Viruses can remove anti-viruses again: Trojan.VkBase.1

Discussion in 'other anti-virus software' started by sg09, Dec 19, 2010.

Thread Status:
Not open for further replies.
  1. sg09

    sg09 Registered Member

    http://news.drweb.com/show/?i=1406&c=5&lng=en&p=0
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Wow, very clever. I'm wondering if those uninstall routines are the official ones or not, as quite a few AVs have a password protect option that also prompts when using the uninstaller.
     
  3. Nevis

    Nevis Registered Member

    I wonder how it can turn off so many AVs... ??
     
  4. m00nbl00d

    m00nbl00d Registered Member

    It's concerning that such things happen, but this article seems to be rather a self-promotion: Ours will protect you, because we have promptly fixed a vulnerability in ours, but with others you're screwed...

    Hey users (This is what Dr.Web folks could think of): Want to learn to deploy some software restriction policies, applocker, limited user account, harden web browser, etc? No? OK, thanks... better for us.

    :D
     
  5. Rampastein

    Rampastein Registered Member

    An interesting way of fooling users. A good BB or HIPS should block that though, especially when it tries to restart the computer / obtain shutdown privileges.
     
  6. carat

    carat Guest

    Maybe that's the first uninstaller that completely removes Avira :D
     
  7. Tunerz

    Tunerz Registered Member

    Hopefully, it is good on removing old pesky Norton installs, which were as good as malware itself.
     
  8. 3GUSER

    3GUSER Registered Member

    There's a better one - called NRT
     
  9. whitedragon551

    whitedragon551 Registered Member

    I wonder if Sandboxie can contain it as well.
     
  10. Boyfriend

    Boyfriend Registered Member

    Thanks sujay for share :) DefenseWall can protect against it, as it will not allow shutdown privileges to untrusted files/executable.
     
  11. Barthez

    Barthez Registered Member

    Thanks for the heads up. Now we need someone with copy of that nasty to perform a test against various AVs ;]

    On the other hand, giving the user 90 minutes is a tricky move. Long enough to be able to acquire some money and give it to them, but too short to get some help in forums.

    As for the quoted note itself: it of course contains Dr.Web self-promotion elements, but nevertheless it's important news, and Dr.Web is known for strong self-defense and good removal capabilities, so nothing explicitly bad has happened IMO.
     
  12. andyman35

    andyman35 Registered Member

    Without actually testing this malware I'd have to say that I'd be extremely surprised if SBIE didn't contain this; it does so with every other similar threat I've tried.

    It's hard not to be impressed by the ingenuity behind this malware though; such a pity it isn't focused in a positive way.
     
  13. Barthez

    Barthez Registered Member

    They should name it Universal AV remover PRO and sell it for $9.95. The Free version would only delete AV leftovers. Giving away some licenses through some known websites wouldn't be bad idea also ;)
     
  14. kjdemuth

    kjdemuth Registered Member

    +1
    If it's an executable that's run in the sandbox, it should be contained. Executables run in the sandbox have no access to system processes.
    If it's run outside, then you're out of luck.
     
  15. andyman35

    andyman35 Registered Member

    Excellent idea :D
     
  16. elapsed

    elapsed Registered Member

    What would the world be like without the monthly virus scare to sucker people into a specific AV? :)

    Once again, if it escaped detection onto your system to even uninstall your AV, it already failed, your passwords could already be stolen, your personal files could already be encrypted, and every other bad thing a virus can do... etc...
     
  17. cheater87

    cheater87 Registered Member

    Since Comodo has D+ and sandboxing for unknown files (Set as untrusted/restricted/blocked) I'm sure it should be able to prevent anything from this malware.
     
  18. kjdemuth

    kjdemuth Registered Member

    Anyone have a link for the sample? PM me if you do.
     
    Last edited: Dec 19, 2010
  19. AvinashR

    AvinashR Registered Member

    I guess the malware author used the same technique which was used in a previous KillAV.BAT virus. It was an OLD batch file virus which kills all the AV processes and then removes them.. Not sure though..

    Well, malware trading is not allowed in this forum, but in case anybody has this sample, do send me its MD5 or SHA256 .. After that I will find it...:p
     
  20. the dummy

    the dummy Registered Member

    How likely would it be to come across this kind of malware in the wild for the average joe here in the U.S. ?
     
  21. Triple Helix

    Triple Helix Specialist

    There are lots of viruses that delete the resident AV or their processes, and most of them come from fake AVs and fake AMs that make your AVs & AMs useless. That's where Rescue CDs and portable security apps come into play!

    TH
     
    Last edited: Dec 19, 2010
  22. AvinashR

    AvinashR Registered Member

    Well don't forget, "If it cannot EXECUTE, it cannot INFECT .."

    So better start implementing SRP, if you have Windows XP or Windows Vista, & AppLocker, if you have Windows 7 Enterprise or Ultimate.

    Well, I know there are many users who are using the Home Basic, Home Premium and Professional versions of Windows Vista and Windows 7, but don't worry, you can also implement SRP by using specially made registry files by Sully, Tlu, Kees1958 and by me also :p ...

    And if you are comfortable with HIPS or other anti-executable software like Faronics Anti-Executable or AppGuard, then go for it.. I am sure this kind of software is going to protect you from a number of malware infections.

    Last but not least "Use your common sense too while navigating the Internet World ..."
     
  23. Triple Helix

    Triple Helix Specialist

    99% of the users in the world don't know that; that's why malware cleaning forums are always full of infected users! At least the ones that go to security forums like Wilders try to learn how to keep their machines protected and clean of malware. I just feel sorry for the ones that don't!

    TH
     
  24. Raven_X

    Raven_X Registered Member

    Me & my family use Avira AntiVir Free, and it does not have password protection as Avira Premium does.
    So my question is how to protect against those viruses that disable Avira, without using any other apps, because we use a firewall router + Windows Firewall?
     
  25. Triple Helix

    Triple Helix Specialist

    Great info here: https://www.wilderssecurity.com/showthread.php?t=252253

    TH
     