Tags: 2009, antispyware, antivirus

#1
XP Antivirus 2009, XP Antispyware 2009, et al.

How can this new iteration of an old threat get by up to date real-time anti virus scanners? I've now seen it infect systems running up to date Avast and also Micro Trend Officescan. I would imagine it has passed through others.

From what I understand, this is the same crap as XP Antivirus 2007 and 2008. Also have read that it morphs into Antivirus VIP. Anyway, I'm mainly confused as to how it is bypassing scanners? I suspect (because I was not present when the infection occurred) that when an infected web page popped up a message to click on a link to download a repair for the poor user's infected system, that they clicked on it and {purposely} installed the virus. But still, it seems to disable resident scanners.

-Frank

#2
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

On Tue, 28 Oct 2008 08:17:57 -0600, "Frankster" <frank@SPAM2TRASH.com> wrote:

>How can this new iteration of an old threat get by up to date real-time
>anti virus scanners?

Because it is not a virus, but spy/adware.

First programs able to "handle" this malware were:
- Malwarebytes' Anti-Malware
  http://www.malwarebytes.org/mbam.php
- SuperAntiSpyware
  http://www.superantispyware.com/download.html

But more and more programs (antivirus, antispy-/ad-/malware) recognize this threat.

--
Fred W. (NL)

#3
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

FredW wrote:
> On Tue, 28 Oct 2008 08:17:57 -0600, "Frankster" <frank@SPAM2TRASH.com>
> wrote:
>
>
> But more and more programs (antivirus, antispy-/ad-/malware) recognize
> this threat.

And are mostly able to do **** all about it.

Gaz

#4
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

"Frankster" <frank@SPAM2TRASH.com> wrote in
news:eJOdnT9oUNOKgprUnZ2dnUVZ_rXinZ2d@giganews.com:

> How can this new iteration of an old threat get by up to date
> real-time anti virus scanners? I've now seen it infect systems running
> up to date Avast and also Micro Trend Officescan. I would imagine it has
> passed through others.

It will continue to do so, for some time.

> From what I understand, this is the same crap as XP Antivirus 2007 and
> 2008. Also have read that it morphs into Antivirus VIP. Anyway, I'm
> mainly confused as to how it is bypassing scanners? I suspect (because

It's an application which morphs a lot. Not completely mind you, but enough to fool most programs out there. We have spent a lot of time researching the software, so Malwarebytes tends to get almost all versions on the first try. I am aware of some new variant that's floating around, but it's just a matter of time before we nail its ass to the wall too.

> I was not present when the infection occurred) that when an infected
> web page popped up a message to click on a link to download a repair
> for the poor user's infected system, that they clicked on it and
> {purposely} installed the virus. But still, it seems to disable
> resident scanners.

The user was probably tricked into downloading this to "fix" his/her PC from some bogus errors the website told them they had. And yes, one particular variant is pretty harsh on Symantec and a few others.

https://forums.symantec.com/syment/board/message?
board.id=endpoint_protection11&message.id=15665&jump=true#M15665

My newsclient might have borked this.. But, if you can follow the URL you can read an interesting thread.

--
Regards,
Dustin Cook, Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org

#5
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

"Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
news:Xns9B46E9533C675HHI2948AJD832@69.16.185.247...
> "Frankster" <frank@SPAM2TRASH.com> wrote in
> news:eJOdnT9oUNOKgprUnZ2dnUVZ_rXinZ2d@giganews.com:
>
>> How can this new iteration of an old threat get by up to date
>> real-time anti virus scanners? I've now seen it infect systems running
>> up to date Avast and also Micro Trend Officescan. I would imagine it has
>> passed through others.
>
> It will continue to do so, for some time.
>
>> From what I understand, this is the same crap as XP Antivirus 2007 and
>> 2008. Also have read that it morphs into Antivirus VIP. Anyway, I'm
>> mainly confused as to how it is bypassing scanners? I suspect (because
>
> It's an application which morphs a lot. Not completely mind you, but
> enough to fool most programs out there. We have spent a lot of time
> researching the software, so Malwarebytes tends to get almost all
> versions on the first try. I am aware of some new variant that's floating
> around, but it's just a matter of time before we nail its ass to the
> wall too.
>
>> I was not present when the infection occurred) that when an infected
>> web page popped up a message to click on a link to download a repair
>> for the poor user's infected system, that they clicked on it and
>> {purposely} installed the virus. But still, it seems to disable
>> resident scanners.
>
> The user was probably tricked into downloading this to "fix" his/her PC
> from some bogus errors the website told them they had. And yes, one
> particular variant is pretty harsh on Symantec and a few others.
>
>
> https://forums.symantec.com/syment/board/message?
> board.id=endpoint_protection11&message.id=15665&jump=true#M15665
>
> My newsclient might have borked this.. But, if you can follow the URL you
> can read an interesting thread.
>
> --
> Regards,
> Dustin Cook, Author of BugHunter
> BugHunter - http://bughunter.it-mate.co.uk
> MalwareBytes - http://www.malwarebytes.org

Thanks Dustin. I appreciate the feedback. Sure enough, I ran Malwarebytes' Anti-Malware on three infected machines and it cleaned this infection off of every one without hassle. Thank you!

Yes, it disabled Micro Trend Officescan until after it was cleaned. Also, I did get a user to admit that he did in fact download the program and install it by mistake. He was tricked. I counseled him on making sure any malware messages come from his own Antivirus software and not some apparent third party or web page.

I also noticed, on one machine (maybe more, didn't check) it disabled the registry editor (message says it has been protected by the "Administrator" when you try to run regedt32). In one case (didn't check the others) it remained this way after cleaning with Malwarebytes' Anti-Malware. How to fix?

BTW, yes, I now see that Trend Micro Officescan signatures do recognize this malware. I guess we got it about two days before their sig file was released. And yes, Malwarebytes' seems to have been about the first.

Again, Thanks,

-Frank

#6
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

"Frankster" <frank@SPAM2TRASH.com> wrote in
news:oaudnWsNcImFK5TUnZ2dnUVZ_hadnZ2d@giganews.com:

> "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
> news:Xns9B46E9533C675HHI2948AJD832@69.16.185.247...
>> "Frankster" <frank@SPAM2TRASH.com> wrote in
>> news:eJOdnT9oUNOKgprUnZ2dnUVZ_rXinZ2d@giganews.com:
>>
>>> How can this new iteration of an old threat get by up to date
>>> real-time anti virus scanners? I've now seen it infect systems
>>> running up to date Avast and also Micro Trend Officescan. I would
>>> imagine it has passed through others.
>>
>> It will continue to do so, for some time.
>>
>>> From what I understand, this is the same crap as XP Antivirus 2007
>>> and 2008. Also have read that it morphs into Antivirus VIP. Anyway,
>>> I'm mainly confused as to how it is bypassing scanners? I suspect
>>> (because
>>
>> It's an application which morphs a lot. Not completely mind you, but
>> enough to fool most programs out there. We have spent a lot of time
>> researching the software, so Malwarebytes tends to get almost all
>> versions on the first try. I am aware of some new variant that's
>> floating around, but it's just a matter of time before we nail its
>> ass to the wall too.
>>
>>> I was not present when the infection occurred) that when an infected
>>> web page popped up a message to click on a link to download a repair
>>> for the poor user's infected system, that they clicked on it and
>>> {purposely} installed the virus. But still, it seems to disable
>>> resident scanners.
>>
>> The user was probably tricked into downloading this to "fix" his/her
>> PC from some bogus errors the website told them they had. And yes,
>> one particular variant is pretty harsh on Symantec and a few others.
>>
>>
>> https://forums.symantec.com/syment/board/message?
>> board.id=endpoint_protection11&message.id=15665&jump=true#M15665
>>
>> My newsclient might have borked this.. But, if you can follow the URL
>> you can read an interesting thread.
>>
>> --
>> Regards,
>> Dustin Cook, Author of BugHunter
>> BugHunter - http://bughunter.it-mate.co.uk
>> MalwareBytes - http://www.malwarebytes.org
>
> Thanks Dustin. I appreciate the feedback. Sure enough, I ran
> Malwarebytes' Anti-Malware on three infected machines and it cleaned this
> infection off of every one without hassle. Thank you!

No problem. Glad we could help.

> Yes, it disabled Micro Trend Officescan until after it was cleaned.
> Also, I did get a user to admit that he did in fact download the
> program and install it by mistake. He was tricked. I counseled him on
> making sure any malware messages come from his own Antivirus software
> and not some apparent third party or web page.

Very wise decisions on your part. Never trust a 3rd party "warning" message.

> I also noticed, on one machine (maybe more, didn't check) it disabled
> the registry editor (message says it has been protected by the
> "Administrator" when you try to run regedt32). In one case (didn't
> check the others) it remained this way after cleaning with
> Malwarebytes' Anti-Malware. How to fix?

Ahh, they've disabled the registry editor via a policy key. We already detect this in most cases... Let's see...

http://downloads.malwareremoval.com/...ixPolicies.exe

Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your desktop.
Open the FixPolicies folder.
Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
Reboot your computer after it runs.

Let me know if that doesn't clear up your issue.

--
Regards,
Dustin Cook, Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org

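The policy-key lockout described in post #6, as an added example that is not part of the original thread and does not reproduce what FixPolicies does: a PowerShell check that reports tool-blocking policy values and removes them only on request. The thread does not name the key; the example assumes the standard Windows policy values `DisableRegistryTools` and (going slightly beyond the thread) `DisableTaskMgr` under `Policies\System`, and the function names are hypothetical.

```powershell
# Added example. Assumption: the lockout uses the standard Windows policy
# values below; the thread itself only says "a policy key".
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueNames = @('DisableRegistryTools', 'DisableTaskMgr')

# Hypothetical helper: list every policy value that is present and non-zero.
function Get-ToolLockout {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }      # key absent: nothing set here
        $props = Get-ItemProperty -Path $key
        foreach ($name in $valueNames) {
            $value = $props.$name                    # $null when the value does not exist
            if ($null -ne $value -and $value -ne 0) {
                New-Object PSObject -Property @{ Key = $key; Name = $name; Value = $value }
            }
        }
    }
}

# Hypothetical helper: report by default, delete the values only with -Apply.
function Clear-ToolLockout {
    param([switch]$Apply)
    foreach ($hit in Get-ToolLockout) {
        if ($Apply) {
            Remove-ItemProperty -Path $hit.Key -Name $hit.Name
            Write-Output ("Removed {0}\{1}" -f $hit.Key, $hit.Name)
        } else {
            Write-Output ("Would remove {0}\{1} (value {2})" -f $hit.Key, $hit.Name, $hit.Value)
        }
    }
}

Get-ToolLockout | Format-Table Key, Name, Value -AutoSize
Clear-ToolLockout    # report only; run Clear-ToolLockout -Apply to remove
```

The HKCU values are per user, so run it in the affected user's session; on a domain-joined machine, confirm the value was not set by a legitimate Group Policy before removing it.
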
#7
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

>> I also noticed, on one machine (maybe more, didn't check) it disabled
>> the registry editor (message says it has been protected by the
>> "Administrator" when you try to run regedt32). In one case (didn't
>> check the others) it remained this way after cleaning with
>> Malwarebytes' Anti-Malware. How to fix?
>
> Ahh, they've disabled the registry editor via a policy key. We already
> detect this in most cases... Let's see...
>
> http://downloads.malwareremoval.com/...ixPolicies.exe
>
> Double click on FixPolicies.exe to run it.
> Click on Install. It will create a folder named FixPolicies on your
> desktop. Open the FixPolicies folder. Double click on Fix_policies.cmd to
> run it. Command Prompt will open and close quickly; this is normal.
> Reboot your computer after it runs.

Thank you. I'm confident it will repair the policies. However I won't be returning to that branch office for a couple of weeks. I'll do it then. Again, thanks.

-Frank

#8
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

On Oct 28, 4:17 pm, "Frankster" <fr...@SPAM2TRASH.com> wrote:
> How can this new iteration of an old threat get by up to date real-time
> anti virus scanners? I've now seen it infect systems running up to date
> Avast and also Micro Trend Officescan. I would imagine it has passed through
> others.
>
> From what I understand, this is the same crap as XP Antivirus 2007 and 2008.
> Also have read that it morphs into Antivirus VIP. Anyway, I'm mainly
> confused as to how it is bypassing scanners? I suspect (because I was not
> present when the infection occurred) that when an infected web page popped
> up a message to click on a link to download a repair for the poor user's
> infected system, that they clicked on it and {purposely} installed the
> virus. But still, it seems to disable resident scanners.
>
> -Frank

XP Antispyware 2009 or other rogue antispyware software should always be deleted as soon as possible. And for me the best solution to this problem was Spyhunter. I always use this site http://www.pcthreat.com; they are always updating the latest spyware.

#9
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

Dzias wrote:
> On Oct 28, 4:17 pm, "Frankster" <fr...@SPAM2TRASH.com> wrote:
>> How can this new iteration of an old threat get by up to date
>> real-time anti virus scanners? I've now seen it infect systems
>> running up to date Avast and also Micro Trend Officescan. I would
>> imagine it has passed through others.
>>
>> From what I understand, this is the same crap as XP Antivirus 2007
>> and 2008. Also have read that it morphs into Antivirus VIP. Anyway,
>> I'm mainly confused as to how it is bypassing scanners? I suspect
>> (because I was not present when the infection occurred) that when an
>> infected web page popped up a message to click on a link to download
>> a repair for the poor user's infected system, that they clicked on it
>> and {purposely} installed the virus. But still, it seems to disable
>> resident scanners.
>>
>> -Frank
>
> XP Antispyware 2009 or other rogue antispyware software should always
> be deleted as soon as possible. And for me the best solution to this
> problem was Spyhunter. I always use this site
> http://www.pcthreat.com; they are always updating the latest spyware.

Be aware that this is spam, and just as likely to do harm as the products it claims to remove.

Gaz

#10
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

Dzias wrote:
>
> XP Antispyware 2009 or other rogue antispyware software should always
> be deleted as soon as possible. And for me the best solution to this
> problem was Spyhunter.

Malwarebytes' Anti-Malware is free and it does an excellent job of getting rid of XP Antispyware 2009.
It is usually updated several times a day.

#11
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

Buffalo wrote:
> Dzias wrote:
>>
>> XP Antispyware 2009 or other rogue antispyware software should always
>> be deleted as soon as possible. And for me the best solution to this
>> problem was Spyhunter.
>
> Malwarebytes' Anti-Malware is free and it does an excellent job of
> getting rid of XP Antispyware 2009.
> It is usually updated several times a day.

Be careful, you need to sort out the rootkit with the newer variants first though, as Malwarebytes will not load or update.

Gaz

#12
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

"Gaz" <gazter@msn.com> wrote in
news:6qdlh5Fbg4ojU1@mid.individual.net:

> Buffalo wrote:
>> Dzias wrote:
>>>
>>> XP Antispyware 2009 or other rogue antispyware software should always
>>> be deleted as soon as possible. And for me the best solution to this
>>> problem was Spyhunter.
>>
>> Malwarebytes' Anti-Malware is free and it does an excellent job of
>> getting rid of XP Antispyware 2009.
>> It is usually updated several times a day.
>
> Be careful, you need to sort out the rootkit with the newer variants
> first though, as Malwarebytes will not load or update.
>
> Gaz
>
>
>

That rootkit stops more than MBAM. :)

--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org

#13
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

From: "Dustin Cook" <bughunter.dustin@gmail.com>

| That rootkit stops more than MBAM. :)

Aye, and it's morphing.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

#14
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:keydnUX39rF69dnUnZ2dnUVZ_q7inZ2d@giganews.com:

> From: "Dustin Cook" <bughunter.dustin@gmail.com>
>
>
>| That rootkit stops more than MBAM. :)
>
>
> Aye, and it's morphing.
>

It sure is. Getting rather nasty at this point.

--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org

#15
Re: XP Antivirus 2009, XP Antispyware 2009, et al.

Dustin Cook wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
> news:keydnUX39rF69dnUnZ2dnUVZ_q7inZ2d@giganews.com:
>
>> From: "Dustin Cook" <bughunter.dustin@gmail.com>
>>
>>
>>> That rootkit stops more than MBAM. :)
>>
>>
>> Aye, and it's morphing.
>>
>
> It sure is. Getting rather nasty at this point.

Some more info please, some of us are out at the coalface, any developments would be helpful...

I have to say the trojan describing itself as a driver and rootkit was pretty smart....

Gaz