This discussion has been locked.

FakeAV spreading like wildfire

Hi,

Anyone else noticed that the Mal/FakeAV variants are really going hammer and tongs at the moment? I think I've cleaned up about 15 or so in the last week, all new variations on the same thing. One client caught the virus while browsing the Orange.co.uk home page; it seems these are exploiting vulnerabilities in the Java engine as far as I can tell. There are a few basic versions of this, but for the most part these change the wallpaper to a blue background displaying "WARNING! You are in danger; your computer is infected with Spyware". After this, a popup window called 'System Tool' appears, seemingly scanning and finding many viruses on your machine. Eventually, if you follow the somewhat broken English, you're persuaded to hand over payment to clean up the infection.

The above is relatively easy to find and clean up; the virus seems to deposit a randomly named folder with an executable in the c:\documents and settings\all users\application data folder on XP/2000 and c:\users\xxx\appdata\local for Vista and 7 (I have seen various other locations, but these are the most common). It is easy enough to search for exe files modified around the time the infection was first noticed (minus a day). The exe can simply be renamed in a DOS prompt and the machine rebooted; Sophos springs back into life, can then be updated to the latest protection, and a scan can then be run which almost always detects the infection and allows it to be cleaned up.

The problem, though, is that on a few systems I've seen the FakeAV variant introduce a new version of TDSS onto the machine, and it bolts itself directly into the MBR, and we all know just how good the TDSS system is at hiding itself away. Neither the Sophos AV nor the rootkit scanner was able to find the Troj/TDLMBR-B variant found on a machine infected by the Mal/FakeAV-IU virus until I physically removed the HD from the infected machine and scanned it externally, after seeing suspicious web redirections following a successful cleanup of the FakeAV variant. This trojan sits in the master boot record and randomly redirects websites, terminates AV products (mostly unsuccessfully) but very successfully hides itself.

The only cure I've found so far is to rebuild the MBR (with a Vista/7 repair or recovery console, fixmbr on XP/2000); the TDSSKiller tool from rival Kaspersky seems to work very well too.

Why can't Sophos create a tool like Kaspersky's to deal with rootkits properly, or a decent bootable standalone package that can actually clean up rootkits or MBR infections?

Matt

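The search-and-rename step Matt describes (find executables under the FakeAV drop directories modified since the day before the infection was noticed, then rename them so they cannot run at next boot) is easy to script. The example below is added here and is not code from the original post or from Sophos. It assumes the XP and Vista/7 drop directories named in the post as fallbacks when the usual Windows environment variables are not set, widens the file types beyond .exe, and records a SHA-256 of each hit so the sample can be looked up later; the sample tree built in `demo()` is constructed for illustration.

```python
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta
from pathlib import Path

# Drop directories named in the post. The environment variables are the real
# Windows ones; the literal fallbacks are the XP and Vista/7 defaults and are
# assumed here for illustration.
DEFAULT_DROP_DIRS = [
    Path(os.environ.get("ALLUSERSPROFILE", r"C:\Documents and Settings\All Users")) / "Application Data",
    Path(os.environ.get("LOCALAPPDATA", r"C:\Users\Default\AppData\Local")),
]
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}   # deliberately wider than the post's .exe


def find_recent_executables(roots, first_noticed, slack=timedelta(days=1), max_depth=3):
    """Executables under roots modified since first_noticed - slack, newest first.

    Returns a list of (path, mtime, sha256). max_depth keeps the walk out of
    deep application trees; the payload folder in the post sits one level down."""
    window_start = first_noticed - slack
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            if len(Path(dirpath).relative_to(root).parts) >= max_depth:
                dirnames[:] = []           # stop descending past max_depth
            for name in filenames:
                path = Path(dirpath) / name
                if path.suffix.lower() not in EXEC_SUFFIXES:
                    continue
                try:
                    mtime = datetime.fromtimestamp(path.stat().st_mtime)
                    if mtime < window_start:
                        continue
                    digest = hashlib.sha256(path.read_bytes()).hexdigest()
                except OSError:            # locked or vanished file: skip, do not abort
                    continue
                hits.append((path, mtime, digest))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def neutralise(path):
    """Rename so the file no longer runs at next boot (the post's DOS-prompt rename)."""
    target = path.with_name(path.name + ".quarantined")
    path.rename(target)
    return target


def demo():
    """Constructed sample tree: one fresh dropper in a random-looking folder, one
    old legitimate binary, one fresh non-executable. Returns the flagged names and
    whether the dropper was renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "Application Data"
        (base / "xqhrtk").mkdir(parents=True)
        fresh = base / "xqhrtk" / "xqhrtk.exe"
        fresh.write_bytes(b"MZ" + b"\x00" * 64)
        old = base / "Vendor" / "updater.exe"
        old.parent.mkdir()
        old.write_bytes(b"MZ" + b"\x00" * 64)
        ten_days_ago = time.time() - 10 * 86400
        os.utime(old, (ten_days_ago, ten_days_ago))   # outside the search window
        (base / "xqhrtk" / "notes.txt").write_bytes(b"x")
        hits = find_recent_executables([base], datetime.now() - timedelta(hours=1))
        for path, _, _ in hits:
            neutralise(path)
        return [p.name for p, _, _ in hits], fresh.with_name("xqhrtk.exe.quarantined").exists()


if __name__ == "__main__":
    for path, mtime, digest in find_recent_executables(DEFAULT_DROP_DIRS, datetime.now()):
        print(mtime, digest[:16], path)
```

Run it from a clean account or boot medium rather than the infected session, and review the list before renaming anything: a legitimately updated program in the same window will show up too, which is why the hash is printed for a lookup before acting.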


  • Hello,

    I am seeing these also. One of the tools I use to clean up the FakeAVs is SuperAntiSpyware. It is finding what it labels as tracking cookies, but they do not look quite right:

    cdn.eyewonder.com [ C:\Documents and Settings\<user>\Application Data\Macromedia\Flash Player\#SharedObjects\Q4FEYKT8 ]

    cdn4.specificclick.net [ C:\Documents and Settings\<user>\Application Data\Macromedia\FlashPlayer\#SharedObjects\Q4FEYKT8 ]

    convoad.technoratimedia.com [ C:\Documents and Settings\<user>\Application Data\Macromedia\Flash Player\#SharedObjects\Q4FEYKT8 ]

    core.insightexpressai.com [ C:\Documents and Settings\<user>\Application Data\Macromedia\Flash Player\#SharedObjects\Q4FEYKT8 ]

    When I search on cdn4.specificclick.net the following popped up:

    Cdn4.specificclick.net redirect is installed by a pesky search hijacker virus that modifies Windows DNS settings and redirects search engine result links in Google, Yahoo, Bing, and MSN search results to http://Cdn4.specificclick.net and other unknown web pages. The hijacker may install further threats, alter registry and block access to various security related sites. Upon installation, Cdn4.specificclick.net may create corrupt files, inactivate security programs and produce frustrating popups. Cdn4.specificclick.net may monitor your surfing habits and slash general system performance.

    Further searches call these Flash cookies. When SuperAntiSpyware is finished it requires a reboot for these, so they are tenacious.

    For the TDSS rootkits, the utility TDSSKiller does a good job of cleaning them. If the PC is stuck in a reboot loop, boot from the operating system CD (XP for us), use the Repair option to get into the Recovery Console, type FixMBR, hit Enter and reboot. The PC should be clean.

    Hope this is of some help.

    Take care,

    Doug

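Both posts above come down to the same point: a bootkit living in the MBR is invisible to scanners run from inside the infected Windows, and Matt only saw it once the drive was pulled and scanned externally. The example below, added here and not code from either poster, Sophos or Kaspersky, shows the offline check a practitioner would want: read the first sector of the drive or a disk image from a clean host, split it into boot code, disk signature and partition table, and compare each part against a baseline taken from the same machine when it was clean. A changed boot code with an untouched partition table is exactly the pattern of an MBR overwrite that still lets Windows boot. The two 512-byte sectors at the bottom are constructed samples (a clean XP-style layout and a copy whose first bytes are replaced by a jump), not real malware.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440          # bytes 0..439: boot code
DISK_SIG_OFF = 440           # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446         # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII" # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(image_path):
    """Read the first sector of a raw disk device or disk image (run from a clean host)."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(sector):
    """Split a 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _, ptype, _, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline, current):
    """Compare a parsed MBR against a baseline captured from the same machine when clean."""
    return {
        "boot_code_changed": baseline["boot_code_sha256"] != current["boot_code_sha256"],
        "disk_signature_changed": baseline["disk_signature"] != current["disk_signature"],
        "partition_table_changed": baseline["partitions"] != current["partitions"],
    }


def check(baseline_sector, current_sector):
    """Convenience wrapper: raw baseline sector vs raw current sector."""
    return diff_mbr(parse_mbr(baseline_sector), parse_mbr(current_sector))


def build_mbr(boot_code, disk_signature, partitions):
    """Assemble a 512-byte MBR; used here only to construct sample data."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (active, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16,
                         0x80 if active else 0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff",
                         lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: stand-in for a clean XP-era MBR, one active NTFS partition at LBA 63.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, 0x1234ABCD,
                      [(True, 0x07, 63, 20_000_000)])

# Constructed sample of an overwritten MBR: the boot code now jumps elsewhere before the
# original loader runs, while the partition table is left intact so Windows still boots.
_patched = bytearray(CLEAN_MBR)
_patched[:3] = b"\xeb\x40\x90"
INFECTED_MBR = bytes(_patched)


if __name__ == "__main__":
    print(check(CLEAN_MBR, INFECTED_MBR))
```

The baseline matters more than the parser: capture the first sector of every build at deployment (or straight after a known-good fixmbr) and keep it off the machine, since a comparison against the sector the infected OS reports back is exactly what the rootkit is designed to defeat. Reading the sector while the drive is attached to another system, as Matt did, sidesteps that.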