BitDefender weekly review – The marvelous Antivirus 360
27 March 2009
Antivirus 360. If that's not a “genuine” antivirus product name, then what is?
As “real” as it may sound, we assure you it is nothing but a fake. Its sole purpose is to harass users with bogus infection reports on their PCs so that they buy the product, which is supposed to clean up the “infections”.
Win32.Worm.Autorun.QR
This worm usually comes inside NSIS (Nullsoft Installer) files, pretending to be an installer for QuickWatch, a modal debugging window. Once run, the installer drops a file called QuickWatch.exe into %temp% and executes it.
QuickWatch.exe then creates an autorun.inf file in the root folder of every accessible drive. These files are padded with garbage characters to hide their real purpose from detection: executing the malware hidden in the RECYCLER folder under a random name.
The random name has the form S-3-0-68-100021457-100021691-100001035-4746.com, where each number appears to be randomly generated.
Every time the worm is executed it tries to spread to other drives, including USB sticks and network drives. It launches msiexec.exe and keeps the process running to mark its presence on the system. It then copies msi.dll into %temp% and patches it with several instructions that make it delete the worm if it is manually executed.
Details: http://www.bitdefender.com/VIRUS-1000483-en--Trojan.Injector.CZ.html
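As an added example (not part of the original review and not BitDefender's own tooling), the script below shows how a responder could triage autorun.inf files of the kind described above. It parses the file tolerantly so that garbage padding does not abort the parse, collects every key that can launch something (open, shellexecute, shell\<verb>\command), flags launch targets that point at a SID-named executable under RECYCLER, and counts the non-INI padding lines as a second signal. The sample autorun.inf contents, the drive roots in the main block and the padding threshold are constructed assumptions, not captures from the worm.

```python
import re
from pathlib import Path

# Constructed sample in the style the article describes: junk lines before and
# inside the [autorun] section, every launch key pointing at a SID-looking .com
# file under RECYCLER. Example data, not a real capture of the worm.
SAMPLE_AUTORUN = (
    "\x00\x07aj3#kdf}{|\r\n"
    ";!@#$%^&*()_+ more padding\r\n"
    "[AutoRun]\r\n"
    "z0z0z0z0z0z0z0z0\r\n"
    "OPEN=RECYCLER\\S-3-0-68-100021457-100021691-100001035-4746.com\r\n"
    "shell\\open\\Command=RECYCLER\\S-3-0-68-100021457-100021691-100001035-4746.com\r\n"
    "q8q8q8q8q8q8q8q8q8q8\r\n"
    "shell\\explore\\command=RECYCLER\\S-3-0-68-100021457-100021691-100001035-4746.com\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "shellexecute=RECYCLER\\S-3-0-68-100021457-100021691-100001035-4746.com\r\n"
)

# Constructed benign vendor autorun.inf for comparison.
BENIGN_AUTORUN = "[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Vendor Disc\r\n"

SECTION_RE = re.compile(r"^\s*\[\s*autorun(\.\w+)?\s*\]\s*$", re.IGNORECASE)
KEYVAL_RE = re.compile(r"^\s*([^=\[\];]+?)\s*=\s*(.*?)\s*$")
# Keys whose value is executed by the Autoplay/AutoRun handler.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
# A payload under RECYCLER whose name imitates a SID, as the article describes.
RECYCLER_SID_RE = re.compile(
    r"(^|[\\/])recycler[\\/]s-\d+(?:-\d+){3,}\.(?:com|exe|scr|pif|bat|cmd)$",
    re.IGNORECASE,
)
JUNK_THRESHOLD = 3  # assumed: this many non-INI lines is treated as deliberate padding


def parse_autorun(text):
    """Tolerant autorun.inf parse: returns (launch_targets, junk_line_count).

    Lines that are neither a section header, a comment nor key=value are
    counted as junk instead of raising, because the padding is itself a signal.
    """
    targets, junk = [], 0
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip("\x00 \t")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = bool(SECTION_RE.match(line))
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            junk += 1
            continue
        key, value = m.group(1), m.group(2)
        if in_autorun and LAUNCH_KEY_RE.match(key):
            targets.append(value)
    return targets, junk


def assess(text):
    """Score one autorun.inf body and return the findings as a dict."""
    targets, junk = parse_autorun(text)
    hits = [t for t in targets if RECYCLER_SID_RE.search(t)]
    reasons = []
    if hits:
        reasons.append("launch target is a SID-named executable under RECYCLER")
    if junk >= JUNK_THRESHOLD:
        reasons.append(f"{junk} non-INI padding lines (obfuscation)")
    return {
        "targets": targets,
        "recycler_hits": hits,
        "junk_lines": junk,
        "suspicious": bool(hits) or junk >= JUNK_THRESHOLD,
        "reasons": reasons,
    }


def scan_roots(roots):
    """Assess the autorun.inf at the root of each given drive or mount point."""
    findings = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            # latin-1 never fails to decode, so junk bytes cannot abort the scan.
            findings[str(inf)] = assess(inf.read_bytes().decode("latin-1"))
    return findings


if __name__ == "__main__":
    import sys

    # Assumed drive letters; pass real roots (or mount points) as arguments.
    roots = sys.argv[1:] or ["C:\\", "D:\\", "E:\\"]
    for name, body in (("constructed worm sample", SAMPLE_AUTORUN),
                       ("constructed benign sample", BENIGN_AUTORUN)):
        print(name, "->", assess(body)["reasons"] or ["clean"])
    for path, result in scan_roots(roots).items():
        print(path, "->", result["reasons"] or ["clean"])
```

The parse deliberately does not use Python's configparser: the padded files the article describes would make a strict INI parser raise before reaching the launch keys, which is exactly the evasion the worm relies on. The RECYCLER pattern is keyed to this family's naming; broaden it (or simply flag any launch target under RECYCLER or System Volume Information) before reusing it as a general detection.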
Trojan.Downloader.FakeAv.AH
This Trojan is part of a rogue antivirus distribution chain. The “security product” is called Antivirus 360. The downloader attempts to open a browser window on a malicious website, which is either the download page for Antivirus 360 or its “remote scanning” module. After a quick “scan”, the module reports many infections on the victim's system. All of them are fake; their sole purpose is to frighten the user into downloading and installing Antivirus 360, and perhaps even buying the product, in order to have their computer “cleaned”.
The message displayed after the scan completes is one of the following:
"Your computer contains various signs of viruses and malware programs presence.
Your system requires immediate anti viruses check!
Antivirus 360 will perform a quick and free scanning of your PC for viruses and malicious programs."
"Your computer remains infected by viruses!
They can cause data loss and file damages and need to be cured as soon as possible.
Return to Antivirus 360 and download it secure to your PC"
Other fake detections it may report include:
Email-Worm.Win32.Net
Email-Worm.Win32.Myd
Trojan-Downloader.Win
They are accompanied by a message like:
"This program is potentially dangerous for your system. Trojan-Downloader stealing passwords,
credit cards and other personal information from your computer.
Advice:
You need to remove this threat as soon as possible!"
Information in this article is courtesy of BitDefender virus researcher Lutas Andrei Vlad.
oregonnerd said on Mar-27-2009 10:19
--Glenn
ALT F4 simply means "end program". If you were to get an error like "Are you sure you want to stop this process?", it would be best to go to Start and Restart (that enter character can't get into the main screen, at least as yet, because it's an integral part of the OS (Windows Explorer, for a PC user)), and the reboot will nullify any attempt to leave files to execute on startup on the desktop, as has been done before.
Bereczki Andrei said on Mar-30-2009 08:14
If nagging alert windows appear and you can't close the tab because of them, it's best to use Task Manager to kill the process.
But do this before clicking on anything on that website except "Cancel".
Asharerr said on Dec-28-2010 20:21
thanks! BTW, how about Alt+F4?