Resurgence of "Win 7 XXX 2011" Fakeware

Discussion in 'ESET NOD32 Antivirus' started by Khakiass, Apr 15, 2011.

Thread Status:
Not open for further replies.
  1. Khakiass

    Khakiass Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    8
    Over the past three days there has been a huge upswing in the number of my users infected by variants of "Win 7 Total Security / Antispyware / etc. 2011." Yesterday alone I dealt with approximately 70.

    The vector appears to have been an injected web advertisement, and unfortunately ESET does not appear to be detecting it presently (not just failing to prevent its install, but when I right-click the malicious .exe and choose to scan, it is returned as clean). These are fully up-to-date Windows 7 Ultimate machines running ESET NOD32 4.2.58.3 and definitions 6045. I was hoping someone could speak to this particular malware, and as to whether an updated def pack will be addressing it. I have submitted multiple samples over the past few days.

    Behavior appears as follows:

    3 alpha character name.exe (e.g. smc.exe) stored in %\AppData\Local
    10 numeric character system file stored in %\AppData\Local

    Process attaches itself via registry keys so that launching any .exe file on the host machine calls the .exe file stored in %\AppData\Local.

    Runs in Safe Mode, preventing easy cleaning.
     
    Last edited: Apr 15, 2011
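A small triage check for the indicators listed in this post, added here as an example and not code from the thread or from ESET. It assumes the registry hook is the per-user exefile open-command handler (the post does not name the key) and runs over a constructed .reg export and a constructed %LOCALAPPDATA% listing rather than a live machine.

```python
import re
from typing import Dict, List, Optional

# Constructed .reg export (not from the thread). Assumption: the hijack sits in
# the user's exefile open-command handler; the post only says "registry keys".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\smc.exe\" /START \"%1\" %*"
'''

# Constructed directory listing of %LOCALAPPDATA% (sample data, not real hosts).
SAMPLE_LISTING = ["smc.exe", "3194068152", "Microsoft", "Temp", "setup.log"]

ROGUE_EXE = re.compile(r"^[a-z]{3}\.exe$", re.IGNORECASE)   # e.g. smc.exe
ROGUE_DATA = re.compile(r"^\d{10}$")                        # 10-digit data file
DEFAULT_EXE_COMMAND = '"%1" %*'  # stock handler: run the clicked file as-is

def parse_reg_defaults(text: str) -> Dict[str, str]:
    """Map each [key] in a .reg export to its unescaped (Default) value."""
    values: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # .reg escaping: \" is a literal quote, \\ is a literal backslash
            values[key] = line[3:-1].replace('\\"', '"').replace("\\\\", "\\")
    return values

def exe_handler_hijacked(defaults: Dict[str, str]) -> Optional[str]:
    """Return the open command if an exefile handler deviates from the default."""
    for key, cmd in defaults.items():
        if key.lower().endswith(r"exefile\shell\open\command") and cmd.strip() != DEFAULT_EXE_COMMAND:
            return cmd
    return None

def suspicious_local_files(names: List[str]) -> List[str]:
    """Entries matching the 3-letter .exe / 10-digit naming the post describes."""
    return sorted(n for n in names if ROGUE_EXE.match(n) or ROGUE_DATA.match(n))

def assess(reg_text: str, listing: List[str]) -> Dict[str, object]:
    """Combine both indicators; the strongest signal is a hijacked handler that points at a dropper."""
    cmd = exe_handler_hijacked(parse_reg_defaults(reg_text))
    files = suspicious_local_files(listing)
    linked = bool(cmd) and any(f.lower() in cmd.lower() for f in files if f.lower().endswith(".exe"))
    return {"hijacked_command": cmd, "suspicious_files": files, "handler_points_at_dropper": linked}
```

On a real host the inputs would come from `reg export HKCU\Software\Classes` and a listing of %LOCALAPPDATA%; the filename patterns alone are weak evidence, so treat the handler check as the deciding signal.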
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you submitted the file in question to ESET as per the instructions here? You can also submit it to Virus Total to see which AVs detect it by the on-demand scanner.
     
  3. Khakiass

    Khakiass Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    8
    Marcos, according to VirusTotal, 7/42 are currently detecting this .exe (Kaspersky, BitDefender, and SuperAntiSpyware of note). For on-demand scanners, I can attest that Malwarebytes detects it, albeit classified as a GEN.trojan.

    ~Virus Total link removed per Policy.~

    Samples submitted again per your provided instructions -- I had previously been submitting them via the ESET context menus in Windows.
     
    Last edited by a moderator: Apr 15, 2011
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Please see this thread regarding the new engine update several days ago.
    Rogue AVs like these appear under different guises every day; no one is impervious to them. As Marcos said, there is the option of the online scanner and the free stand-alone removal tools and free removal utilities that are rogue/pest specific.
     