Re: Fake.AV [Edited]
12-07-2008 01:45 PM - edited 12-07-2008 02:20 PM
First of all, my apologies for coming so late to this thread. The file spyprotector_install_4173.exe (21ad8edb7a3437e37600f37d91f1e25c) is now detected as "AntiVirus2008".
This is a relatively new variant of this misleading application and isn't too widespread, hence it managed to fly under our radar. We've invested a lot of work in the past few months into better detecting these misleading AV programs and their associated malware, but this sample managed to evade these detections. The generic and heuristic detections we create tend to have a limited lifespan before the authors determine how to evade our detections. An unfortunate side-effect of VirusTotal and similar tools is that they allow the authors of these applications to verify whether their handiwork is detected before releasing it to the wild. We're looking at our detections now to see what changes can be made to ensure that any new releases of this misleading AV are proactively detected.
If you run LiveUpdate later today you'll get the updated detection. You should have already received an email with this information.
Symantec Security Response
- I went to the link I posted in the first post. I downloaded the file again. I scanned with NAV09. Nothing.
- The file name is exactly the same; spyprotector_install_4173.exe
- The MD5, however, is different. It is a8ad8adeb5e5153173e9cccbbf3bcdeb
I would suspect that the site realized that there was a detection for the file by Norton, which has over 65 million users, and hence altered the file slightly to escape heuristic detection.
I would appreciate it if you could add the MD5 of the modified/altered file to the AntiVirus2008 detections.
And I believe you should create an Intrusion Prevention detection; it is a rogue, fake, online virus scanner.
For the file I mentioned above, there is the ThreatExpert Report:
The file creates a file called scrmss.exe, which Symantec detects as malicious =\. That raises questions about just how deep Bloodhound scans...
I am planning on executing the file with NAV09 enabled to see what happens ... hopefully it flags it =\
On my Virtual PC .. of course! I learned my lesson last time!
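The thread's point that a slightly altered re-release gets a new MD5 and slips past an exact-hash lookup, while the dropped file name from the ThreatExpert report survives, can be shown with a small indicator matcher. This is an added example, not Symantec's detection code or ThreatExpert's report. Only the two MD5 values come from the thread; the sample bytes are constructed stand-ins, and the idea that the installer embeds the string `scrmss.exe` in plain ASCII is an assumption made for illustration.

```python
"""Indicator matcher: exact-hash lookup plus a secondary string indicator.

Added example for the AntiVirus2008 thread; not Symantec's or ThreatExpert's code.
"""
import hashlib

# MD5 values quoted in the thread for the two spyprotector_install_4173.exe variants.
KNOWN_BAD_MD5 = {
    "21ad8edb7a3437e37600f37d91f1e25c": "AntiVirus2008 (first download)",
    "a8ad8adeb5e5153173e9cccbbf3bcdeb": "AntiVirus2008 (re-downloaded, altered)",
}

# Secondary indicator: the dropped file name from the ThreatExpert report.
# Assumption (not stated in the thread): the installer embeds it as ASCII.
DROPPED_FILE_NAMES = [b"scrmss.exe"]


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, lowercase hex, as quoted in the thread."""
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string; recorded alongside MD5 for stronger matching."""
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes, blocklist: dict = KNOWN_BAD_MD5) -> dict:
    """Return a verdict: exact-hash hit, string-indicator hit, or no match.

    The hash check is tried first because it is unambiguous; the string check
    catches re-releases whose bytes changed but whose payload name did not.
    """
    digest = md5_hex(data)
    result = {"md5": digest, "sha256": sha256_hex(data)}
    if digest in blocklist:
        result.update(verdict="known-bad", reason="md5 match", name=blocklist[digest])
        return result
    for needle in DROPPED_FILE_NAMES:
        if needle in data:
            result.update(verdict="suspicious",
                          reason="embeds dropped-file name " + needle.decode())
            return result
    result.update(verdict="no-match", reason="")
    return result


def demo():
    """Constructed stand-in for the installer and a one-byte-longer re-release."""
    # Fake MZ header followed by the dropped-file name; constructed, not real malware.
    sample = b"MZ" + b"\x00" * 62 + b"...scrmss.exe..."
    altered = sample + b"\x00"  # same content, different hash

    # Local blocklist with the first sample's hash added, mimicking the first detection.
    blocklist = dict(KNOWN_BAD_MD5)
    blocklist[md5_hex(sample)] = "constructed sample"

    return classify(sample, blocklist), classify(altered, blocklist)


if __name__ == "__main__":
    first, second = demo()
    print("original :", first["verdict"], "-", first["reason"])
    print("re-release:", second["verdict"], "-", second["reason"])
```

Running it prints that the original hits on its MD5 while the re-release misses the hash list and is caught only by the dropped-file-name indicator, which is why the thread asks for both the new hash and a behaviour-based (Intrusion Prevention) signature.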