Quote:
Originally Posted by jrm
once you go to install the fake update, will the anti virus catch it or is it too late.
When you see the prompt for the fake update you're already infected. What happens is a bug in Java or Flash is used to silently install the rootkit. Once the rootkit is up and running, it launches its first payload, which is the fake update thing. It will keep launching that, redirecting your browser, stealing your usernames and passwords, and other fantastic stuff until the rootkit is removed. When I caught it, the antivirus software was catching and preventing the payload launches... but did not recognize the rootkit or see that it was installed and running. Neither did McAfee's rootkit removal util, neither did Kaspersky's TDSSKiller. Combofix did find and remove it.
-E