Uncleanable malware ; KAV & Avira inefficient

Discussion in 'other anti-virus software' started by mike113377, May 17, 2008.

Thread Status:
Not open for further replies.
  1. mike113377

    mike113377 Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    19
    Hi,

    A friend of mine has been infected by the W32.Tenga malware, also known as W32.Stanit, W32.Gael and so on (more info here: http://www.sophos.com/security/analyses/viruses-and-spyware/w32tengaa.html). From what I could understand, it keeps infecting random applications every day. I immediately advised him to give KAV a try, which is what he did. Using the latest version (7.0.1.325), after a full scan with tweaked settings (such as high heuristic detection), KAV successfully detected the infected .exe files and deleted them, but couldn't clean the virus itself. He also tried Avira Classic, fully updated. The results are the same: the infected applications were detected, but the malware remains. We could question the ability of both of these AVs to clean such an old piece of malware, but that's not the point of this thread. I don't know what I should recommend to him anymore, as both of these products were, in my eyes, esteemed for years and known to be the most efficient, if not the best, AVs.
    Any hint?

    Thanks
     
  2. ASpace

    ASpace Guest

    I remember that in the past I have successfully cleaned a very infected machine with this virus, Tenga, thanks to NOD32 v2.70.39.

    It might have been a different variant; ESET NOD32 detected it with a generic signature but did clean the files.

    You can try this, too.

    No matter the AV, the best would be to run a cleaning from a non-infected environment (such as a bootable disk or another OS). If my suggestion is not effective, tell your friend to contact the Support dept. of their AV vendor.
     
  3. alloucho

    alloucho Registered Member

    Joined:
    Dec 26, 2007
    Posts:
    145
    I suggest to try CureIt. You can grab it from here:
    http://www.freedrweb.com/
    It's free and you don't need to install. Just download and execute.
    I hope it will delete the malware. It's known to be the most efficient in this area. ;)
     
  4. mike113377

    mike113377 Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    19
    Thank you both for your quick answers.
    Well, I guess any AV / anti-malware would detect and clean/remove the infected files ... the main issue is removing the virus itself.
    Anyway, I'll tell my friend to give NOD32 & CureIt a try.
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Also try SUPERAntiSpyware; one of the three is bound to get rid of it.
     
  6. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Yes. I can confirm that, since I took a closer look at this virus when I was at ESET. For everyone who wants to learn a bit of assembly, here's my description of the Tenga virus:

    http://www.eset.com.br/threat-center/msgs/tengaa.htm
     
  7. mike113377

    mike113377 Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    19
    I will keep you guys up to date :)
     
  8. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
    I once had a virus that would multiply itself... I had like 50 copies of the same virus on my machine, but I couldn't click delete as fast as it was multiplying... You say both AVs detect and delete it... but it's still there...

    I'd just boot the computer into safe mode... That stopped it from multiplying for me... And then Kaspersky successfully deleted the remaining ones.
     
  9. harlan4096

    harlan4096 Registered Member

    Joined:
    May 6, 2008
    Posts:
    113
    Location:
    Almería (Spain)
    Did you try a full scan with Kaspersky in Safe Mode? Or even make a Rescue Disk with Kaspersky, with updated databases?

    Regards.
     
  10. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Avira offers a special removal tool for it:
    http://www.avira.de/en/support/antivir_removal_tool_details.html

    However, your friend should keep in mind that even cleaned executables might not be able to run properly anymore. This is especially true for binaries that do self-checks, or installers which originally had overlay data, as file infectors sometimes irreparably damage files without any chance for cleaners to detect the damage as such.
    It will also often break signed executables if their signature is checked on execution.
     
  11. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Yes. The problem here is that some parasitic file infectors check only the header for the section number, add +1 to it and attach themselves as a new section at the end of the file. HOWEVER, they strip/overwrite the overlay. Overlay data is basically similar to a "COPY /B Executable.EXE+Binarydata.DAT Installer.EXE".
     
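The mechanism described in the two posts above (FRug's point that a cleaned installer may be left without its overlay, and the header walk Inspector Clouseau describes: bump the section count, append a section, lose the overlay) as an added worked example. This is not code from the thread, from ESET, Avira or any other vendor, and it is not a description of the real W32/Tenga code. It builds a constructed PE32 image with one section and an installer-style overlay, simulates the section-appending infection, then applies the only generic cleanup available (cut the appended section and reset the count) and shows that the overlay cannot be recovered because nothing in the file records that it was ever there. The section name `.tenga`, the payload bytes and the overlay contents are assumptions for illustration.

```python
"""Added illustration: minimal PE32 builder/walker that reproduces a
section-appending infection and shows why cleaning cannot restore an
overlay.  All data is constructed; not W32/Tenga's code, not a vendor's
disinfection routine."""
import struct

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
OPT_HDR_SIZE = 0xE0                      # PE32 optional header length
SEC_FMT = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, overlay=b""):
    """Build a constructed PE32 from [(name, raw_bytes)] plus an optional overlay:
    bytes after the last section, exactly like 'COPY /B stub.exe+data.dat'."""
    headers_size = _align(0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0x00, 0x10B)                         # Magic = PE32
    struct.pack_into("<I", opt, 0x20, SECTION_ALIGN)
    struct.pack_into("<I", opt, 0x24, FILE_ALIGN)
    struct.pack_into("<I", opt, 0x3C, headers_size)                  # SizeOfHeaders
    sec_hdrs, body, raw_ptr, va = b"", b"", headers_size, SECTION_ALIGN
    for name, raw in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        sec_hdrs += struct.pack(SEC_FMT, name.ljust(8, b"\0"), len(raw), va,
                                raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(max(len(raw), 1), SECTION_ALIGN)
    hdr = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs).ljust(headers_size, b"\0")
    return hdr + body + overlay


def parse_pe(data):
    """Walk the headers; the overlay begins where the last section's raw data ends."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]               # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]          # SizeOfOptionalHeader
    size_of_headers = struct.unpack_from("<I", data, e_lfanew + 24 + 0x3C)[0]
    table = e_lfanew + 24 + opt_size                                     # section table start
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_FMT, data, table + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                     "raw_size": f[3], "raw_ptr": f[4]})
    end = max((s["raw_ptr"] + s["raw_size"] for s in secs), default=size_of_headers)
    return {"e_lfanew": e_lfanew, "nsec": nsec, "table": table,
            "size_of_headers": size_of_headers, "sections": secs, "overlay_offset": end}


def overlay(data):
    return data[parse_pe(data)["overlay_offset"]:]


def infect_append_section(data, payload, name=b".tenga"):
    """Simulated infector: NumberOfSections += 1, new header in the free header
    padding, payload written where the last section ended.  Whatever sat there
    (the overlay) is dropped and nothing records that it existed.  The section
    name is an assumption for illustration only."""
    pe = parse_pe(data)
    slot = pe["table"] + 40 * pe["nsec"]
    if slot + 40 > pe["size_of_headers"]:
        raise ValueError("no free section header slot")
    last = pe["sections"][-1]                       # assumes at least one section
    new_va = _align(last["va"] + max(last["vsize"], 1), SECTION_ALIGN)
    raw_size = _align(len(payload), FILE_ALIGN)
    out = bytearray(data[:pe["overlay_offset"]])    # overlay discarded right here
    struct.pack_into(SEC_FMT, out, slot, name.ljust(8, b"\0"), len(payload), new_va,
                     raw_size, pe["overlay_offset"], 0, 0, 0, 0, 0xE0000020)
    struct.pack_into("<H", out, pe["e_lfanew"] + 6, pe["nsec"] + 1)
    return bytes(out) + payload.ljust(raw_size, b"\0")


def clean_remove_last_section(data, name=b".tenga"):
    """What a generic disinfector can do: cut the appended section and reset the
    count.  The file parses as clean, but the overlay is gone for good."""
    pe = parse_pe(data)
    last = pe["sections"][-1]
    if last["name"] != name:
        raise ValueError("last section is not the simulated infection")
    out = bytearray(data[:last["raw_ptr"]])
    slot = pe["table"] + 40 * (pe["nsec"] - 1)
    out[slot:slot + 40] = b"\0" * 40
    struct.pack_into("<H", out, pe["e_lfanew"] + 6, pe["nsec"] - 1)
    return bytes(out)


if __name__ == "__main__":
    # Constructed installer: one code section plus a cabinet-style overlay.
    installer = build_pe([(b".text", b"\xC3" * 16)], overlay=b"MSCF" + b"constructed-cab" * 8)
    infected = infect_append_section(installer, b"\x90" * 300)
    cleaned = clean_remove_last_section(infected)
    for label, f in (("original", installer), ("infected", infected), ("cleaned", cleaned)):
        print(f"{label:9} sections={parse_pe(f)['nsec']} overlay={len(overlay(f))} bytes")
```

The same `overlay()` walk is the check a practitioner can run on a suspect or freshly cleaned installer: if the file is a self-extractor that should carry data after its last section and `overlay()` returns nothing, the cleaner has handed back a file that will fail at run time even though no scanner flags it anymore.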
  12. ASpace

    ASpace Guest


    Very kind of you; the review and perhaps the threat analysis have been created by you personally. :D :)
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,702
    Hello,

    Boot from CD.
    Remove offending files.
    Boot into Windows.
    Use existing tools (AV etc) to remove the remnants.

    Mrk
     
  14. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    So one finally got by Avira and Kaspersky. About time. :cautious: ;)
     
  15. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    He was infected before installing KAV or KIS.
    And as harlan4096 said, if he scans in safe mode, KAV or KIS will probably clean it up.
     
  16. mike113377

    mike113377 Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    19
    Actually, I should have mentioned that he was ALREADY using KAV when he got infected. I just told him to make sure that he was using the latest version with latest definitions and tweaked heuristic scan settings.
     
  17. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
  18. mike113377

    mike113377 Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    19
    Sure.
    That is still quite a questionable way of cleaning this. I mean, both KAV/Avira detected infected files (and keep detecting new infected files), but the user is never advised to do a full scan in safe mode. The way it is now is a never-ending circle, removing different infected applications each day ...
     