I have certainly seen my share of missed detections with McAfee, but McAfee has always proven to quickly and accurately review/include submitted samples, and generally responds the same day with an Extra.DAT. That type of turnaround with other vendors is, um, well -- let's be nice -- not always as prompt.
A quick spin through http://vil.nai.com gives me more than 1000 results for FakeAV malware. I would suggest that you focus your efforts on collecting a sample and submitting it either to McAfee, or to a community site like VirusTotal.com that will submit it to many vendors in a single shot.
Thanks for the info, but did you see my statement about how one goes about submitting a sample to McAfee, when they REQUIRE the actual "file" to send to them? In this case, it doesn't seem to be an easily identifiable file on the actual workstation (seems to be something that gets loaded into memory rather than written to the hard drive and THEN loaded into memory).
Let me share my thoughts on this. I personally caught FakeAV twice on my computer and twice needed to fully reinstall. On the second infection I realized that this is what Access Protection may be for in the first place, and while my computer was still infected I engaged some Access Protection rules and could see live what was being done by this malware by looking at the Access Protection log. I could identify the root .DLL and one other file that worked within Internet Explorer. Both were rewriting certain registry branches with their values every 3 seconds.
I could even cripple the IE-related file with AP rules, but the root DLL was so deep in the registered device drivers (CLSID) that it always loaded before the VirusScan device drivers, so even when an AP rule was active, the file got loaded before the McAfee AP device driver would have loaded. Therefore I decided to reinstall on the second occasion, too. (I should mention that I tried disinfecting with NOD32, which identified the file and said that it'd be deleted on reboot, but that never happened on reboot.)
So I strongly suggest you use Access Protection in the future and try to engage some of the rules to see which is doing what; maybe you could identify the root file. On uninfected systems this can prevent embedding of the malware entirely or to a great extent.
I consider such a trojan an ever-changing blended one, so do not expect that you'd be protected just because you have all the latest signatures and even Artemis; please also use Access Protection and harden it by ticking "Prevent McAfee Services from being stopped".
When investigating any suspicious malware I recommend using (psst) ESET's SysInspector; I found it handier than other tools.
Message was edited by: apoling on 18/02/11 09:28:55 CET
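The post above describes spotting the malware's root files by watching the Access Protection log for the same registry branches being rewritten every few seconds. Below is an added example (not McAfee's code, and not McAfee's real log format) of that triage step automated: it parses a constructed, simplified event log, groups registry-write events by (process, target key), and reports pairs that hit the same key repeatedly at a short, steady cadence. The line layout, the process paths and the `{CLSID-PLACEHOLDER}` key are all assumptions constructed for this example.

```python
"""Flag processes that rewrite the same registry key at a rapid, steady cadence.

Added example for the forum post above; not McAfee code. The log layout below
(<timestamp> <action> <process path> <operation> <target>) is a constructed,
simplified assumption, not the real Access Protection log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real McAfee output). rundll32 hosting an unknown
# DLL and iexplore.exe each re-write one key every 3 seconds; explorer.exe
# writes a Run key once, which is normal and must not be flagged.
SAMPLE_LOG = """\
2011-02-18 09:00:00 Blocked C:\\Windows\\System32\\rundll32.exe RegWrite HKLM\\SOFTWARE\\Classes\\CLSID\\{CLSID-PLACEHOLDER}\\InprocServer32
2011-02-18 09:00:01 Blocked C:\\Program Files\\Internet Explorer\\iexplore.exe RegWrite HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
2011-02-18 09:00:03 Blocked C:\\Windows\\System32\\rundll32.exe RegWrite HKLM\\SOFTWARE\\Classes\\CLSID\\{CLSID-PLACEHOLDER}\\InprocServer32
2011-02-18 09:00:04 Blocked C:\\Program Files\\Internet Explorer\\iexplore.exe RegWrite HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
2011-02-18 09:00:06 Blocked C:\\Windows\\System32\\rundll32.exe RegWrite HKLM\\SOFTWARE\\Classes\\CLSID\\{CLSID-PLACEHOLDER}\\InprocServer32
2011-02-18 09:00:07 Blocked C:\\Program Files\\Internet Explorer\\iexplore.exe RegWrite HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
2011-02-18 09:00:09 Blocked C:\\Windows\\System32\\rundll32.exe RegWrite HKLM\\SOFTWARE\\Classes\\CLSID\\{CLSID-PLACEHOLDER}\\InprocServer32
2011-02-18 09:05:00 Blocked C:\\Windows\\explorer.exe RegWrite HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""

# Process paths may contain spaces, so the process field is matched lazily up
# to the operation keyword; the target is assumed to contain no spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<process>.+?) (?P<op>Reg\w+|File\w+) (?P<target>\S+)$"
)


def parse_events(text):
    """Parse log text into event dicts; lines in an unexpected layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": m["action"],
            "process": m["process"],
            "op": m["op"],
            "target": m["target"],
        })
    return events


def find_repeat_writers(events, min_events=3, max_gap_seconds=5):
    """Return {(process, target): average gap in seconds} for registry writes
    that recur at least min_events times with every gap <= max_gap_seconds.
    A single write (e.g. a legitimate installer touching a Run key) is ignored."""
    by_pair = defaultdict(list)
    for e in events:
        if e["op"].startswith("Reg"):
            by_pair[(e["process"], e["target"])].append(e["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(g <= max_gap_seconds for g in gaps):
            hits[pair] = sum(gaps) / len(gaps)
    return hits


def suspect_processes(hits):
    """Sorted list of distinct process paths worth pulling for a sample submission."""
    return sorted({process for process, _target in hits})


if __name__ == "__main__":
    found = find_repeat_writers(parse_events(SAMPLE_LOG))
    for (process, target), gap in found.items():
        print(f"{process} rewrites {target} every ~{gap:.0f}s")
    print("suspects:", suspect_processes(found))
```

With the constructed log both rundll32.exe and iexplore.exe are reported with a ~3 second cadence while explorer.exe's single write is not. On a real system the reported host process (rundll32.exe here) is only the carrier; the DLL it loads is the file to collect, which is the same distinction the post makes between the root DLL and the IE-side file.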
Thanks for the info. We already use Access Protection and we do already prevent McAfee services from being stopped (if you look at another thread in this forum you will see that even that setting can be circumvented).
It seems there are so many variations of Fake AV that the signature changes at a pace far too rapid to deploy successful signatures. The problem can be circumvented via other methods, such as blocking web traffic to certain domain extensions. Once you have an affected PC, take a look at their browsing history; somewhere in there you will see that they were inadvertently redirected via scripting to some foreign domain. Once we started implementing blocking of various domains, i.e. *.cc, we saw the number of incidents go down dramatically, from a minimum of 5 a week to maybe 1 every two weeks if at all. Don't just mitigate the problem, figure out where it is coming from. That is half the battle.... ALSO ensure your PCs are patched regularly; JS vulnerabilities are exploited regularly.
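The post above recommends two things: walk an infected user's browsing history back to the redirect that led to the foreign domain, and then block those domain extensions (the post's example is *.cc). The following is an added example (not the poster's tooling) of that review step: it takes constructed history records of the form (timestamp, URL, referrer), follows referrers back from any URL whose host matches a glob-style block pattern, and lists the intermediate hosts so they can be reviewed for the block list. The history entries and the `example.org` / `example.net` / `example.cc` hosts are constructed placeholders for this example.

```python
"""Reconstruct redirect chains from browser history that end on a blocked TLD.

Added example for the forum post above, not any vendor's code. The history
record layout (timestamp, url, referrer) and every sample entry are constructed
assumptions; real browser history stores would need their own export step.
"""
import fnmatch
from urllib.parse import urlparse

# Glob-style patterns in the style of the post's "*.cc"; extend as needed.
BLOCK_PATTERNS = ["*.cc"]

# Constructed sample history: a normal news visit that bounces through an ad
# host to a .cc "scanner" page, followed by an unrelated intranet visit.
SAMPLE_HISTORY = [
    ("2011-02-18 10:01:00", "http://news.example.org/story", ""),
    ("2011-02-18 10:01:02", "http://ads.example.net/click?id=1", "http://news.example.org/story"),
    ("2011-02-18 10:01:03", "http://scan-now.example.cc/alert.php", "http://ads.example.net/click?id=1"),
    ("2011-02-18 10:30:00", "http://intranet.example.com/home", ""),
]


def host_of(url):
    """Lower-cased hostname of a URL, or "" when the URL has none."""
    return (urlparse(url).hostname or "").lower()


def is_blocked(host, patterns=BLOCK_PATTERNS):
    """True when the host matches any glob pattern, e.g. "*.cc"."""
    return any(fnmatch.fnmatch(host, p) for p in patterns)


def build_chain(entry, by_url):
    """Walk referrers back from an entry to the page the user originally visited.
    Stops when the referrer is missing from history or a cycle is detected."""
    chain = [entry[1]]
    seen = {entry[1]}
    ref = entry[2]
    while ref and ref not in seen and ref in by_url:
        chain.append(ref)
        seen.add(ref)
        ref = by_url[ref][2]
    return list(reversed(chain))


def flag_redirect_chains(history, patterns=BLOCK_PATTERNS):
    """Return [{"time": ..., "chain": [first page, ..., blocked page]}] for every
    history entry whose host matches a block pattern."""
    by_url = {e[1]: e for e in history}
    flagged = []
    for entry in history:
        if is_blocked(host_of(entry[1]), patterns):
            flagged.append({"time": entry[0], "chain": build_chain(entry, by_url)})
    return flagged


def hosts_to_review(flagged):
    """Hosts after the first hop of each flagged chain: the first hop is usually
    the legitimate site the user meant to visit, the rest are block-list candidates."""
    hosts = set()
    for f in flagged:
        for url in f["chain"][1:]:
            hosts.add(host_of(url))
    return sorted(hosts)


if __name__ == "__main__":
    hits = flag_redirect_chains(SAMPLE_HISTORY)
    for h in hits:
        print(h["time"], " -> ".join(h["chain"]))
    print("review for blocking:", hosts_to_review(hits))
```

The first hop of each chain is deliberately excluded from the review list: blocking the news site the user legitimately opened would not stop the redirect, whereas the ad host and the landing domain are the ones worth adding to the proxy or DNS block list. Blocking an entire extension such as *.cc is a blunt control, so the chain output also helps justify narrower entries where a whole TLD block is not acceptable.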