Fake Anti-Virus Programs

I work for an IT consulting company and we use Avast exclusively with our customers. However in the past month or so, we have been getting call after call about these new fake antivirus viruses…so far I have seen “Microsoft Anti-Virus”, “XP Antivirus”, “MS Antivirus 2008”, “MS Antivirus 2009”, and “Vista Antivirus”.

We have been able to remove them successfully for the most part, but what concerns me is that avast doesn’t catch them. For a test I intentionally infected a system and found that while avast did pop up a warning, the virus (or spyware or malware or whatever we want to call these programs) just forced itself past.

From a search I see that there are many others that have this same problem, and I am just wondering if an update is coming that will close this hole? Do we know why it’s showing up as a legitimate program?

I guess I just want to let the devs, and users alike know that this is really starting to be a problem virus, and that so far avast isn’t stopping it.

Thanks,

Casey

Hi caseyv,

These Fake Anti-Virus Programs are actually spyware/scumware/malware, the site bestantivirus2009DOTcom is still being advertised through Google Adwords and uses browser exploits like setslice and AOL IM exploits to secretly install this fakeware/malware. SAS and MBAM are anti-spyware programs that will do a reliable removal of these annoying fake av rogues.

To easily set a killbit for setslice-0-day use ZProtector from: http://www.isotf.org/zert/patch/ZProtector.zip
To test if the browser is vulnerable (IE6 is):
http://www.isotf.org/zert/tests/testSetSlice.html tests the IE browser; if it is vulnerable, it will crash.
For the AOL IM exploit see: http://www.w00w00.org/advisories/aim.html

People have a good protection against this if they use Firefox 3 with the NoScript extension installed.
Normal users should be taught that not all pop-ups or message prompts come from M$ or their machine and are therefore to be trusted. Another thing is that there are users that click on anything, not hindered by any knowledge of what they are doing. Those are beyond help, and form the greatest threat for themselves and other Internet users.

polonus
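The kill-bit approach polonus mentions works by flagging a control's CLSID in the registry so Internet Explorer refuses to instantiate it. The script below is an added example, not code from this thread and not part of ZProtector or any ZERT tool; it reads or sets that flag for one CLSID using the documented "Compatibility Flags" value (Microsoft KB 240797). The default CLSID is a placeholder and an assumption: substitute the real CLSID of the affected control from the vendor advisory.

```powershell
# Added example (not from the thread, not ZProtector): inspect or set the
# Internet Explorer ActiveX kill bit for one CLSID.
# Mechanism (Microsoft KB 240797): under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# a DWORD "Compatibility Flags" with bit 0x400 set tells IE never to load
# that control, which is what a kill-bit tool does for the setslice control.
# The default CLSID is a PLACEHOLDER (assumption); pass the real one with -Clsid.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',
    [switch]$Set
)

$KillBit = 0x400
$Key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-KillBitState {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'no entry (control allowed)' }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'entry without flags (control allowed)' }
    if (($flags -band $KillBit) -ne 0) { return 'kill bit set (control blocked)' }
    return ('flags 0x{0:X} without kill bit (control allowed)' -f $flags)
}

function Set-KillBit {
    param([string]$Path)
    # HKLM is writable only from an elevated (administrator) shell.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
        -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so any other compatibility flags already set are preserved.
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

Write-Host "Before: $(Get-KillBitState $Key)"
if ($Set) {
    Set-KillBit $Key
    Write-Host "After:  $(Get-KillBitState $Key)"
}
```

Run it without `-Set` from any shell to audit whether a control is already blocked (which is what Spywareblaster-style tools leave behind); run it with `-Set` from an elevated shell to apply the block. Because the kill bit is keyed on the CLSID, it stops the control being loaded from any web page regardless of which exploit tries to use it, which is why it is a more durable mitigation than blocking one site.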

Sleepy me wasn’t paying attention to what I was doing today and infected myself with antivirus 2009. I installed avast today and it recognizes it, just doesn’t seem to be able to banish it. :-\

I would like to concur with Casey’s comments. I too work for an IT company that recommends Avast. Antivirus 2008, 2009, XP 2008, XP Security Center are all SCAM ‘Malware’ that also infect other computers, send spam emails and install backdoor trojans. Avast only seems to get them after they’re installed and have caused all the damage.

We have had to clean 6 computers in the last 2 weeks - with varying degrees of success. AVAST should pick up these viruses. As far as I can work out they are being installed from the ‘UPS Delivery failure’ and ‘Airline ticket confirmation’ spam emails. The attachment comes in a zip format.

I know I could install other 3rd party applications across the 600 computers we look after, but we brag to our clients how good Avast is! Plus they’ve paid for it already.

Hope you guys can come up with a solution soon.
Hoges

I ran the setslice program given by Polonus on my IE6 and got:
WebView object was not scriptable for some reason.
This means you are likely immune to the vulnerability given your current configuration.
So IE6 can be tweaked to safety for this infection.

Are there any instructions for ZProtector.exe?
There are two exe files in the folder:
ZProtector
and
ZGprotector

I ran the Z version and got the message that my ActiveX was protected already.
Thank you SpywareBlaster; Spyware Doctor also blocks.

XP Antivirus detection will be updated soon (probably tomorrow)

I absolutely agree…unfortunately it just isn’t always that cut and dry.

Avast is still an excellent product, and we will continue to use it, I just wanted to raise a bit of awareness as to how big of a problem this is becoming.

That is great. I look forward to the update.

Casey

This is a comment for those who are looking for a little easy help, I am not a geek nor Guru… just some comments about how I removed this from my computer.

I downloaded the fake anti-virus win32 with the netbooster worm when I was looking for some keno programs. It took me several hours to get rid of it. I have great regard for Avast and still use it, but it could not get rid of this virus. I downloaded the free version of StopZilla 5.5, which would only quarantine the 82 objects; to completely remove the files Zilla wants you to buy the paid version, but once you know all the criteria you should be able to remove most of the files yourself, then use one of the several free removal tools which are available online.
This is an ugly way to spend your days off!!! Good luck

Well I have never heard of StopZilla prior to your post (I guess I lead a sheltered life ;D), but I get a distinctly bad feeling when it comes to a free scan reporting multiple infections only to ask me to pay for their removal.

There are many such rogue applications that use this tactic but StopZilla doesn’t seem to be one of these.

StopZilla.com
OrgName: Performance Systems International Inc.

RogueRemover is a utility that can remove various rogue antispyware, antivirus and hard drive cleaning utilities. Rogue applications are applications that rather than remove spyware, provide false positives, distribute malware or spyware, advertise, or provide useless uninstallers. The main point is that rogue applications are useless and eat up system resources.

Check http://www.malwarebytes.org/rogueremover.php

I also suggest:

  1. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  2. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

Hi Tech, I used your link and had a look at Spyware Terminator. It says it is free to home users; is it safe to download the free version?

All of the suggested applications have free options and it wouldn’t be suggested if it wasn’t safe/compatible with avast.

Just check my signature ;D

David has answered :wink:
Yes, it’s safe and all have free versions.

Cheers, I’m going to download Spyware Terminator and give it a try. I just wasn’t sure on the free version. Thanks again.

Hi, downloaded Spyware Terminator, running a full scan, will post results here.

Personally I think both of the other two have better detections, but spyware terminator free also offers resident protection, where the free versions of the others don’t.

Note: Having installed ST, I hope you don’t install the toolbar or crawler or the anti-virus module that also comes with it.

OK, Spyware Terminator is a good program. It warned me about svchost.exe and gave me the option to block it.

Why should I not have installed the toolbar or Crawler or anti-virus module, as I did? Please let me know if it’s wrong.

Crawler has a bit of history about being adware, collecting info to deliver adverts that might be relevant based on your browsing. It isn’t a good idea to have two resident AVs, though this one they say isn’t resident, but I’m not sure. It has processes running on boot, though that may just be to enable you to do right-click scans on single files.

Avoid installing the toolbar… you can live very good without it…
Yeah, Crawler has a ‘bad past’… right now I think they’ve learned the lesson.