XP AntiVirus 2008/2009
jfilson
10-09-2008, 02:30 PM
I have two customers with Untangle boxes and they have workstations that have gotten infected with the infamous "XP AntiVirus 2009" spyware. Anyone know of anyway to block this with Untangle?
sky-knight
10-09-2008, 02:48 PM
Welcome to the forums..
The installers are detected on download.
That does nothing for an active infection, so you still have to clean the boxes.
jfilson
10-09-2008, 03:03 PM
We placed Untangle in this customer environment two weeks ago and a workstation became infected today.....
oztec
10-09-2008, 05:36 PM
I've found the best removal tool for this is Malwarebytes Anti-Malware.
Works every time for this particular threat.
It's very possible that the virus has come in via someone's USB flash drive or the like?
securityguy
10-09-2008, 07:09 PM
We placed Untangle in this customer environment two weeks ago and a workstation became infected today.....
Are you running Clam or Kaspersky? I would run Kaspersky locally on the infected machines to clean them. A gateway AV is a great idea, but you still need local AV.
For Windows, Kaspersky is arguably the best AV. There is another good one out there, but ones like Norton, McAfee etc. are total garbage.
Agreed. You know the cooties got there, but you don't know how. It could always have come in with a USB drive.
bratsadtar
10-10-2008, 09:18 AM
Actually, there is a new form of this injection, hitting emails. The emails are saying in the subject, something like Milan cannot afford Ronaldinho, with a link to a news report.
However, if the victim clicks on the link they will be taken to a page with a message encouraging them to install a Flash Player to watch a video with the information. And, that is what loads XP Antivirus 2008. Does Untangle stop this new form yet???
Not certain.
But, now you have more information to look for to see if this is how the infection came in.
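As an added illustration (not from this thread, and not Untangle's own code), the following script runs simple detection logic over constructed proxy-log lines for the lure just described: an executable advertised as a "Flash Player" served from a host that is not the vendor's, or a download whose filename advertises a rogue antivirus. The log layout, the trusted-host allowlist and the keyword lists are assumptions for the example.

```python
"""Flag proxy-log downloads matching the lure in this thread: a fake
'Flash Player' installer from a non-vendor host, or an executable whose
name advertises a rogue antivirus product."""
import re
from urllib.parse import urlparse

# Constructed sample lines (not real traffic) in an assumed Squid-style
# layout: "<epoch> <client_ip> <method> <url> <status> <content-type>".
SAMPLE_LOG = """\
1223664000.123 10.0.0.12 GET http://news.example.net/milan-ronaldinho 200 text/html
1223664003.456 10.0.0.12 GET http://video-codec.example.org/flash_player_update.exe 200 application/octet-stream
1223664010.789 10.0.0.15 GET http://get.adobe.com/flashplayer/install_flash_player.exe 200 application/octet-stream
1223664020.001 10.0.0.20 GET http://cdn.example.com/XPAntivirus2009_setup.exe 200 application/x-msdownload
1223664030.500 10.0.0.20 GET http://cdn.example.com/logo.png 200 image/png
"""

# Example allowlist of hosts that legitimately serve the Flash installer (assumption).
TRUSTED_FLASH_HOSTS = {"get.adobe.com", "fpdownload.adobe.com"}
EXECUTABLE_EXT = re.compile(r"\.(exe|msi|scr|com)$", re.IGNORECASE)
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}
LURE_WORDS = re.compile(r"flash|codec|player", re.IGNORECASE)
ROGUE_AV_WORDS = re.compile(r"antivirus|anti-virus", re.IGNORECASE)


def flag_downloads(log_text):
    """Return (client_ip, url, reason) for each suspicious executable download."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url, _status, ctype = parts
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        is_exe = bool(EXECUTABLE_EXT.search(filename)) or ctype in EXECUTABLE_TYPES
        if not is_exe:
            continue  # only executable payloads are of interest here
        if LURE_WORDS.search(filename) and parsed.hostname not in TRUSTED_FLASH_HOSTS:
            hits.append((client, url, "installer lure from non-vendor host"))
        elif ROGUE_AV_WORDS.search(filename):
            hits.append((client, url, "executable named like a rogue antivirus"))
    return hits


if __name__ == "__main__":
    for client, url, reason in flag_downloads(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{url}")
```

The legitimate installer from the allowlisted vendor host is deliberately not flagged, which is the distinction a gateway filter has to make.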
Evil_Bert
10-10-2008, 09:54 AM
I got the same "XP Antivirus 2009" infection about a month ago by drive-by download (I followed a Google link and *zap* there she was ...). Luckily this was only in a VM - but still behind UT (a stable config I've had for many months now). It definitely came from the web, through UT. This VM is "reset to snapshot" after every use, so the infection could only arrive during a session and there's nothing else this VM communicates with - it's a "browser appliance".
:twocents:
securityguy
10-10-2008, 04:01 PM
Since you know you got it from the web this means UT failed to detect and remove it. Quite disappointing.
datdamnmachine
10-10-2008, 06:11 PM
Not really disappointing. That's just the nature of security appliances and applications. The malicious code writers are almost always one step ahead in coming out with new ways to infect computers. One way to combat that is to submit samples of new infections as well as the links they came from. This allows the security application developers to narrow the time frame from new, undetected threat to new, detected threat.
Send the information to the Untangle crew as well so they can close the holes.
securityguy
10-10-2008, 06:18 PM
Not really disappointing. That's just the nature of security appliances and applications. The malicious code writers are almost always one step ahead in coming out with new ways to infect computers. One way to combat that is to submit samples of new infections as well as the links they came from. This allows the security application developers to narrow the time frame from new, undetected threat to new, detected threat.
Send the information to the Untangle crew as well so they can close the holes.
Actually it is very disappointing, assuming that the person who became infected recently also became infected through the net past the UT box. I am well aware of the AV community and speeds of new definitions. If this virus was around a month ago, the virus engine of Clam or Kaspersky would be updated to detect it by now. Could there be a variant of it that wasn't detected? Possible. But Kaspersky updates its definitions up to once an hour. Either way, this doesn't sound like a hyper-morphed-super-sneaky-need-high-end-heuristics-to-catch virus.
bratsadtar
10-10-2008, 08:17 PM
Actually it is very disappointing, assuming that the person who became infected recently also became infected through the net past the UT box. I am well aware of the AV community and speeds of new definitions. If this virus was around a month ago, the virus engine of Clam or Kaspersky would be updated to detect it by now. Could there be a variant of it that wasn't detected? Possible. But Kaspersky updates its definitions up to once an hour. Either way, this doesn't sound like a hyper-morphed-super-sneaky-need-high-end-heuristics-to-catch virus.
Yes, it is indeed, a new variant.
securityguy
10-10-2008, 08:49 PM
Yes, it is indeed, a new variant.
All the more reason to use Kaspersky. Fast updates.
Wesley
10-24-2008, 03:50 PM
Thanks to Untangle my network has remained clean and stable. My only problem is the customers using foreign flash drives, which sometimes bring in different types of virus, which are generally picked up by the local PCs' AV app.
umop apisdn
10-24-2008, 05:19 PM
When I first installed Untangle into a VM, and used an XP VM for testing, I actually specifically hunted that one down. UT never blocked it. I haven't tried it lately, but I think maybe I will and see what my results are..
YeOldeStonecat
10-29-2008, 10:16 AM
This malware is based on a continuously updated trojan family, which is VERY aggressively updated with as much as SEVERAL new variants being released each day! Seriously...4, 5, even 6 new variants are sometimes released each day.
ZLOB, of which many variants are based on Smitfraud/Virtumonde (many different spellings and nicknames, such as Vundo/Vundu).
The best of the best of antivirus programs....AntiVir, NOD32, Kaspersky....the new ZLob variants keep ahead of them frequently.
There are soooooo many variants out there, Untangle has most likely stopped quite a few of them from hitting the computers behind it..but just like with the antivirus products themselves...sometimes you will come across a new variant that your antivirus definitions do not have the info on..and you'll get zapped. Even if you have the optional Kaspersky engine in your Untangle rack.
So....you can't really say "Untangle didn't stop it for me"..or "Untangle stopped it for me"...because which of the hundreds (if not thousands) of ZLob variants are you specifically talking about?
YeOldeStonecat
10-29-2008, 10:19 AM
Removing it....we're using a shotgun approach.
CCleaner first to clear temp files.
SuperAntispyware (free)
Spybot Search and Destroy..update, immunize too (free)
MalwareBytes (free)
AntiVir free edition antivirus
TCP/Winsock repair utility.
The above clear up over 90% of the infected PCs. Most of our clients have NOD32 installed locally, which often blocks most of the trojan from fully installing, so a few quick scans with the above tools and PC is healthy again.
The worst of the worst infections...the big hammer..."SDFix.exe"...which is a special tool that targets this trojan. Google it and download it from BleepingComputer.
The same is said for spyware and malware. People have gotten smarter by the day, so now they disguise the DNA to get past defenses. That is why it is important to constantly keep definitions up to date, and also to post these attacks so that developers can be aware, and hence come up with ways to counteract. I tell my clients all the time when they complain about them still getting spam or a virus "there is no foolproof way to stop every virus or piece of spam from getting through"; all we can do is keep trying to find ways to stop or prevent the ones that got in from coming back (that is, until they find another way to get past). Just my 1 1/2 pennies.
JGrubbs
11-24-2008, 03:15 PM
We have had three systems infected with this Antivirus 2009 in the past month, all are behind Untangle. I went to MSN.COM the other day, and it tried to load on my computer. I am guessing it was through one of their third-party ads that had the virus embedded in the Flash. What are some things we can try to make sure this is blocked via Untangle?
sky-knight
11-24-2008, 04:58 PM
I saw it last week as well. Eset on the desktop stopped it cold.
jfish
12-08-2008, 09:44 PM
We have had three systems infected with this Antivirus 2009 in the past month, all are behind Untangle. I went to MSN.COM the other day, and it tried to load on my computer. I am guessing it was through one of their third-party ads that had the virus embedded in the Flash. What are some things we can try to make sure this is blocked via Untangle?
Another good thing is to educate the users. We've had a few users who actually got the download page. But since we sent out info about a bogus anti-virus, they informed us and saved a few hours cleaning their system. :worship: I'm proud of these users, I would have thought they were the first ones who were gonna get it. lol
hescominsoon
12-10-2008, 06:55 PM
The XP antivirus leverages the flawed designs of IE for most of its infections. My residential clients are on AVG Free and FF and none of them have contracted this malware. My business clients who cling to IE I have to run Astaro (have not tested the 6.0 Untangle yet) with Trend Micro on the desktops. That's stopped XP A/V dead cold (nothing's gotten past the Astaro boxes..<G>..but I have seen XP A/V try to come in on flash drives..hence the Trend).
mac388
12-11-2008, 02:14 AM
If AVG, or any other anti-virus package, does not fix the problem, try Avast Free or Pro; this works a treat.
hescominsoon
12-11-2008, 05:40 AM
There's only two ways to really fix a system with this malware..take the hard disk out of the machine and hook it up to another one and run your A/V off another system that's NOT infected, or reformat. Since some variants of XP (and other trojans) also have rootkits, there's no way you can really clean the system. Once a system is rooted there's no way you can be sure it's actually cleaned anymore.