System Windows Antivirus 2008 malware

Discussion in 'ESET NOD32 Antivirus' started by folklore, Aug 27, 2008.

Thread Status:
Not open for further replies.
  1. folklore

    folklore Registered Member

    Joined:
    May 10, 2005
    Posts:
    16
A computer at a company I manage computers for keeps getting this malware infection (see title). I have NOD32 Ver 3 and all settings in set-up are checked: block unsafe programs, etc. The user of this computer in this office is from Russia. She visits many websites from that CO. She has been instructed not to "surf" at work, but you know how that goes. So now I will set this computer to limited user use. Anyway, why is NOD32 failing to knock this problem out? Is the user somehow overriding NOD32 protection? I would like to know how she manages to infect this machine with this same program (this is the 2nd time). I will prevent this from happening with stronger user account control, so yes, I know that; what I would like to hear from you guys is, again, how is NOD32 missing this, as I read it is "infamous malware"?

    Thanks
    Folk
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
You can have a look at any forum: every AV program is having difficulties detecting this stuff, as it's being continually produced by a group of coders with very good motivation. The reason is simple: the more people they deceive, the more money they will get from them. Of course, every AV vendor takes measures to achieve the best detection possible, but there is and always will be one whose turn it is to move, like in chess.
     
    Last edited: Aug 27, 2008
  3. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
I've submitted samples. You are not my only antivirus vendor, so I submit to more than just ESET. VirusTotal showed no antivirus vendor detecting the sample I had of the Antivirus 2009 virus when I obtained it yesterday. Today, two do. But still not ESET. Other people are submitting samples too, but they are not being added for a considerable time.

    I am up to 5 machines infected now. Only one infection is detected by NOD32 3.0 with the latest patterns. These are remote PCs, so I'm kind of at a loss what to do with them.

    I understand it takes time to react to these variants, but when samples are submitted and days go by without them being added, it is concerning.

    I've uploaded a video of one sample to www.acmenews.com/antivirus2009.avi. It's a VMware Workstation video which seems to play in Windows Media Player, but not in VLC for some reason.
    The VirusTotal hash from the scan I did yesterday, showing 0 detections:
    a3c4c8c49bdf9a52cd14016a6f3b71b4
    The hash from today's scan, showing two detections (one is a zip of it, the other isn't):
    e4d9fd859ee9c62dbb4bc02e28dc3716
    I'd like to think that perhaps if I'd let it install, NOD32 would detect what is downloaded, but the 4 undetected and infected PCs I have make me not so sure.
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
Use the following tools to clean it; it's fairly easy to clean. We've been slammed with these Vundo/Zlob variants. The following tools have had us cleaning machines up and returning them to end users quickly.

    CCleaner
    Malwarebytes
    SuperAntispyware
    Spybot S&D 1.6

    Done!
     
  5. ASpace

    ASpace Guest

It is not that she *personally* manages to reinfect the machine. It is NOD32 that is unable to remove the rogue program, and it is either still there or gets redownloaded.
     
  6. DooGie

    DooGie Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    112
A colleague of mine at work decided to open up a .zip attachment to an email, which resulted in this virus infecting his PC.
    I agree with your choice of software for removal but would add the latest version of SmitfraudFix to this. It did a good job of cleaning a lot of it up.
     
  7. element119

    element119 Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    72
Sound advice, indeed.
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    411
    Location:
    London England UK
    Re: Antivirus 2009 malware

On 27th Aug 2008 I googled for "windows 2000 server password restriction per user", and on the first page of hits was a site which purported to allow recovery of Win 2000 passwords. I went to it out of curiosity, and my browser offered to download AV2009Install_880135.exe because "my PC was infected and dangerous"! I downloaded it to my quarantine area, renamed its extension to mjq to avoid it being run accidentally, and then submitted it to VirusTotal.com. The report came back that, as of 27/8/2008 14:14 CET, only 4 out of 36 scanners found it: GData, Kaspersky, Prevx1, and Sophos. All others had failed. I reran the test today, as of 29/8/2008 12:08 CET, and now 13 out of 34 scanners detect it. NOD32 is one of the scanners that still fails to detect it. You're dragging your feet a bit!
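
The sample-handling routine described in the post above (download to a quarantine area, rename to a non-executable extension, hash it, compare against hashes others have already posted), written out as an added example. This is not code from the forum, from ESET or from VirusTotal. Assumptions: the `.mjq` extension is just an unregistered one, as in the post, and the sample content, the directory names and the "known" hash list are constructed for the demo.

```python
"""Quarantine a suspicious download safely and record its hashes.

Added example, not code from the thread or from any vendor.  The
extension, directory names and sample bytes below are assumptions
chosen for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumed: any extension Windows has no handler for; the post used "mjq".
QUARANTINE_EXT = ".mjq"


def hash_chunks(chunks):
    """Hash an iterable of byte chunks with the algorithms VirusTotal reports.

    Chunked so a multi-megabyte sample never has to sit in memory at once.
    """
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def file_hashes(path):
    """Hash a file on disk in 64 KiB chunks."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(65536), b""))


def quarantine(sample, quarantine_dir):
    """Move *sample* into *quarantine_dir* under a non-executable name.

    The copy is named by its SHA-256, so re-downloading the same file is
    visible as a collision, and a JSON sidecar records the original name
    and every hash you might need when checking a scanner report.
    """
    sample = Path(sample)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    hashes = file_hashes(sample)
    dest = qdir / (hashes["sha256"] + QUARANTINE_EXT)
    shutil.move(str(sample), str(dest))
    dest.chmod(0o600)  # owner read/write only; no execute bit on POSIX
    meta = {"original_name": sample.name, "size": dest.stat().st_size, **hashes}
    dest.with_suffix(".json").write_text(json.dumps(meta, indent=2))
    meta["quarantined_path"] = str(dest)
    meta["original_removed"] = not sample.exists()
    return meta


def matches_known(meta, known_md5s):
    """True if this sample's MD5 is one already reported (case-insensitive).

    MD5 is used because that is what scanner reports of the period quoted.
    """
    return meta["md5"].lower() in {h.lower() for h in known_md5s}


def demo():
    """Run the routine on a constructed stand-in file (not real malware)."""
    work = Path(tempfile.mkdtemp(prefix="av2009_demo_"))
    fake = work / "AV2009Install_880135.exe"   # name taken from the post
    fake.write_bytes(b"abc")                    # constructed placeholder content
    return quarantine(fake, work / "quarantine")


if __name__ == "__main__":
    info = demo()
    print(json.dumps(info, indent=2))
    # Constructed list; replace with MD5s actually reported in the thread.
    print("already reported:", matches_known(info, ["a3c4c8c49bdf9a52cd14016a6f3b71b4"]))
```

Renaming only defeats an accidental double-click; a quarantine directory should also be excluded from nothing but user execution, i.e. keep it off any path an autorun, scheduled task or browser download handler would touch, and never open the sidecar's original name as a file.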
     
  9. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

I used to use smitfraud (smitrem), VundoFix and SDFix, but the tools I mentioned above have gone through substantial definition updates and are able to clean the infections well.

    Many of the machines are regular clients of mine whose offices I stop by regularly, they had no returns of the infection.

Due to these outbreaks becoming widespread over the past 6 months, I've introduced a new line of defense at many clients. I've replaced their traditional router/NAT box/firewall with a UTM appliance called Untangle.
    http://www.untangle.com/
    The free open source version includes scanning of web/mail traffic via ClamAV, there's an included antispyware module which utilizes several technologies to scan the same traffic, and there is an optional subscription-based second antivirus layer using Kaspersky. Since implementing these boxes at some of my larger clients, the infections have stopped.
     