How come ESS cannot detect e-set 2011

I have a customers laptop running XP Pro SP3 and all updates, ESS version 4.2.71.2 with latest updates, it still got infected by the fake e-set 2011 trojan!

How is it possible that this smart security is not so smart? it cannot even detect a trojan using a similar name. Had to download malwarebytes to remove it. I'm seriously reconsidering my long term commitment to re-selling Eset software when this sort of thing happens.

Rant now over, some answers would be great

Thanks

 

No AV detects all variants of particular malware. Until they do MBAM and similar software help. Of course blocking scripting in browser, except trusted sites, would also help

 

Hello,

Please see:

Rogue E-Set Antivirus 2011 malware

If you found a new variant that is not detected with the most recent version of virus signature DB, please submit a sample as per these instructions:

How to submit virus or potential false positive samples to ESET's labs

Thank you!

 

Hi Tony

That is what it looked like, unfortunately fixing the machine was top priority so all of the evidence was zapped by Malwarebytes, when was the Eset virus signature database updated to handle this variant? I think the machine picked it up on the 18th or 19th of this month.

The following is the result of 2 MBAM scans, the first one is on an old database as I had no Internet access to update it at the time, the second scan is with the latest MBAM database.

I hope that this is some help.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/03/2011 20:15:40
mbam-log-2011-03-20 (20-15-40).txt

Scan type: Quick scan
Objects scanned: 138031
Time elapsed: 9 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**************************************************************************************************************

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6113

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/03/2011 20:25:04
mbam-log-2011-03-20 (20-25-04).txt

Scan type: Quick scan
Objects scanned: 146921
Time elapsed: 8 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\WINDOWS\system32\msiexecs.exe (Rogue.FakeEset) -> 1380 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\msiexecs.exe (Rogue.FakeEset) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-796845957-1844823847-725345543-1003\Dc1\e-set.exe (Rogue.FakeEset) -> Quarantined and deleted successfully.
c:\documents and settings\jim\local settings\temporary internet files\Content.IE5\K89J6BCR\setup[1].exe (Rogue.FakeEset) -> Quarantined and deleted successfully.
c:\documents and settings\jim\Desktop\e-set antivirus 2011.lnk (Rogue.FakeEset) -> Quarantined and deleted successfully.

 

Registry entries are not supposed to be detected. As for executables, I couldn't not find any undetected msiexecs.exe nor e-set.exe, all variansts I found were already detected. Maybe you could submit MBAM's quarantine for perusal.

 

Hello,

Depending upon which components are present, they should be detected as one of the following:

• Win32/Kryptik.LSH trojan
• Win32/Kryptik.LVC trojan
• Win32/RogueAV.E trojan

Can you tell us what virus signature database your copy of ESET Smart Security is currently on?

Regards,

Aryeh Goretsky

 

I'd merely add there are many more names under which various variants of the rogue tool E-Set are detected.

 

Hi Guys

Thanks for the feedback, The virus database at the time of the incident was 5967, probably MBAM does not show the full picture as I had, by that time, already deleted the e-set 2011 folder from the program files directory and also disabled the startup entry in msconfig. Prior to me getting the machine for repair, the user had apparently scanned using ESS (or maybe he used e-set!).

Whatever the issues were, the machine is working now so I guess thet I'll just have to hope that this is the end of the story. The machine was only re-loaded from a system format level a month ago after AVG missed the version of the trojan masquerading as Windows Antivirus 2011. I said to the customer, "worry no more, I'll install ESS, that will sort your problems". Brave words indeed!!

Thanks