Endpoint Protection

  • 1.  FakeAV Mitigation

    Posted Mar 03, 2010 12:46 PM
    I just ran into another variant of Trojan.FakeAV today (before rapid release coverage). During the infection (SEP used latest AV, Proactive, and IPS definitions with maximum Bloodhound and 100 level Proactive sensitivity), any attempt to go to a security website, run task manager, cmd.exe, regedit, or explorer was terminated by the application showing as Antivirus Soft Demo. Usually with this type of malware, there is a shortcut on the desktop for it so you can determine its home directory. In this case there was not. Failed attempts at removing the malware included downloading and running Malwarebytes. The malware responded by populating Internet Explorer with a bunch of porn and claimed that coh.exe (Symantec software) was the root cause of the porn and asked to terminate it.

    The only way to resolve it was to run IE as a different user than the one logged in, download Sysinternals' Process Explorer to identify the process, reboot into safe mode and delete it manually. This was a fully patched Windows XP box with a user running as a non-administrator. The process is now detected by Rapid Release v22 (today's date).

    Just thought I'd share the methodology, as it looks like FakeAV infections are ramping up this week with little or no mitigation help from security removal products.


  • 2.  RE: FakeAV Mitigation

    Posted Mar 03, 2010 12:54 PM
    Today I spent half of the day removing fake AVs and other things from my manager's laptop. That too with the CPU at 100%. Quite a frustrating day.


  • 3.  RE: FakeAV Mitigation

    Posted Mar 03, 2010 01:03 PM
    We are also having an increasing problem with fake AV and I'm seeing the same problem as tekkid.

    It's really a pain!!


  • 4.  RE: FakeAV Mitigation

    Posted Mar 03, 2010 03:02 PM
    I wonder if the malware embedded itself so well because of a privilege escalation vulnerability or if it's just that good running as a limited user.

    Good job figuring out how to get rid of it.


  • 5.  RE: FakeAV Mitigation

    Posted Mar 03, 2010 03:38 PM
    It runs in HKCU and in the %userprofile%\local settings\application data directory. It can kill any Windows process running as the same user. So if the logged on user in question is running as a restricted user, that's what privileges the FakeAV most likely has (I'm sure that's not an absolute and there are exceptions where it can gain privileges due to a vulnerability). The FakeAV software can kill any process executed by that same user (which makes sense). How I was able to circumvent it was by running processes as a different user than the one logged on at the time. Safe mode is the best option, just not an option when the computer user is working remotely.
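The two persistence locations named in this reply (HKCU and the user's local application data folder) can be inventoried from a second session without touching the infected user's processes. The following PowerShell script is an added example, not something posted in this thread or shipped by Symantec: it lists the HKCU Run/RunOnce entries, resolves each command to its executable, flags binaries living under Local Application Data, reports their Authenticode signature status, and then lists running processes whose image sits in that folder. It assumes a Windows host with PowerShell 2.0 or later; the key names and folder lookup are standard, everything else (function names, output format) is my own choice.

```powershell
# Added example (not from the thread): inventory per-user autoruns and running
# images under the profile's local application data folder. Run it from a
# session belonging to a different (administrative) user, as the reply above
# describes, so the script's own process is not killed by malware running as
# the logged-on user.

# Works on XP too, where $env:LOCALAPPDATA is not set by default.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePathFromCommand {
    # Reduce a Run value such as  "C:\path\x.exe" /arg  to the executable path.
    param([string]$Command)
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-UnderLocalAppData {
    # True when the path starts with the user's Local Application Data folder.
    param([string]$Path)
    return ($Path -and $Path.StartsWith($localAppData, [StringComparison]::OrdinalIgnoreCase))
}

Write-Host "== HKCU autorun entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata properties
        $image  = Get-ImagePathFromCommand ([string]$p.Value)
        $exists = Test-Path -LiteralPath $image
        # Signature status: Valid, NotSigned, HashMismatch, ... or 'missing' if the file is gone
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'missing' }
        $flag = if (Test-UnderLocalAppData $image) { 'REVIEW' } else { '' }
        "{0,-8} {1,-14} {2} -> {3}" -f $flag, $sig, $p.Name, $image
    }
}

Write-Host "`n== Running processes with image under $localAppData =="
# Path is null for processes this session cannot open; those are skipped.
Get-Process |
    Where-Object { $_.Path -and (Test-UnderLocalAppData $_.Path) } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize
```

Entries marked REVIEW are not automatically malicious (legitimate per-user installers also use that folder), so the signature column and the process list are there to narrow the candidates before deciding what to remove in safe mode. To check another profile's HKCU hive from the second session, load its NTUSER.DAT with reg load and point $runKeys at the loaded hive instead.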