
New FAKE AV "MS REMOVAL TOOL"

Created: 07 Apr 2011 • Updated: 19 Sep 2011 | 13 comments
FbacchinZF:

Lately I'm facing a new malware which calls itself "MS REMOVAL TOOL" (see attached pic) and tries to sell "fake" AV protection to the user.

The Trojan is able to infect a user's PC even if it runs SEP11 with PTP enabled and the latest defs.

So far, I've found (and submitted to Security Response) 3 variants of this same Trojan:

Country         Filename                 Date       Tracking #   MD5
Germany         hCa06504ePaDa06504.exe   4/4/2011   19747815     AD6CB4A1880EA89DE0AB2F0D275C6088
Czech Republic  eMd27500lKfNd27500.exe   5/4/2011   19785919     04AACF354B964A4E6FBAF83A94D2024B
Germany         bOe27500oEmFn27500.exe   7/4/2011   19786295     3B9BF61AD5B902E879DCBF744A2C7496

But this reactive work makes no sense! It seems that the Trojan writers are releasing a new variant each day.

Proactive Threat Protection is useless, since it cannot detect the Trojan.

SEP11 Tamper Protection protects itself when the Trojan tries to stop it, but this is not enough.

MalwareBytes and similar tools also do not detect it.

So, what should we do?

I really expect Symantec to go deep on this in order to find and stop the distributing source (which seems to be several websites with IFRAME exploits).

And if you have also seen this Trojan before, leave a comment.


Thomas K:

Are you running SEP with the recommended AV Security settings?

Security Response recommends the following Scan Settings

Antivirus Security Setting                    Default Setting    High Security Policy   Security Response Recommendation
Lock settings                                 Some               Some                   All
Remediation: terminate processes              No                 No                     Yes
Remediation: terminate services               No                 No                     Yes
Auto-Protect action taken for security risks  Quarantine/Log     Quarantine/Log         Quarantine/Delete
Network Auto-Protect                          Disabled           Enabled                Enabled
Bloodhound Level                              Default (2)        Default (2)            Default (3)
SEP Startup                                   System Start       System Start           System Start
Auto-Protect Scan                             Modify and access  Modify and access      Modify and access

Security Response recommends the following setting changes to Truscan for best protection

Truscan              Default Setting   Security Response Recommendation
Scan Sensitivity     9/Low             100
Action on Detection  Log               Terminate
Scan Frequency       1:00              00:15

http://www.symantec.com/business/support/index?pag...

Also follow the Security Best Practices - http://www.symantec.com/business/theme.jsp?themeid...

Brɨan:

I've already posted on this in a previous thread. I don't remember the name of the thread though. Probably 2 months ago. It is easy to remove.

The problem is the authors of it don't change the code only once per day but multiple times per day, so trying to keep up with signatures is nearly impossible. FakeAV is not a worm or trojan so I wouldn't expect PTP to catch it.

Until SEP 12.1 comes out with its file reputation, I would suggest using an application control policy to stop this.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

FbacchinZF:

Yes, I'm using exactly these settings, except for Bloodhound, which I'm using on level 2.

Mithun Sanghavi:

Hello,

Try the following:

Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 
 
https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec
 
Also, try running the Power Eraser.

About Symantec Power Eraser

http://www.symantec.com/business/support/index?page=content&id=TECH134803

Hope that works for you.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


sandra.g:

Not only Windows and IE, but update Adobe Reader / Flash, Quicktime, Java to the most current version. A good deal of these things sneak in through website advertising, usually through third party ad servers.

Are you using Network Threat Protection for Intrusion Prevention?

Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/docs/TECH95347

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection


la_ripper:

Well, my advice to you would be to check if there is anything in the startup:

start > run > msconfig > startup

Check for suspicious files, then check the location of the suspicious threat and submit it to Symantec Security Response.

As far as my experience goes, that fake AV is always in the user profile. To get rid of it, change the user profile; if it still exists, create a new user and scan the machine. That would take care of it.

Also, please make sure you delete all files from the user profile, that is C:\Documents and Settings\%USER NAME%\Local Settings\TEMP

and c:\windows\temp
 

FbacchinZF:

I know how to remove the threat manually; that's not the problem.
I want to know how to avoid new clients getting infected, since Realtime or PTP cannot detect it.
Symantec Power Eraser does not detect it either.
The PCs have the latest MS, Adobe and IE updates.

So far, I haven't tried NTP+IDS or app & device control.

sandra.g:

Since the code on those changes so frequently, you will definitely want to install NTP and enable IPS; it is more proactive than reactive. This document will give you a good idea of what the IPS signatures are capable of detecting:

SEP and Norton Network Threat Protection/IPS Signature Naming Improvements
http://www.symantec.com/docs/TECH152794

You may want to increase the heuristic sensitivity too, if you haven't.

How to enable, disable, or configure Bloodhound (TM) heuristic virus detection in Endpoint Protection.
http://www.symantec.com/docs/TECH92424

Also recommend:

https://www-secure.symantec.com/connect/forums/tur...

https://www-secure.symantec.com/connect/articles/h...

sandra


Prahveer:

The golden rule is that security is only as strong as the weakest link in your company: end users who invite malicious code by clicking on dubious links on the internet, for example, clicking OK to install xyz screensaver or free software to get music/porn.

Your IT personnel should educate and sensitise end users to act responsibly on the internet. I highly doubt there is any security software which will give you 100% protection against malware if your employees consistently click OK on everything on the internet without thinking about the consequences.

You could also consider using Application and Device Control policies to prevent creation of exe files in C:\Documents and Settings\%USER NAME%\Local Settings\ and c:\windows\temp

Document yourself on

http://www.symantec.com/avcenter/security/ADC/Conf...

Also, note that enabling IPS and NTP should help protect against network-borne threats/exploits, including FAKE AVs.

Ideally, I would suggest you apply Application and Device Control policies and IPS/NTP on a few workstations for testing purposes to guard against issues.

You should understand that finding the best possible configuration will take time and may result in issues of varying severity in the beginning. But in the long run, it's you who will derive maximum benefit.

Prahveer Kumar
BSc(Hons) Mathematics - year 2 student
University Of Technology,Mauritius
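The following triage helper is an added example, not code from this thread, from Symantec or from any of the posters. It walks the two temp locations la_ripper and Prahveer name, hashes every .exe it finds and compares the MD5 against the three variants listed in the first post; it also flags file names that follow the scheme the three listed samples share (letters, a five-digit group, letters, then the same five digits), which is an inference from only those three names, and it assumes %TEMP% resolves to the user's Local Settings\TEMP.

```python
import hashlib
import os
import re

# MD5s of the three submitted variants, copied from the table in the first post.
KNOWN_VARIANTS = {
    "ad6cb4a1880ea89de0ab2f0d275c6088": "hCa06504ePaDa06504.exe (DE, tracking 19747815)",
    "04aacf354b964a4e6fbaf83a94d2024b": "eMd27500lKfNd27500.exe (CZ, tracking 19785919)",
    "3b9bf61ad5b902e879dcbf744a2c7496": "bOe27500oEmFn27500.exe (DE, tracking 19786295)",
}

# Naming scheme shared by the three samples above: letters, a 5-digit group, letters,
# then the SAME 5-digit group (e.g. hCa06504ePaDa06504.exe). Inferred from three files only.
NAME_PATTERN = re.compile(r"^[A-Za-z]+(\d{5})[A-Za-z]+\1\.exe$")


def matches_variant_name(filename):
    """True if the base name (Windows or POSIX path) follows the known naming scheme."""
    base = re.split(r"[\\/]", filename)[-1]
    return NAME_PATTERN.match(base) is not None


def classify(filename, md5_hex):
    """'known-variant' on an MD5 hit, 'suspicious-name' on the name pattern, else 'clean'."""
    if md5_hex.lower() in KNOWN_VARIANTS:
        return "known-variant"
    if matches_variant_name(filename):
        return "suspicious-name"
    return "clean"


def md5_of(path):
    with open(path, "rb") as handle:
        return hashlib.md5(handle.read()).hexdigest()


def scan(directories):
    """Yield (path, verdict) for every .exe under the given directories."""
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in (n for n in files if n.lower().endswith(".exe")):
                path = os.path.join(root, name)
                try:
                    yield path, classify(name, md5_of(path))
                except OSError:  # locked or unreadable file: report it rather than abort
                    yield path, "unreadable"


if __name__ == "__main__":
    # Locations named in the thread: the user's Local Settings\TEMP (assumed = %TEMP%) and C:\Windows\Temp.
    targets = [d for d in (os.environ.get("TEMP", ""), r"C:\Windows\Temp") if d and os.path.isdir(d)]
    for path, verdict in scan(targets):
        if verdict != "clean":
            print(verdict, path)
```

A hash hit identifies one of the three submitted samples only; a name-pattern hit is a hint for manual review, since the authors change the binary many times a day, as noted above.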

david in canada:

I am annoyed that Norton Internet Security allowed this malware to infect my main computer when Symantec has clearly been aware of it for several days.  

I will try to figure out what all the fixes in the preceding messages are telling me to do, but come on, Symantec!  I paid good money for your protection, and you have let me down, badly.

Brɨan:

Everyone is aware of it. As mentioned many times, the code changes hundreds of times a day, staying one step ahead of the virus definitions. Other methods are now needed to stop this junk. It is a fun new era that is upon us...

Santhosh k:

I also faced the same problem. I just started my system in safe mode and restored back. It is working fine now.