On Access Scanner - MS Removal Tool

Hi,

I am a reseller for MB and yesterday I fixed a PC which was infected with the 'MS Removal Tool' malware (which was already active, with its fake scanner and process blocker running in Windows XP normal mode). However, I was interested to know how the file got onto my client's PC, since it was running MB Pro (database 6350) at the time.

When I scanned it with MB in "safe mode" (with database 6350) the .exe and registry key value were not detected, I therefore found the infected key and file manually and removed the threat. In subsequent testing I noticed that database 6351 does in fact detect the threat.

Q1. Was this a new threat that got on the PC ahead of your database 6350?

Q2. Now that database protects against this malware, will the on-access scanner (in MB Pro) stop the file/code downloading onto the PC?

I was testing the system out subsequently, by copying the folder with the infected .exe file back onto the PC (now running database 6351), and the file happily got copied to the hard drive. When I opened the folder, MB seemed to flag the infection when I hovered over the .exe with the mouse.

Q3. Is this the way the on access scanner works, i.e. an infection can be copied but not executed?

I have the infected .exe if you want to inspect it, let me know.

Look forward to your answers and gaining more knowledge on how things really work.

Regards

Mike


Greetings :)

Q1. Was this a new threat that got on the PC ahead of your database 6350?

Correct, it was a new variant that we didn't have detection for yet.

Q2. Now that database protects against this malware, will the on-access scanner (in MB Pro) stop the file/code downloading onto the PC?

It would have blocked the threat as soon as the threat attempted to execute.

I was testing the system out subsequently, by copying the folder with the infected .exe file back onto the PC (now running database 6351), and the file happily got copied to the hard drive. When I opened the folder, MB seemed to flag the infection when I hovered over the .exe with the mouse.

Q3. Is this the way the on access scanner works, i.e. an infection can be copied but not executed?

Yes, that is correct. The reason is that anti-virus software scans files as they are downloaded/copied, and if we tried to do the same at the same time, it would degrade system performance and likely cause conflicts and freezing. So we wait until an item attempts to execute and then check it; if it is in our database, it gets detected before it actually enters memory.

Hi Samuel,

Many thanks for your prompt, clear answers.

Two final questions related to this "MS Removal Tool" .exe infection, which probably relates to other similar 'rogues':

Q1. Could this infection have copied itself to the PC without user input, e.g. by browsing an infected website?

Q2. Could it have also executed itself, even if only to the extent of adding the registry value in the 'Run once' Windows key, without user input?

I only ask because when I returned the PC and asked the client, he said he didn't click on any attachment or knowingly download any .exe before the 'MS Removal Tool' fake scanner first appeared. Perhaps you could also point me to technical references on how certain infections get onto PCs, so that I can gain more knowledge in this area?

Many thanks

Mike


Q1. Could this infection have copied itself to the PC without user input, e.g. by browsing an infected website?
Potentially yes, but this one in particular I believe shows up when you browse to an infected website and then agree to run a file that it tries to load on your system (it needs permission to download and run the file), though sometimes these rogues do come on board with other malware that is more crafty and gets around that.
Q2. Could it have also executed itself, even if only to the extent of adding the registry value in the 'Run once' Windows key, without user input?
Again, not likely, I've played with this rogue myself, it downloads a file to the system and tries to run the file, but allowing the download and running the file are actually up to the user in most cases. The installer that it downloads creates the RunOnce reg entry and the file for the infection itself, in a temp location as I recall.

Here is a good general reference to what is called a drive-by download, which is when an infection downloads itself without any user knowledge or input. This can be done by many methods, such as malicious scripts etc., which was likely the case for your client. They likely visited an infected page that exploited some scripting vulnerability in their system or internet browser, so the file was able to download and execute without the user's knowledge or permission.

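The reply above describes the persistence pattern (a RunOnce value pointing at an installer dropped in a temp folder), and the first post describes finding that key and file by hand. The script below is an added example, not code from the thread or from Malwarebytes: it parses a `reg export` of the Run/RunOnce keys and flags any value whose launched program lives in a temp-style directory. The registry text is constructed for illustration; the "RogueSample" name and path are invented placeholders, not a real indicator.

```python
"""Flag Run / RunOnce autostart values that launch from temp locations.

Input is the text produced by, e.g.:
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" out.reg
The sample below is constructed; the RogueSample entry is a made-up
imitation of an installer registered from a temp folder.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RogueSample"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\RogueSample\\setup.exe"
"Cleanup"="C:\\WINDOWS\\system32\\cmd.exe /c del C:\\old.log"
"Hex"=hex(2):43,00,00,00
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"=data  or  @=data (default value); data may be "..." or hex(...)/dword:
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# Quoted program path, or unquoted text up to the first executable extension
EXE_RE = re.compile(
    r'^\s*"([^"]+)"|^\s*(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?=\s|$)', re.I)

# Directory fragments (lower-cased, backslash-delimited) a legitimate
# autostart entry should not normally launch from.
SUSPECT_DIRS = ('\\temp\\', '\\tmp\\', '\\temporary internet files\\',
                '\\recycler\\')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return [(key, value_name, string_data)] for REG_SZ values only.

    hex(...)/dword: data is skipped: autorun commands are string values.
    """
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if not (data.startswith('"') and data.endswith('"')):
            continue
        entries.append((key, name, _unescape(data[1:-1])))
    return entries


def command_target(command):
    """Return the program a Run/RunOnce command launches (arguments dropped)."""
    m = EXE_RE.match(command)
    if not m:
        return command.strip()
    return (m.group(1) or m.group(2)).strip()


def flag_autoruns(reg_text):
    """Return findings for Run/RunOnce values whose program sits in a temp dir."""
    findings = []
    for key, name, command in parse_reg(reg_text):
        if not key.lower().endswith(('\\run', '\\runonce')):
            continue
        target = command_target(command)
        hits = [d for d in SUSPECT_DIRS if d in target.lower()]
        if hits:
            findings.append({'key': key, 'name': name, 'target': target,
                             'reason': 'launches from ' + hits[0].strip('\\')})
    return findings


if __name__ == '__main__':
    for f in flag_autoruns(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['target']} ({f['reason']})")
```

Run it against the export taken from a suspect machine (booted to safe mode, as in the first post). A hit is a lead, not proof: legitimate installers also use RunOnce from temp folders, so inspect the file before deleting the value. The Run key is included alongside RunOnce because later variants of the same rogue family may persist there instead.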

Hi Samuel,

Again, many thanks for answering my questions and giving the link. I guess the customer may have clicked a file without knowing, perhaps not wanting to admit it! Either way the system is now clean.

I did post a detailed removal method for someone else on the MB forum, link below, in order to be helpful. I hope this was OK, please advise if it was in the wrong forum area.

http://forums.malwarebytes.org/index.php?showtopic=81797

Thanks again

Mike


It's possible, but like I said, sometimes these buggers do use more clever tactics, so it's possible the user did nothing but visit an infected site.

As for the tutorial/instructions you provided, generally we only allow such advice to be posted here by members of these groups, who are specially trained in malware removal (generally requires attending one of the schools listed in the first post). That being said, the advice you gave was accurate and not too difficult for a fairly novice user to follow, so I chose not to make a big deal out of it, but please do refrain from doing so in the future so that if something unforeseen goes wrong, the user isn't left with a computer that won't run etc.

Thanks :)


Hi Samuel,

Thanks for the links and sorry for posting those instructions, I was honestly only trying to give something back, having taken such advice in the past. However, I fully understand your policy, it does make sense. I will look into taking a training class in the near future as it will be great experience as well as allow me to post help officially.

All the best.

Mike


No problem, like I said, in that particular case it wasn't really that big a deal, it's just something that we don't want to encourage. Thank you for trying to help though, and I think it would be great if you joined one of the schools, no matter how much you know, you'll still learn a lot from them :).
