New Windows Protection Suite in the wild now

Got on a machine today... Only 2/41 products detected it on Virustotal.. Very new variant, I took the hash off it, and added it to my Software Restriction Policy. I sent in the variant, sysinspector information, and screenshots to ESET labs.. Just thought I would let the community know. I hope you guys are looking out for me and sending in variants to eset!

 

I'm too lazy to jump through the hoops with the way they want you to submit.If they just took it the way of the right click and submit through the NOD32 program, I would be submitting every new undetected thing I find !

They way they have you submit is whats keeping them in the number 3 ( or 4 ) spot in the antivirus world.The other vendors make it easy to submit a file, so people actually bother with it, then that vendor catches the virus frst and makes every other antivirus vendor look bad.....

 

I don't think it's that tough to submit.. I just take a sysinspector snapshot, and collect the variant, put it in a password protected file/send it in.. The variant I uploaded to Virustotal is still not being caught by anything hardly.. One vendor is now detecting it as low risk malware (PrevX).. I have never uploaded anything that Symantec caught that NOD32 did not..

 

Hello I have the Virus running in a secured VM setup.. I have found out a lot of information about it, and what it tries to do in the background.. It keeps trying to dial home to a ~ snipped ~ which goes to Russia.. I have the IP address, and additional information for ESET if they wish to have the information along with the samples I sent in today.

 

NOD32 now detected this with 4430 virus signatures woohoo!

Only 12-24 hours after reporting good job ESET!

 

I sent in another submission of PersonalAV yesterday
The PAV has been out for what, over a year now?
Same exact C:\Program Files\PersonalAV\PersonalAV.exe for months and months.

Eset didn't even squeek at it, even when right clicking the directory and executable itself and scanning. Yet MalwareBytes, as it has ever since PAV came out, cleaned it right up.

 

PAV changes as soon as they add detection for it. The virus maker just goes in, and rebrands it, makes little changes, and gets past signatures added for it in the past. I had a new PAV.exe that came out, and it was detected by 0/41 vendors when I uploaded it.. I used Spyware Doctor, and it's Anti Virus zero day found it and removed (threatfire). It's almost seems as easy as changing the MD5 hash value of the file, and it gets past AV makers.. Because the code seems the same.

 

I know the rogues have new variants each day, 3 to 4 new variants per day. We deal with usually several new ones per day across many clients. But what's amusing about it, the program directory and the executable name are the same...since like...last Christmas. And MalwareBytes always..always..without fail, cleans that puppy up on the first sweep. This lady had it on her system for 2 days until I could get there. Even on the 2nd day when I got there, NOD didn't even care about it, yet MWB gobbled it right up.

I can clean PAV manually, by hand, going by memory. A human being knows how to clean it by heart...since he has been doing it (this rogue) for almost a year now. Yet an AV program can't? A human can, an AV program can't...hmmm.

 

I don't know enough on what ESET does to add signatures to detect these.. I understand how hard it may be to detect these, but you would think that maybe they could find some kind of common heuristic that the PAV makers use, and make it as to where it can be detected with new releases until the virus maker completly rewrites the code from the ground up.. At this point I am wondering if all the virus makers are doing is recompiling, and changes the hash values.. I manage around 4000 machines and I've had PAV get by a couple of times, and also Windows Protection Suite.. A lot of the time Malware Bytes does not detect these for me.. I upload them, and at the most 2/41 or 3/41 vendors may catch.. I think the main reason I can weather the storm on a lot of these is because I am not lazy/I am pro-active and see it was my job to submit these to ESET, Symantec, and Kaspersky which are the three makers we use.. ESET on Servers/Clients, Symantec/Kaspersky email filtering..

I have this variant at home, and last night I threw everything at it, and all that detected it was Spyware Doctor With Antivirus with it's zero day behavior based Threatfire module.

 

As far as I know, web protection module should intercept new variants of PAV upon download. Detecting files just by the file name is not safe and, as soon as AV programs would started doing that, the malware authors would use different tricks to evade detection.

 

Thanks for all your help in the past.. Marcos literally saved ESET 2,000 licenses with his help!

 

Just make sure that web protection is enabled It provides additional protection, including blocking of websites known to host malware.

 

I traced the variant back to a Russian Domain name, and IP address. Should I have included that information in my report to samples@eset.sk?

 

Not necessary. A brief analysis is always carried out on each sample.

 

Just found a new personal anti virus variant.. File name is PersonalAV.exe instead of PAV.exe.. I got it off a turnpike authority machine.. Will be sending it in.

3/41 detecting it

For those who block these parasites using a AD Software Restriction Policy

File size: 1335296 bytes
MD5...: 49b30cedef1a6fafe4b1f95d4095fb24
SHA1..: 2e2ef7b38063be9e1702c054cba4f4290b4651f0
SHA256: b51340aab49a549563ce68c155f85d57cea41e67acdeadbcf546a26730260245