Endpoint Protection


New FAKE AV "MS REMOVAL TOOL"

  • 1.  New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 07, 2011 10:15 AM

    Lately I'm facing a new malware which calls itself "MS REMOVAL TOOL" (see attached pic) and tries to sell "fake" AV protection to the user.

     

    The Trojan is able to infect user’s PC even if it runs SEP11 with PTP enabled and latest defs.

    So far, I've found (and submitted to Security Response) 3 variants for this same Trojan:

    Country         Filename                 Date       Tracking #   MD5
    Germany         hCa06504ePaDa06504.exe   4/4/2011   19747815     AD6CB4A1880EA89DE0AB2F0D275C6088
    Czech Republic  eMd27500lKfNd27500.exe   5/4/2011   19785919     04AACF354B964A4E6FBAF83A94D2024B
    Germany         bOe27500oEmFn27500.exe   7/4/2011   19786295     3B9BF61AD5B902E879DCBF744A2C7496

    But this reactive work makes no sense!! It seems that the Trojan writers are releasing a new variant each day.

    Proactive Threat Protection is useless, since it cannot detect the Trojan.

    SEP11 Tamper Protection protects itself when the Trojan tries to stop it but this is not enough.

    MalwareBytes and similar tools also do not detect it.

    So, what should we do?

    I really expect Symantec to go deep on this in order to find and stop the distributing source (which seems to be several websites with IFRAME exploits).

     

    And if you also saw this Trojan before leave a comment…
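An added hunt script (not from this thread or from Symantec) that walks the temp locations later posts point at and flags executables whose MD5 matches one of the three submitted samples above, or whose filename follows the letters/digits/letters/same-digits scheme of the three filenames; that naming pattern is an assumption inferred from those three names, and the hash check is exactly as reactive as the poster complains.

```python
import hashlib
import os
import re
from pathlib import Path

# MD5s of the three variants listed in the opening post (lower-cased).
KNOWN_MD5 = {
    "ad6cb4a1880ea89de0ab2f0d275c6088",
    "04aacf354b964a4e6fbaf83a94d2024b",
    "3b9bf61ad5b902e879dcbf744a2c7496",
}
# Assumption: further droppers follow the scheme of the three filenames in the
# post: 3 letters, 5 digits, 5 letters, the SAME 5 digits, then ".exe".
VARIANT_NAME_RE = re.compile(r"^[A-Za-z]{3}(\d{5})[A-Za-z]{5}\1\.exe$")

def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string, the format the thread's tracking table uses."""
    return hashlib.md5(data).hexdigest()

def matches_variant_name(filename: str) -> bool:
    """True when the basename follows the observed letters/digits/letters/digits scheme."""
    return VARIANT_NAME_RE.match(filename) is not None

def classify(filename: str, md5: str):
    """'known-hash' for a submitted sample, 'name-pattern' for a look-alike name,
    None when nothing from the thread applies. A hash match wins over the name."""
    if md5.lower() in KNOWN_MD5:
        return "known-hash"
    if matches_variant_name(filename):
        return "name-pattern"
    return None

def scan_dirs(dirs):
    """Walk each directory and return (path, verdict) for every .exe that classifies."""
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                if not name.lower().endswith(".exe"):
                    continue
                path = Path(root) / name
                try:
                    verdict = classify(name, md5_hex(path.read_bytes()))
                except OSError:
                    continue  # locked or unreadable file: skip it, keep scanning
                if verdict:
                    hits.append((str(path), verdict))
    return hits
```

A call such as `scan_dirs([Path(r"C:\Windows\Temp"), Path(os.environ["USERPROFILE"]) / "Local Settings" / "TEMP"])` covers the two locations named later in the thread; a nonexistent directory is simply skipped.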



  • 2.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 07, 2011 10:18 AM

    Are you running SEP with the recommended AV Security settings?

    Security Response recommends the following scan settings:

    Antivirus Security Setting                     Default Setting      High Security Policy   Security Response Recommendation
    Lock settings                                  Some                 Some                   All
    Remediation: terminate processes               No                   No                     Yes
    Remediation: terminate services                No                   No                     Yes
    Auto-Protect action taken for security risks   Quarantine/Log       Quarantine/Log         Quarantine/Delete
    Network Auto-Protect                           Disabled             Enabled                Enabled
    Bloodhound Level                               Default (2)          Default (2)            Default (3)
    SEP Startup                                    System Start         System Start           System Start
    Auto-Protect Scan                              Modify and access    Modify and access      Modify and access

    Security Response recommends the following setting changes to TruScan for best protection:

    TruScan               Default Setting   Security Response Recommendation
    Scan Sensitivity      9/Low             100
    Action on Detection   Log               Terminate
    Scan Frequency        1:00              00:15

    http://www.symantec.com/business/support/index?page=content&id=TECH122943&locale=en_US

     

    Also follow the Security Best Practices - http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&inid=us_sr_carousel_panel7_best_practices



  • 3.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 07, 2011 10:25 AM

    I've already posted on this in a previous thread. I don't remember the name of the thread though. Probably 2 months ago. It is easy to remove.

    The problem is the authors of it don't change the code only once per day but multiple times per day, so trying to keep up with signatures is nearly impossible. FakeAV is not a worm or trojan so I wouldn't expect PTP to catch it.

    Until SEP 12.1 comes out with its file reputation, I would suggest using an application control policy to stop this.



  • 4.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 07, 2011 10:29 AM

    Yes, I'm using exactly these settings except for Bloodhound, which I'm using on level 2.



  • 5.  RE: New FAKE AV "MS REMOVAL TOOL"

    Trusted Advisor
    Posted Apr 07, 2011 10:49 AM

    Hello,

    Try the following:

     

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. 
     
    https://www-secure.symantec.com/connect/articles/using-symantec-support-tool-how-do-we-collect-suspicious-files-and-submit-same-symantec-sec
     
    Also, Try Running the Power Eraser.

    About Symantec Power Eraser

    http://www.symantec.com/business/support/index?page=content&id=TECH134803

     

    Hope that works for you.

     



  • 6.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 07, 2011 12:54 PM

    Not only Windows and IE, but update Adobe Reader / Flash, Quicktime, Java to the most current version. A good deal of these things sneak in through website advertising, usually through third party ad servers.

    Are you using Network Threat Protection for Intrusion Prevention?

    Best practices regarding Intrusion Prevention System technology
    http://www.symantec.com/docs/TECH95347

    sandra



  • 7.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 07, 2011 01:32 PM

    Well, my advice to you would be to check if there is anything in the startup:

    start > run > msconfig > startup

    Check for suspicious files, then check the location of the suspicious threat and submit it to Symantec Security Response.

    And as far as my experience goes, that fake AV is always in the user profile. To get rid of it, change the user profile; if it still exists, create a new user and scan the machine. That would take care of it.

    Also please make sure you delete all files from the user profile temp folder, that is C:\Documents and Settings\%USER NAME% \Local Settings\TEMP, and from c:\windows\temp.



  • 8.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 07, 2011 04:03 PM

    I know how to remove the threat manually; that's not the problem.
    I want to know how to avoid new clients getting infected, since Realtime or PTP cannot detect it.
    Symantec Power Eraser does not detect it either.
    The PCs have the latest MS, Adobe and IE updates.

    So far, I didn't try NTP+IDS or app&device control...



  • 9.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 07, 2011 04:33 PM

    Since the code on those change so frequently, you will definitely want to install NTP and enable IPS--it is more proactive than reactive. This document will give you a good idea of what the IPS Signatures are capable of detecting:

    SEP and Norton Network Threat Protection/IPS Signature Naming Improvements
    http://www.symantec.com/docs/TECH152794

    May want to increase heuristic sensitivity too, if you haven't.

    How to enable, disable, or configure Bloodhound (TM) heuristic virus detection in Endpoint Protection.
    http://www.symantec.com/docs/TECH92424

    Also recommend:

    https://www-secure.symantec.com/connect/forums/turning-settings-sep-deal-fakeav

    https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers

    sandra



  • 10.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 09, 2011 03:49 PM

    The golden rule is that security is only as strong as the weakest link in your company: end users who invite malicious code by clicking on dubious links on the internet, for example clicking OK to install xyz screensaver or free software to get music/porn.

    Your IT personnel should educate and sensitise end users to act responsibly on the internet. I hardly doubt there is a security software which will give you 100% protection against malware if your employees consistently click OK on everything on the internet without thinking about the consequences.

    You could also consider using Application and Device Control policies to prevent creation of exe files in C:\Documents and Settings\%USER NAME% \Local Settings\ and c:\windows\temp

    Document yourself on

    http://www.symantec.com/avcenter/security/ADC/Configuring_Application_Control_1.1.pdf

    Also, note that enabling IPS and NTP should help protect against network-borne threats/exploits including FAKE AVs.

    Ideally, I would suggest you apply Application and Device Control policies and IPS/NTP on a few workstations for testing purposes to guard against issues.

    You should understand that finding the best possible configuration will take time and result in possible issues ranging in severity in the beginning. But in the long run, it's you who will derive maximum benefit.



  • 11.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 11, 2011 02:13 AM

    I am annoyed that Norton Internet Security allowed this malware to infect my main computer when Symantec has clearly been aware of it for several days.  

     

    I will try to figure out what all the fixes in the preceding messages are telling me to do, but come on, Symantec!  I paid good money for your protection, and you have let me down, badly.



  • 12.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 11, 2011 07:36 AM

    Everyone is aware of it. As mentioned many times, the code changes hundreds of times a day, staying one step ahead of the virus definitions. Other methods are now needed to stop this junk. It is a fun new era that is upon us...



  • 13.  RE: New FAKE AV "MS REMOVAL TOOL"

    Posted Apr 11, 2011 08:11 AM

    I also faced the same problem. I just started my system in safe mode and restored back. It is working fine now.



  • 14.  RE: New FAKE AV "MS REMOVAL TOOL"
    Best Answer

    Posted Sep 19, 2011 03:09 PM

    Best solution found so far:

    https://www-secure.symantec.com/connect/articles/how-use-sep-protect-against-rogue-browser-helpers