AntiVirus 2010 – MALWARE

So, I’ve been hearing more and more buzz about this malware floating around on the internet like a piece of shit that won’t flush called AntiVirus 2010. I often recommend, even for tech geeks, to run some sort of AV to avoid worm related items, etc though the last few years I think that message is more or less out there. Lately, my latest kick for AV is that of MSE or Microsoft Security Essentials. I am curious to see this evening, or soon, that if this will actually prevent this software from installing as it can be a bit fucking nasty when it comes to the removal of it.

A personal favorite, Malwarebytes, seems to be completely thwarted by this floater. It will remove parts of it, but not the entire thing. I did find this great mark-up of where AV2010 goes and what it touches here.  One big portion of this is the domain list that it uses to connect on(received from the above link):

best-online-antivirus-scanner.info
av2010pro.com
av1-scanner.info
av1-download.info
download-antivirus2010.info
cleanyourpc-now.info

My main point of curiosity on these items is whether a simple entry into the hosts file redirecting these domains to 127.0.0.1 can be used to help thwart troubleshooting this in normal mode.  I will conduct a few tests as soon as I can in the next few days and see where I get with this.  I am betting that it will work just fine, as those domains try to load, it will simply redirect to local host and not load anything.

A simple test of attempting to just browse to these domains will show only the last 2 resolve to anything useful, typical of malware and 1 landing page.  Now this might be because of AdBlock Plus(FireFox plugin) but I did not see anything in its giant list pertaining to those domains above. So the block, if one, may be an element trying to be loaded on the page – we’ll see on later tests.

Bottom line thus far this site seems to be the best path to get this thing removed.

UPDATE:

But wait! There’s more! So, from my initial poll of folks(Thanks Sean!(Give him money, damnit!!!)), it does look like there is a variant on this as well which is Home AntiVirus 2010. Fantastic! This now totals 9 domains used to redirect:

homeantivirus2010.com
homeantivirus-2010.com
home-antivirus-2010.com

Plus the above 6:

best-online-antivirus-scanner.info
av2010pro.com
av1-scanner.info
av1-download.info
download-antivirus2010.info
cleanyourpc-now.info

Simple redirects on firewalls, ‘rogue’ DNS entries, host file redirects etc should do the trick in disallowing this from getting populated onto machines. This is under the very strong impression that those are the only domains used to get this data and these aren’t mirrored somewhere else.

I would say the easiest way to circumvent this on our parents PCs would be a hosts file entry:

Path: %WINDIR%System32driversetchosts

Modification:

homeantivirus2010.com    127.0.0.1
homeantivirus-2010.com    127.0.0.1
home-antivirus-2010.com    127.0.0.1
best-online-antivirus-scanner.info    127.0.0.1
av2010pro.com    127.0.0.1
av1-scanner.info    127.0.0.1
av1-download.info    127.0.0.1
download-antivirus2010.info    127.0.0.1
cleanyourpc-now.info    127.0.0.1

This redirect can be to google.com and does not have to be to the localhost. This entry can also be made in most firewalls as mentioned above. The biggest issue of it all is our major providers of AV and Malware protection are not actually taking care of the problem by denying the software from installing.  Thinking back they haven’t really been protecting machines of this. I am not sure if we can consider these products malware protection.

I will leave rants for anther post oh and more as it comes….

UPDATE 2: Looks like I’ll be getting a copy of this file to do some testing… finally!

Peace.