV detects all variants of particular malware. Until they do, MBAM and similar software help. Of course, blocking scripting in the browser, except on trusted sites, would also help.
     
  3. tony_m

    tony_m Eset Staff Account

    Joined:
    Nov 22, 2010
    Posts:
    239
  4. Niloc

    Niloc Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    4
    Hi Tony

    That is what it looked like; unfortunately, fixing the machine was top priority, so all of the evidence was zapped by Malwarebytes. When was the Eset virus signature database updated to handle this variant? I think the machine picked it up on the 18th or 19th of this month.

    The following is the result of 2 MBAM scans, the first one is on an old database as I had no Internet access to update it at the time, the second scan is with the latest MBAM database.

    I hope that this is some help.


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5363

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    20/03/2011 20:15:40
    mbam-log-2011-03-20 (20-15-40).txt

    Scan type: Quick scan
    Objects scanned: 138031
    Time elapsed: 9 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe (Security.Hijack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    **************************************************************************************************************

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6113

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    20/03/2011 20:25:04
    mbam-log-2011-03-20 (20-25-04).txt

    Scan type: Quick scan
    Objects scanned: 146921
    Time elapsed: 8 minute(s), 2 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    c:\WINDOWS\system32\msiexecs.exe (Rogue.FakeEset) -> 1380 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\msiexecs.exe (Rogue.FakeEset) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-796845957-1844823847-725345543-1003\Dc1\e-set.exe (Rogue.FakeEset) -> Quarantined and deleted successfully.
    c:\documents and settings\jim\local settings\temporary internet files\Content.IE5\K89J6BCR\setup[1].exe (Rogue.FakeEset) -> Quarantined and deleted successfully.
    c:\documents and settings\jim\Desktop\e-set antivirus 2011.lnk (Rogue.FakeEset) -> Quarantined and deleted successfully.
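
    The first MBAM scan above flags Image File Execution Options (IFEO) entries for the browsers. A Debugger value under IFEO\<exe> makes Windows start the named "debugger" in place of <exe>, which is how the rogue redirected browser launches to itself. The following read-only audit script is an added example for this thread, not Niloc's, Malwarebytes' or ESET's code; it lists every IFEO Debugger value on the local machine and marks those that are not on a small allow-list of genuine debuggers. The allow-list and the function name Get-IfeoDebuggerHijack are assumptions for illustration and should be adjusted to your own environment.

    ```powershell
    # Added example (not from the thread): audit IFEO for Debugger values.
    # Read-only: it reports what it finds and removes nothing.
    $ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    # Assumed allow-list of debuggers that are normally legitimate in an IFEO Debugger value.
    $knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'drwtsn32.exe')

    function Get-IfeoDebuggerHijack {
        param(
            [string]$Path = $ifeoPath,
            [string[]]$Allow = $knownDebuggers
        )

        Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
            # Each subkey is named after the executable being intercepted (e.g. iexplore.exe)
            $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $debugger) { return }

            # Reduce the value to the debugger's file name: drop surrounding quotes and arguments
            $unquoted = $debugger -replace '^"([^"]+)".*$', '$1'
            $exe      = ($unquoted -split '\s+')[0]
            $leaf     = (Split-Path -Leaf $exe).ToLowerInvariant()

            [pscustomobject]@{
                Target     = $_.PSChildName
                Debugger   = $debugger
                Suspicious = ($Allow -notcontains $leaf)
            }
        }
    }

    # Suspicious entries first; an empty table means no Debugger values are set at all
    Get-IfeoDebuggerHijack | Sort-Object Suspicious -Descending | Format-Table -AutoSize
    ```

    Run from an elevated PowerShell prompt so the HKLM hive is fully readable. In the case shown in the log, the script would have reported a Debugger value for iexplore.exe pointing at a file that is not a known debugger; the other browser keys were flagged by MBAM as well, and any such entry on a machine with no developer tooling deserves a look before the browser is trusted again.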
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Registry entries are not supposed to be detected. As for executables, I couldn't find any undetected msiexecs.exe nor e-set.exe; all variants I found were already detected. Maybe you could submit MBAM's quarantine for perusal.
     
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    Depending upon which components are present, they should be detected as one of the following:
    • Win32/Kryptik.LSH trojan
    • Win32/Kryptik.LVC trojan
    • Win32/RogueAV.E trojan
    Can you tell us what virus signature database your copy of ESET Smart Security is currently on?

    Regards,

    Aryeh Goretsky
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd merely add there are many more names under which various variants of the rogue tool E-Set are detected.
     
  8. Niloc

    Niloc Registered Member

    Joined:
    Dec 13, 2007
    Posts:
    4
    Hi Guys

    Thanks for the feedback. The virus database at the time of the incident was 5967. Probably MBAM does not show the full picture, as I had, by that time, already deleted the e-set 2011 folder from the program files directory and also disabled the startup entry in msconfig. Prior to me getting the machine for repair, the user had apparently scanned using ESS (or maybe he used e-set!).

    Whatever the issues were, the machine is working now, so I guess that I'll just have to hope that this is the end of the story. The machine was only re-loaded from a system format level a month ago after AVG missed the version of the trojan masquerading as Windows Antivirus 2011. I said to the customer, "worry no more, I'll install ESS, that will sort your problems". Brave words indeed!!

    Thanks
     