My PC was just infected, follow along



Phil Thien
08-24-2010, 3:14 PM
I recently received a pretty typical phishing E-Mail, including a bogus link. I knew it was bogus. I clicked on it anyhow.

Within seconds I had a fake antivirus product running on my machine. No big deal, my machine is locked down so tight I can easily isolate the virus, kill the process, and grab the executable it uses. I wanted the virus to conduct a little experiment for you guys.

Off to Virustotal.com to upload the infected file and see which antivirus products can currently identify the virus. Here are the not-too-surprising results:


AhnLab-V3 2010.08.24.00 2010.08.23 -
AntiVir 8.2.4.38 2010.08.24 -
Antiy-AVL 2.0.3.7 2010.08.23 -
Authentium 5.2.0.5 2010.08.24 -
Avast 4.8.1351.0 2010.08.24 -
Avast5 5.0.594.0 2010.08.24 -
AVG 9.0.0.851 2010.08.24 -
BitDefender 7.2 2010.08.24 -
CAT-QuickHeal 11.00 2010.08.24 -
ClamAV 0.96.2.0-git 2010.08.24 -
Comodo 5845 2010.08.24 -
DrWeb 5.0.2.03300 2010.08.24 -
Emsisoft 5.0.0.37 2010.08.24 -
eSafe 7.0.17.0 2010.08.24 -
eTrust-Vet 36.1.7810 2010.08.23 -
F-Prot 4.6.1.107 2010.08.24 -
F-Secure 9.0.15370.0 2010.08.24 -
Fortinet 4.1.143.0 2010.08.24 -
GData 21 2010.08.24 -
Ikarus T3.1.1.88.0 2010.08.24 -
Jiangmin 13.0.900 2010.08.23 -
Kaspersky 7.0.0.125 2010.08.24 -
McAfee 5.400.0.1158 2010.08.24 -
McAfee-GW-Edition 2010.1B 2010.08.24 -
Microsoft 1.6103 2010.08.24 -
NOD32 5394 2010.08.24 -
Norman 6.05.11 2010.08.24 -
nProtect 2010-08-24.01 2010.08.24 -
Panda 10.0.2.7 2010.08.24 -
PCTools 7.0.3.5 2010.08.24 -
Prevx 3.0 2010.08.24 -
Rising 22.62.01.04 2010.08.24 -
Sophos 4.56.0 2010.08.24 -
Sunbelt 6785 2010.08.24 FraudTool.Win32.SecurityTool (v)
SUPERAntiSpyware 4.40.0.1006 2010.08.24 -
Symantec 20101.1.1.7 2010.08.24 -
TheHacker 6.5.2.1.355 2010.08.24 -
TrendMicro 9.120.0.1004 2010.08.24 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.24 -
VBA32 3.12.14.0 2010.08.24 -
ViRobot 2010.8.24.4005 2010.08.24 -
VirusBuster 5.0.27.0 2010.08.24 -

That's right, only ONE antivirus product was able to identify the virus contained in the file. Something from Sunbelt.

I'll follow-up a few times over the next couple of days by running the analysis again. Some of you may be surprised how your antivirus products stack up against the competition.

David Weaver
08-24-2010, 3:34 PM
What was the name of the fake program it tried to sell you or the name of the executable?

I had a creative one a couple of weeks ago - it popped up, looked exactly like AVG (my security program), blocked me out of opening task manager and ran all of my internet stuff through a proxy server.

I had to restart in safe mode to nail it. It was the best one I've seen in a while.

I think it was antivir.

What's annoying is when I logged onto the internet to find information about it, there were plenty of other scumbag places who wanted to sell you a "tool" to remove it. So if you were not computer savvy, you find secondary scumbags who make tools that do very basic functions and you end up giving your money to a peripheral scumbag instead of the primary scumbag.

(I don't do that, actually, I've still not had a virus that I couldn't remove manually after looking up the cause on a second PC - having the second PC is the key).

I have yet to see an internet program that blocks everything. That turdbag program took over on my computer with spybot S&D and AVG both running.

I actually got the virus searching for woodworking videos. :confused:

Van Huskey
08-24-2010, 4:02 PM
Very interesting info. Thanks

Pat Germain
08-24-2010, 4:23 PM
I used to run Symantec Antivirus. I paid for the upgrades. Every time I got a virus, Symantec didn't block it, couldn't find it and couldn't clean it. I got rid of Symantec. What's the point if it doesn't do its job?

I agree you need a combination of apps. But I've never seen an infection MalwareBytes couldn't find and clean.

Phil Thien
08-24-2010, 4:27 PM
What was the name of the fake program it tried to sell you or the name of the executable?

This time it is called "SecurityTool," but really it is the same old Fake Anti-virus type app. They're all probably from a few forks of the same code. They're updated multiple times each day to avoid detection by antivirus products.


I had a creative one a couple of weeks ago - it popped up, looked exactly like AVG (my security program), blocked me out of opening task manager and ran all of my internet stuff through a proxy server.

I had to restart in safe mode to nail it. It was the best one I've seen in a while.

I think it was antivir.


If you run as a limited user and remove your limited-user permission to write to Run and RunOnce, then rebooting your machine should be all that is necessary to get rid of the virus. The executables will still litter your drive until you go remove them, but they won't be running. If you run anti-virus software, it will eventually do the clean-up for you.


I have yet to see an internet program that blocks everything. That turdbag program took over on my computer with spybot S&D and AVG both running.


That is why running as a limited user is the only way to fly.

Phil Thien
08-24-2010, 4:29 PM
But I've never seen an infection MalwareBytes couldn't find and clean.

Oh I have, a bunch of times.

But this is what I do for a living.

Brian Ashton
08-24-2010, 5:36 PM
Would it be possible for those who have "locked" their computers down to maybe post what they've done? I'm pretty computer savvy but I can always learn much more - especially when you consider how fast the computer world changes.

It would be good to have a non-confrontational exchange of information. I.e. Let people say what they do without someone trying to dispute it... Computers, like sharpening, are one of those subjects where there is no perfect single answer.

David Weaver
08-24-2010, 5:43 PM
I would like to see the easiest approach for the moderately inclined, too.

What I can find on the internet about streamlining running usually turns into an argument on a forum about what is the best way to handle a corporate pool of 200 users, even though someone wants to know the easiest way to do something as a single user.

The world of computers has passed me by since about 1998 or so, and I still operate in virus fix mode the same way I did then, except back then there were a lot fewer executables on a PC and you could usually find the offender very quickly without having to go to the internet for information.

Viruses were malicious for the purpose of being malicious back then, too. I guess the people who wrote them figured out that it's better to leave the computer marginally functional and try to bilk money out of someone since leaving it a paperweight may make money for someone, but never the virus writer.

Anyway, there is a lot of stuff out there about running limited permission, but the arguments seem to be centered around whether to run it on select apps where it's most useful vs. running it on all apps and giving additional permissions to select apps only when needed. Not much focus on a simple way to do it but to be able to still get back into the system as admin.

Presumably set up a second user away from the admin account and use that one unless functionality is needed?

Phil Thien
08-24-2010, 5:57 PM
"Locking down" for the novice really just involves running as a limited-user, rather than a user with Administrator rights.

(1) Create a new user called "Admin." Set a password on this account. Don't share it with anyone else in the family.

(2) If you're running XP, run regedit and change
HKLM:Software:Microsoft:Windows NT:CurrentVersion:Winlogon:allocatecdroms to 1. This allows non-admins to burn CDs/DVDs.

(3) Change all the other users on the machine to limited-user.

(4) For each user on the machine, run regedit and change these key permissions so the logged-in user may not modify them:

HKCU:Software:Microsoft:Windows:CurrentVersion:Run
HKCU:Software:Microsoft:Windows:CurrentVersion:RunOnce

Once you've done this, a virus on your PC will NOT be able to make any changes to the Windows folder (or subfolders), nor \Program Files, nor any critical parts of the registry. IOW, it won't be able to make the changes necessary so that each time the machine boots, the virus can be loaded.

IF you are using Vista/Win7, you have to be vigilant w/ UAC. This is the feature that asks you to "Click Okay to Continue." Once you've followed my instructions above, it will instead ask you for the password for the Admin account when a program is likely to make important changes to your system. So if you do get a virus, you may be asked for the password for the Admin account so the virus can install itself. Don't type the password unless you know WHY you're being asked for it.

That is about it. I have some additional software I use on my machine to play with viruses, but you don't need that. If you see evidence of a virus running on your machine, and you've made the changes I've suggested above, all that should be necessary to get rid of the virus is to restart your machine.
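As an added example (not Phil's own procedure, and not part of the original thread), here is a PowerShell script that audits the two per-user autostart keys from step (4) and, if you choose, applies the "logged-in user may not modify them" permission with a Deny entry instead of clicking through regedit. It assumes Windows PowerShell 5.1 or newer, run from inside the limited user's own session (HKCU is that user's hive); the function names are mine.

```powershell
# Added example, not from the thread: audit (and optionally lock) the per-user
# Run / RunOnce keys from step (4).  Assumes Windows PowerShell 5.1+, run from
# the limited user's own session.  Function names are my own.

$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-IsAdministrator {
    # Step (3) check: the everyday account should NOT be in Administrators.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AutostartEntries {
    # What will start at the next logon for this user.  A fake-AV that has
    # persisted usually shows up here as an .exe in a temp or profile folder.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-AutostartKeyProtection {
    # Who owns each key, and whether the current user already has a Deny ACE
    # covering SetValue (i.e. whether step (4) has been applied).
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $acl  = Get-Acl -Path $key
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq $sid -and
            (($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0)
        }
        [pscustomobject]@{ Key = $key; Owner = $acl.Owner; WriteDenied = [bool]$deny }
    }
}

function Protect-AutostartKey {
    # Add a Deny ACE for the current user covering value writes and subkey creation.
    # Caveat: a key's OWNER can always rewrite its DACL, so for this to hold against
    # code running as the same user, move ownership of the key to Administrators
    # afterwards from the Admin account (regedit > Permissions > Advanced).
    param([Parameter(Mandatory)][string]$Key)
    $user   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $user, $rights, 'ContainerInherit', 'None', 'Deny')
    $acl = Get-Acl -Path $Key
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

# Usage: audit first, then apply Protect-AutostartKey deliberately.
if (Test-IsAdministrator) { Write-Warning 'This account is an administrator; step (3) has not been done.' }
Get-AutostartEntries | Format-Table -AutoSize
Get-AutostartKeyProtection | Format-Table -AutoSize
# foreach ($k in $AutostartKeys) { Protect-AutostartKey -Key $k }
```

The audit is the useful part day to day: after a reboot, anything still listed by Get-AutostartEntries that you did not put there is the executable "littering your drive" that the post mentions. The Owner column matters because a Deny entry on a key the user still owns can be undone by any program running as that user; once ownership sits with Administrators, the limited user (and anything it runs) has no way to put the entry back.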

Phil Thien
08-24-2010, 6:56 PM
It has been about 3.5 hours. Here are the products identifying the files as a virus now:

BitDefender 7.2 2010.08.25 Trojan.Generic.KD.28592
DrWeb 5.0.2.03300 2010.08.25 Trojan.Fakealert.18562
Sunbelt 6786 2010.08.24 FraudTool.Win32.SecurityTool (v)

All others still showing negative.

del schisler
08-24-2010, 8:27 PM
It has been about 3.5 hours. Here are the products identifying the files as a virus now:

BitDefender 7.2 2010.08.25 Trojan.Generic.KD.28592
DrWeb 5.0.2.03300 2010.08.25 Trojan.Fakealert.18562
Sunbelt 6786 2010.08.24 FraudTool.Win32.SecurityTool (v)

All others still showing negative.

Run the Malwarebytes program, it is free. There are lots of free virus programs. Some load the comp. down so much it isn't worth them being on the comp.

Bryan Morgan
08-25-2010, 1:16 AM
This is not new. The antivirus programs all work a little different and have different criteria as to what is malware. I wouldn't trust any of them any farther than I could throw the programmers. They have a vested interest in not stopping all viruses. :) Some are so crappy they don't even detect eicar.

Brian Ashton
08-25-2010, 1:44 AM
"Locking down" for the novice really just involves running as a limited-user, rather than a user with Administrator rights.

(1) Create a new user called "Admin." Set a password on this account. Don't share it with anyone else in the family.

(2) If you're running XP, run regedit and change
HKLM:Software:Microsoft:Windows NT:CurrentVersion:Winlogon:allocatecdroms to 1. This allows non-admins to burn CDs/DVDs.

(3) Change all the other users on the machine to limited-user.

(4) For each user on the machine, run regedit and change these key permissions so the logged-in user may not modify them:

HKCU:Software:Microsoft:Windows:CurrentVersion:Run
HKCU:Software:Microsoft:Windows:CurrentVersion:RunOnce

Once you've done this, a virus on your PC will NOT be able to make any changes to the Windows folder (or subfolders), nor \Program Files, nor any critical parts of the registry. IOW, it won't be able to make the changes necessary so that each time the machine boots, the virus can be loaded.

IF you are using Vista/Win7, you have to be vigilant w/ UAC. This is the feature that asks you to "Click Okay to Continue." Once you've followed my instructions above, it will instead ask you for the password for the Admin account when a program is likely to make important changes to your system. So if you do get a virus, you may be asked for the password for the Admin account so the virus can install itself. Don't type the password unless you know WHY you're being asked for it.

That is about it. I have some additional software I use on my machine to play with viruses, but you don't need that. If you see evidence of a virus running on your machine, and you've made the changes I've suggested above, all that should be necessary to get rid of the virus is to restart your machine.

Thx Phil I was thinking it was going to be a bit of a lesson on alchemy but that is just too simple...

Phil Thien
08-25-2010, 8:42 AM
Just ran a new scan...

BitDefender 7.2 2010.08.25 Trojan.Generic.KD.28592
DrWeb 5.0.2.03300 2010.08.25 Trojan.Fakealert.18562
F-Secure 9.0.15370.0 2010.08.25 Trojan.Generic.KD.28592
GData 21 2010.08.25 Trojan.Generic.KD.28592
NOD32 5396 2010.08.25 Win32/Adware.SecurityTool.AD
nProtect 2010-08-25.02 2010.08.25 Trojan.Generic.KD.28592
PCTools 7.0.3.5 2010.08.25 Trojan.FakeAV
Sunbelt 6788 2010.08.25 FraudTool.Win32.SecurityTool (v)
Symantec 20101.1.1.7 2010.08.25 Trojan.FakeAV!gen37

Phil Thien
08-25-2010, 8:49 AM
This is not new. The antivirus programs all work a little different and have different criteria as to what is malware. I wouldn't trust any of them any farther than I could throw the programmers. They have a vested interest in not stopping all viruses. :) Some are so crappy they don't even detect eicar.

In two weeks, every single program on that list will identify this virus. It just takes time (too much time if you ask me), but they will ultimately all consider it malware.

And I believe any one of the antivirus makers would LOVE to bring a product to market that stops ALL viruses. They'd sure make a lot of money if they could...

Scott Shepherd
08-25-2010, 9:29 AM
Phil, 2 that get rated highly that I don't see on the list are eset and vipre. Can you select those to see if they would have caught it or does it just show what it shows?

I'm an eset user (happy eset user) but my computer guy keeps telling me to switch over to vipre.

Leigh Betsch
08-25-2010, 9:31 AM
Phil have you ever used StopZilla? I found it when I had a virus a couple of years ago that Norton couldn't find. Seems to work well but I can never tell if it works great or if I just haven't run into any more viruses.

Phil Thien
08-25-2010, 10:52 AM
Phil, 2 that get rated highly that I don't see on the list are eset and vipre. Can you select those to see if they would have caught it or does it just show what it shows?

I'm an eset user (happy eset user) but my computer guy keeps telling me to switch over to vipre.

Scott, Sunbelt is indeed Vipre. It was the only one that provided a positive on the very first test.

"eset" is NOD32, and it is now providing a positive reading, but I think it took until this morning.

Jamie Buxton
08-25-2010, 10:54 AM
Phil, I understand how clicking an email attachment may infect my computer, but another alleged source appears to be "visiting infected web sites". I say "alleged" because I mostly see that claim in ads for virus-shielding programs, or in articles written by inexpert people. Presuming my browser is up-to-date, is surfing around the web dangerous, or are those supposed "infected web sites" just bogeymen used to sell more software?

Phil Thien
08-25-2010, 11:00 AM
Phil have you ever used StopZilla? I found it when I had a virus a couple of years ago that Norton couldn't find. Seems to work well but I can never tell if it works great or if I just haven't run into any more viruses.

I've used 'em all at one point or another.

None of them catch everything.

The amount of time they take to update definitions in response to a new threat varies. On one new threat, "Product A" may have updated defs within minutes to hours, "Product B" may take days. On the very next threat, that result is often reversed.

This test is by no means scientific. Just for fun.

I might mention, though, that there are some particularly nasty variants going around that install as rootkits. These will actually modify a .sys file in your \windows\system32\drivers folder. Once your machine reboots and the virus is loaded, there is little hope in removing it. At least, I've not seen any product that can clean such a virus without user intervention.

Phil Thien
08-25-2010, 11:08 AM
Presuming my browser is up-to-date, is surfing around the web dangerous, or are those supposed "infected web sites" just bogeymen used to sell more software?

Most of the machines I see were infected when browsing. Especially googling. New security holes are discovered fairly routinely, and the virus writers jump on them.

My machine is current with updates, and yet I can still visit some sites that will figure out a way to deliver a payload.

Scott Shepherd
08-25-2010, 11:16 AM
Scott, Sunbelt is indeed Vipre. It was the only one that provided a positive on the very first test.

"eset" is NOD32, and it is now providing a positive reading, but I think it took until this morning.

Thanks Phil, I missed the NOD32 completely! Sorry about that!

So Vipre is hanging in there well, is it? My computer guru guy swears by it and won't use anything but it. I've not tried it but sounds like it might be worth looking at next time my stuff is up for renewal.

Phil Thien
08-25-2010, 2:10 PM
Just did a fresh scan. Lots of stuff not seeing it yet (AVG, Avast, Kaspersky, McAfee, Microsoft, etc.).

AntiVir 8.2.4.38 2010.08.25 TR/Fakealert.GT.1
BitDefender 7.2 2010.08.25 Trojan.Generic.KD.28592
DrWeb 5.0.2.03300 2010.08.25 Trojan.Fakealert.18562
F-Secure 9.0.15370.0 2010.08.25 Trojan.Generic.KD.28592
GData 21 2010.08.25 Trojan.Generic.KD.28592
NOD32 5397 2010.08.25 Win32/Adware.SecurityTool.AD
nProtect 2010-08-25.02 2010.08.25 Trojan.Generic.KD.28592
PCTools 7.0.3.5 2010.08.25 Trojan.FakeAV
Sunbelt 6791 2010.08.25 FraudTool.Win32.SecurityTool (v)
SUPERAntiSpyware 4.40.0.1006 2010.08.25 Trojan.Agent/Gen-CDesc[Gen]
Symantec 20101.1.1.7 2010.08.25 Trojan.FakeAV!gen37

Brian Ashton
08-25-2010, 6:51 PM
I've used 'em all at one point or another.

None of them catch everything.

The amount of time they take to update definitions in response to a new threat varies. On one new threat, "Product A" may have updated defs within minutes to hours, "Product B" may take days. On the very next threat, that result is often reversed.

This test is by no means scientific. Just for fun.

I might mention, though, that there are some particularly nasty variants going around that install as rootkits. These will actually modify a .sys file in your \windows\system32\drivers folder. Once your machine reboots and the virus is loaded, there is little hope in removing it. At least, I've not seen any product that can clean such a virus without user intervention.

So that's pretty much where your suggested registry edits come into play and thwart those attempts to infect?

Phil Thien
08-25-2010, 7:24 PM
So that's pretty much where your suggested registry edits come into play and thwart those attempts to infect?

Right, if you're running as a limited user, then programs you start (including a virus) cannot manipulate critical Windows system files.

paul cottingham
08-25-2010, 8:12 PM
Phil, I understand how clicking an email attachment may infect my computer, but another alleged source appears to be "visiting infected web sites". I say "alleged" because I mostly see that claim in ads for virus-shielding programs, or in articles written by inexpert people. Presuming my browser is up-to-date, is surfing around the web dangerous, or are those supposed "infected web sites" just bogeymen used to sell more software?

Try using Firefox as well. It is not a security mess like IE, and generally won't allow spyware and viruses to trigger as easily.

Larry Frank
08-25-2010, 8:30 PM
Yes, I wish that there was a product out there that would be all things to our computers and protect us from it. Unfortunately there is no such thing and that is why there are so many products with so many claims. If there were one that truly was perfect, everyone would be buying it.

I just have to ask a question. Why would anyone click on a link in an email that looks like phishing? It appears, "We have met the enemy and he is us".

I think that common sense and a good antivirus program is the best that one can do. Having only one of these simply is not good enough to protect your computer.

(Note: The quote is attributed to the cartoon Pogo in 1971 and seems to have a lot of validity)

Phil Thien
08-25-2010, 9:11 PM
Try using Firefox as well. It is not a security mess like IE, and generally won't allow spyware and viruses to trigger as easily.

Many of the latest fake-alert viruses attack via both FF and IE.

Phil Thien
08-25-2010, 9:24 PM
I just have to ask a question. Why would anyone click on a link in an email that looks like phishing? It appears, "We have met the enemy and he is us".

Just for demonstration purposes. As I said in my first post, due to the way my machine is configured, I'm not worried about infecting it. I've done this dozens of times.

The information I'm posting here is also being provided to someone writing a story. Otherwise I probably wouldn't bother.


I think that common sense and a good antivirus program is the best that one can do. Having only one of these simply is not good enough to protect your computer.

Common sense and "good antivirus" will get you infected, especially if you routinely use google.


(Note: The quote is attributed to the cartoon Pogo in 1971 and seems to have a lot of validity)

Phil Thien
08-25-2010, 9:28 PM
Latest results...

Still lots of popular anti-virus products not detecting the infection.

AntiVir 8.2.4.38 2010.08.25 TR/Fakealert.GT.1
AVG 9.0.0.851 2010.08.25 FakeAV.CXN
BitDefender 7.2 2010.08.26 Trojan.Generic.KD.28592
DrWeb 5.0.2.03300 2010.08.26 Trojan.Fakealert.18562
F-Secure 9.0.15370.0 2010.08.26 Trojan.Generic.KD.28592
GData 21 2010.08.26 Trojan.Generic.KD.28592
NOD32 5397 2010.08.25 Win32/Adware.SecurityTool.AD
nProtect 2010-08-25.02 2010.08.25 Trojan.Generic.KD.28592
PCTools 7.0.3.5 2010.08.26 Trojan.FakeAV
Sunbelt 6794 2010.08.26 FraudTool.Win32.SecurityTool (v)
SUPERAntiSpyware 4.40.0.1006 2010.08.26 Trojan.Agent/Gen-CDesc[Gen]
Symantec 20101.1.1.7 2010.08.26 Trojan.FakeAV!gen37
TheHacker 6.5.2.1.356 2010.08.26 Trojan/FakeAV.dnv

Phil Thien
08-26-2010, 8:37 AM
Picked up a few more hits over night. Now up to 16. Notably absent: Comodo, the Computer Associates eSafe, f-prot, Kaspersky, McAfee, Microsoft, Norman, Sophos, and Trend. If you're using one of those products, it still can't identify this virus based on signatures. Maybe heuristically, but that is a crap-shoot, as the best heuristic analysis today catches about 40% of emerging viruses. It is critical to get signatures updated very quickly.

It has been almost four days, BTW.

AntiVir 8.2.4.46 2010.08.26 TR/Fakealert.GT.1
Avast 4.8.1351.0 2010.08.26 Win32:Malware-gen
Avast5 5.0.594.0 2010.08.26 Win32:Malware-gen
AVG 9.0.0.851 2010.08.26 FakeAV.CXN
BitDefender 7.2 2010.08.26 Trojan.Generic.KD.28592
DrWeb 5.0.2.03300 2010.08.26 Trojan.Fakealert.18562
F-Secure 9.0.15370.0 2010.08.26 Trojan.Generic.KD.28592
GData 21 2010.08.26 Trojan.Generic.KD.28592
NOD32 5399 2010.08.26 Win32/Adware.SecurityTool.AD
nProtect 2010-08-26.01 2010.08.26 Trojan.Generic.KD.28592
Panda 10.0.2.7 2010.08.25 Suspicious file
PCTools 7.0.3.5 2010.08.26 Trojan.FakeAV
Sunbelt 6795 2010.08.26 FraudTool.Win32.SecurityTool (v)
SUPERAntiSpyware 4.40.0.1006 2010.08.26 Trojan.Agent/Gen-CDesc[Gen]
Symantec 20101.1.1.7 2010.08.26 Trojan.FakeAV!gen37
TheHacker 6.5.2.1.356 2010.08.26 Trojan/FakeAV.dnv
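Phil is doing this count by hand each time he rescans. As an added example (not from the thread, and not VirusTotal's own tooling), the PowerShell below parses result lines in the format pasted above (vendor, engine version, signature date, result, with "-" meaning clean) and diffs two snapshots, so the "who caught up, who is still missing" question is answered mechanically. The function names are mine; the two sample reports are constructed subsets built from a few of the thread's own lines, not complete scans.

```powershell
# Added example, not from the thread: parse VirusTotal-style result lines and
# compare two snapshots taken at different times.  Function names are my own;
# the sample data is a constructed subset of the thread's lines.

function ConvertFrom-ScanReport {
    param([Parameter(Mandatory)][string]$Text)
    # Vendor and engine version never contain spaces; the result may ("Suspicious file").
    $pattern = '^(?<Vendor>\S+)\s+(?<Engine>\S+)\s+(?<Sigs>\d{4}\.\d{2}\.\d{2})\s+(?<Result>.+)$'
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match $pattern) {
            $result = $Matches.Result.Trim()
            [pscustomobject]@{
                Vendor   = $Matches.Vendor
                Engine   = $Matches.Engine
                SigDate  = $Matches.Sigs
                Result   = $result
                Detected = ($result -ne '-')
            }
        }
    }
}

function Get-DetectionSummary {
    # "16 of 41" style count plus the vendors still reporting the file clean.
    param([Parameter(Mandatory)][object[]]$Report)
    $hits = @($Report | Where-Object Detected)
    [pscustomobject]@{
        Detected = $hits.Count
        Total    = $Report.Count
        Missing  = @($Report | Where-Object { -not $_.Detected } | ForEach-Object Vendor)
    }
}

function Compare-ScanReports {
    # Vendors that flipped from clean to detected between two snapshots, and
    # any that went the other way (a signature regression worth noticing).
    param([object[]]$Before, [object[]]$After)
    $was = @{}
    foreach ($r in $Before) { $was[$r.Vendor] = $r.Detected }
    foreach ($r in $After) {
        $earlier = if ($was.ContainsKey($r.Vendor)) { $was[$r.Vendor] } else { $false }
        if ($r.Detected -and -not $earlier) {
            [pscustomobject]@{ Vendor = $r.Vendor; Change = 'now detects'; Result = $r.Result }
        } elseif ($earlier -and -not $r.Detected) {
            [pscustomobject]@{ Vendor = $r.Vendor; Change = 'stopped detecting'; Result = $r.Result }
        }
    }
}

# Constructed sample: six vendors from the first scan and from the 08-26 scan.
$day0 = @'
AVG 9.0.0.851 2010.08.24 -
BitDefender 7.2 2010.08.24 -
Kaspersky 7.0.0.125 2010.08.24 -
NOD32 5394 2010.08.24 -
Sunbelt 6785 2010.08.24 FraudTool.Win32.SecurityTool (v)
TrendMicro-HouseCall 9.120.0.1004 2010.08.24 -
'@
$day2 = @'
AVG 9.0.0.851 2010.08.26 FakeAV.CXN
BitDefender 7.2 2010.08.26 Trojan.Generic.KD.28592
Kaspersky 7.0.0.125 2010.08.26 -
NOD32 5399 2010.08.26 Win32/Adware.SecurityTool.AD
Sunbelt 6795 2010.08.26 FraudTool.Win32.SecurityTool (v)
TrendMicro-HouseCall 9.120.0.1004 2010.08.26 -
'@

$before = @(ConvertFrom-ScanReport -Text $day0)
$after  = @(ConvertFrom-ScanReport -Text $day2)
Get-DetectionSummary -Report $before
Get-DetectionSummary -Report $after
Compare-ScanReports -Before $before -After $after | Format-Table -AutoSize
```

Paste each day's full result list into its own here-string and the Missing list is exactly the "notably absent" set Phil types out by hand; the Compare output is the change since the previous check. Anything with a non-"-" result counts as a detection here, so a vendor's "Suspicious file" heuristic verdict is counted alongside a named signature; split on the result text if you want those separated.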

Michael MacDonald
08-26-2010, 4:05 PM
phil -- virustotal didn't check malwarebytes? that is a great program... I bet they would catch it.

Phil Thien
08-26-2010, 6:43 PM
phil -- virustotal didn't check malwarebytes? that is a great program... I bet they would catch it.

No, they don't include MWB. I've scanned the file w/ MWB several times and it didn't catch it. I haven't scanned w/ MWB today, though.

The thing to remember is, MWB is reactive just like all the other antivirus apps. They take time to add signatures to their definitions.

paul cottingham
08-26-2010, 7:47 PM
How about clamav?

Phil Thien
08-26-2010, 9:19 PM
How about clamav?

Clam is on the list, hasn't found it yet.

John McClanahan
08-26-2010, 11:23 PM
Some of those virus scans can be quite comical. I like the ones that open "my computer", start scanning the C drive and listing all of the infected files. What's funny about it is I'm using a PowerPC based Mac.:D

For those who have never used a Mac, they don't have a "C" drive, "my computer" or the .ini, .dll or other files Windows uses.;)

John

John McClanahan
08-26-2010, 11:28 PM
All joking aside, I would like to thank Phil for the advice on protecting a Windows computer. My wife is a Windows user, and I will use that advice on her computer.

John

Phil Thien
08-27-2010, 9:03 AM
Up to 21 hits as of this morning.

The virus that I used for my experiment has probably morphed several times since Monday. The one I used for my experiment has probably been largely abandoned by the person/people that released it into the wild.

If I had a new version of the virus, I suspect few of the products below would be able to identify it.


AntiVir 8.2.4.46 2010.08.27 TR/Fakealert.GT.1
Avast 4.8.1351.0 2010.08.27 Win32:Malware-gen
Avast5 5.0.594.0 2010.08.27 Win32:Malware-gen
AVG 9.0.0.851 2010.08.27 FakeAV.CXN
BitDefender 7.2 2010.08.27 Trojan.Generic.KD.28592
DrWeb 5.0.2.03300 2010.08.27 Trojan.Fakealert.18562
F-Secure 9.0.15370.0 2010.08.27 Trojan.Generic.KD.28592
GData 21 2010.08.27 Trojan.Generic.KD.28592
Jiangmin 13.0.900 2010.08.27 Trojan/Fakeav.uf
NOD32 5402 2010.08.27 Win32/Adware.SecurityTool.AD
Norman 6.05.11 2010.08.27 W32/FakeAlert.CIKK
nProtect 2010-08-27.01 2010.08.27 Trojan.Generic.KD.28592
Panda 10.0.2.7 2010.08.27 Trj/CI.A
PCTools 7.0.3.5 2010.08.27 Trojan.FakeAV
Rising 22.62.04.04 2010.08.27 Trojan.Win32.Generic.522B31C9
Sunbelt 6801 2010.08.27 FraudTool.Win32.SecurityTool (v)
SUPERAntiSpyware 4.40.0.1006 2010.08.27 Trojan.Agent/Gen-CDesc[Gen]
Symantec 20101.1.1.7 2010.08.27 Trojan.FakeAV!gen37
TheHacker 6.5.2.1.356 2010.08.26 Trojan/FakeAV.dnv
TrendMicro 9.120.0.1004 2010.08.27 TROJ_FAKEAV.SMDM
TrendMicro-HouseCall 9.120.0.1004 2010.08.27 TROJ_FAKEAV.SMDM