
eEye Digital Security

The endpoint to vulnerability starts here.

 

Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

Last post 09-03-2008 12:08 AM by Blue1978. 20 replies.
Page 1 of 2 (21 items) 1 2 Next >
  • 07-15-2008 4:44 PM

    Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    I had to use a free malware remover to get it uninstalled. Why would Blink! 4.04 with all patches up to date not pick this up? Took some explaining to do to the client after they purchased 12 copies of this, that I had to come in and install a freeware program to remove it...

  • 07-16-2008 7:58 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Argghhh! ... I had to do this for the Antivirus2008 when I came across it.  I will go get Antivirus2009 and send it to eEye via my customer portal for you and have them send it to Norman.  Thanks!

    This is the malware website for the fake product you're talking about

    http://antivirus2009-scanner.com/2009/1/_freescan.php?aid=77016701

     This is another "similar" version of this program

    http://antivirus2009professional.com/

    Now if you download this one, Blink will pick it up as follows:

     Event ID: BLINK-ENG-202
     Severity: Medium
     Description: Blink has disinfected the system after malware was detected
     Quarantine Location: 01C8E759-F61BE32C-0-W32/DLoader.HYPU
     Action: Quarantined
     Item Found: G:\VMWare\Live Malware (Warning!)\AV2009Install.exe
     Alert: No
     Name: W32/DLoader.HYPU

  • 07-16-2008 8:56 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    File has been sent to eEye via trouble ticket, we shall wait and see now.

    ----------------------------------------------------------------------------------------------------------

    Ticket ID: TK032028
    Created On: 7/16/2008 8:54:20 AM
    Status: New
    Closed On:
    Priority: Normal
    Last Communication: 7/16/2008 8:54:36 AM
    Product: Blink
      
    Subject: Files for Norman - "Antivirus2009Install_.exe"

    Communication History

    On 7/16/2008 8:54:21 AM you wrote:

    In accordance with this post:

    http://forums.eeye.com/forums/p/682/2888.aspx#2888

    I went out and found this fake malware program with my VM and found the executable in question. I have attached it in the attached zip file named "AV2009Install_". The password is "Blink". Can you please send this to Norman please? Thanks again!

    -----------------------------------------------------------------------------------------------------------

  • 07-16-2008 11:20 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Thank you very much...we will see...:-)

  • 07-16-2008 3:27 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Alright, results are in from eEye!:


    On 7/16/2008 9:01:19 AM eEye Digital Security wrote:

    Hello Jeffrey,

    I've submitted this suspicious file for analysis to Norman. Pending their response and notification I will relay their findings to you immediately.

    Thanks,
    Dennis A.




    On 7/16/2008 9:15:49 AM eEye Digital Security wrote:

    Hello Jeffrey,

    Excellent work on this new piece of Malware! This has been added by NAD as DLoader.IJXT.

    Thanks,
    Dennis A.


     

    I will have to verify this when I get home and check the executable and see if it is detected now.

  • 07-18-2008 10:00 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    KILL ALL Malware producers....

     

  • 07-19-2008 2:38 AM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Annnnnnnnd it has been confirmed by myself, the second variant of Antivirus2009 is detected now.  I have closed my ticket to eEye.

    Event ID: BLINK-MAL-205
     Severity: High
     Description: Blink has found a malware application
     Virus found: W32/DLoader.IJXT
     Item found: G:\VMWare\Live Malware (Warning!)\AV2009Install_.exe
     Action: Quarantine
     Alert: Yes
     Name: W32/DLoader.IJXT
     Second Action: Log Only
     Category: Trojan

  • 07-27-2008 2:06 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

     Thank you sir! I appreciate your time on this

  • 07-30-2008 4:39 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Not a problem, you should encourage your users to try to get the program now and see if it works.  Heh heh heh, j/k. 

  • 08-06-2008 8:24 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Here is another fake one being pushed around recently:

    http://power-antivirus-2009.com/

    The installer ("Install.exe") has been given to eEye to send to Norman.

     

     

  • 08-08-2008 12:13 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Blue1978:

    Here is another fake one being pushed around recently:

    http://power-antivirus-2009.com/

    The installer ("Install.exe") has been given to eEye to send to Norman.

     

    Have not heard a definitive answer back from eEye yet on this, but I did get this alert (Looks like this is a great example of eEye's use of Norman's Sandboxing Technology catching a threat because of its actions.)!:

     

     

    Event ID: BLINK-MAL-205
     Severity: High
     Description: Blink has found a malware application
     Virus found: W32/Renos.AEB.dropper
     Item found: H:\Install.exe
     Action: Repair
     Alert: Yes
     Detected by: Sandbox
     Name: W32/Renos.AEB.dropper
     Behavior: * Accesses executable file from resource section. * File length: 846256 bytes. [ Changes to filesystem ] * Creates directory C:\PROGRA~1\Power-Antivirus-2009\. * Creates file C:\PROGRA~1\Power-Antivirus-2009\ID.dat. * Creates fil
     Second Action: Quarantine
     Category: Trojan

     

  • 08-12-2008 6:16 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

     I just had 2 clients hit.  One with AV09, and one with AV XP 2008 - both using Blink..

     I booted from a PE bootdisk, ran Trend's Hijackthis, disabled everything, then rebooted and Blink cleaned it up, but how did it get through in the first place?!

     FWIW, one is using Blink Pro, and one Blink Perso

  • 08-12-2008 6:16 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Using Blink Pro (it's on auto-update, not sure current version - probably still 3.x, when do they autoupdate to 4?) infection occurred via Outlook 2007's reading pane with an infected email supposedly from UPS.

    Didn't open attachment, didn't even "open" the email, just selected it to delete it, and Outlook parsed it for the viewing pane, and thus ran the virus.

    Can we get protection from this?  I sold them on using Blink because of its hardened security (I know it's a cat-and-mouse game) but we're pretty smart cats!

  • 08-12-2008 7:39 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    Can we get the email to analyze it? If not, can you describe the nature of the attachment?

    Regards
    Laurentiu Nicula
  • 08-12-2008 9:57 PM In reply to

    Re: Antivirus 2009 malware not detected by Blink 4.04 (with all the patches)

    This one was very nasty - took hours to clean, not as simple as the others I've done..  In the end, I'm running a Windows repair install..

    Once it's reinstalled, I'll see if I can get the emails and send them to malware@eeye.com..

© 1995 - 2009 eEye Incorporated