The AVE.EXE Internet Security virus - still running wild!

Deanodarlo

Senior member
Dec 14, 2000
680
0
76
I had to remove this from one of my friend's Vista computers and it was a pain (takes over EXE file calls, wasn't recognised by anti-virus and Malwarebytes, had registry hooks to relaunch, placed a security centre icon in the taskbar etc.) but I thought "oh he must have clicked on something or done something stupid" as I've never caught a virus in Firefox by just surfing.

Well, today I visited some random website from Google and a Java runtime splash screen popped up - without clicking a single thing! Straight away I thought "Oh No" and sure enough a package had been delivered into my Docs/App Data and Local Settings folders as I was terminating the browser.

Luckily, I surf in limited account mode with a Defense+ HIPS system, which meant it couldn't do anything to my registry. I simply checked my Defense+ and Firewall logs to find the offending files, then removed them. Also did a search for any modified/created files at that exact time of infection, and removed those (some files with random names and the actual AVE.EXE).

Also I knew where to look, as I've dealt with it in the past. All cleaned up. :) This happened in a split second - I reacted the moment I saw the splash screen so those without things like NoScript, HIPS etc. would be screwed.

Now here is the interesting part. Virus checker missed this file again! Plus it can still install, after all these months, using a fly-by method past the latest Firefox (without NoScript) and the latest Java runtime I have installed for OpenOffice.

I'm seriously considering removing Java runtime, I'm not sure without it if Firefox would have done any better but it seems like an attack vector when linked to a browser. Worrying that this virus, when on a compromised website, can install and run so easily!

Be warned! It's a nasty little thing, and seems very widespread!
 
Last edited:
May 13, 2009
12,333
612
126
Why are the antivirus companies not catching this thing? What did you do to clean this thing up on the infected computer?
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
I'm seriously considering removing Java runtime, I'm not sure without it if Firefox would have done any better but it seems like an attack vector when linked to a browser. Worrying that this virus, when on a compromised website, can install and run so easily!

1) Definitely uninstall JRE and any other software you don't have an actual need for.

2) Check the remaining software with the Secunia PSI utility to ensure it's patched. http://secunia.com/vulnerability_scanning/personal You sound security-aware, so you may have already done that :)

3) On Vista or Win7, enable SEHOP using the FixIt on this page: http://support.microsoft.com/kb/956607

4) And of course, enable DEP completely, if you didn't already do so: http://www.mechbgon.com/build/enable_DEP.gif


Another option in the HIPS/execution-prevention vein: enable a disallowed-by-default Software Restriction Policy; or for the Home variants of Win7 or Vista that cannot use SRP, enable Parental Controls and only permit your existing programs to execute.
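A read-only audit of the three mitigations above (DEP policy, SEHOP, and the SRP default level), added here as an example rather than anything posted in the thread; it assumes the documented registry locations for SEHOP and SRP and only reports, never changes, settings.

```powershell
# Added example, not code from the thread: a read-only audit of the mitigations
# in steps 3 and 4 and the SRP suggestion. Run from an elevated PowerShell prompt
# (bcdedit needs it); nothing here changes any setting.

function Get-DepPolicy {
    # bcdedit prints a line such as "nx  OptIn"; "AlwaysOn" is DEP "enabled completely".
    $line = & bcdedit /enum '{current}' | Where-Object { $_ -match '^\s*nx\s+\S+' } | Select-Object -First 1
    if ($line -and $line -match '^\s*nx\s+(\S+)') { return $Matches[1] }
    return 'OptIn (no nx entry, Windows default)'
}

function Get-SehopState {
    # The KB956607 FixIt sets DisableExceptionChainValidation = 0 under this key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    if ($null -eq $v) { return 'Not configured (off by default on Vista/Win7 clients)' }
    if ($v -eq 0)     { return 'Enabled' }
    return 'Disabled'
}

function Get-SrpDefaultLevel {
    # Software Restriction Policy default security level, as written by secpol.msc / gpedit.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $v)   { return 'No SRP configured' }
    if ($v -eq 0)       { return 'Disallowed by default (the recommended setting)' }
    if ($v -eq 0x20000) { return 'Basic User' }
    if ($v -eq 0x40000) { return 'Unrestricted (SRP present but not restricting)' }
    return "Unknown level 0x$($v.ToString('X'))"
}

$report = New-Object PSObject -Property @{
    DEP   = Get-DepPolicy
    SEHOP = Get-SehopState
    SRP   = Get-SrpDefaultLevel
}
$report | Format-List DEP, SEHOP, SRP
```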
 

Deanodarlo

Senior member
Dec 14, 2000
680
0
76
Thanks for the advice mechBgon. Very useful.

Stormside, that link didn't work but I imagine it's this exploit: http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

Same again: http://secunia.com/blog/95

What I've done is remove any link Java runtime has to browsers in its settings, uninstalling any Java plugins too, so it's only used for OpenOffice now. I can't think of any site that uses it, except ironically online virus scanners!

OILFIELDTRASH, if you search Google, there are many instructions on how to get rid of it, but a few months ago it was pretty hard to find easy removal info. On my machine it was easy, as I was in a limited account and had a HIPS system to protect the registry, plus I removed any files created at the same time as the attack as shown from my security logs. No registry damage occurred.

On my friend's Vista machine, it was quite long-winded and took a bit of research as I couldn't find an auto removal tool. I had to boot into safe mode and run a program that kills all startup programs called rkill.exe (this AVE.EXE virus takes over program shortcuts so you can't run things like Malwarebytes or antivirus software through filetypes in the registry), then a script to return control of executable files to the OS.

Finally I booted into Vista and removed AVE.EXE (or AV.EXE) from the registry manually and from the hard drive. I also searched for files created at the same time as AVE.EXE and removed those (randomly named files, probably Java temp files used as the dropper programs for AVE). I had to do this manually as Malwarebytes and some others detected nothing. That variant may have been added since.

It's a right pain, and could be more sinister if it chose to be. It must be easy to change its signature, or it does so automatically, as virus and malware scanners keep missing it.
 
Last edited:
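A read-only triage script for the three things Deanodarlo checked during cleanup (the EXE file-type handler, the Run keys that relaunch the malware, and files created in the profile folders around the time of infection), added here as an example and not posted by anyone in the thread; the infection timestamp and window are assumed placeholders.

```powershell
# Added example, not code from the thread: read-only checks for the three things
# Deanodarlo looked at. $InfectionTime is an assumed placeholder; use the time
# your HIPS/firewall log shows. Nothing here deletes or modifies anything.
$InfectionTime = Get-Date '2010-04-10 14:32:00'
$WindowMinutes = 2

function Get-ExeHandlerCommand {
    # Per-user HKCU\Software\Classes overrides HKCR; a clean handler is "%1" %*.
    # An EXE-association hijack points one of these at the malware instead.
    $paths = 'HKCU:\Software\Classes\exefile\shell\open\command',
             'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    foreach ($p in $paths) {
        $cmd = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'(default)'
        if ($null -eq $cmd) { continue }
        New-Object PSObject -Property @{ Key = $p; Command = $cmd; LooksClean = ($cmd -eq '"%1" %*') }
    }
}

function Get-RunKeyEntries {
    # Autostart hooks of the kind the thread says relaunch the malware after reboot.
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those provider fields.
            if ($prop.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                New-Object PSObject -Property @{ Key = $p; Name = $prop.Name; Value = $prop.Value }
            }
        }
    }
}

function Get-FilesCreatedNear {
    param([datetime]$When, [int]$Minutes, [string[]]$Roots)
    # Files created within +/- $Minutes of the infection time under the profile folders the post names.
    $from = $When.AddMinutes(-$Minutes); $to = $When.AddMinutes($Minutes)
    Get-ChildItem -Path $Roots -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $from -and $_.CreationTime -le $to } |
        Select-Object FullName, CreationTime, Length
}

$roots = $env:APPDATA, $env:LOCALAPPDATA, (Join-Path $env:USERPROFILE 'Documents')
Get-ExeHandlerCommand | Format-Table Key, Command, LooksClean -AutoSize
Get-RunKeyEntries     | Format-Table Key, Name, Value -AutoSize
Get-FilesCreatedNear -When $InfectionTime -Minutes $WindowMinutes -Roots $roots | Format-Table -AutoSize
```

A handler that is not "%1" %*, an unfamiliar Run entry, or a randomly named file in the window are leads to investigate, not proof of infection on their own.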

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Thanks for the advice mechBgon. Very useful.

Stormside, that link didn't work but I imagine it's this exploit: http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

Same again: http://secunia.com/blog/95

What I've done is remove any link Java runtime has to browsers in its settings, uninstalling any Java plugins too, so it's only used for OpenOffice now. I can't think of any site that uses it, except ironically online virus scanners!

OILFIELDTRASH, if you search Google, there are many instructions on how to get rid of it, but a few months ago it was pretty hard to find easy removal info. On my machine it was easy, as I was in a limited account and had a HIPS system to protect the registry, plus I removed any files created at the same time as the attack as shown from my security logs. No registry damage occurred.

On my friend's Vista machine, it was quite long-winded and took a bit of research as I couldn't find an auto removal tool. I had to boot into safe mode and run a program that kills all startup programs called rkill.exe (this AVE.EXE virus takes over program shortcuts so you can't run things like Malwarebytes or antivirus software through filetypes in the registry), then a script to return control of executable files to the OS.

Finally I booted into Vista and removed AVE.EXE (or AV.EXE) from the registry manually and from the hard drive. I also searched for files created at the same time as AVE.EXE and removed those (randomly named files, probably Java temp files used as the dropper programs for AVE). I had to do this manually as Malwarebytes and some others detected nothing. That variant may have been added since.

It's a right pain, and could be more sinister if it chose to be. It must be easy to change its signature, or it does so automatically, as virus and malware scanners keep missing it.

From the description, I believe it's the same stuff we had going on here at AnandTech a couple weeks ago. Internet Explorer 8 was stopping the initial attack at this phase, thanks to Protected Mode:

[Image: capture_attack.png - screenshot of Internet Explorer 8 Protected Mode stopping the attack]


If you prefer Firefox, running it in a sandbox like Sandboxie would help. If you want Protected Mode on IE, remember that it requires UAC to be enabled.
 
Last edited:

Deanodarlo

Senior member
Dec 14, 2000
680
0
76
Just heard - Java has been updated today to combat this exploit. They've repaired many recently - don't trust it anywhere near my browsers at the moment!
 

jkroeder

Member
Dec 7, 2009
165
0
71
Why are the antivirus companies not catching this thing? What did you do to clean this thing up on the infected computer?

This is why I don't trust anti-virus programs or anything that relies on signatures as the only means of security. You get much more reliable protection in the form of sandboxes, whether by virtualization or policy.