Archive for the ‘Malware’ Category

McAfee

April 26th, 2010

Recently McAfee released an update that crippled many Windows XP machines running SP3.  The update caused svchost.exe to be flagged as a virus.  I am just in shock that such a large company didn’t do thorough enough testing to stop this from happening.

I’m glad I stayed away from McAfee’s products.

http://www.betanews.com/article/One-very-false-positive-McAfee-in-full-damage-control-mode/1272040662

Malware, Security, Windows

Rogue AV

January 14th, 2010

I am increasingly seeing cases of infection from Rogue AV software.  My company is currently working on phasing out our old Symantec 10 and replacing it with Kaspersky, but in the meantime we keep getting these infections.

Luckily the infections have not been very destructive.  They are only in one user profile and are usually just an EXE in either Application Data or Local Settings\Application Data.

Kaspersky’s viruslist.com has a good article talking about why these are so prevalent and how they are getting past some AV products.  The article can be found here.

Malware, Security, Windows

Unknown Malware 1 (update)

January 13th, 2010

I was correct in that the malware was previously unknown.  Here is the response from Kaspersky Lab:

From: <newvirus@kaspersky.com>
To: <xxx@xxx.com>
Date: 01/13/2010 02:32 PM
Subject: RE: Malware sample [KLAN-57074893]

Hello,

pkdpsysguard.exe – not-a-virus:FraudTool.Win32.WinSpywareProtect.caf

New potentially risky software was found in this file. Its detection will be included in the next update. Thank you for your help.

-------------------------------
Best wishes, Pavel Firsov.
Virus analyst, Kaspersky Lab.
_____________________________

newvirus@kaspersky.com
http://www.kaspersky.com  http://www.viruslist.com

Score a win!

-G13

Malware, Security, Windows

Unknown Malware 1

January 13th, 2010

We recently came across a piece of Fraudware on one of our client PCs.  This one is your typical faux anti-virus application which makes repeated attempts to get you to purchase itself.

The good news is that this was not a case of Vundo; it appears that the malware was confined to a single user profile.

Only one EXE was found; once it was deleted the issue went away.  We quarantined a sample and I submitted a copy to Anubis as well as Offensive Computing.  Neither of these sites could identify what kind of malware it was.

The report from Anubis can be found here.  The sample can also be found on Offensive Computing by searching for the md5sum: 6b833d23ddfae069883a3b562e0435ba

The malware seems to have created its own proxy server and modified the proxy settings in Internet Explorer.  This prevented us from visiting any site other than the one it set up.
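As a worked example (added here, not code from the original posts), the PowerShell script below performs the triage these two findings call for: it reads the current user's Internet Explorer proxy settings, lists every EXE under the user's Application Data and Local Settings\Application Data directories with its MD5, flags the hash quoted in this post, and dumps the per-user Run keys that would relaunch the fake AV at logon. It assumes PowerShell 2.0 or later is installed on the affected machine (it was not shipped with XP) and that it runs under the infected user's profile. The check for a proxy pointing at 127.0.0.1 is an assumption about how such hijacks typically look, not something the post states.

```powershell
# Added example: triage of a single-profile rogue AV infection on Windows XP.
# Not from the original posts. Assumes PowerShell 2.0+, run as the affected user.

# Known-bad MD5 list, seeded with the sample hash quoted in the post.
$KnownBadMd5 = @('6b833d23ddfae069883a3b562e0435ba')

# MD5 via .NET, because Get-FileHash only exists in PowerShell 4 and later.
function Get-Md5Hex {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# 1. Internet Explorer proxy settings for the current user. A hijacker sets
#    ProxyEnable=1 and ProxyServer to a listener it controls (assumed here to be
#    a 127.0.0.1 port), or points AutoConfigURL at a PAC file it serves.
function Get-IeProxyState {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    $state = New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        Suspicious    = $false
    }
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer -match '127\.0\.0\.1|localhost') { $state.Suspicious = $true }
    if ($p.AutoConfigURL) { $state.Suspicious = $true }
    return $state
}

# 2. Executables under the per-user data directories. GetFolderPath resolves to
#    "Application Data" and "Local Settings\Application Data" on XP, and to the
#    AppData\Roaming and AppData\Local equivalents on later versions.
function Get-ProfileExecutables {
    $dirs = @([Environment]::GetFolderPath('ApplicationData'),
              [Environment]::GetFolderPath('LocalApplicationData')) |
            Where-Object { $_ -and (Test-Path $_) }
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = Get-Md5Hex $_.FullName
                New-Object PSObject -Property @{
                    Path     = $_.FullName
                    Md5      = $hash
                    KnownBad = ($KnownBadMd5 -contains $hash)
                    Created  = $_.CreationTime
                }
            }
    }
}

# 3. Per-user autostart entries that bring the fake AV back after logon.
function Get-UserRunEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            $props.PSObject.Properties |
                Where-Object { $providerProps -notcontains $_.Name } |
                ForEach-Object {
                    New-Object PSObject -Property @{ Key = $k; Name = $_.Name; Command = $_.Value }
                }
        }
    }
}

Get-IeProxyState | Format-List
Get-ProfileExecutables | Sort-Object Created -Descending |
    Format-Table Created, KnownBad, Md5, Path -AutoSize
Get-UserRunEntries | Format-Table Name, Command -AutoSize
```

Remove the dropped EXE and any Run entry that points at it before resetting ProxyEnable and ProxyServer; if the file is still executing it will simply rewrite the proxy settings at the next launch. Hashing every EXE in the profile also gives you the MD5 to search for on Offensive Computing or to submit to a vendor, which is how the sample in this post was identified.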

I submitted a sample to Kaspersky’s Virus Labs for further analysis.

-G13

Malware, Security, Windows