
How to protect yourself against Antivirus 2009



Good morning all,

I have about 100 machines in the domain. Most of them are XP SP3 with about 54 MS critical updates. One of them has been infected with Antivirus 2009 (http://www.bleepingcomputer.com/viru...antivirus-2009); after that it started to jump over the network to other users. I can remove it, but then it pops up on another PC. After a while the PC that I have cleaned gets it again.

How do I actually protect the PC against it?

The anti-virus software is McAfee 8.5 to 8.7, which detects the virus but can't remove it.

Please let me know if you need any more information.

Thanks a lot

Diego



In my opinion McAfee is one of the worst AVs on the market. :( But every AV has its flaws. Antivirus 2009 is a very tricky virus. I didn't know it could replicate across the network though. :blink:

That makes me wonder if there is an infected executable being shared around the network? Or a website a lot of the users are going to that may be infected? A company email everyone is sharing? Or maybe someone is using an infected flash drive?

I have also seen a virus that will actually change the DNS settings on a router which uses the default password. It will then send all the computers to a site which will download tons of viruses. So be sure to check the router's settings.

Once you get a computer cleaned up I would install K9 Web Protection on it. This will allow you to control what types of websites the users can go to.

Malwarebytes Antimalware and Combofix are the programs I usually use to clean up this virus. This virus can be very tricky though. Sometimes you will think you have completely gotten rid of it but it creeps back up on you out of nowhere. So be sure to reboot and run scans multiple times to be sure it is completely gone from the system.

You should send a company wide email letting everyone know there is a horrible virus going around and each system should be checked for this risk.

Good luck to you. I hope you get this resolved.


You can't really protect yourself against it unless you stop using stuff like IE that can use ActiveX controls. Oh, and the users stop clicking on stuff when they don't have any idea why the pop-up is there.

You could also look into just not using Windows System Restore; a few variants like to hide in there.


Ahm, being honest, I know that there is no such thing as total protection, but I just want to be able to protect the users' PCs from this virus.

As for turning off System Restore, that's a good idea (I have it at 3%).

So far I've managed to remove it without letting it come back to the infected PC, but new ones get infected. It's very strange. I just don't understand why some PCs are affected and others are not.


  • 3 weeks later...

Droiyan3, these can be inside rootkits, so they can be getting cleaned and auto-reinfecting.

To be honest, they all infect the systems from domains or the stupid pop-ups. If you want to prevent it, restrict your users so their profiles will not allow them to install anything, and get something with a web content scanner as a BHO and see if that does it.


  • 2 weeks later...

My computer was infected last year with this specific virus because I ran a peer-to-peer application without an antivirus. I learned my lesson :)

My personal analysis of this virus is:

  • it infects ALL executables (exe, com, dll, ocx, etc) on ALL drives
  • after initial infection, it downloads its main program from total-secure2009.com

What I did was:

  1. deleted ALL executables on ALL drives (I was left with only image files (jpg, bmp, etc.), docs (doc, xls, mdb, pub), and mp3s :( :angrym:)
  2. installed from an uninfected CD installer
  3. and placed this in my HOSTS file: "127.0.0.1 total-secure2009.com". This prevented accidental infection again, which I did get, really; this time it tried to download from total-secure2009.com but now can't download its main prog from there

Edited by mau-yong
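
The HOSTS-file block described in the post above can be audited with a short script that reports whether each name is sinkholed, absent, or pointed at a non-loopback address. This is an added example, not code from the thread; the `www.` name, the sample file contents and the function names are assumptions made for illustration.

```python
import ipaddress
import sys

# Domain named in the post; the www. variant is an assumption added here to
# show that HOSTS entries match exact names only (no wildcard or subdomain match).
BLOCKLIST = ["total-secure2009.com", "www.total-secure2009.com"]

# Constructed sample HOSTS content, not taken from a real machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1 Total-Secure2009.com   # sinkhole entry from the post
"""

def parse_hosts(text):
    """Return {lowercased hostname: [ip addresses]} from HOSTS-file text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address: ignore line
        for name in fields[1:]:                  # one line may list several names
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def audit(text, blocklist=BLOCKLIST):
    """Map each name to 'sinkholed', 'missing' or 'redirected'."""
    table = parse_hosts(text)
    report = {}
    for name in blocklist:
        addrs = table.get(name.lower(), [])
        if not addrs:
            report[name] = "missing"             # name still resolves via DNS
        elif all(a.is_loopback or a.is_unspecified for a in addrs):
            report[name] = "sinkholed"
        else:
            report[name] = "redirected"          # entry points at a real host
    return report

if __name__ == "__main__":
    # Optional argument: path to a HOSTS file; default is the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, state in audit(text).items():
        print(f"{state:10} {name}")
```

On the sample, the bare domain is reported as sinkholed while the `www.` name is reported as missing, because a HOSTS entry covers only the exact name written on the line.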