Ask Leo! by Leo A. Notenboom

How can an infection like Antivirus XP 2008 happen?

Comments

Avast Home edition (free) has a web scanner that checks content in real time as the webpage loads. It doesn't try to judge the website itself as good or bad but it tries to make sure that nothing bad gets executed as a result of viewing the website.

But any anti-virus can only be as good as its virus definitions. I have put mine on automatic update. Avast updates several times a day.

Posted by: novice at August 28, 2008 12:39 PM

It is not enough to have a good, up-to-date anti-virus; one must also have an anti-spyware program. I prefer Spybot Search & Destroy because of its ability to block known spyware/adware and its user-friendliness.

Posted by: Steve Myers at August 29, 2008 9:28 AM

I'm the person who asked this question. Without trying to start a flame war over which antivirus, or antispyware, or firewall is the best, let me just say that my combination of Computer Associates Antivirus, Microsoft Windows Defender, and ZoneAlarm Firewall have served me well. I've used this combination ever since Defender was still being called Microsoft AntiSpyware and CA Antivirus was called eTrust EZ Antivirus back in 2005. In fact, if you check a previous Ask-Leo article (Article 12056 | posted December 1, 2007 | How do I pick the right tools to protect my system?), he validated my use of CA AV and Defender as the same products he uses.

Be that as it may, Leo's response (for which I thank him) raises another question: "...always make sure that all anti-malware software is updating its database regularly..." In the case of CA AV, it updates at least once every 8 hours and I always get a pop-up when "latest updates have successfully installed". If I open the CA AV it always says, "Your Anti-Virus is up to date and fully functional. Your computer is protected from the latest virus threats." If I do a manual update I'll get the message "Your security software is up to date."

Windows Defender updates on average twice a day and I always have the latest updates when I visit that update site. So this still leaves the question of "Why didn't my CA AV and/or Windows Defender stop this attack?" I would have expected either product to automatically quarantine the threat until I decided what action to take. The fact that neither product did so and allowed my machine to become infected is troubling.

If anyone has any thoughts please share.

Leo... any additional comments about the lack of quarantine?

Posted by: Mary at August 30, 2008 9:08 AM

And as a follow-up reminder, neither product detected the infection when I ran full scans in Safe Mode. These scans were after the damage had been done; i.e., my desktop wallpaper had been changed to the Antivirus XP 2008 "warning", the Desktop tab had been deleted from the Display dialog box, etc.

Posted by: Mary at August 30, 2008 9:17 AM

Don't feel alone in this scenario.

I run the IT side of things for a restaurant company, and we also run Defender and Windows Firewall, as well as the corporate version of Trend Micro, on every workstation. We have seen this virus slip through all those layers as well as our Exchange AV solution and still infect machines that were locked down, with no program install rights for the users on the machines at the time of infection. Looking at our Exchange logs, I see nothing to indicate that was the source of infection.

We are still not 100% sure how it infected, but I would suspect a scripted website that was hacked or malicious to begin with. Our definitions on Defender and AV are automatically updated, and daily with respect to our AV, so I would beg to differ with Leo's assumption that it was a result of your AV being out of date if you say it was current.

Thankfully it was removed fairly easily and it appears no harm was done, but as Leo has said before, you can never be 100% sure unless you reformat. We will likely do just that with any machine hit that is used for sensitive data and/or networked to the corporate office. But for the few road warriors that never connect to the network, the priority isn't as high for a total wipe and load.

I hope that allays your misgivings a bit.

Posted by: Aaron at August 31, 2008 1:57 PM

In my experience, Spybot Search and Destroy does a good job of removing Antivirus 2008 and Antivirus 2009. I do think, however, that I had to boot in Safe Mode to completely remove the 2009 version.

Posted by: Jason at September 2, 2008 7:34 AM

5 of my company's computers became infected with AntiVirus 2008 on August 12th. We use CA also and it passed through without being detected. I went to the CA site and it only noted that it was a trojan but didn't offer any updates or fixes to remove it.

Posted by: Sue at September 2, 2008 9:24 AM

Thank you for this interesting article, Leo. I have come across this particular infection several times over the last few months, and I could not see an obvious way that it got into the systems. Antivirus programs were up to date in all cases. There is an interesting article that was published recently (UK magazine), "http://www.pcpro.co.uk/features/218199/is-the-virus-threat-real.html?searchString=is+the+virus+threat+real", which explores the current threats.

Posted by: Adam Dunlop at September 2, 2008 9:27 AM

Use Firefox with the "NoScript" add-in. It prevents all scripts from running unless you give them permission to do so.

Posted by: Fred at September 2, 2008 12:18 PM

A couple of weeks back now, I had the same thing happen to me also. Fortunately I knew something was wrong and never downloaded the file. At the time I had up-to-date definitions for Kaspersky AV. I check manually on the hour, every hour. My other bells & whistles never alerted me to it either.

Posted by: Therese G at September 2, 2008 2:59 PM