We’ve had a problem today with Avast 4.8 (Business edition). One of our users opened a PDF, which Avast detected as containing ‘JS:Pdfka-gen [Expl]’. At the same time, it appears that a file called 21dece.exe was downloaded onto the PC and proceeded to install a fake AV program called ‘Disk Antivirus Professional’. Another file also appeared called 2233979E491DC28000022331750E641.exe, which appears to be related to this fake AV program.
What concerns me is that this application managed to bypass Avast even with the latest AV signatures installed (130307-3).
Avast did log a couple of network requests to a malicious site, as below, but it appears that application was already running at this point:
08.03.2013 09:32:23 Network Shield: blocked access to malicious site 175.41.29.181/api/urls/?ts=35fb5bd9b964ad61c09a03c508c230d4c707f55c&affid=47801 [ C:\DOCUME~1\xxxxx\LOCALS~1\Temp\21dece.exe ( 412 ) ]
08.03.2013 09:34:23 Network Shield: blocked access to malicious site 175.41.29.181/api/stats/install/?ts=35fb5bd9b964ad61c09a03c508c230d4c707f55c&token=fya14oiYU&affid=47801&ver=3070025&group=dap [ C:\DOCUME~1\xxxxx\LOCALS~1\Temp\21dece.exe ( 412 ) ]
A full scan, run in safe mode with Avast, didn’t find anything; however, I installed Malwarebytes temporarily and it found 6 items relating to this fake AV program. Is this application outside of Avast’s remit, or have we just been unlucky and caught something very new before Avast can deal with it?
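As an added example (not code from the original post, from Avast, or from the poster), the script below parses Network Shield entries of the exact shape quoted above and turns them into the triage facts a responder wants when deciding whether a blocked request came from a process that was already running: which executable and PID made the requests, whether it ran from a Temp directory, how long it stayed active between the first and last blocked request, which hosts it contacted, and whether an install-style callback was among them. It assumes the log format is the one shown in the post (date, time, "Network Shield: blocked access to malicious site", URL without a scheme, then the process path and PID in brackets); the `http://` prefix is prepended only so the standard library can split the URL, and the Temp-directory check is a simple substring heuristic. The sample lines are the two entries from the post plus one constructed, unrelated line to show that non-matching entries are skipped.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the two Network Shield entries quoted in the post, plus one
# unrelated line (constructed) to show that entries of other shields are ignored.
SAMPLE_LOG_LINES = [
    r"08.03.2013 09:32:23 Network Shield: blocked access to malicious site "
    r"175.41.29.181/api/urls/?ts=35fb5bd9b964ad61c09a03c508c230d4c707f55c&affid=47801 "
    r"[ C:\DOCUME~1\xxxxx\LOCALS~1\Temp\21dece.exe ( 412 ) ]",
    r"08.03.2013 09:34:23 Network Shield: blocked access to malicious site "
    r"175.41.29.181/api/stats/install/?ts=35fb5bd9b964ad61c09a03c508c230d4c707f55c"
    r"&token=fya14oiYU&affid=47801&ver=3070025&group=dap "
    r"[ C:\DOCUME~1\xxxxx\LOCALS~1\Temp\21dece.exe ( 412 ) ]",
    "08.03.2013 09:35:00 File System Shield: constructed unrelated entry",
]

# Layout assumed from the lines quoted in the post: timestamp, fixed message,
# scheme-less URL, then "[ <process path> ( <pid> ) ]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"Network Shield: blocked access to malicious site (?P<url>\S+) "
    r"\[ (?P<proc>.+?) \( (?P<pid>\d+) \) \]$"
)


@dataclass
class BlockedRequest:
    timestamp: datetime
    host: str
    path: str
    params: dict
    process: str
    pid: int


def parse_line(line):
    """Return a BlockedRequest for a Network Shield block line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Avast logs the URL without a scheme; prepend one so urlsplit can parse it.
    parts = urlsplit("http://" + m["url"])
    return BlockedRequest(
        timestamp=datetime.strptime(m["ts"], "%d.%m.%Y %H:%M:%S"),
        host=parts.hostname,
        path=parts.path,
        params={k: v[0] for k, v in parse_qs(parts.query).items()},
        process=m["proc"],
        pid=int(m["pid"]),
    )


def summarise_blocks(lines):
    """Group blocked requests per (process, pid) and derive triage facts."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    groups = {}
    for e in events:
        groups.setdefault((e.process, e.pid), []).append(e)
    summaries = []
    for (proc, pid), evs in groups.items():
        evs.sort(key=lambda e: e.timestamp)
        summaries.append({
            "process": proc,
            "pid": pid,
            # Heuristic: user-writable Temp paths are a common drop location.
            "runs_from_temp": "\\temp\\" in proc.lower(),
            "first_seen": evs[0].timestamp,
            # Seconds between first and last block: a lower bound on how long
            # the process stayed alive while its traffic was being blocked.
            "active_seconds": int((evs[-1].timestamp - evs[0].timestamp).total_seconds()),
            "hosts": sorted({e.host for e in evs}),
            "endpoints": [e.path for e in evs],
            # An "install" stats callback means the payload got far enough to
            # report a completed install, whatever the network block did.
            "install_beacon": any("/stats/install/" in e.path for e in evs),
            "affids": sorted({e.params["affid"] for e in evs if "affid" in e.params}),
        })
    return summaries


if __name__ == "__main__":
    for s in summarise_blocks(SAMPLE_LOG_LINES):
        print(f"{s['process']} (pid {s['pid']})")
        print(f"  from Temp: {s['runs_from_temp']}, active >= {s['active_seconds']}s")
        print(f"  hosts: {s['hosts']}, endpoints: {s['endpoints']}")
        print(f"  install beacon: {s['install_beacon']}, affiliate ids: {s['affids']}")
```

Run against the two quoted lines, the summary shows a single process in the user's Temp directory that was still alive two minutes after its first blocked request and reached an install-reporting endpoint, which is consistent with the poster's observation that the executable was already running when the network blocks were logged. The per-process grouping is what makes the report useful for a wider log export: each executable and PID that triggered a block gets its own row.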