Are virusscanners really this bad? shocking results

Recently I was downloading a file from a nontrusted website. The file is infected with some virusses and trojans. No problem I thought, I have good security installed. Not so. When starting up the .exe file the virusscanners notice the infected file, they can not stop the system being infected.

I tested:
Antivir Personal Edition
Avast Home Edition
NOD32
Spybot Search & Destroy
Trend Micro Housecall Online (HouseCall did not find any potential threats on your computer.)
McAfee VirusScan Plus 2007
Norton Internet Security
AVG Free
Spyware terminator
Spybot Search & Destroy

Even though they noticed the threat, they all failed to stop the infection.

For anyone who wants to try this infected .exe file send me a PM.

What did protect me was: setting my account to limited rights user account instead of normal admin account (credits to swarmer). This setting survived the attack of the infected file.

I also tested Kaspersky Antivirus. Of all the programs I've put to the test, Kaspersky performed best. It effectively blocked 7 out of 8 attacks. the one that got trhough did not seem to do much harm.

 

Update:

Tested with AVG Free + Spyware terminator. Result: infection.

 

so how did u recover?

cheers ...

 

I made an image of a clean install with Acronis True Image. Recovery takes about 15 minutes. Great application!

 

have u tested this on a mac also? is it really safer?

cheers ...

 

so recover = re.install
ok, time to dig out my old comp and use this opportunity for a clean install

cheers ...

 

no. i did not reinstall.

I just put back an image file. If you know what i mean.

I have an image on external harddrive, that i put back on my C: partition.

 

gotcha - thx

cheers ...

 

I might try this on a VMware.

 

You just a little crazy, huh?

 

Update

Norton Internet Security. Result: Infected.
McAfee Antivirus Plus. Result: Infected.

Got to respect the makers of this virus/trojan though. Sofar they managed to bypass AND disable every scanner I tested.

Anymore suggestions? What is the best Virus protection?

 

This sounds like someone found a common open backdoor through most anti-virus programs. It could lead to serious problems if the software engineers can not find a fix!

Have you reported this to any of these manufacturers yet PhilFlow?

Thanks for bringing this issue up and sent you a good "rep" for it!!

 

Don't go to dodgy sites. Antivirus software is reactionary software... it only works if the programmers have seen the virus before, and even then, some of the mechanisms that the AV software employs aren't that robust. The best bet when trying to open anything dodgy is to use a vmware session (separated from your main install) or use Wine under Linux like I do.

Edit: I just ran it under Wine: it tried to install a copy of PowerISO after trying to access all kinds of system memory and DLL's that don't exist on Linux, and then crashed

 

Only through normal reporting funstions sofar. Maybe I should report it more. Anyone know where?

True ofcourse. But still I'd like to be safe for this kind of infection. I have never used VMware before, maybe I should learn it.

 

I do not know if there is a general contact for all anti-virus software makers. If there is, I will post and let you know. The more people that report this, the better chance of getting a fast response!

 

LOL, Yup. I shouldn't have much to worry about as long as take a snapshot first.

 

One person on a dutch website says that McAfee Enterprise edition succesfully stopped his PC from being infected by this file.

I have not tested this myself. I'd have to download it of a tracker

 

I really don't want to tempt fate, even by opening the link to the virus download!

>.<

Whats the name of the virus file?

 

I just got off of the phone with US-CERT and they said that they will get their team working on this issue immediately! From there, it will go out to all of the anti-virus manufacturers to update their software and fix the problem.

US-CERT is the United States Computer Emergency Readiness Team and part of our beloved Homeland Security Department.

I spoke with their Senior Watch Officer on duty and they are investigating it as I type!

 

The .exe filcontains several virusses, trojan and backdoors. one of them is called Virut or something like that.

 

Thanks for doing that!

 

Completely out of interest, what OS are you running?

 

It is for all of our betterment and protection. Anytime I can help, I will!

US-Cert will keep me updated on the situation and said for me to expect a call. If it becomes a criminal issue, law enforcement will take over and I will not be able to get information beyond that point; however, I will be notified if that becomes the case.

