Infected big time with Prevx

Discussion in 'Prevx Releases' started by shadek, Apr 24, 2010.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Okay, just today I bought myself a brand new licence of Prevx. Enthusiastic as I was, I wanted to test its abilities to the max. I set all settings at maximum heuristic and I set Prevx to autoblock and autodelete on detection of malware.

    Then I ran ***.com/***/****/***/fid.exe (~ Virus Total Results Removed per Policy ~) and sweet, Prevx prevented my computer from being infected and autoblocked the attempt. It did, however, not delete the fid.exe file. I ran fid.exe again and BAM, without Prevx even notifying me this time, I got infected by a rogue AV. Without rebooting, I ran a deep scan with Prevx, which couldn't find any installed malware. My solution was to revert back to an old restore point, which finally made the malware go away.

    My questions are now:
    1) Why did Prevx not delete the file which I specifically told it to upon detection?
    2) Why didn't Prevx do anything the second time I executed the same file? The installation went right through without even a prompt from Prevx.
    3) How come Prevx, which detected the malware at first, did not find anything during deep scan when the malware was installed on my computer?

    Regards,

    Gabe
     
    Last edited by a moderator: Apr 24, 2010
  2. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Can you please post the link
    like this:
    hxxp//thelink.com/therest
    Next, make a new scan, right-click the Prevx symbol in the tray, select Tools, Save Log.
    Send it to:
    report@prevxresearch.com
    Write your problem and the topic link in the mail.
    Next: tell us the Prevx version you are using.

    Last: it's not a good idea to infect your PC; I think you are using it. Next time use a VM or another PC.
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden

    I saved the log but an on-demand scan won't detect the malware. I am not sure how I should proceed with this matter. It bugs me that when executed, the file is detected as malware... but the fid.exe is not removed and after the detection, when I run it manually again, it infects me. I've tested it three times, and all of them ended up with the malware compromising my system.

    I am using Prevx 3.0.5.130 with all modules active on Windows 7 x64. The log file does indeed contain: [DN] c:\users\SSSSS\desktop\fid.exe PX5: 26402D6D00EFBC38688F0363A2731B005F1595D5]. But Prevx won't stop it from infecting me when I install the second time.
     
    Last edited: Apr 24, 2010
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @shadek

    I downloaded fid.exe and scanned it with Prevx

    [screenshot: fid.gif]

    So I'm not sure why there is a discrepancy between your scan and mine? However I did NOT run it :D

    But according to VT when I uploaded it, it IS a Trojan FakeAV as confirmed by 5 vendors.

    Let's see what Prevx says but at least you were able to restore :thumb:
     
  5. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Yeah, on-demand scan won't detect the malware, but the heuristic detects it when launched... and blocks it... but the second time it compromises your system (at least it did for me). I'm not sure why Prevx doesn't stop the second attempt as well... And yeah, I am super glad I got rid of it. First time ever I've actually had use of restore points Windows made. :)
     
  6. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    Yeah, send the Prevx log to the Prevx mail address I posted, perhaps it helps to find the problem.
     
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I sent it to Prevx report e-mail, following the guidelines presented in this forum. Furthermore, even Avira set on high heuristic combined with Prevx set on max heuristic will help against this malware sample. It sure is a sneaky sample.
     
  8. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    No one solution will guarantee 100% detection and that's Prevx also! No AV will detect everything so if you play with malware you are going to get infected! :ouch: What would you do if your system restore was not working as some malware will delete all restore points o_O If you are going to play with malware you should use a VM and run Shadow Defender with it just in case!;)

    Regards,

    TH
     
  9. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I do realize I was lucky. :) But it was detected first time, but not second time. That's what bugs me. :)
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Sometimes it takes an hour or more because it's a "community database" so not many other Prevx users have seen this malware on their machines! I downloaded it and NOD32 stopped it as a new variant of Win32/Kryptik.DXV trojan! Did you send it to them via this post? https://www.wilderssecurity.com/showthread.php?t=245129


    TH
     
    Last edited: Apr 24, 2010
  11. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    It bugs me too. I hope Joe can provide an answer here. Dubious PrevX behaviour...
     
  12. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    You play with fire you are going to get burnt! :blink:

    TH
     
  13. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Wait a minute, is it a behaviour blocker which detects something only based on what the "community database" has said?
    In either case, detecting this malware first time and then not detecting it second time is no good :(
     
  14. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Maybe it's in Detection Overrides?

    TH
     
  15. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    I thought of that, but he said that the settings were to autoblock and autodelete :blink:

    Maybe the question for him would be whether he has checked Detection Overrides after it was not detected the second time o_O
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Quote Triple Helix

    Not just malware that does that, as I and a number of others have found out to our cost :(

    https://www.wilderssecurity.com/showthread.php?t=270069

    Yeah, sometimes :D Good point though :thumb:

    Quote pabrate

    Yes, very strange, be interesting to hear what Prevx makes of it all
     
  17. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    It's odd indeed. Hopefully Prevx can replicate the scenario and we'll see an even better antimalware product. :)
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello,
    We're investigating this infection further, but it looks like it may not directly exhibit malicious behaviors which would explain why it may not have been automatically found. Many of these fake AV threats sneak under the radar of antimalware software because of their reliance on social engineering rather than malicious actions, but we try to keep on our toes with regard to the newest rogue AVs. Our research team will be analyzing this sample closer and will report back with what we find.

    Thanks again for the help and please let me know if you find anything else!

    EDIT: We've confirmed protection for this sample but could you let us know what you initially responded to when the sample was blocked? If you hit the X on the warning dialog instead of clicking "Block" it could potentially respond differently in the future.

    Let me know what you find! :)
     
    Last edited: Apr 24, 2010
  19. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I am pretty sure that I clicked 'X' when the pop-up window said the malware had been blocked. This is because Prevx informed me the threat had been blocked and I saw no other way to get rid of the pop-up. I'll be installing a virtual environment today to test a few new rogue AVs.
     
  20. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    That is the best thing, I hate it when people get infected because they want to test malware with no virtual environment and they have no way of correcting it but to do a format and reinstall the OS! ;) I remember a few years ago helping a friend because he was so infected we formatted and reinstalled the OS and then we installed NOD32 2.5 at the time and it found 4 malware running in memory still but we finally got it cleaned up! :thumb: Also download the trial of Shadow Defender 1.1.0.325 for the extra protection in Shadow mode!

    TH
     
    Last edited: Apr 25, 2010
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I tried it and it is malicious. Killed my internet connection in IE8.
     
  22. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Yes, but I know you do it in a safe environment :D

    TH
     
  23. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    463
    Location:
    UK
    If you don't want to use a virtual machine, at least take an image of your drive before experimenting with malware. (I bet TH does both)

    I am not sure if the Prevx guaranteed malware removal (with remote support, if necessary) applies if someone infects their machine on purpose o_O .
     
  24. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I'd never ask for remote help. I was about to reinstall my entire system. I was well aware of the risks when I tried to infect my computer. :) Glad the problem was sorted out and Prevx got a little better at the same time. :)
     