Wed 06-Oct-2010 15:26
I'm just curious if anybody else is getting hit pretty hard by this one? For us it's showing up as mstsc.exe and hotfix.exe. Sophos takes care of it but the delay between detection and cleanup allows the Fake Microsoft Security Essentials window to pop up.
Thu 07-Oct-2010 10:18
First of all, please always use the exact name for a detection.
the delay between detection and cleanup allows the Fake Microsoft Security Essentials window to pop up
If it's detected it shouldn't be allowed to run - is it again detected after cleanup? Are you using runtime HIPS (suspicious behaviour detection)? Did you use a full scan? I've had some encounters with FakeAVs recently. If they are not removed completely there's a chance that something not yet detected is involved.
I'd try to find out which process pops up the window (I suggest using Process Explorer) and from where it is started. In some cases using a more aggressive scanning policy (scan on write/rename and runtime HIPS) led to the identification of suspicious files which I then sent to the Labs. Once they were analyzed and new/updated identities had been issued, a subsequent full scan and reboot removed the remaining items. If you do not know where the threat came from it might be wise to continue to use the aggressive policy for a few days, as sometimes the threats are updated.
Please keep us informed
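Added example, not part of the post above: a script-level stand-in for the Process Explorer check it suggests. It lists every running process whose image lives in a user-writable location (%TEMP%, %APPDATA%, %LOCALAPPDATA%, %ProgramData%), or whose name is one of the two reported in this thread but is running from outside %SystemRoot% (the legitimate mstsc.exe lives under System32), together with its parent process, so you can see what started it. It assumes PowerShell 3 or later (Get-CimInstance) and an elevated prompt, since ExecutablePath is blank for other users' processes otherwise; the function name and the watch list are my own choices.

```powershell
# Added example (not from the original post). Requires PowerShell 3+ and an elevated prompt.
function Get-SuspectProcess {
    param(
        # directories a dropped FakeAV typically runs from
        [string[]]$UserWritableDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData),
        # names reported in this thread; mstsc.exe is only legitimate under %SystemRoot%
        [string[]]$WatchNames = @('mstsc.exe', 'hotfix.exe')
    )
    $dirs    = $UserWritableDirs | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() + '\' }
    $sysRoot = $env:SystemRoot.ToLower() + '\'

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }   # PID -> process, for parent lookup

    foreach ($p in $all) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }          # kernel/system processes or no access: nothing to judge
        $lower   = $path.ToLower()
        $reasons = @()

        $hit = $dirs | Where-Object { $lower.StartsWith($_) } | Select-Object -First 1
        if ($hit) { $reasons += "image under user-writable dir $hit" }

        if (($WatchNames -contains $p.Name.ToLower()) -and -not $lower.StartsWith($sysRoot)) {
            $reasons += "watched name running outside $env:SystemRoot"
        }
        if ($reasons.Count -eq 0) { continue }

        $parent = $byPid[[int]$p.ParentProcessId]   # may be gone if the dropper exited after launching
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Path        = $path
            Started     = $p.CreationDate
            CommandLine = $p.CommandLine
            ParentPID   = $p.ParentProcessId
            Parent      = if ($parent) { $parent.Name } else { '(exited)' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            Reason      = ($reasons -join '; ')
        }
    }
}

# Oldest first, so a dropper that started the rest shows up before its children.
Get-SuspectProcess | Sort-Object Started | Format-List
```

A hit with a parent of "(exited)" is typical of a dropper that ran once, wrote the real payload to %TEMP% and quit; the Path and CommandLine of the surviving child are then what you want to submit to the Labs, and the Started time is the anchor for the file search in the user's temp directories.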
Thu 07-Oct-2010 12:08
Our organization just got the same virus/trojan on a laptop, seemingly after visiting a rogue website in IE8... however, on further investigation, there may even have been a previous issue with a fake Windows update. The concern here is that Sophos did not stop the virus/trojan from running and the virus/trojan was able to turn Sophos protection off and shut it down. We are in the process of cleaning the machine; as the virus seems specific to a user account, running Sophos in safe mode under the admin account is working.
Since Sophos did not catch this upfront, are there additional manual steps that need to be taken to ensure the virus is completely removed?
Thu 07-Oct-2010 12:58
The More Information tab in the analysis for the detected item might contain information on registry keys and files/shortcuts created or modified. Sometimes the modifications can prevent a user from completely logging on.
Since sophos did not catch this upfront, are there additional manual steps that need to be taken
Even with HIPS turned on unknown threats can sneak in. Once an IDE is issued (and the threat detected) usually no additional steps (other than the full scan and if needed in safe mode) are required to remove all known components. As I said, additional items could be present and as deeper analysis is performed and/or customers are sending in more samples identities might be updated and additional items detected following the identification of a new threat. So running a scheduled scan once or twice a day for the next few days is a good idea.
If you observe any anomalies or are unsure about removal, do not hesitate to contact Support. Also, if you notice any suspect files (if a threat has been detected, look in the user's %TEMP% and CONTENT.IE5 directories for files with a similar creation date), use the Sample submission form to send them to Sophos.
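Added example, not part of the post above: it does the %TEMP% / CONTENT.IE5 sweep the post describes, listing files whose creation time falls within a window around the detection time, with a SHA-256 and a check of the MZ header (FakeAV droppers are often written with a .tmp or no extension, so the extension alone says little). It takes a profile root so it can be run from the admin account in safe mode against the infected user's profile, as the earlier post in this thread did. It assumes PowerShell 3 or later; the relative cache paths are the XP and Vista/7 defaults (including the Low\ protected-mode cache) and are an assumption for any other Windows version, and the function names, the sample timestamp and the profile path in the usage line are placeholders of my own.

```powershell
# Added example (not from the original post). Requires PowerShell 3+.
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # FileShare ReadWrite so a file still held open by the malware can be hashed
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '').ToLower() }
        finally { $fs.Close() }
    } catch { '(unreadable: ' + $_.Exception.Message + ')' }
    finally { $sha.Clear() }
}

function Test-MzHeader {
    # True if the file starts with "MZ", i.e. is a PE image regardless of its extension
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $b = New-Object byte[] 2
            $n = $fs.Read($b, 0, 2)
            return ($n -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
        } finally { $fs.Close() }
    } catch { return $false }
}

function Get-RecentDropFile {
    param(
        [Parameter(Mandatory = $true)][datetime]$DetectionTime,   # alert time from the Sophos console/log
        [int]$WindowHours = 6,
        [string]$ProfileRoot = $env:USERPROFILE                   # point at the infected user's profile
    )
    # Assumed default locations of the user temp directory and the IE cache (CONTENT.IE5).
    $relativeDirs = @(
        'Local Settings\Temp',                                                      # XP
        'Local Settings\Temporary Internet Files\Content.IE5',                      # XP
        'AppData\Local\Temp',                                                       # Vista/7
        'AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5',     # Vista/7
        'AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5'  # Vista/7, IE protected mode
    )
    $from = $DetectionTime.AddHours(-$WindowHours)
    $to   = $DetectionTime.AddHours($WindowHours)

    $found = foreach ($rel in $relativeDirs) {
        $dir = Join-Path $ProfileRoot $rel
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force: the cache directories and their contents are hidden/system
        Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $from -and $_.CreationTime -le $to } |
            ForEach-Object {
                [pscustomobject]@{
                    Created = $_.CreationTime
                    Size    = $_.Length
                    IsPE    = (Test-MzHeader $_.FullName)
                    Sha256  = (Get-Sha256Hex $_.FullName)
                    Path    = $_.FullName
                }
            }
    }
    # PE images first, then newest first: the top rows are the submission candidates
    $found | Sort-Object IsPE, Created -Descending
}

# Usage (placeholder time and profile path): run from the admin account against the affected user
Get-RecentDropFile -DetectionTime (Get-Date '2010-10-06 15:00') -ProfileRoot 'C:\Users\jsmith' -WindowHours 12 |
    Format-Table -AutoSize
```

Widen -WindowHours if the detection came some time after the first pop-up; a file that is a PE but carries a non-executable extension, or that hashes the same as the item Sophos already detected under another name, is exactly what the sample submission form is for.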