As you may have heard by now there is a lot of malware around acting as antivirus. A client emailed me and told me that she was infected with “Advanced Virus Remover” and she noticed that when she was using store locator page at acmoore.com, which is an Arts and Crafts store. First I didn’t think that was possible. Usually you get infected from a site that is not known or popular. I had to check it myself, and what do you know, she was right!
McAfee Enterprise edition detects it as Exploit-PDF.q.gen!stream. A pdf file temporary files is detected and deleted. I tried visiting the same link with my netbook which has Microsoft Security Essentials installed, free antivirus software from MS that I am testing, but nothing was detected. Now I am not sure if MSE silently killed the trojan, because if I run Malwarebytes, which is very powerful for removing this kind of crap, didn’t find anything. I even went through the temp files to see if the file is there but couldn’t find it.
I tried another PC with McAfee Antivirus Plus installed (not the enterprise version), and that didn’t detect anything at all. This is what I get when I visit the site:
When this page is loaded it downloads a blank pdf file from this link http://chinghachook.cn/cp/spl/files/info.php and I believe if your Acrobat Reader is not up to date you will get infected.
You are the only one who can know where the virus/trojan is coming from, so don’t ask your IT guy that question. My client knew and she was right.