Author Topic: Why is Avast not blocking XP Antivirus 2010 trojan?  (Read 29896 times)


Riverviewfan

  • Guest
Why is Avast not blocking XP Antivirus 2010 trojan?
« on: March 05, 2010, 02:13:50 AM »
This trojan has been around for a few weeks now and I've picked it up twice.  Both times my Avast 4.8 has been up to date.  Why is there no blocking of this trojan yet?  Yes, I know Malwarebytes gets rid of it, and supposedly the Pro version will block it from getting on your PC.  Why is Avast not doing the same?    ???

Riverviewfan

Offline jkorman

  • Newbie
  • *
  • Posts: 1
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #1 on: March 05, 2010, 06:16:35 AM »
I'm going to add my "me too". I got it tonight, was able to remove it all. At least I'm fairly certain I did.

But when I found posts that this thing has been known about for over a month and Avast didn't even
blink, I'm more than a little upset.  >:(

BTW : I followed the most common instructions for removing av.exe from my machine.

1. In the manual removal instructions nobody bothered to say, remove the program. On my
    Vista machine it was marked as a System file under \Users\username\AppData\Local\av.exe
    So to go searching for it you need to be able to see System files.

2. Do a search of the entire registry, I found two more locations where that damn thing
    had set itself up to run. No, I forgot to copy the registry keys.

Jim

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37649
  • F-Secure user
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #2 on: March 05, 2010, 07:55:23 AM »
How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010

Automated Removal Instructions using Malwarebytes' Anti-Malware:
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

What this program does:

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:

•Antivirus Vista 2010
•Vista Antispyware 2010
•Vista Guardian
•Vista Antivirus Pro
•Vista Internet Security
•Vista Internet Security 2010
•XP Guardian
•XP Antivirus Pro
•XP AntiSpyware 2010
•XP Internet Security
•XP Internet Security 2010
•Antivirus XP 2010
•Antivirus Win 7 2010
•Win7 Guardian
•Win 7 Antivirus Pro
•Win 7 Antispyware 2010
•Win 7 Internet Security
•Win 7 Internet Security 2010

When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch FireFox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when you try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.
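A defender-side check for the launch hijack described in the guide quoted above and for the leftover autostart entries mentioned in Reply #1, as an added example that is not part of the thread or of the linked guide. It scans registry export text for a replaced .exe open handler and for autostart or open commands pointing into AppData; the keys checked are standard Windows locations, assumed here because the thread does not list the keys this rogue used, and the sample export is constructed.

```python
import re

# Constructed sample in .reg export syntax (not taken from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\av.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"updater"="C:\\Users\\alice\\AppData\\Local\\av.exe"
'''

EXE_DEFAULT = '"%1" %*'  # stock Windows handler: run the clicked file itself
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
EXE_CLASS_RE = re.compile(
    r'(\\classes|^hkey_classes_root)\\(\.exe|exefile)\\shell\\open\\command$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg escapes \ and " with a backslash

def parse_reg(text):
    """Yield (key, value_name, data) for each string value; '' = default value."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VAL_RE.match(line)):
            name = '' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def findings(text):
    out = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        open_cmd = name == '' and k.endswith(r'\shell\open\command')
        run_key = k.endswith(r'\currentversion\run')
        from_profile = '\\appdata\\' in data.lower()
        if name == '' and EXE_CLASS_RE.search(k) and data != EXE_DEFAULT:
            out.append(('exe-handler-replaced', key, data))
        elif (open_cmd or run_key) and from_profile:
            # Triage lead only: some legitimate per-user installs live here too.
            out.append(('launches-from-appdata', key, data))
    return out

if __name__ == '__main__':
    for kind, key, data in findings(SAMPLE):
        print(f'{kind}: [{key}] -> {data}')
```

Real exports written by regedit are UTF-16, so decode the file to text before passing it to `findings`.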

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #3 on: March 05, 2010, 09:54:54 AM »
there are tons of rogues changing every day... even though we're trying to watch (and detect) them all, there's still a probability of missing some (new) of them.. malware authors are always checking their new creations against mostly used AV engines (including us) to carry a non-detection in first hours of a new variant emission...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33999
  • malware fighter
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #4 on: March 05, 2010, 03:53:59 PM »
Hi Riverviewfan,

What you have to remember is that the users that are troubled by this have been installing this rogue av software themselves by clicking on everything indiscriminately.
If you are aware of the danger of the social engineering you won't fall for these scams.
If you use the proper in-browser protection like surfing Firefox with the additional extensions ABP Plus, NoScript, RequestPolicy, you will never even see the malicious pop-ups, because the malcode won't run and the rogue cannot be installed - not a rogue from the past, the present or the foreseeable future.
A resident av solution (and you only can have one!) cannot find all malware. That is why people use additional non-resident anti-spyware like MBAM and/or SAS and clean the crap from their machines using ATF Cleaner, also very important to keep your third party software fully updated and patched using Secunia PSI to be protected against the exploits these malicious fake av programs use to try and get your attention and an eventual install that you will regret. As always malcreants speculate on the unawareness and fear of their potential victims,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

asd

  • Guest
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #5 on: March 05, 2010, 06:46:59 PM »
i got this last night! what a pain!  it went right by avast. although it blocked a rootkit it said. but the computer was going crazy. AND I didn't click on any window or pop up or anything.. it just loaded itself as soon as i visited a site.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #6 on: March 05, 2010, 08:32:22 PM »
That was a drive by - there is an item on the blog about it.  This malware changes on a daily basis and AV's are always playing catch up

See http://blog.avast.com/2010/02/18/ads-poisoning-%e2%80%93-jsprontexi/

Riverviewfan

  • Guest
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #7 on: March 05, 2010, 08:51:29 PM »
Hi Riverviewfan,

What you have to remember is that the users that are troubled by this have been installing this rogue av software themselves by clicking on everything indiscriminately.
If you are aware of the danger of the social engineering you won't fall for these scams.
If you use the proper in-browser protection like surfing Firefox with the additional extensions ABP Plus, NoScript, RequestPolicy, you will never even see the malicious pop-ups, because the malcode won't run and the rogue cannot be installed - not a rogue from the past, the present or the foreseeable future.
A resident av solution (and you only can have one!) cannot find all malware. That is why people use additional non-resident anti-spyware like MBAM and/or SAS and clean the crap from their machines using ATF Cleaner, also very important to keep your third party software fully updated and patched using Secunia PSI to be protected against the exploits these malicious fake av programs use to try and get your attention and an eventual install that you will regret. As always malcreants speculate on the unawareness and fear of their potential victims,

polonus

Your assumptions are completely bogus.  There was no "indiscriminate clicking" involved once I clicked on the URL.  Avast gave a warning that it blocked a Javascript attack, but then the trojan just came right on through.  I didn't have to click on anything else after reaching the infected website and I didn't install it.  I was using a fully patched XP machine and IE8 at the time.  I do have Firefox installed, but the website in question wasn't one I'd suspect to be infected, so I was using IE8.

Posting instructions as to how to remove it is helpful once you get the infection, but the question remains - why after one month is Avast NOT BLOCKING this dangerous trojan?  I understand no AV is going to catch everything on the first day - but a month later??  That's complete BS!  This should be in a definition file by now.

From what I've seen on the net, none of the major AV solutions are doing a good job stopping this trojan.  I'd be furious if I'd paid for a license from Avast, or Symantec, or Kaspersky etc. only to discover they couldn't stop it either.  Only MBAM Pro seems capable of stopping it before it gets on your system.  I guess I'm going to have to buy an MBAM Pro license tonight if Avast is going to sit on their ass for a few more weeks before updating their definition file to include it and its behavior.

Derek

CharleyO

  • Guest
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #8 on: March 06, 2010, 07:02:18 PM »
***

Maxx supplied the answer to your question.

there are tons of rogues changing every day... even though we're trying to watch (and detect) them all, there's still a probability of missing some (new) of them.. malware authors are always checking their new creations against mostly used AV engines (including us) to carry a non-detection in first hours of a new variant emission...

I added the bold to highlight the answer. In other words, XP Antivirus 2010 trojan gets code changes very often.


***
« Last Edit: March 06, 2010, 07:05:06 PM by CharleyO »

Riverviewfan

  • Guest
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #9 on: March 06, 2010, 08:46:33 PM »
***

Maxx supplied the answer to your question.

there are tons of rogues changing every day... even though we're trying to watch (and detect) them all, there's still a probability of missing some (new) of them.. malware authors are always checking their new creations against mostly used AV engines (including us) to carry a non-detection in first hours of a new variant emission...

I added the bold to highlight the answer. In other words, XP Antivirus 2010 trojan gets code changes very often.


***

Frankly, I doubt this is being altered every day.  If it was, the Trojan's authors would have likely found a way to disable the removal procedure that has been posted in many places over the last month or so.

Why is Malwarebytes able to remove it, but not Avast?  Avast isn't even capable of removing it, let alone blocking it before it gets on your system.  It certainly doesn't say much for the "Avast Evangelists" if your solution is to use someone else's product!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #10 on: March 06, 2010, 09:02:30 PM »
In the 50 or so cases I have removed, the trigger files are always slightly different

AV's Used whilst being infected are :

Norton
Kaspersky
AVG
Avira
Nod32
Avast
et al

Basically no antivirus as of today, when I started the latest case, has yet been able to stop it.

There are some cases where the only way to kill it was through a PE environment

So you can complain and decide to use another av to block it - but which one ?

Did you pass the files to Avast for analysis and inclusion ?

yawetage

  • Guest
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #11 on: March 06, 2010, 09:20:31 PM »
I have read that most rogues are server-side polymorphic these days which means the packaging of the file can change multiple times while on your machine and thus get around whatever AV you are using. This has apparently initiated the steep rise in scareware in the past two years (not to mention that the bad guys are all organized now).

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4871
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #12 on: March 06, 2010, 09:33:39 PM »
AND I didn't click on any window or pop up or anything.. it just loaded itself as soon as i visited a site.

  There was no "indiscriminate clicking" involved once I clicked on the URL.  Avast gave a warning that it blocked a Javascript attack, but then the trojan just came right on through. 

You both have an insecure web-facing application that is allowing a drive-by download.

Scan for out of date and insecure software and update.

Secunia Online Software Inspector (OSI)
Secunia Personal Software Inspector (PSI)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Chim

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1151
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #13 on: March 06, 2010, 10:38:16 PM »
Is that PSI going to do its thing without attempting to install Java or whatever the OSI attempted to do when I briefly started to try this Secunia?

Whatever Drivers it finds out of date, will Secunia give you the option of updating them there?
Or is it up to us to go who knows where to find the appropriate latest Drivers?
Dell Optiplex 780 / Core 2 Duo E8400 3.00 GHz / 4 Gig RAM / Windows XP Pro 32-Bit SP3 / Panda Dome  Free 18.07.00 / MBAM / SAS / NetZero Dial Up / Maxthon MX5 5.2.5.4000

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37649
  • F-Secure user
Re: Why is Avast not blocking XP Antivirus 2010 trojan?
« Reply #14 on: March 06, 2010, 10:45:01 PM »
Secunia will not look for drivers, it looks for programs that are a security risk / out of date

Try the online scan, very quick