This malware succeeded in installing itself on the following configuration:
- Win7 64-bit, fully patched
- KAV 2011
- non-administrator user account (account switch via UAC)
- Opera 11.52, up to date
I was just surfing... Therefore I do believe it is a kind of drive-by download.
Once installed, it will:
- kill all running programs (yes!), including a lot of services (sometimes KAV's service too)
- prevent you from launching new/other programs
- display a fake shield within the taskbar...
Here is how it starts itself at the beginning of the user's session:
The Sysinternals tool "autoruns" does not show it, AFAIK.
According to VirusTotal, only 3 AV engines out of 43 (command-line versions) detect it!
(link: http://www.virustotal.com/file-scan/report.html?id=c6d83ab1348c548b7581153100b8b7eb7c1b89b3e753151594828c2ac78f2c12-1320798644# )
Kaspersky Antivirus 2011 does not detect anything.
Malwarebytes does detect something, but the problem is you can't start it once the malware is running...
As you can see, the malware stores a file in %appdata%, i.e. AppData\Roaming for the current user.
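The two per-user persistence spots the post points at (something that starts at the beginning of the session, and a dropped file under %appdata%) can be checked by hand when autoruns draws a blank. The PowerShell triage script below is an added example, not code from the original post: it lists the standard per-user autostart locations a non-admin account can write to (HKCU Run/RunOnce, the "Windows" key under Windows NT\CurrentVersion, and the user's Startup folder), then hashes every .exe/.dll/.scr under %APPDATA% and flags the MD5 taken from the VirusTotal report quoted later in the post. It assumes you are logged in as the affected non-admin account, preferably in Safe Mode, since the post says newly launched programs get killed in a normal session; the set of registry keys is my assumption of where to look, not the location the malware actually used.

```powershell
# Added triage script (not from the original post). Run as the affected user,
# ideally in Safe Mode, because the malware kills newly launched programs.
$KnownMd5 = '61e2511f79ef738d73d766c0ab8c8c1a'   # MD5 from the VirusTotal report in the post

# 1. Per-user autostart locations that a non-admin account can write to
#    (assumed list of the usual places; autoruns reportedly showed nothing).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'   # "Load" / "Run" values
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |      # drop PSPath, PSDrive, ... metadata
            ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
# Startup folder of the current user (Start Menu\Programs\Startup)
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    ForEach-Object { "Startup: " + $_.FullName }

# 2. Hash every executable under %APPDATA% and flag the known sample.
#    .NET MD5 is used instead of Get-FileHash so this also runs on the
#    PowerShell 2.0 that ships with Windows 7.
$md5 = [System.Security.Cryptography.MD5]::Create()
function Get-Md5Hex([string]$Path) {
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $md5.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

Get-ChildItem -Path $env:APPDATA -Recurse -Force -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = Get-Md5Hex $_.FullName
        $flag = if ($hash -eq $KnownMd5) { 'MATCH (known sample)' } else { '' }
        "{0}  {1}  {2}" -f $hash, $_.FullName, $flag
    }
```

The hash check is the more reliable half: a dropper that hides from autoruns may also be missing from the Run keys listed here, but the file under %APPDATA% still has to exist on disk to be launched. Anything in the autostart listing that points into %APPDATA% or %TEMP% deserves a look even if its hash does not match, since the post itself notes that most engines only flag this family generically.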
One hour after my first scan, VT says 3 new engines detect it:
Antivirus             Version         Last Update  Result
AhnLab-V3             2011.11.08.01   2011.11.08   -
AntiVir               7.11.17.87      2011.11.08   -
Antiy-AVL             2.0.3.7         2011.11.08   -
Avast                 6.0.1289.0      2011.11.08   -
AVG                   10.0.0.1190     2011.11.08   -
BitDefender           7.2             2011.11.09   -
ByteHero              1.0.0.1         2011.11.04   -
CAT-QuickHeal         11.00           2011.11.08   -
ClamAV                0.97.3.0        2011.11.08   -
Commtouch             5.3.2.6         2011.11.08   -
Comodo                10714           2011.11.08   -
DrWeb                 5.0.2.03300     2011.11.09   -
Emsisoft              5.1.0.11        2011.11.09   Trojan.Win32.Agent.AMN!A2
eSafe                 7.0.17.0        2011.11.08   -
eTrust-Vet            36.1.8663       2011.11.08   -
F-Prot                4.6.5.141       2011.11.08   -
F-Secure              9.0.16440.0     2011.11.09   -
Fortinet              4.3.370.0       2011.11.08   -
GData                 22              2011.11.09   -
Ikarus                T3.1.1.109.0    2011.11.08   -
Jiangmin              13.0.900        2011.11.08   -
K7AntiVirus           9.117.5413      2011.11.08   -
Kaspersky             9.0.0.837       2011.11.09   -
McAfee                5.400.0.1158    2011.11.09   Artemis!61E2511F79EF
McAfee-GW-Edition     2010.1D         2011.11.08   Artemis!61E2511F79EF
Microsoft             1.7801          2011.11.08   -
NOD32                 6612            2011.11.08   a variant of Win32/Kryptik.SES
Norman                6.07.13         2011.11.08   W32/Krypt.BD
nProtect              2011-11-08.01   2011.11.08   -
Panda                 10.0.3.5        2011.11.08   -
PCTools               8.0.0.5         2011.11.09   -
Prevx                 3.0             2011.11.09   -
Rising                23.83.01.01     2011.11.08   -
Sophos                4.71.0          2011.11.09   Mal/FakeAV-PG
SUPERAntiSpyware      4.40.0.1006     2011.11.09   -
Symantec              20111.2.0.82    2011.11.09   -
TheHacker             6.7.0.1.339     2011.11.08   -
TrendMicro            9.500.0.1008    2011.11.08   -
TrendMicro-HouseCall  9.500.0.1008    2011.11.09   -
VBA32                 3.12.16.4       2011.11.08   -
VIPRE                 11001           2011.11.09   -
ViRobot               2011.11.8.4761  2011.11.08   -
VirusBuster           14.1.53.1       2011.11.08   -
Additional information
MD5: 61e2511f79ef738d73d766c0ab8c8c1a
Most of these detections are heuristic/generic ones!
I've submitted a sample to ClamAV.
About the file:
There is even a copyright notice on it...