Rogue malware now calling itself "AVG"!!!

Discussion in 'The Lounge' started by dlb, Feb 7, 2011.

  1. dlb

    dlb MajorGeek

    I am working on a PC infected with a rogue, but I didn't realize it was rogue at first (a "rogue" is a fake anti-virus or fake system optimizer program; they are designed to trick/scare the user into giving up a credit card number to "fix" the "problems" being reported by the rogue; the problems don't really exist). At first I thought it was a legit install of the trial version of the paid AVG full anti-virus. This rogue is called "AVG Antivirus 2011" and looks exactly like the real AVG. It has the same colored box logo. However, the easiest way to tell if it's real or not is to check your "Program Files\AVG" folder. A legit install will have numerous files and folders, the rogue will only have a single file: "avg.exe", and in Vista/Win7, the Windows UAC will try to block it. I tried to grab a screen shot to post, but the rogue blocked almost everything I was trying to do. I did find a short blurb about this on the web: http://www.spamfighter.com/FakeXPA-...VG-Antivirus-2011-Reports-MMPC-15745-News.htm, but no screen shots. I have seen many, MANY rogues in my time, but I think this is the first to completely 100% steal a legit program's identity, name, logo, and everything (the first one I've personally dealt with). Crazy.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I think BleepingComputer reported this a week or so ago. Hope you were able to remove it.
     
  3. dlb

    dlb MajorGeek

    Oh yeah - I've become pretty adept at removing these rogues via PE. This at least "pulls the stinger out of the bee" so I can then reboot to the desktop and work normally, run scans, etc. Plus the UBCD4Win has remote registry access so I can edit the reg w/o having to be in the infected Windows environment. Also, I really like "TDSSkiller" from Kaspersky which works GREAT at removing orphaned evil files that some of the other scanners either miss or they say it's been quarantined/removed but it comes back; TDSSkiller gets it.
     
  4. dlb

    dlb MajorGeek

    I just found that this virus also drops a file in C:\Windows\System32 with the AVG colored box logo. The file is called iesafemode.exe, and in this scenario it was dated the day after the rogue avg.exe that I found in C:\Program Files\AVG Antivirus 2011.
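The two indicators dlb describes in this thread, turned into a triage script a tech could run from a clean session (added example, not dlb's own procedure or anything from AVG): it lists every AVG* folder under Program Files, flags one that holds nothing but avg.exe, and reports a dropped iesafemode.exe in System32 with its timestamps. The folder and file names come from the posts; the Authenticode signature report is an extra verification step assumed here, not mentioned in the thread.

```powershell
# Added example: triage the rogue "AVG Antivirus 2011" indicators from the thread.
# Assumes default install roots; both Program Files roots are checked on x64.
$ProgramRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Test-SuspiciousAvgFolder {
    param([string]$Path)
    # A legitimate AVG install has many files and subfolders;
    # the rogue described in the thread has a single avg.exe.
    $items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    $files = @($items | Where-Object { -not $_.PSIsContainer })
    [pscustomobject]@{
        Folder     = $Path
        FileCount  = $files.Count
        OnlyAvgExe = ($files.Count -eq 1 -and $files[0].Name -ieq 'avg.exe')
        Sample     = (($files | Select-Object -First 5 | ForEach-Object Name) -join ', ')
    }
}

foreach ($root in $ProgramRoots) {
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'AVG*' } |
        ForEach-Object { Test-SuspiciousAvgFolder -Path $_.FullName } |
        Format-Table -AutoSize
}

# Second indicator from the thread: iesafemode.exe dropped in System32.
# dlb noted it was dated the day after avg.exe, so both timestamps are shown.
$dropped = Join-Path $env:SystemRoot 'System32\iesafemode.exe'
if (Test-Path -LiteralPath $dropped) {
    $f = Get-Item -LiteralPath $dropped -Force
    Write-Warning "Found $dropped (created $($f.CreationTime), modified $($f.LastWriteTime))"
    # Added check: a vendor binary normally carries a valid Authenticode
    # signature; report status and signer so the analyst can compare.
    Get-AuthenticodeSignature -FilePath $dropped |
        Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
} else {
    Write-Output "No iesafemode.exe in System32."
}
```

Run it from an elevated prompt so Program Files and System32 are fully readable; a folder row with OnlyAvgExe = True matches the single-file layout dlb describes.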
     
