Viruses can remove anti-viruses again: Trojan.VkBase.1

Discussion in 'other anti-virus software' started by sg09, Dec 19, 2010.

Thread Status:
Not open for further replies.
  1. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,713
    Location:
    Kolkata, India
    http://news.drweb.com/show/?i=1406&c=5&lng=en&p=0
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Wow, very clever. I'm wondering whether those uninstall routines are the official ones or not, as quite a few AVs have a password protection option that also prompts when using the uninstaller.
     
  3. Nevis

    Nevis Registered Member

    Joined:
    Aug 28, 2010
    Posts:
    786
    Location:
    255.255.255.255
    I wonder how it can turn off so many AVs... ??
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It's concerning that such things happen, but this article seems to be rather a self-promotion: ours will protect you, because we have promptly fixed a vulnerability in ours, but with others you're screwed...

    Hey users (this is what the Dr.Web folks could be thinking): want to learn to deploy some software restriction policies, AppLocker, a limited user account, a hardened web browser, etc.? No? OK, thanks... better for us.

    :D
     
  5. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    An interesting way of fooling users. A good BB or HIPS should block that though, especially when it tries to restart the computer / obtain shutdown privileges.
     
  6. carat

    carat Guest

    Maybe that's the first uninstaller that completely removes Avira :D
     
  7. Tunerz

    Tunerz Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    96
    Location:
    Philippines
    Hopefully, it is good on removing old pesky Norton installs, which were as good as malware itself.
     
  8. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    There's a better one, called NRT.
     
  9. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    I wonder if Sandboxie can contain it as well.
     
  10. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks sujay for sharing :) DefenseWall can protect against it, as it will not grant shutdown privileges to untrusted files/executables.
     
  11. Barthez

    Barthez Registered Member

    Joined:
    Apr 28, 2010
    Posts:
    112
    Location:
    Poland
    Thanks for the heads up. Now we need someone with a copy of that nasty to perform a test against various AVs ;]

    On the other hand, giving the user 90 minutes is a tricky move. Long enough to be able to acquire some money and give it to them, but too short to get some help on forums.

    As for the quoted note itself: it of course contains Dr.Web self-promotion elements, but nevertheless it's important news, and Dr.Web is known for strong self-defense and good removal capabilities, so nothing explicitly bad has happened IMO.
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Without actually testing this malware I'd have to say that I'd be extremely surprised if SBIE didn't contain this; it does so with every other similar threat I've tried.

    It's hard not to be impressed by the ingenuity behind this malware though, such a pity it isn't focused in a positive way.
     
  13. Barthez

    Barthez Registered Member

    Joined:
    Apr 28, 2010
    Posts:
    112
    Location:
    Poland
    They should name it Universal AV Remover PRO and sell it for $9.95. The Free version would only delete AV leftovers. Giving away some licenses through some known websites wouldn't be a bad idea either ;)
     
  14. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    +1
    If it's an executable that's run in the sandbox, it should be contained. Executables run in the sandbox have no access to system processes.
    If it's run outside, then you're out of luck.
     
  15. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Excellent idea :D
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    What would the world be like without the monthly virus scare to sucker people into a specific AV? :)

    Once again, if it escaped detection onto your system to even uninstall your AV, it has already failed; your passwords could already be stolen, your personal files could already be encrypted, and every other bad thing a virus can do... etc...
     
  17. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    Since Comodo has D+ and sandboxing for unknown files (Set as untrusted/restricted/blocked) I'm sure it should be able to prevent anything from this malware.
     
  18. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Anyone have a link for the sample? PM me if you do.
     
    Last edited: Dec 19, 2010
  19. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    I guess the malware author used the same technique that was used in a previous KillAV.BAT virus. It was an OLD batch file virus which killed all the AV processes and then removed them.. Not sure though..

    Well, malware trading is not allowed in this forum, but in case anybody has these samples, do send me the MD5 or SHA256.. After that I will find it...:p
     
  20. the dummy

    the dummy Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    71
    How likely would it be to come across this kind of malware in the wild for the average Joe here in the U.S.?
     
  21. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    There are lots of viruses that delete the resident AV or its processes, and most of them come from fake AVs and fake AMs that make your AV & AM useless; that's where Rescue CDs and portable security apps come into play!

    TH
     
    Last edited: Dec 19, 2010
  22. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Well, don't forget: "If it cannot EXECUTE, it cannot INFECT .."

    So better start implementing SRP if you have Windows XP or Windows Vista, and AppLocker if you have Windows 7 Enterprise or Ultimate.

    Well, I know there are many users who are using the Home Basic, Home Premium and Professional versions of Windows Vista and Windows 7, but don't worry, you can also implement SRP by using specially made registry files by Sully, Tlu, Kees1958 and by me also :p ...

    And if you are comfortable with HIPS or other anti-executable software like Faronics Anti-Executable or AppGuard, then go for it.. I am sure these kinds of software are going to protect you from a number of malware infections.

    Last but not least: "Use your common sense too while navigating the Internet world ..."
     
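The registry-based SRP setup mentioned in the post above, as an added example that is not from the thread and not one of the .reg files by Sully, Tlu or Kees1958: a default-deny Software Restriction Policy written straight to the Safer registry keys, for Windows editions that lack secpol.msc. The rule GUIDs, the allowed and denied paths, and the enforced file-type subset are constructed for this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# SRP keeps its policy under HKLM\...\Safer\CodeIdentifiers; these are the same
# keys that secpol.msc writes on editions that have the Local Security Policy editor.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $safer -Force | Out-Null

# DefaultLevel 0 = Disallowed: nothing runs unless a path rule allows it (0x40000 = Unrestricted).
Set-ItemProperty -Path $safer -Name 'DefaultLevel'        -Value 0 -Type DWord
# TransparentEnabled 1 = enforce on all software files except libraries (DLLs); 2 would include DLLs.
Set-ItemProperty -Path $safer -Name 'TransparentEnabled'  -Value 1 -Type DWord
# PolicyScope 0 = apply to all users, including local administrators (1 would exempt admins).
Set-ItemProperty -Path $safer -Name 'PolicyScope'         -Value 0 -Type DWord
Set-ItemProperty -Path $safer -Name 'AuthenticodeEnabled' -Value 0 -Type DWord
# Designated file types the policy covers (constructed subset; the editor's default list is longer).
Set-ItemProperty -Path $safer -Name 'ExecutableTypes' -Type MultiString `
    -Value @('EXE','COM','BAT','CMD','SCR','PIF','MSI','VBS','JS','HTA','CPL','REG','LNK')

# One subkey per path rule, named by a GUID, under the subkey for the level the rule grants:
# 262144 (0x40000) = Unrestricted, 0 = Disallowed.
function Add-SaferPathRule([int]$Level, [string]$Path, [string]$Description) {
    $rule = Join-Path $safer ("{0}\Paths\{{{1}}}" -f $Level, [guid]::NewGuid())
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name 'ItemData'    -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $rule -Name 'SaferFlags'  -Value 0            -Type DWord
    Set-ItemProperty -Path $rule -Name 'Description' -Value $Description -Type String
}

# Allow the OS and installed programs (constructed allow-list).
Add-SaferPathRule 262144 '%SystemRoot%'           'Windows directory'
Add-SaferPathRule 262144 '%ProgramFiles%'         'Installed programs'
Add-SaferPathRule 262144 '%ProgramFiles(x86)%'    'Installed 32-bit programs'
# Caveat: %SystemRoot% contains user-writable folders, so re-deny them explicitly.
Add-SaferPathRule 0      '%SystemRoot%\Temp'      'Writable by all users'
Add-SaferPathRule 0      '%SystemRoot%\Tasks'     'Writable by all users'

# Policy takes effect at next logon. Check: launching an EXE copied to %TEMP% should be refused
# with "This program is blocked by group policy".
Get-ItemProperty -Path $safer | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
```

User-profile locations (%USERPROFILE%, %APPDATA%) are not allowed by any rule above, so a downloaded installer must be moved into an allowed folder by an administrator before it will run.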
  23. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    99% of the users in the world don't know that; that's why malware cleaning forums are always full of infected users! At least the ones that go to security forums like Wilders try to learn how to keep their machines protected and clean of malware. I just feel sorry for the ones that don't!

    TH
     
  24. Raven_X

    Raven_X Registered Member

    Joined:
    Dec 8, 2010
    Posts:
    36
    Me & my family use Avira AntiVir Free, and it does not have the password protection that Avira Premium has.
    So my question is how to protect against those viruses that disable Avira, without using any other apps, because we use a firewall router + Windows Firewall.
     
  25. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Great info here: https://www.wilderssecurity.com/showthread.php?t=252253

    TH
     