
XP antivirus 2008

Created: 30 Apr 2008 • Updated: 21 May 2010 | 54 comments
This issue has been solved.
We recently got this malware and neither Symantec Endpoint nor CounterSpy could remove it. Has anyone else been infected with this as we have? What did you do to get rid of it?


pbogu wrote:

I saw one infection with that and it came with SmitFraud. Use SmitFraudFix first and then scan everything with Spybot S&D; after that you can scan with AV just to be sure.

ChadG wrote:
We had to use AVG to clean up a few systems that Symantec couldn't. Just use the free version for the scan, then you can remove it afterwards.

I hope it works for you.
Knottyropes wrote:
Just nailed another machine.

This time it is locked down; Ctrl-Alt-Del does nothing.
Not worth the time to remove it, I can rebuild it faster than I can search how to fix it.
Lincster wrote:

Has anyone contacted Symantec to find out why their product does not detect/fix this?

The error I get states "access denied" when trying to fight these processes.

Someone Else wrote:

We got hit by this also.  The older Symantec Antivirus 10.1.7/10.2.1 was also unable to block/remove it.  Coincidentally, we are up for maintenance/support renewal this month.  If management gets wind of this, we're in deep doo-doo.

Knottyropes wrote:

Just had my 5th run-in with this one at work and like 4 times on friends' machines.

It was an ecard link in email; the user did not notice the .exe at the end.

If you catch it fast enough you can stop its services and delete all the files (random names).

This one is starting to get to me.

Kwegar99 wrote:

I have managed to remove this on one system so far and will be trying it on many more today and tomorrow.

From the website majorgeeks.com you can get an anti-spyware that is free and removes this (or at least seems to).

But to start, go into safe mode and run msconfig, remove the SVHOST.exe and there may be a few other random files loading you want to stop (random names that end in .exe).

The anti-spyware program is superantispyware-free-edition (long funny name but I trust majorgeeks).

A few settings you want to change before scanning:

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click "Yes".
Let it through your firewall!
Under "Configuration and Preferences", click the "Preferences" button.
Click the "Scanning Control" tab.
Under "Scanner Options" make sure the following are checked:
1>> Close browsers before scanning
2>> Scan for tracking cookies
3>> Terminate memory threats before quarantining.
4>> Ignore System Restore/Volume Information on ME and XP
5>> Please leave the others unchecked.
6>> Click the Close button to leave the control center screen.

On the main screen, under "Scan for Harmful Software" click "Scan your computer".
On the left check "C:\Fixed Drive".
On the right, under "Complete Scan", choose "Perform Complete Scan".
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click "OK".
Make sure everything in the white box has a check next to it, then click "Next".
It will quarantine what it found and if it asks if you want to reboot, click "Yes".

This was able to find and remove most of the program. I manually deleted the files in c:\program files\<random name> as well as from the start menu. (The random name in program files is the same one you would see in msconfig.)

I hope this helps anyone with this. (It's upsetting that Symantec can seem to do nothing to help with this one.)

David-Z wrote:

We should be able to detect and remove XP Antivirus 2008, XP Antivirus 2009, Vista Antivirus 2008, and Vista Antivirus 2009 without issue as far as I'm aware.

As with any removal procedure, we recommend that you reboot the machine into safe mode and launch a full scan from there. Access Denied may occur in some instances if you are not in safe mode.

Whatever the threat is being detected as, there may be some additional instructions you have to follow to ensure complete removal. These instructions can usually be found by clicking on the link associated with the detection. (Example: Trojan.Fakeavalert, Trojan.Virantix.C)

If the threat is not being detected or we are unable to remove it, please call into Symantec Support for assistance or open a case via the MySupport website. You can submit a sample of a virus that is not being detected to:

https://submit.symantec.com/gold

Symantec Technical Support:

http://www.symantec.com/enterprise/support/contact_techsupp_static.jsp


Lincster wrote:

David, thanks for the input. I have a case that I opened 2 hours ago and someone has yet to call me back.

Anyhow, I believe that the access denied messages are because a process is running preventing Symantec from killing the virus. After I manually kill the process I can then remove all the files/reg entries associated with the threat. That being said, Symantec Auto-Protect should be able to identify the process that is running and not allow it to run in the first place. Thoughts on this?

For example, I just manually eradicated AV2009. A process was running and I could not do anything until I killed that process. My concern is that Auto-Protect should not have allowed that process to launch in the first place.

Maver wrote:

We have just started testing with SEP 11.0 and on my test 32-bit Vista and 32-bit XP, I went to the so-called product's homepage and I get "Page cannot be displayed" and an intrusion notification: [SID: 23033] HTTP Misleading Application Detection detected.

We've had numerous infections with that XP AV junk and I have built a virtual machine with 10.1.5 and STILL couldn't get infected with XP AV 2008.


John H wrote:

Maver, glad you got some good results!

We have recently been adding Network Threat Protection coverage for the fake antivirus products (like XP Antivirus 2008, AntiVirus 2009, Doctor Antivirus) and fake video codecs to give you an additional layer of protection (it has been VERY successful in keeping these things from making it onto systems).

As you noted, users can't make it to a fake product page or the pop-ups that start fake scanning (which are just animation, btw) in many instances. These fake virus scanners/fake codecs directly correlate to Trojan Vundo and Trojan Zlob, which are challenging to keep up with. The Network Threat Protection coverage may also help you identify infected systems for which we don't currently have an AV def to clean up the system.

For other folks, if you don't have Network Threat Protection on, please give it a try.

Thanks,

John Harrison, Symantec Security Response aka Dr. Drive-By

John Harrison
Symantec Security Technology and Response

Maver wrote:

Well, I spoke too soon... seems like the latest FedEx tracking notice spam is getting past both SAV CE and SMSE 5.10.

Attachments with WD6128922.zip are just now getting blocked by SMSE as Unrepairable virus Backdoor.Paproxy.

Earlier, Fedx-retr871.zip was successfully getting caught by SMSE as Unrepairable virus Backdoor.Paproxy.

However, before WD6128922.zip was caught by SMSE, we are/were able to save this locally and run it and BOOM, XP AV 2009 shuts down the machine and totally infects it on reboot. SAV CE 10.1.401 catches Pandex I believe, but the damage is done.

Now, on my XP/SEP 11.0 test VM, I can run the WD6128922.zip; inside there is an EXE disguised as a Word doc. Unless you have extensions being shown, you can't even tell it is an EXE... anyway, if I run that on my XP/SEP client, nothing happens... nothing at all, even in the logs.

Message Edited by Maver on 08-21-2008 01:13 PM
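Maver's observation that the EXE inside the zip only gives itself away when extensions are shown is something a mail gateway or helpdesk script can check before a user ever sees the attachment. The Python below is an added example, not code from the thread or from any Symantec or Malwarebytes product: it unpacks a constructed sample archive (member names and bytes are invented for the demo) and flags members with a document-then-executable double extension, or with a PE header hiding behind a document extension.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows runs directly on double-click (a subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Extensions a user expects on a "tracking notice" attachment.
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".txt", ".rtf", ".xls"}
PE_MAGIC = b"MZ"  # every Windows executable starts with this DOS header signature


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons a ZIP member looks like an executable posing as a document.

    name: member path inside the archive; head: its first two bytes.
    """
    reasons: List[str] = []
    basename = name.lower().rsplit("/", 1)[-1]  # drop any folder prefix
    exts = ["." + part for part in basename.split(".")[1:]]  # every suffix, in order
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % last)
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            # e.g. notice.doc.exe: Explorer hides ".exe" by default, so the user sees "notice.doc"
            reasons.append("double extension %s%s mimics a document" % (exts[-2], last))
    elif head.startswith(PE_MAGIC):
        # PE bytes behind a non-executable (or missing) extension
        reasons.append("PE header but extension %s is not executable" % (last or "(none)"))
    return reasons


def scan_zip_bytes(data: bytes) -> Dict[str, List[str]]:
    """Map each suspicious member name to its reasons; clean members are omitted."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the real attachment from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fake_pe = PE_MAGIC + b"\x90" * 62  # stand-in for a PE image
        zf.writestr("tracking_notice.doc.exe", fake_pe)  # visible double extension
        zf.writestr("tracking_notice.doc", fake_pe)      # PE bytes behind a .doc name
        zf.writestr("readme.txt", b"Your parcel could not be delivered.")  # benign text
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print("%s: %s" % (member, "; ".join(why)))
```

Only the first two bytes of each member are read, so the check is cheap enough to run on every inbound archive.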
DHS wrote:

Let me enlighten you...

Malwarebytes Anti-Malware - malwarebytes.org

Also Google and use SDFix.exe

Use MB first, then SD, in safe mode and reboot (SDFix will automatically reboot and continue).

These two together destroy almost ANY threat. Symantec... TAKE NOTE

Mrkrad wrote:

Does anyone have any custom signatures to block the Antivirus 2008 pop-ups?

In my opinion, when malware like this hits a machine it is best practice to do a full restore.

These custom malware droppers cannot always be eliminated 100%, and if they ever decided to throw a time bomb off in the future you may shoot yourself in the foot by just cleaning it up?


Mrkrad wrote:

http://top-pc-scanner.com/1/?xx=1&in=2&ag=2&end=1&g=1&affid=401&lid=111

^^ I found this one today and it is considered a clean exe file according to the latest defs.

Don't feel bad, AVG didn't think it was a threat either.
Message Edited by Mrkrad on 08-22-2008 08:31 AM
joshfrombrooklyn wrote:

In the past I have used smitfraudfix to deal with this infection, but there seem to be a number of new variants that are resistant to it.

These new variants are particularly virulent and invasive.

I have had at least 3 completely different software packages on users that I support, and Symantec Corporate edition has been next to useless at helping to remove them.

With one of the variants, I used 3 different types of anti-spyware and the result was multiple blue screens.

With another, I manually went through the registry and msconfig, and removed all associated files, but the **bleep** thing still came back.

The virus comes from a link in a fake e-mail from UPS or FedEx.

If the user clicks on the link, they get the initial pop-ups and annoying bubbles. If it is caught at this point, it is simple to remove.

However, many users have then clicked on the pop-up windows (which are made to resemble Windows security alerts) causing the full installation to occur.

Is there some reason why Symantec has not been keeping up with this?

joshfrombrooklyn wrote:

Tried SDFix on one machine, the program lagged forever and never finished...

Maver wrote:

Thanks... we are using Malwarebytes. It simply does the job with NO fuss.

Today, I tested my XP virtual machine with an unmanaged SEP client by downloading a postcard with an exe link. It went through, and basically put something in my registry to launch some processes. SEP catches a few things, but after every reboot the "hook" is still able to try and download more stuff.

I was able to successfully install XP AV 2008 by clicking "Yes" [I know it's difficult to get around a user who basically does everything to click yes] but I wanted it on here to see if SEP will remove it.

So far, SEP is a-ok with XP AV 2008 installed on it... doesn't catch it at all. Ran a scan in Safe mode... 0 threats found.

Geez

joshfrombrooklyn wrote:

"malwarebytes" is the name?  OK, I'll check it out.  Thanks.

burningtower wrote:

What I did:

Downloaded "Malwarebytes" and "SDFix"

Ran Malwarebytes - rebooted to "Safe" mode - used the same login (important) - ran SDFix

Rebooted

Worked for me, so far so good; may not work for everyone because there are so many variants out there.

Message Edited by burningtower on 08-27-2008 08:40 AM
joshfrombrooklyn wrote:

Malwarebytes definitely worked better than anything else I've tried.  I used it and it took out the variant I was working on.

Thanks for the tip!

ProfileX wrote:

This thread was started on April 30th!  Here it is 4 months later, and SEP11 MR2 with the latest defs and auto-protect enabled is still not detecting this.  The phone support is useless and say they don't know of anyone with this problem.  I guess this would be a good time to download some demos of different products.

joshfrombrooklyn wrote:

Seriously.

It would appear that Symantec has gotten complacent, and is all about developing new products to sell, rather than keeping up their existing products.

My firm has been using this product for ages, oh well, time to start looking around for something better.

Abhishek Pradhan wrote:

I fail to understand why everyone wants to blame Symantec. Here are my reasons for the same.

1. The XP antivirus thingy will come and reside on the systems ONLY in case the end user goes to some unwanted site, downloads unwanted stuff, and does a lot of unwanted things.

2. Another vector is because of Torrents / P2P applications, which ideally should be blocked by the company's IT / SOC policies.

3. There are many variants out there. Those that we have detected, we have the signatures for them. For the undetected variants, we have to wait until a new submission comes to us / we catch a new variant. Only in this case would it be possible for us to make signatures for the new variants.

4. Another vector is if the end user sees a banner floating on some site for a FREE ANTIVIRUS, or some banner pops up saying that your system is infected, download free AV to scan it.

I've seen a case with one of the support teams wherein the customer had consciously downloaded XP AV 2008, and had logged a case with support saying that "A free AV I have is detecting viruses on my system, and SEP is not! May I know how this is possible?" When the TSE asked him how he knew that his system was infected, the customer showed him what he had done, by ONCE AGAIN downloading the XP AV on ANOTHER good system, and executing it!!!!! And this incident was less than 2 weeks ago.....

Message Edited by Abhishek Pradhan on 08-29-2008 07:57 AM

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

Auusie wrote:

Hi, first of all everyone should go and read this article http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/... They have been changing this virus almost every day, so that's why AV sometimes fails to detect it.

Well, people need to know that AV is a scanner which scans and alerts about the stuff it knows about through definitions... it might know about new viruses through their behavior, but not always...

If you are using SEP and have its HIPS protection, then use it... get the signatures and put them in your SEP; if you don't know how it works then ask... and I am sure Symantec will respond to it.

Having said that... this signature should have been on its way by now from Symantec... so can you kindly look at it?

And I know Symantec employees feel offended because everyone expects that your AV can detect everything :) but you people need to have a proactive approach rather than a reactive approach... go and search for viruses, make new defs before they get to customers :)

joshfrombrooklyn wrote:

Dear Symantec Employee:

Seriously? That's your answer? "Don't blame us"?

You said: The XP antivirus thingy will come and reside on the systems ONLY in case the end user goes to some unwanted site, downloads unwanted stuff, and does a lot of unwanted things.

What is the definition of a virus? What is Symantec's software made to do?

The "antivirus thingy" is sent to users in the form of an e-mail from UPS or FedEx. If users click on a false link contained therein, they download the software. Then pop-ups appear. Many of the pop-up windows are disguised, convincingly, as false Windows Security Alerts. Many users have been fooled by these.

You said: Another vector is because of Torrents / P2P applications, which ideally should be blocked by the company's IT / SOC policies.

While this is surely possible, I have not seen this situation at all. I have seen 10 different cases of this VIRUS, and all of them were from e-mail based infections.

You said: There are many variants out there.

Which is why your software is designed to update automatically...

You said: Those that we have detected, we have the signatures for them.

I have not seen even one variant that was caught and then removed by Symantec AV. Perhaps you could list which files/registry entries Symantec actually DOES remove/change?

You said: Another vector is if the end user sees a banner floating on some site for a FREE ANTIVIRUS, or some banner pops up saying that your system is infected, download free AV to scan it.

While it is a good point that if someone were trying to download another AV program, it is not Symantec's responsibility to stop said user from using that program...

Users would not even be clicking on these for the most part if they did not show up incessantly, along with apparent Windows security alerts.

Meaning that if your program WORKED, and cleaned the virus, the users would not feel any necessity to install any additional software.

You said: by ONCE AGAIN downloading the XP AV on ANOTHER good system, and executing it

Of course. Users should be assumed to have no idea what they are doing. That is the basis for all IT customer service.

Abhishek Pradhan wrote:

@Josh, no offense, but here are some points to ponder.

Definition of a Virus - A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. :smileyhappy:

The AV software is made to protect from known threats. No AV software in the world will ever catch a virus that has never been caught before. Also, no AV software would on its own accord go ahead and create AV signatures to catch viruses. It's eventually for the end user / IT engineer of any concerned company to report / submit the suspect files to Security Response in the event of a suspected virus outbreak.

The 10 different cases that you saw had the same vector - e-mail. There are always different vectors for payload delivery, and this is just 1 of them. When a new threat is detected and a security advisory mailed to all customers, it is ideally the work of the IT engineers of the concerned company to draft and circulate a threat advisory to all internal users to apprise them of the situation.

Just because the software is designed to update automatically does not guarantee that it will catch a previously UNDETECTED variant.

You said -

Users would not even be clicking on these for the most part if they did not show up incessantly, along with apparent Windows security alerts.

Meaning that if your program WORKED, and cleaned the virus, the users would not feel any necessity to install any additional software.

==> The working program has nothing to do with content being pulled off the web. How in God's name is an AntiVirus component going to go ahead and block pop-ups? Furthermore, if the end user is visiting unwanted sites, is it the responsibility of the AV program to block that? It's not. It's the responsibility of the IT admin to set policies blocking the access to such sites in the first place.

You also quoted - Users should be assumed to have no idea what they are doing => I would not call the IT admin of a respectable company an end user. :smileyhappy:

My entire point here is not to get into any debates, but to highlight that several small things that are normally overlooked due to sheer administrative oversight, or just because the IT chap thinks it's too small a thing to control and lets such small things pass, are actually leaving the door into the company wide open.

All I'm aiming at here is that though the threat is being cleaned, with a new variant, you never know. Just yesterday we saw a case where the load points for another variant of the XP AV were changed from c:\windows\system32 to c:\windows and c:\program files.....

That's why we rely mainly on submissions by end users / IT admins like yourself to isolate and submit the new suspect variants to us, hence enabling us to make more effective signatures to combat the threats. As a user / admin of SEP / SAV, you are a very important part of the entire process of effectively combating threats.


Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org
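Kwegar99's msconfig walk-through earlier in the thread and Abhishek's note that load points moved from c:\windows\system32 to c:\windows and c:\program files describe the same triage: look at what autoruns and from where. The script below is an added example, not code from the thread or from any Symantec tool. It scores startup entries for a name that imitates a system binary (the thread's SVHOST.exe next to the real svchost.exe) and for random-looking names or folders under those load points; the sample entries and the randomness heuristic are constructed assumptions, and the registry reader only runs on Windows.

```python
import re
import sys
from typing import Dict, List, Tuple

# Legitimate Windows process names that rogue droppers imitate (the thread's SVHOST.exe).
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                         "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
# Load points named in the thread: system32, the Windows folder itself, and Program Files.
WATCHED_DIRS = {"c:\\windows", "c:\\windows\\system32"}
PROGRAM_FILES = "c:\\program files\\"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> str:
    """Return the system binary this name imitates (distance exactly 1), else ''."""
    name = filename.lower()
    for real in sorted(KNOWN_SYSTEM_BINARIES):
        if name != real and edit_distance(name, real) == 1:
            return real
    return ""


def looks_random(token: str) -> bool:
    """Heuristic for the 'random names' posters describe (an assumption of this example):
    six or more alphanumerics where fewer than 15% of the letters are vowels."""
    s = token.lower()
    if len(s) < 6 or not re.fullmatch(r"[a-z0-9]+", s):
        return False
    letters = [c for c in s if c.isalpha()]
    return bool(letters) and sum(c in "aeiou" for c in letters) / len(letters) < 0.15


def image_path(command: str) -> str:
    """Pull the executable path out of an autorun command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]


def triage_autoruns(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Score (startup item, command) pairs as msconfig lists them; clean items are omitted."""
    findings: Dict[str, List[str]] = {}
    for item, command in entries:
        path = image_path(command).lower().replace("/", "\\")
        folder, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        reasons: List[str] = []
        real = lookalike_of(filename)
        if real:
            reasons.append("name imitates %s" % real)
        if (folder in WATCHED_DIRS or folder.startswith(PROGRAM_FILES)) and looks_random(stem):
            reasons.append("random-looking executable name in %s" % folder)
        if folder.startswith(PROGRAM_FILES) and looks_random(folder.rsplit("\\", 1)[-1]):
            reasons.append("random-looking Program Files folder")
        if reasons:
            findings[item] = reasons
    return findings


def read_run_keys() -> List[Tuple[str, str]]:
    """Collect the HKLM and HKCU Run values (what msconfig's Startup tab shows); [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module
    entries: List[Tuple[str, str]] = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            key = winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue  # e.g. no per-user Run key yet
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # end of the value list
                entries.append((name, str(value)))
                index += 1
    return entries


# Constructed sample entries (not real indicators), in the form msconfig shows them.
SAMPLE_ENTRIES = [
    ("svhost", r"C:\WINDOWS\system32\svhost.exe"),            # svchost.exe lookalike
    ("xjq48dk", r"C:\Program Files\xjq48dk\xjq48dk.exe -s"),  # random folder and name
    ("kqzx7wd", r"C:\WINDOWS\kqzx7wd.exe"),                   # random name in the Windows folder
    ("ccApp", r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"'),  # ordinary entry
]

if __name__ == "__main__":
    for item, why in triage_autoruns(read_run_keys() or SAMPLE_ENTRIES).items():
        print("%s -> %s" % (item, "; ".join(why)))
```

Treat the output as a shortlist for a closer look (hash, signer, submission to the vendor), not as a verdict; a legitimate vendor can pick an odd folder name too.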

joshfrombrooklyn wrote:

Consider your own points when you make them:

A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user.

If a user clicks on a link in an e-mail that indicates it is for something else, and it installs unwanted software, then that is "without the permission or knowledge of the user". Therefore, by your own definition, the initial software installation is in fact a virus.

The AV software is made to protect from known threats.

Look at when this thread was started. How is this not a "known threat" after this virus has been out for six months? The variants I have worked on have been infecting computers for at least a month, and are VERY widespread. Just Google "AntiVirus 2008" and you'll see hundreds of hits. How long does it take before something becomes a known threat?

Just because the software is designed to update automatically does not guarantee that it will catch a previously UNDETECTED variant.

Your software detects maybe one variant, and does not successfully remove ANY variants.

How in God's name is an AntiVirus component going to go ahead and block pop-ups?

Really? You're seriously asking me this?

Listen, I am not happy that Symantec has not caught this highly contagious virus with all the time allotted to it. I was offended because your response was not to do research and get back to us, but to say "it's not our fault". This is not a proper response.

I am not happy because the software that we pay lots of money for did not catch it, but some random freeware called "Malwarebytes" caught it and got rid of it without a problem.

If you would like me to record everything I've done to manually remove the viruses in question, which I have in fact done now in several cases, I will be happy to do so, and will expect a paycheck in return for my services. :smileyhappy:

Ted G. wrote:

Regardless, the reality of the situation is this:

Hundreds, if not thousands, of variants of these types of malware/threats are created every day. The creators of this malware make money off of it and do not want any antivirus programs to be able to detect or remove it. You will never find an AV software that can keep up with that even if they worked 24/7/365 creating virus definitions. It's simply not possible.

Funny thing is (and I'm telling this story as an end user and not a Symantec employee, for the record), when my roommate decided that downloading AV 2008 on my home computer was a good idea, I was not able, by doing a Google search, to find any tools or instructions that could remove it completely. Let alone even detect it on my system. And yes, I found Malwarebytes and RogueRemover Pro and tried them both to no avail. (Both made by the same company and both are not freeware, by the way. They cost $24.95 and $14.95 each respectively). I used the trial version of each.

Anyway, I had to run our Loadpoint diagnostic tool and locate all the files by hand and remove them myself. And since this threat installs downloaders on the system which in turn download and install backdoors, trojans, etc., I also decided to back up my data and reformat the hard drive, as I had no clue how my system had been compromised at that point. SEP did not catch AV 2008 as it was a new variant; it did catch some of the trojans it downloaded though, as they were old and we had definitions for them.

We can sit here and argue about this all day, but the fact remains that you will never find an AV software that will catch every variant of every virus and malware out there in the world. There are simply too many of them created every day for anyone to stay ahead of the curve. Also, as with real viruses, someone has to get infected before the cure can be created. It's the sad reality that we all must deal with.

Not to be a jerk, but you said, and I quote:

I am not happy because the software that we pay lots of money for did not catch it, but some random freeware called "Malwarebytes" caught it and got rid of it without a problem.

If you would like me to record everything I've done to manually remove the viruses in question, which I have in fact done now in several cases, I will be happy to do so, and will expect a paycheck in return for my services. :smileyhappy:

If Malwarebytes worked so well removing this threat, why then did you have to manually remove it? Why not use that program to remove it from all computers? :)

joshfrombrooklyn wrote:

If Malwarebytes worked so well removing this threat, why then did you have to manually remove it?

Because I only found out about Malwarebytes on this very thread a few posts ago, as you can see if you scroll back a bit...

Before that I was going through the laborious task of manually removing and/or changing registry entries and files.

Paul Murgatroyd wrote:

I'd need to take a look at Malwarebytes to see why it is apparently so good at cleaning up this particular threat, but I'd be willing to bet it's because they are concentrating on specific threats and I imagine they have far less than the 2 million AV/AS signatures we have in our definitions. To give you an idea of the explosion of variants we have seen recently, 70% of those 2 million signatures were added to our definitions in the last year. At this current moment in time we are adding on average 7500 signatures PER DAY to our definitions. That number is increasing and we are starting to reach the tipping point where malware now outnumbers the "goodware".

This is one of the reasons that we created SEP - there is a general recognition from all vendors that signature based detection is no longer effective enough and that further levels of protection are required. With IPS enabled and an up to date IPS signature list, you should see that attempts to contact the website for these applications are blocked. In addition, features such as System Lockdown enable you to completely lock down the machine and prevent any unauthorised executable from running.

You will start to see reputation based whitelisting appear in the Norton 2009 product line; this in turn will make it into the enterprise product in the coming year. The reason for this is that we are at the point where it is now pointless looking at the bad as there is simply far too much of it - instead we look at the good, and work at blocking everything else.

I agree that for those people being hit by these threats this is of little consolation, but please do submit them to Security Response - this is the way signature based detection has to work. To give you an idea of the investment we make in our security response and managed services organisations:

We have over 40000 network sensors in over 70 monitored countries

We monitor over 3 million mailboxes purely there for spam and threats (and over 40% of the world's email flows through our network in some way or another)

We protect over 120 million endpoints

We have over 80 million LiveUpdate sessions per day

We have the largest honeypot of all security vendors

BUT, threats still get through BECAUSE they are changing so often.

Only a year ago, a piece of malware would be written and would target millions of machines; now malware is much more targeted - a single variant will hit perhaps 50 - 500 machines at most before it changes and mutates to evade detection. We, like all the security vendors, are working hard to combat this, but nobody is going to be able to guarantee a 100% detection ratio using purely signature based detection (check out the independent malware reviews if you don't believe me).

Lastly, I note that Malwarebytes is specifically a removal tool, NOT a protection tool - it is far easier to identify and remove something that is running on a PC than it is to prevent it from getting there in the first place - which is our goal.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

nosirrah wrote:

Hello everyone

My name is Bruce Harrison (most people know me as nosirrah) and I am the lead researcher for Malwarebytes' Anti-Malware. Reading through this thread I feel obligated to clear a few things up. First and foremost:

"And yes, I found Malwarebytes and RogueRemover Pro and tried them both to no avail. (Both made by the same company and both are not freeware, by the way. They cost $24.95 and $14.95 each respectively). I used the trial version of each."

The version of MBAM that is helping people with this particular infection is free to scan, update and remove malware forever and will forever stay that way. Every MBAM employee (currently 3 but soon to be 5) is from the same community that has helped millions of people fix their PCs for free across many HJT forums.

"when my roommate decided that downloading AV 2008 on my home computer was a good idea, I was not able, by doing a Google search, to find any tools or instructions that could remove it completely. Let alone even detect it on my system."

http://www.google.com/search?hl=en&q=MBAM+%22XP+antivirus+2008%22&btnG=Search

I did not have the same trouble.

"A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user."

Correct, and so is the fact that the exploit that drops win32.exe installs this rogue, no clicking required. If anyone is interested in the static links to win32.exe please let me know through PM; the malware is way too dangerous to post as this is FAR from the only fallout.

As far as why MBAM is very good at dealing with this infection, that is simple. MBAM is designed to be very good at dealing with malware that the AVs seem to be having problems with. I do not spend my time making MBAM detect millions of infections that any decent AV already detects, as MBAM is DESIGNED to work alongside antivirus software, not replace it. A huge chunk of the research that goes into MBAM revolves around what we see making it into HJT threads, as the vast majority of these threads involve antivirus software that was in some way bypassed.

The long and short?

Is MBAM the best thing ever that can replace all of your security software? No. Will MBAM be a solid addition to any antivirus software and continue to do a great job against threats like this? Absolutely.

Message Edited by nosirrah on 08-30-2008 06:59 PM
Maver wrote:

nosirrah wrote:

...A huge chunk of the research that goes into MBAM revolves around what we see making it into HJT threads, as the vast majority of these threads involve antivirus software that was in some way bypassed.

I would be interested to see how many Symantec researchers spend time in those forums. Many of those posters who cannot get rid of XP AV2008, Vundo, Winfix, etc, etc, etc are all likely running AV software that is doing an unacceptable job removing said malware.

nosirrah's picture

The more I read the more I see misinformation going on here :

 

 "Lastly, I note that Malwarebytes is specifically a removal tool, NOT a protection tool "

 

I have a feeling that everyone here knows that MBAM has a pro version that provides active protection against the threats it can remove in the free version . HIPS and IP blocking are both on the way for MBAM pro as well as system file backup and restore so we are far from a free removal tool . All of our protection is designed to avoid conflicting with your existing firewall and HIPS software because we do not want to replace them, only fill in the gaps .

 

If we were not for real we would not have had multiple offers from 4 big name security companies to either add us to them or to buy us out outright . We have also had offers to add a toolbar to our app and offers to buy our source code . Multiple malware authors are directly engineering against us (vundo guy , rustock guy , zlob guy and many others) but our direct disk acces read and file header breaker backed up by our boot load delete on reboot driver does not give them many options . Our lead driver coder is swandog (avanger guy) and we are in talks to pick up several leading specialized tool authors (one of them already has his contract in the mail) .

 

Let's settle this now and avoid any further misinformation. MBAM is now a very good backup to any antivirus software and will only get better in the future. MBAM will NEVER add antivirus abilities to its core app and is always advised to be used WITH antivirus software. We actually get this question a lot in the forums and I assure you that we always say:

 

"No, MBAM can't replace your existing antivirus software and is not designed to."

reza akhlaghy's picture

Paul Murgatroyd wrote:

I'd need to take a look at Malwarebytes to see why it is apparently so good at cleaning up this particular threat, but I'd be willing to bet it's because they are concentrating on specific threats and I imagine they have far less than the 2 million AV/AS signatures we have in our definitions.  To give you an idea of the explosion of variants we have seen recently, 70% of those 2 million signatures were added to our definitions in the last year.  At this current moment in time we are adding on average 7500 signatures PER DAY to our definitions.  That number is increasing and we are starting to reach the tipping point where malware now outnumbers the "goodware".

 

 

Paul,

 

No one did (or will) ever say that Symantec didn't perform well in fighting malware; the point is Anti-Malware software is meant to remove EVERY trace (or modification made by malware) properly. I wonder why Symantec products (home or network) do not remove malware modifications to the system completely or correctly while the knowledge exists on the Symantec site. On the other hand, removing a malware cannot be performed by just deleting its EXE file.

 

The other important issue is that Symantec's signatures for malware are far too restrictive. I know this will help eliminate false positives, but as you correctly mention the speed of creating malware is enormous and maybe Symantec can revise those signatures to be more relaxed and let their software detect slightly modified versions of malware properly.

 

My team and I do have a constant habit of submitting malware to Symantec, but with this rate nobody can help.

 

Regards,

Reza Akhlaghy

Ted G.'s picture

nosirrah wrote: 

 

"when my roommate decided that downloading AV 2008 on my home computer was a good idea. I was not able, by doing a Google search to find any tools or instructions that could remove it completely. Let alone even detect it on my system."

 

http://www.google.com/search?hl=en&q=MBAM+%22XP+antivirus+2008%22&btnG=Search

 

I did not have the same trouble.

So basically you are saying you purposely infected a computer with "AV 2008", then did a Google search and followed the removal instructions/tools you found online and got a complete, successful removal?

 

Unfortunately, simply doing a Google search does not qualify as finding complete and accurate removal instructions and/or tools to remove AV 2008. One can search Google and post his findings all day long. That does not make the findings accurate or usable.

 

When I did the same, I found no instructions that would assist me in completely removing the threat "AV 2008" from my computer. The instructions I did find were either inaccurate or incomplete. As I said, no tool I found removed it either, not completely. I had to rely on my past training as a virus removal technician to remove the threat. And I was still not convinced with the results, so I reformatted. This was over 6 months ago by the way. Maybe things have changed since then. However, I have no reason to fabricate my experience with this threat. I gain nothing from doing so.

 

 

nosirrah's picture

As the lead researcher for MBAM I intentionally infect my test machine many hundreds of times a day, this malware included. What I was saying is that Google is loaded with working removal guides for this, most of them using our software. I am also saying that because this malware has so many install vectors (exploits/codecs/spam/fake web scanner/P2P malware....) I see it every day multiple times, and MBAM has had it owned for a long time.

 

http://www.bleepingcomputer.com/malware-removal/page/3/

 

"Posted by Grinler on July 23, 2008 · Views: 2,383"

 

This is the first one that I know of, but there might be older ones.

 

When this rogue came out we were quickly able to get it fully detected with our IPH technology; malware like this is no trouble at all for us. I have not needed to add a single def for this rogue in more than 6 weeks because IPH eats it alive. The people that do malware removal guides saw the results and made guides based on MBAM.

 

I don't know why everyone here is getting bent out of shape. If anything MBAM is making far less customer support work for a lot of AVs on all malware of this type and will continue to do so. Having a free tool like MBAM that with a quick scan (usually 5 minutes or less, 55 seconds on my machine) can rip through infections of this type with ease is a GOOD thing for everyone.

joshfrombrooklyn's picture

Having a free tool like MBAM that with a quick scan (usually 5 minutes or less, 55 seconds on my machine) can rip through infections of this type with ease is a GOOD thing for everyone.

 

Agreed.  And I will see what our firm's technology committee says about implementation of this product, at least for the short term.

As far as Symantec goes, I hope that the next version of the enterprise product does all the things mentioned earlier, as the improvements mentioned sound useful.

Ted G.'s picture

nosirrah wrote: 

 

I don't know why everyone here is getting bent out of shape. If anything MBAM is making far less customer support work for a lot of AVs on all malware of this type and will continue to do so. Having a free tool like MBAM that with a quick scan (usually 5 minutes or less, 55 seconds on my machine) can rip through infections of this type with ease is a GOOD thing for everyone.

I for one am not bent out of shape. I'm simply reporting my experience with this threat. I wish the tools/removal instructions I found worked as well as claimed for me, but at that time they didn't. Believe me, I was hoping they would. Maybe my case is an exception to the rule, who knows? But for me, the only way I completely got rid of this thing and all the other threats it downloads and installs was to reformat my HDD. The removal article you linked was from Jul. 22 2008, by the way. Please keep in mind my incident, as stated previously, was 6 or more months ago. :) I think it's obvious things have changed since then.

 

skipdog's picture

I do IT work for multiple hospitals and I work for a contracting company that also has a repair shop. We have seen this infection everywhere. All hospitals, tons of PCs coming in to the shop and even many of my personal friends have obtained this infection. How is it possible that Endpoint Protection does not prevent it? Thanks to Malwarebytes, we have been able to remove it relatively easily. I find it disheartening that you are trying to discredit Malwarebytes or claim that "you can't do a Google search for a good removal guide". We have removed this infection (and variants) so many times, flawlessly, with Malwarebytes and it worked every single time. They are one of the few software developers out there who have provided a solution to this infection. I just cannot understand why Symantec has not made it a PRIORITY to prevent this infection. Symantec rarely even detects any sort of infections on the 500+ PCs we service (not to mention the ones that do pop up are so old that ANY ANTI-VIRUS would stop them), so at the first sign of a very widespread infection, your product fails in every way. You fail to offer the simple solution of "download Malwarebytes and do a quick scan in normal mode" for reasons beyond me. You fail to update your software after the fact to ENSURE that this piece of malware cannot be installed on PCs protected by Endpoint Protection. You even fail to fully endorse the one software developer (with THREE EMPLOYEES) who has saved so many of us IT folk countless hours of frustration caused by an insufficient security product. Symantec should have had an easy removal tool available very quickly or at least included Malwarebytes' solution.

 

Just answer me this one question: Why are you unable to prevent this piece of malware from protecting computers?

 

We are really starting to wonder why we spent thousands of dollars for a program that fails to stop malware and offers no solutions on making their product prevent the KNOWN malware that is hitting IT departments everywhere.

 

Also, I have a hunch that Ted cannot read removal instructions properly. He probably went into safe mode and tried to use Malwarebytes. That is the only thing I can guess as to why you want to claim "well I tried Malwarebytes and it didn't work". We have used Malwarebytes to remove infections on every single PC without a hitch and so have all of the IT contacts I know of in my state. The ONLY thing we have had to do otherwise is change a couple of registry keys to restore the 'desktop' and 'screensaver' tabs in the desktop properties.

 

Your dismissive attitude towards your customers' concerns really bothers me. Unless something changes soon, I'll be doing what I can to spread the word to as many IT contacts in my state as I can about your stance on this issue.

Message Edited by skipdog on 09-05-2008 01:43 PM
NetUser's picture

Symantec should have been able to block this by now.

 

However, you have to train your users to stop willy-nilly clicking on attachments and links they didn't ask for.

There will be something new even if Endpoint starts working for this malware tomorrow and it will be the same thing over again with another cleanup tool to remove something they had no business opening in the first place.

David-Z's picture

Although mostly everything has already been addressed earlier in this thread I'm going to go ahead and respond.

 

Two new heuristic definitions that specifically aim at the XP AV flavor of threats were added last Friday. We have already started seeing hits on them, so it sounds like they are doing their job as well. It took a bit of testing before they were given the green light, but they are out and in effect now.

 

They are:

Packed.Generic.183 - http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-082915-4436-99&tabid=1

-and-

Packed.Generic.184 - http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-082915-5219-99

 

Packed.Generic.xxx is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from antivirus software.

 

A packer is a tool that compresses, encrypts or obfuscates executable files. Malware authors often use packers to conceal threats from detection by antivirus software.

 

So hopefully that will help those of you fighting these threats. I do my part every couple of days and Google for malicious sites hosting XP AV and purposefully click the links on my "thrashing" machine to see if we block the install or, if it installs, whether we are able to remove the threat. Any time I run across one that we don't catch I submit the files and the site to our Security Response Team (https://submit.symantec.com/gold).

 

Obviously I do this on my own time and one person doing this doesn't really make a huge impact, but hey, I try to help where/when I can. Well anyway...

 

Hope that helps! =)

Message Edited by David-Z on 09-05-2008 02:21 PM
SOLUTION
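The post above describes Packed.Generic as a heuristic for files that have been packed or encrypted to hide from signature scanning, and Paul's later reply explains why such heuristics need careful false-positive testing. The following is an added illustration, not Symantec's or Malwarebytes' code: a byte-entropy heuristic (the 7.2 bits/byte cut-off and the section samples are constructed assumptions) that flags high-entropy sections as possibly packed, together with a legitimately compressed resource that shows why a naive threshold alone would produce false positives.

```python
"""Illustrative entropy heuristic for spotting packed or encrypted sections.

Added example; it is NOT the logic behind Symantec's Packed.Generic.183/184.
Packers compress or encrypt code, which pushes the byte distribution toward
uniform (close to 8 bits of entropy per byte). Plain x86 code and text sit
much lower. The catch, as discussed in the thread, is that legitimately
compressed data (installers, zipped resources) looks the same to this test.
"""
import math
import random
import zlib
from collections import Counter

# Assumed rule-of-thumb cut-off; real products tune this against large
# clean and malicious corpora to keep the false-positive rate down.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes) -> dict:
    """Score one section and say whether it trips the packed heuristic."""
    ent = shannon_entropy(data)
    return {"name": name, "size": len(data),
            "entropy": round(ent, 2), "suspicious": ent >= PACKED_THRESHOLD}


def assess_sections(sections: dict) -> dict:
    """Apply the heuristic to every section; any hit yields 'possibly packed'."""
    results = [classify_section(n, d) for n, d in sections.items()]
    flagged = [r["name"] for r in results if r["suspicious"]]
    return {"sections": results, "flagged": flagged,
            "verdict": "possibly packed" if flagged else "clean"}


# Constructed sample sections (fixed seed so results are reproducible).
_rng = random.Random(1)
# Repetitive opcode-like bytes standing in for ordinary compiled code.
PLAIN_CODE = bytes(_rng.choice(b"\x55\x8b\xec\x83\xc4\x00\x90\xc3")
                   for _ in range(4096))
# Uniformly random bytes standing in for an encrypted/packed payload.
ENCRYPTED_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))
# A benign resource that was simply deflate-compressed by its author.
_TEXT = bytes(_rng.choice(b"abcdefghijklmnopqrstuvwxyz ") for _ in range(16384))
COMPRESSED_RESOURCE = zlib.compress(_TEXT, 9)

SAMPLE_SECTIONS = {
    ".text": PLAIN_CODE,
    ".upx1": ENCRYPTED_PAYLOAD,       # name is a constructed label
    ".rsrc": COMPRESSED_RESOURCE,
}


def false_positive_risk(sections: dict) -> list:
    """Names of flagged sections whose data is merely compressed, not hostile.

    We cannot tell that from entropy alone; here we test whether the bytes
    inflate as a valid zlib stream, which is exactly the kind of extra check
    a heuristic needs before it is allowed to convict a file.
    """
    risky = []
    for name in assess_sections(sections)["flagged"]:
        try:
            zlib.decompress(sections[name])
            risky.append(name)
        except zlib.error:
            pass
    return risky


if __name__ == "__main__":
    report = assess_sections(SAMPLE_SECTIONS)
    for sec in report["sections"]:
        print(f"{sec['name']:6} {sec['size']:6d} bytes  "
              f"entropy={sec['entropy']:.2f}  suspicious={sec['suspicious']}")
    print("verdict:", report["verdict"])
    print("likely benign compression:", false_positive_risk(SAMPLE_SECTIONS))
```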
skipdog's picture

NetUser wrote:

Symantec should have been able to block this by now.

 

However, you have to train your users to stop willy-nilly clicking on attachments and links they didn't ask for.

There will be something new even if Endpoint starts working for this malware tomorrow and it will be the same thing over again with another cleanup tool to remove something they had no business opening in the first place.

 

Training is always good and something we keep up on. The entire point of spending thousands of dollars on this product is to stop infections. The POINT OF THE PRODUCT is to stop infections that are caused by users clicking on attachments and links they didn't ask for. This infection is VERY VERY widespread. It has been really showing up in MASSIVE numbers in the past month. There is absolutely no excuse for Endpoint Protection to be unable to prevent this. I'm not sure why you had to point out the whole "there are new infections all the time!" part as I am assuming that we ALL know this simple fact of life. The problem is that this piece of malware is VERY widespread. EVERY HOSPITAL we service has received this infection on at least one PC. Our repair shop has never seen such a sudden influx of PCs with a particular infection EVER. This should be on the top of their priority list. This isn't some small-scale isolated incident. PCs are getting infected with this malware at a very very high rate.

skipdog's picture

David-Z wrote:

So hopefully that will help those of you fighting these threats. I do my part every couple of days and Google for malicious sites hosting XP AV and purposefully click the links on my "thrashing" machine to see if we block the install or, if it installs, whether we are able to remove the threat. Any time I run across one that we don't catch I submit the files and the site to our Security Response Team (https://submit.symantec.com/gold).

 

Obviously I do this on my own time and one person doing this doesn't really make a huge impact, but hey, I try to help where/when I can. Well anyway...

 

Hope that helps! =)

Message Edited by David-Z on 09-05-2008 02:21 PM

 

I am glad to see that an update has been released, although it frightens me that it takes a Symantec employee working off the clock to analyze and submit these infections for testing. It is hard to have any confidence in the product when it takes an employee working off the clock to improve the detection rate of the product. I think your post has proven to me that we should be avoiding Symantec products in the future, as it is clear that Symantec is not doing enough to prevent these types of infections.

 

This piece of malware is so popular that removal guides for it are showing up at social bookmarking sites. I have "stumbled" upon removal guides multiple times in the last few weeks. It completely boggles my mind how Symantec could be unaware of this piece of malware and have taken so long to release an update.

David-Z's picture

Hello there Skipdog,

 

I feel like you may have misunderstood my response. The "off-the-clock" submissions I do are just me being helpful to everyone out there. We have employees, and for that matter whole teams, that are dedicated to finding and creating detections for the threats you guys face out there. =) The 2 heuristic detections I mentioned are there to help with the ones we aren't able to get with normal definitions. Tons of normal definitions for these threats go out multiple times a day. I was only trying to ease some of your concern, as you obviously are very frustrated with this specific threat. The part I take in the whole system of things is very very very small, I assure you. I just like to help. Hmm... well, I hope that clarifies a little more. Either way I assure you that Symantec takes this threat (as with any) very seriously and is always working our best to help you as best we can. If you happen to run across something that we haven't detected, do your part and submit it (https://submit.symantec.com/gold) to us so we can help others as well.

 

Have a great day! :smileywink: 

Message Edited by David-Z on 09-05-2008 03:18 PM
Ted G.'s picture

skipdog wrote:

Also, I have a hunch that Ted cannot read removal instructions properly. He probably went into safe mode and tried to use Malwarebytes. That is the only thing I can guess as to why you want to claim "well I tried Malwarebytes and it didn't work".


I have one quote from a couple posts that you failed to comprehend: "Please keep in mind my incident, as stated previously was 6 or more months ago."

 

At that time, this was a relatively new threat and there was next to nothing known about it, or out on the net regarding the removal of it. As I also stated previously, I'm a trained virus removal technician. I'm pretty confident in my ability to read and comprehend written instructions to the letter, not to mention how to handle the removal of threats from a computer, since that was my job for about two and a half years. Thanks for the vote of confidence though.  :)

rgudmundsson's picture

Friends of mine got this one and I got one named Antivirus 2009 at home. In both cases the computers were protected by Webroot's AntiVirus and AntiSpyware (which I like and respect), which didn't catch either variant and couldn't remove them either. I was able to manually remove it from one computer but had to re-initialize the other after trying everything I could find. It is good to know of tools that can remove this nasty malware, but I'd like to find software that can prevent the infection of all the variants to begin with.

skipdog's picture

Ted G. wrote:

skipdog wrote:

Also, I have a hunch that Ted cannot read removal instructions properly. He probably went into safe mode and tried to use Malwarebytes. That is the only thing I can guess as to why you want to claim "well I tried Malwarebytes and it didn't work".


I have one quote from a couple posts that you failed to comprehend: "Please keep in mind my incident, as stated previously was 6 or more months ago."

 

At that time, this was a relatively new threat and there was next to nothing known about it, or out on the net regarding the removal of it. As I also stated previously, I'm a trained virus removal technician. I'm pretty confident in my ability to read and comprehend written instructions to the letter, not to mention how to handle the removal of threats from a computer, since that was my job for about two and a half years. Thanks for the vote of confidence though.  :)

Sorry, I didn't catch that part about 6 months ago. I'm not sure why you would even bring up how you couldn't remove some variant 6 months ago. It seems clear in some of the earlier posts that you are attempting to discredit MBAM. At least MBAM had removal tools available before this became very widespread. You can keep trying to defend your product all you want, but this was a big outbreak that spread fast and your product failed to do anything about it and was very slow in being able to protect against it or provide removal tools. Why is it that 3 guys (I thought that is what I read) with MBAM knew about this malware for so long before Symantec? It still boggles my mind that you work off the clock to "contribute" to what sounds like an understaffed team. Even if you are finding a couple that the Symantec Team did not, they are failing in their role, MAJORLY. This infection was plastered like crazy in just about every removal forum, so I do not understand how it could POSSIBLY be missed. Maybe I have delusions and somehow this was only VERY widespread in my state (I'm talking all 3 hospitals my company services (1-3 infections at each location), 10 libraries out of about 15 that we work for, and our repair store was OVERLOADED with them and TONS of my IT contacts said the same thing). I still have not seen anything in this thread to restore our confidence in Symantec, just poor excuses and no apologies. How are we supposed to consider Endpoint Protection in the future after this recent issue and slow response time?

Paul Murgatroyd's picture

So (at the risk of being flamed) let me try and clarify some points raised in this thread:

 

1: Symantec was too slow to respond to this threat: Perhaps. We released the signatures as soon as we possibly could, and have continued to enhance them since. The more generic detections that we have added recently should really help in detecting the variants of these threats. That's the main problem: by the time vendors have signatures out to combat a specific threat, that threat has evolved and is now slightly different, meaning it can evade signature-based detection technologies. The two signatures above look for specific packer types, which are used to hide the threat itself.  Because they are more generic we have to take time to test them thoroughly. Believe it or not, we have one of the lowest false positive ratios in the business, less than 0.04%, and for many of our enterprise customers that is a big factor (in some cases more important than our detection ratio or speed of signature release).  Other vendors may release signatures quicker, but at the expense of false positives (which many comparative tests unfortunately never take into account; they are purely interested in detection).

 

2: Understaffed team: we have a huge number of people in Support and Response, in most cases more than our competitors have in their entire company. Response is not understaffed by any means. In addition to that, our automated systems process thousands of submissions per day without any requirement for human intervention, analysing code and writing signatures on the fly, leaving our engineers to concentrate on the more complicated aspects of threat analysis.

 

We are well aware of this threat and its many variants, but as I stated previously, because it is evolving and changing so quickly, that makes it very difficult to write targeted signatures, because they are ineffective and will only block one variant (which is unlikely to exist for more than a couple of days before it morphs again).  While cleanup of this threat is fairly generic, detecting the many slightly differing variants and their delivery mechanisms is more complicated and takes time to work out signatures that are generic enough to detect the threat but not to create false positives.

 

I've already posted about the new technologies coming this year in our consumer products; you can expect to see similar technology appearing in our enterprise products next year.  The number of threats we are seeing every day is increasing, so we are looking at new and innovative ways of protecting your clients.

 

 

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

skipdog's picture

I just wanted to post here to state that we have picked up multiple variants since Symantec updated their definitions for protection and since my last post in this thread.

 

You say that you have this huge staff dedicated to being ready for these things, then why is it that the lone author of Malwarebytes is able to know about these infections before Symantec? ONE GUY can find these infections better than the ENTIRE COMPANY. Yet in your last response you seem to think that touting your giant staff is supposed to make us feel better as customers.

 

Every single time we have an infection that gets through Endpoint (all of which are variants of XP Antivirus 2008), we run Malwarebytes and it removes them. You say that "prevention is harder than removal". Well, clearly if one guy can make detection and removal work in his product, Symantec should be capable of having the same capabilities in their product.

 

Just explain to me in simple terms why one lone author can update their software faster than a big company like Symantec. I still don't understand, as it is hard to read through the PR fluff. You can keep saying "it is difficult, it is difficult" all you want, but yet, ONE LONE AUTHOR can do exactly what you define as being so impossible to do.

 

I do find it interesting you had to try to sell "future products" that will apparently do the job that Endpoint was expected to do.

 

 

Jimmy Mullen's picture

You know, it's interesting to read this thread because customers and AV vendors tend to forget a couple of things when it comes to AV Management Aspects:

- People

- Process/Procedure

- Technology

- Governance/Control/Education

 

People nowadays are so spoiled that they let the IT tools (Technology) do everything that needs to be done in an IT environment, forgetting that these are merely tools. Tools cannot operate properly if the handler/wielder doesn't know how to use them (People). Tools also cannot operate properly if there is not a proper handling mechanism (Process/Procedure) in place. Also, tools are meaningless if users are not educated in what these tools are for and what they do, cannot do, or are not supposed to do (Governance/Control/Education).

 

Especially I'd like to emphasize the education part. Yeah, users don't know what they are doing and the tools should be helping to prevent it, but tools have shortcomings too, and all those aspects mentioned complement each other seamlessly.

 

- People: do you have the right people in place?

- Process/Procedure: do we have policies in place? do we have the right procedures in place?

- Technology: do we have the right technology in place? and is the technology by a vendor with a lot of experience?

- Governance/Control/Education: do we train the users/employees? do we inspect/control our policies whether they are lacking or not?

 

If these are done properly, then you will find yourself in a circle that will maximize all of these aspects tremendously.

 

Until now, a lot of companies have included this line in their Security Policy:

"Don't click on a link / attachment carelessly or if you are not sure whether this is safe or not"

 

This line has been used since a long time ago and still works wonders if used properly, which makes me think: have we degraded our ability to think so tremendously only because the tools are getting richer in features?

 

Also, customers organize a lot of trainings where they invite speakers or let their own IT people be the speakers and explain all the risks and the threats that are out there (seminars on IT security).

 

Will this kind of approach eliminate IT Security Risks? Probably not.

 

Will this kind of approach help mitigate IT Security Risks? Absolutely. Definitely.

 

So far my 2 cents.

Knottyropes's picture

Maybe they got caught:

 

http://www.networkworld.com/community/node/36235

 

 

The Federal Trade Commission today got a court to at least temporarily halt a massive "scareware" scheme, which falsely claimed that scans had detected viruses, spyware, and pornography on consumers' computers.

According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of Innovative Marketing, Inc. and ByteHosting Internet Services, LLC to preserve the possibility of providing consumers with monetary redress, the FTC stated.

Abhishek Pradhan's picture

I'm happy for 1 reason. There's a NEW variant of XP AV out THERE that even the OTHER vendors did not detect, but SEP did. The files that were detected were scanned by the user using the other products, which pronounced them clean, but SEP caught them in a jiffy.

 

We're getting there, slowly but steadily. :)

Abhishek Pradhan, PMP, MCT
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

David DEZ's picture

My boss had this problem with his home PC, but none of us under SEPM v11 have had a single issue with Antivirus 2008.  As I remember, all I did was turn off the Windows restore feature and run Spybot Search & Destroy a couple of times.  Once I cleaned it all up, restarted, and repeated, I turned restore back on and all was well.

David