I will keep this thread updated on this issue when the information becomes available to me!

 

Sorry to bump. I am running XP Pro SP2.

 

Me too XP Pro SP2.

 

Time to install this on a Virtual PC 2007 XP install and see what happens. Thanks for the link.

 

Just goes to show ... If you go looking for trouble, trouble will find you.

 

New test today:

I installed Antivir PE (supposedly the best of the free scanners http://wiki.castlecops.com/AntiVirus_Comparison) with the updates from today.

Plus I did what swarmer told me:

I am now running in a user account with limited rights, not as admin.

It now seems my system is not affected. (not 100% sure).

Too bad i am not sure if it was the update in antivir or the account setting! I guess the latter was vital.

 

I'm not too sure the above could be considered a good long term fix. Surely at some point the administrator account would need to be accessed and then the possibility of infection arises again. I guess the next test is to try using an admin account once the virus has been downloaded into the user system.

 

I was able to do one more test: Avast with todays definitions, in admin account.

Result: got infected.


I will be running Avira PE with limited user account. No more testing for now.

I think it works for me.

When using the limited account, one can install software. As soon as the program tries to make any bigger changes the password of the admin account will be asked.

So for non trusted software I will not be giving the admin password.

 

A dumb question PhilFlow....If I set System Restore checkpoint before I download the file will I be able to recover afterwards??

Thanks

 

Interesting. I'll be reading this topic frequently. Keep us updated guys and good job.

 

Not sure. I would not trust it. The combination of virusses changes about ten .exe files and disables virussscanners to never work again. Also when the virus has infected the PC, it is impossible to install any virus scanner.

If you want to be safe I recommend making a image of your harddrive. That's what I did. I use Acronis Tru Image. I love it.

 

As far as I know, some viruses affect the Windows System Restore. I wouldn't trust it as a backup for this.

 

i would be interested to see how Kaspersky Internet Security 7 would handle it, maybe you could give that a go?

 

Hi PhilFlow

Try it for me buddy. You have Tru Image. Check it out and let me know. (System Restore checkpoint). You have nothing to loose.

Cheers and thanks,
Theo

 

Not sure, but since I've tested 6 mayor virusscanners, that all failed, I assume Kaspersky would not do it different.

These are the ones I've tested sofar:
Antivir Personal Edition, Avast Home Edition, NOD32, Spybot Search & Destroy, McAfee VirusScan Plus 2007, Norton Internet Security, AVG Free, Spyware terminator,
Spybot Search & Destroy.

 

I make a complete image of C drive. Not just a system restore point.

And for now, I'm done testing. I am happy with Avira PE + running in limited user account.

 

Now we will never know. Thanks anyway

 

Ahh you misunderstood what I meant. Basically, if the Admin account were to be used (i.e. opened and used to run programs etc) and the virus is on the User account, does the Admin account become infected?

 

As far as I can estimate, I would say yes. It will not only infect one account. Either the whole system is infected or the system is not infected.

This is because once the system is infected, about 10 important .exe system files become infected. I don't think it would make a difference from what account you're running these files system .exe files.

 

erm...You 'Do' know that Kaspersky is one of the top antivirus companies - don't you?

Kaspersky Internet Security also takes a 'layered' approach at software protection - which is what most security experts recommened.

I.E. 1st - would be their virus web scanner, 2nd - would be their firewall, 3rd would be the Proactive Defence mechanism (Registry Guards, Application modification analyzer, etc.) and last but not least - the Anti Virus Portion of the software (note: all of the above and more is contained in Kaspersky Internet Security and to a lesser extent the regular Anti Virus).

Though I'm not too ecstatic about their firewall, it does seem to do a good job, especially when coupled with the built-in banner (ad) blocker - it filters the ads before it reaches your browser - LoL, I only noticed this by accident when I was testing the full package and noticed that one of the ad infested news website I usually visit was missing all the wonderful ads


In any case, Kaspersky, with all or most of it's protection features running DOES catch modifications to your programs/or windows.


