Author Topic: SystemTool infection beat Avast  (Read 7521 times)


sys-eng

  • Guest
SystemTool infection beat Avast
« on: February 11, 2010, 04:41:05 AM »
I have several customers running the free home edition of Avast who have been infected with SystemTool in the last few months.  Real-time scanning was running and everything was up to date but Avast failed to stop it.  :( Their computers were completely useless until I added Malwarebytes and scanned in safe mode to clean them.

Any ideas why Avast is not stopping this?

computerfreaker

  • Guest
Re: SystemTool infection beat Avast
« Reply #1 on: February 11, 2010, 05:07:57 AM »
Do you mean the rogue AV, or is there another SystemTool malware you're referring to? (I'm asking because a quick Google turned up several pieces of malware, all apparently related to SystemTool)
From all accounts, that's a bad one - it disables a lot of things. It's probably either being constantly updated or perhaps changing itself to avoid detection; either way, you should have your customers (or you should) upload the malware to the Avast! team for analysis. Then they can add appropriate signatures to the detection databases, and hopefully that will stop it (or a particular variant of it).

sys-eng

  • Guest
Re: SystemTool infection beat Avast
« Reply #2 on: February 12, 2010, 06:34:26 PM »
You identified it correctly.  SystemTools is malware fake antivirus security tool propagated via pop-ups, web page advertisements, and perhaps hacked web pages.  Once installed, it constantly gives pop-ups with imitated scan results showing many system-critical files corrupted.  Deleting any of these files will make Windows OS inoperable.  The program also appears to neuter Avast.  Most programs like this are frequently modified with new names so SystemTools may be the same infection as many others with different names.

I have several customers infected with this who were running Avast Home Edition.  None of my customers running Kaspersky or Symantec 2010 or Malwarebytes Pro have been infected.

I have been a big fan of Avast but now I have doubts.  Why did Avast not stop this?

Offline superhacker

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 979
  • superhacker != super mario
Re: SystemTool infection beat Avast
« Reply #3 on: February 13, 2010, 02:20:08 AM »
Quote
Why did Avast not stop this?
Maybe because you don't send the files to the virus lab :-\
Dreams don't die, they just fall asleep.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: SystemTool infection beat Avast
« Reply #4 on: February 13, 2010, 02:36:09 AM »
Hi sys-eng,

Here is removal instruction for this rogue and fake malicious program: http://www.softsailor.com/how-to/8723-how-to-remove-security-tool-virus-malware-removal-guide.html

There is not an av solution or anti-malware solution in the world that is a panacea to all malware; you have to have a combination of a resident av solution like avast and additional scanning with free tools like MBAM and/or SAS. Also an in-the-cloud additional av like ImmunetProtect is available for your complete protection. By the way, no anti-malware program will protect you against a zero-day exploit or a directed personal attack or a persistent threat (a backdoor only known to several insiders); then SafeHex is your only protection, and script blocking inside a browser (= Fx with NoScript).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

sys-eng

  • Guest
Re: SystemTool infection beat Avast
« Reply #5 on: February 23, 2010, 08:40:32 PM »
polonus:

Apparently, the infection has become smarter.  It would not allow the user to install anything or even launch a web browser.  Installed Malwarebytes (free) could not be launched to begin a scan.  I was fortunate that a Malwarebytes scan in Safe Mode worked.  Of course, I followed up with a reboot and scan in Normal Mode.

I fully understand that no anti-malware program is flawless; however, this threat is not particularly new.  If it was a few hours old, I would understand - - but that is not the case here.

Offline superhacker

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 979
  • superhacker != super mario
Re: SystemTool infection beat Avast
« Reply #6 on: February 25, 2010, 11:02:36 AM »
Dreams don't die, they just fall asleep.

triliana

  • Guest
Re: SystemTool infection beat Avast
« Reply #7 on: February 28, 2010, 02:31:55 AM »
This happened to me as well.
I had clicked a bad link in a Facebook message. (yes, stupid me - but it was from a friend and I assumed it was for real... now I always check with my friends before clicking ANYTHING!)

I got the sirens and the message that Avast had found a virus on the page I was going to, and was quite happy for this. But about 1 minute later, the evil that is SystemTool took over my computer. We fixed it same way - MBAM in safe mode - but it took about 2 hours.

The log for that day reads as follows (URL delinked with hxxp of course):
1/9/2010 2:06:09 PM   SYSTEM   1716   Sign of "JS:FakeCodec-W [Trj]" has been found in "hxxp://69.207.205.78/d=e-autosystem.gr/0x3E8/view/console=yes/?go" file.

So basically, Avast detected it, told me it stopped it, but it slipped through.

I have gotten two warnings since then - once going to an infected Wordpress site I used to visit daily, and the other time clicking a link from Google - and run a full system scan afterwards just to make sure.

Just wanted to provide more information for you on this and see if you knew why it was able to get through, even though detected.
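As an added example (not code from the thread, from Avast, or from any poster) of how a technician can work with log lines like the one quoted above: the script below parses Avast web-shield detection records of that shape, keeps URLs defanged (hxxp) so they are never clickable, and counts repeated signatures and hosts so that a detection followed by an infection stands out during triage. The record layout is assumed from the single quoted line; the numeric column is assumed to be a process id, and the lines using `malware.example.invalid` are constructed sample input, not real observations.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Record layout assumed from the one line quoted in the thread:
# "<date> <time> <AM|PM>   <account>   <number>   Sign of "<sig>" has been found in "<url>" file."
LOG_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+'
    r'(?P<account>\S+)\s+(?P<ident>\d+)\s+'
    r'Sign of "(?P<signature>[^"]+)" has been found in "(?P<location>[^"]+)" file\.$'
)


@dataclass
class Detection:
    timestamp: str
    account: str
    ident: str        # numeric column; assumed here to be a process id
    signature: str
    location: str     # always stored defanged (hxxp://) so it cannot be clicked


def defang(url: str) -> str:
    """Rewrite http/https to hxxp/hxxps, the convention the poster used."""
    lower = url.lower()
    if lower.startswith("http://"):
        return "hxxp://" + url[7:]
    if lower.startswith("https://"):
        return "hxxps://" + url[8:]
    return url  # already defanged or not a web URL


def host_of(location: str) -> str:
    """Return the host part of a (possibly defanged) URL, e.g. 69.207.205.78."""
    without_scheme = re.sub(r'^[a-z]+://', '', location, flags=re.IGNORECASE)
    return without_scheme.split('/', 1)[0]


def parse_line(line: str) -> Optional[Detection]:
    """Parse one log line; return None for lines that are not detection records."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Detection(
        timestamp=f"{m['date']} {m['time']}",
        account=m['account'],
        ident=m['ident'],
        signature=m['signature'],
        location=defang(m['location']),
    )


def triage(lines: List[str]) -> Tuple[List[Detection], Counter, Counter]:
    """Parse every line and tally signatures and hosts so repeat hits stand out."""
    detections = [d for d in (parse_line(line) for line in lines) if d is not None]
    by_signature = Counter(d.signature for d in detections)
    by_host = Counter(host_of(d.location) for d in detections)
    return detections, by_signature, by_host


# Sample input: the first line is the one quoted in the post above (URL already
# defanged by the poster); the remaining lines are constructed for this example.
SAMPLE_LOG = [
    '1/9/2010 2:06:09 PM   SYSTEM   1716   Sign of "JS:FakeCodec-W [Trj]" has been found in '
    '"hxxp://69.207.205.78/d=e-autosystem.gr/0x3E8/view/console=yes/?go" file.',
    '1/9/2010 2:07:41 PM   SYSTEM   1716   Sign of "JS:FakeCodec-W [Trj]" has been found in '
    '"http://malware.example.invalid/view/?go" file.',
    '1/9/2010 2:09:02 PM   SYSTEM   1716   Sign of "Example:Constructed-Sig [Trj]" has been found in '
    '"http://malware.example.invalid/setup.exe" file.',
    'this line is not a detection record',
]

if __name__ == "__main__":
    dets, by_sig, by_host = triage(SAMPLE_LOG)
    for d in dets:
        print(f"{d.timestamp}  {d.signature:32}  {d.location}")
    print("signatures:", dict(by_sig))
    print("hosts:", dict(by_host))
```

Running it lists each detection with its defanged URL and then the per-signature and per-host counts; a host or signature that keeps reappearing over a few minutes is the pattern to look for when the web shield reports a block but the machine still ends up infected.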

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: SystemTool infection beat Avast
« Reply #8 on: February 28, 2010, 02:47:37 AM »
Hi triliana,

2010-01-19.
Malicious software includes 146 trojans, 37 worms.

This site was hosted on 1 network(s) including AS11351 (RR).

It seems that 69.207.205.0 has been functioning to redirect to infect 4 sites, e.g. hundpangpang.blogspot.com/, kharisbravoco.blogspot.com/, hafishafiskochavi.blogspot.com/.

The site has been hosting malware?
Yes, the site has been hosting malicious software and this has infested 297 domains, e.g. hafishafiskochavi.blogspot.com/, anthoneychiz.blogspot.com/, hundpangpang.blogspot.com/,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!