House Price Crash Forum

Archived

This topic is now archived and is closed to further replies.

loginandtonic

Avfake Js:avfake Trojan, Tries To Attack System Protection &

http://209.85.229.132/search?q=cache:koRTi...=en&ct=clnk

VBS.AVFake (Alias: Trojan.VBS.Carewmr): This Trojan is written in Visual Basic Script and attempts to delete registry values for several antiviral and firewall products. VBS.AVFake attempts to fool you into thinking that it is an antiviral program. On September 1 it displays the message, “Mr.Carew vuelve otra vez!!, jaja.” The destructive portion of the payload attempts to delete C:\Windows. This is hard-coded and not dependent on system variables. It attempts to delete these values:

● SystemTray
● AVPCC
● NAVW32
● TrueVector
● ZoneAlarm Pro

from the registry key:

● HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The script creates the following folders:

● C:\Symantec
● C:\KasperskyLabs
● C:\PandaSoftware
● C:\TrendMicro
● C:\Eset-Nod-f---ed (Censored for this write-up) :)

It also drops a variety of files in the root of drive C.

Just detected and I hope removed it from my system with free Avast (latest update). 2 lots of it on mine. (?!)
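
A read-only triage check for the indicators listed in the write-up above, as an added example that is not part of the original post or of the quoted write-up. The 14-day look-back window is an assumption, and the folder whose name is censored in the write-up is left out.

```powershell
# Added read-only triage example; indicator names come from the quoted write-up.
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$values  = 'SystemTray', 'AVPCC', 'NAVW32', 'TrueVector', 'ZoneAlarm Pro'
# The fifth folder name is censored in the write-up, so it is not checked.
$folders = 'C:\Symantec', 'C:\KasperskyLabs', 'C:\PandaSoftware', 'C:\TrendMicro'
$days    = 14   # assumption: look-back window for files created in C:\

# 1. Folders the script is reported to create.
$foundFolders = @($folders | Where-Object { Test-Path -LiteralPath $_ -PathType Container })

# 2. Run values the script is reported to delete. A missing value only matters
#    if that product is installed and normally starts from this key.
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
$runReport = foreach ($name in $values) {
    [pscustomobject]@{
        Value   = $name
        Present = ($null -ne $run) -and ($run.PSObject.Properties.Name -contains $name)
    }
}

# 3. The write-up says files are dropped in the root of C: but does not name
#    them, so list recently created files there for manual review.
$cutoff = (Get-Date).AddDays(-$days)
$recent = @(Get-ChildItem -LiteralPath 'C:\' -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    Sort-Object CreationTime |
    Select-Object Name, Length, CreationTime)

"Folders from the write-up found: $($foundFolders.Count) of $($folders.Count)"
$foundFolders
$runReport | Format-Table -AutoSize
"Files created in C:\ in the last $days days: $($recent.Count)"
$recent | Format-Table -AutoSize

# One folder alone can be a leftover from a real product; several together
# match the behaviour described above.
if ($foundFolders.Count -ge 2) {
    Write-Warning 'Multiple folders match the VBS.AVFake write-up; run a full scan before September 1.'
}
```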


Had a quick look at Symantec's page on this trojan, seems like it has been around for a while, Link below if needed

http://www.symantec.com/security_response/...-99&tabid=1


it has probably in various guises maybe now changing to avoid detection? but anyway september's edging nearer :)

btw i luv the name the malicious programmer gave it - sheer genius isnt he :lol: "Fake" - you couldnt make it up, perhaps on the next release he'll include a photo and his post code?


To be on the safe side, turn off system restore and boot into safe mode by pressing F8 at boot time. Then run your anti-virus software again.


thx but why turn off system restore, to not restore a virus if i need to rollback? drive D has the recovery files, i'm sure the trojan will be in the archive there


Also, your AV software cannot remove them from a system restore point (i think), but will continue to detect them.

Thanks for warning us of a threat that was discovered October 2002. Better late than never.

http://www.symantec.com/security_response/...-99&tabid=2

VBS.AVFake

Risk Level 1: Very Low

Wild

Wild Level: Low

Number of Infections: 0 - 49

Number of Sites: 0 - 2

Geographical Distribution: Low

Threat Containment: Easy

Removal: Easy

but still around isnt it, HIV was discovered in the 1980s, do we all disregard it now, no one ever gets it any more?

thanks for your stupid sarcasm


:lol:


I wasn't being sarcastic noob. Virus scanners are updated daily, to be infected by something from 2002 can only be sheer ignorance or incompetence. Give your computer away now as you certainly cannot be trusted with one.

That wasn't sarcasm either.

P.S. Are you going to write to Symantec and ask them to add +1 to their count of infections. You might take it to the 50-100 noob level.


Fail. It's making the rounds, I got it the other night as well. ESET caught it but the HD boys at work have had quite a few enquiries about it from worried home users. PCs all patched to latest Rev, latest AV defs and the bugger still got on.

Reckon it's a rewritten variant. If the AV spots it, a full virus scan will show the system up as clean. I double checked by running Kaspersky from another bootable drive I have against my system and it showed up clean. More annoying than damaging this one.

No need for the abuse, his questioning was fair


unfortunately the new variant doesnt always seem to be caught by anti-virus software.

as for johnny, he just cant help it, he has a crush on me. :lol:


it actually looks like a downloader type virus, my ESET registered 7 different viruses in 1 go sequentially being detected over 5-10 mins. It came from an infected website but not sure which 1 but it was mainstream not er ahem ... pron


well i've not been to any such sites as they bore me these days, looking at what i cant have - but enough of my personal problems ;)

anyway i can 100% say my computer got the virus at a newspaper website that had google ads on it (whether that makes any difference i dont know, probably not) and if not from there then from my usual surf which is here, yahoo, google mail, ebay, amazon, and some foreign but respectable newspapers in english (the latter being my guess). defo no porno nor anything illicit and yet i still got it on mine.


Mine was the same, i think i know what site it was but would rather not say. However it was very mainstream.

Buggers :angry:


well, TG, if we have this on our machines we have to get rid of it by Sept 1 or it activates.

my computer takes about 6 hrs to do a thorough scan with Avast.

i'm going to have to do that and soon.


Mine is clean now mate, ESET spotted it and I confirmed deletion with a full scan with Kaspersky. Dont trust Avast anymore; download a trial of ESET and scan pc with that. Avira is another goody with a freebie version. Good luck

General


thx for the tips.

if i cant get the computer scanned + clean before the deadline date i'll just have to make sure i dont put it anywhere it can spy a wall calendar,

yes that should work.

ah a perfect plan.


Solution if infected with this: Google "Windows Protection Suite" removal

there are manual instructions available or i am GUESSING that superantispyware and similar might remove it if updated