- Jordan

P.S. If you are going to test this or use kaspersky for your security needs - I would HIGHLY Advise that you put in a simple password inside kaspersky to disallow viruses from simply telling kaspersky to exit

 

I'm not too sure even Kaspersky would stand up to the concoction of viruses and trojans that are contained in that file. Seems to be like the AV software is just being Zerged to death.

 

I'd bet that the limited account alone would protect you from this thing without any AV software. Of course, adding AV software doesn't hurt and I'd still recommend it.

I seem to remember that Antivir PE doesn't offer real-time scanning anyway; is that correct? I thought you had to run the scan explicitly.

That's interesting if some programs ask the admin password. I'm also using XP Pro SP2, and most installers I've seen just fail if you're not an admin user. You usually need to go through Windows' switch users process to become an admin user to install software. For smaller programs that don't need an installer (e.g. PuTTY), there's no need to go into the admin account.

A few badly-written programs won't work at all with a limited account. Not many though. The only one I have like this is something that came with my old Toshiba mp3 player. You can just use your admin account to run these programs, if you can't find replacements.

A couple tips: Auto-updaters tend to barf due to the limited account... often with cryptic error messages. I shut off auto-update in Firefox, Yahoo Messenger, etc., and once a month (or so) I switch to my admin account to update those programs. Windows' own auto-update works fine; you don't need to worry about that... but if you run Windows Update explicitly (i.e. for optional updates) you'll need to use your admin account.

Changing most control panel settings or the registry also requires admin privilege. Finally, you can fine-tune the privileges in Control Panel > Administrative Tools > Computer Management > Local Users and Groups. (This is XP Pro only I think.) I added my limited user to the Network Admins group so I can enable and disable my wireless connection. Don't go too nuts here though, or you'll lose the benefit of having a limited user.

Vista should make all of this easier with User Account Control, so you can just key in your password for a specific task that requires admin privileges. (I don't have Vista yet though.)

 

yeah, like you say one of the top. I tested the rest of the top.

Do you have any objective research indicating that Kaspersky is considerably better than McAfee, Norton, Avast and all the rest?

If so I might be tempted to another test. For now I am happy with my new security settings.

 

I think it does offer real time scanning, because when I ran the infected .exe file it noticed 3 or 4 infection attempts.

Yeah only one program did that. I thought it was Acronis True Image.

I have had installed twice. I went back to XP twice.

I like the minimalistic XP interface. I also like the higher performance in 3D and less menu latency. Even though my hardware is very suitable for Vista.

 

I downloaded and ran the file. At least it looks to be the file. The name "VIRUS!!!!!.exe" seems to be a good clue.

What are the signs of infection? I'm using Windows 2000 Professional SP4 and logged in as a restricted user. When I ran the exe file an installation routine for a program called PowerISO38 ran. I received multiple file read errors during that routine. It was attempting to write to 'Program Files/PowerISO' while at the top of the window read a message to rename the files to my user account temp folder after reboot. I clicked retry and then ignore through each of the error messages and then allowed the program to reboot the computer. I haven't noticed anything unusual yet. There are a bunch of new files in my temp folder. There are no new folders in my Program Files folder. The number of running processes in task manager is the same 25 as before.

It's been installed for about 30 minutes. I have no antivirus/spyware software.

Edited:
I've booted a few times and have been internet browsing. I've logged in on a restricted user account and also an administrator account. Still no signs of anything out of the ordinary. About three hours now.

 

Here is what my temp folder looks like after running the exe file:



I've downloaded Nod32. I'm going to delete everything in the temp folder but leave the files along with the original exe download in the recycle bin and then install and run Nod32. I'll let you know.

Looking at the dates I see some of the files were there before the program was run. The ones dated 9/19/2007 are certianly from the program. The folder created today contains a single file named PowerISO38.exe.

 

My Acronis restarts the computer as it should, but then it just sits and waits. Anything I can do to fix that? (Don't mean to hijack your thread, I'd just rather not deal with Acronis support.)

Thanks,
Peter

 

Most people run installers as Administrator Viruses expect that. This isn't a terribly brilliant set of viruses, just a very nasty set.