My machines have also been fully patched XP. I know of at least one Windows 7 machine where it has occurred. Trying to follow up now to find out if that person was running UAC. Also, I believe in every case, the browser involved was IE.
From: l duynslager [mailto:[log in to unmask]]
Sent: Wednesday, June 01, 2011 4:13 PM
To: Gary Schrock; Jon Galbreath; Al Puzzuoli
Subject: Re: [MSUNAG] Fake Alert malware getting past AV Software?
I am not seeing an uptick in those types of issues. Are you guys keeping Acrobat, Flash, Windows and Office updated on your machines and are most of the machines that have problems running XP?
With Windows XP I create a separate ADMIN level user for the user to install software. This makes it tougher for malware to be self installed without some user intervention.
On Windows 7 I turn on User Account Control. This prompts the user 99% of the time before malware gets installed.
There are a few holes in UAC, but it's a big improvement over Windows XP.
> From: Gary Schrock <[log in to unmask]>
> Reply-To: Gary Schrock <[log in to unmask]>
> Date: Wed, 1 Jun 2011 16:08:15 -0400
> To: <[log in to unmask]>
> Subject: Re: [MSUNAG] Fake Alert malware getting past AV Software?
> On 6/1/2011 3:40 PM, Al Puzzuoli wrote:
>> Over the past few months, I have seen a number of instances of
>> machines getting infected with variants of this Fake Alert bug. It
>> has happened to several users in the office; but I have also seen it
>> on friend's machines as well. Some users were running XP, others were
>> on Windows 7. Some had admin rights, others didn't. It's gotten past
>> Nod32, VIPRE, and Security Essentials. Bottom line is, I have no idea
>> what to do to keep this bloody thing out! Are others having similar
>> problems? If so, why hasn't there been more of a general outcry to
>> the AV companies? They all seem to be virtually useless when it comes to this sort of attack.
>> If AV isn't the answer, then what is?
> I've seen a definite uptick in the number of cases I've had in the
> last couple of weeks. The only good news is that I've gotten pretty
> good at removing it these days :).
> I haven't been able to stop it, or figure out any way to do so. My
> understanding is the code is changing enough to make it tough for
> virus software to catch.
> Generally to remove it, I've used a combination of Malwarebytes,
> ComboFix, TDSSKiller, and going through fixing the file associations
> in the registry by hand (since these inevitably will change exe,
> Internet Explorer, and Firefox to all run through their executable).
> The registry part is a little annoying, since if I'm not logged in as
> the user in question, I generally have to go back and fix their
> profile too (even things in HKEY_CLASSES_ROOT seem to be different for
> different users). ComboFix seems to like to wipe out a particular
> piece of software that some of my users use (Eprime), so I've gotten
> away from that recently.
> Last couple I've cleaned up after have also disabled the Windows
> Firewall and screwed up automatic updates, so it's worth looking at
> that too.
> I'll have to try that Standalone Sweeper thing that Matt brought up
> and see how well it does. Somehow I'm pretty sure I'm going to get
> the chance to do that.
>> Totally frustrated,
> I've moved beyond being frustrated and have reached the more resigned state.
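An added post-cleanup audit script, not from anyone in this thread, that re-checks the things Gary reports the malware changing: the exe and browser shell-open handlers in both the machine and the per-user Classes hives (which is why HKCR looks different per user), the Windows Firewall service and Automatic Updates. It assumes an elevated PowerShell session run as the affected user, and that the browser handler class names are `Applications\iexplore.exe` and `FirefoxHTML` (an assumption; newer Firefox builds use a hashed class name).

```powershell
# Added audit script (not from the thread). Assumes it is run elevated,
# as the user whose profile was infected, so HKCU is the right profile.
$Findings = @()

function Get-DefaultValue([string]$Key) {
    # Returns the (default) value of a registry key, or $null if absent.
    if (-not (Test-Path -Path $Key)) { return $null }
    return (Get-Item -Path $Key).GetValue('')
}

# 1. File-type handlers. HKCR is a merged view of HKLM and HKCU Classes,
#    so a hijack may exist only under the logged-in user's HKCU branch.
$ExpectedExe = '"%1" %*'
foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    $ext = Get-DefaultValue "$hive\.exe"
    if ($ext -and $ext -ne 'exefile') { $Findings += "$hive\.exe -> '$ext' (expected exefile)" }
    $cmd = Get-DefaultValue "$hive\exefile\shell\open\command"
    if ($cmd -and $cmd -ne $ExpectedExe) { $Findings += "$hive exefile open command -> $cmd" }
    # Browser handlers are listed for review: a hijack shows up as an extra
    # executable wrapped around the real browser path. Class names assumed.
    foreach ($cls in 'Applications\iexplore.exe', 'FirefoxHTML') {
        $bcmd = Get-DefaultValue "$hive\$cls\shell\open\command"
        if ($bcmd) { Write-Output "Review: $hive\$cls -> $bcmd" }
    }
}

# 2. Services the malware is reported to disable. SharedAccess is the XP
#    firewall service, MpsSvc the Windows 7 one, wuauserv is Automatic Updates.
foreach ($name in 'SharedAccess', 'MpsSvc', 'wuauserv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { $Findings += "Service $name is $($svc.Status)" }
}

# 3. Automatic Updates switched off via the AU setting (1 = disabled) or policy.
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$auOpt = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).AUOptions
if ($auOpt -eq 1) { $Findings += "AUOptions is 1 (Automatic Updates disabled)" }
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAu = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAu -eq 1) { $Findings += "Policy NoAutoUpdate=1 set under $polKey" }

if ($Findings.Count -eq 0) { Write-Output 'No findings.' } else { $Findings }
```

Run it once before remediation to record what changed and again afterwards to confirm the handlers and services are back to normal.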