I had to remove this from one of my friends' Vista computers and it was a pain (takes over EXE file calls, wasn't recognised by anti-virus and Malwarebytes, had registry hooks to relaunch, placed a security centre icon in the taskbar etc.) but I thought "oh, he must have clicked on something or done something stupid", as I've never caught a virus in Firefox by just surfing.
Well, today I visited some random website from Google and a Java runtime splash screen popped up - without clicking a single thing! Straight away I thought "Oh no", and sure enough a package had been delivered into my Docs/App Data and Local Settings folders as I was terminating the browser.
Luckily, I surf in limited account mode with the Defense+ HIPS system, which meant it couldn't do anything to my registry. I simply checked my Defense+ and Firewall logs to find the offending files, then removed them. I also did a search for any modified/created files at that exact time of infection, and removed those (some files with random names and the actual AVE.EXE).
I also knew where to look, as I've dealt with it in the past. All cleaned up. This happened in a split second - I reacted the moment I saw the splash screen, so those without things like NoScript, HIPS etc. would be ■■■■■■■.
Now here is the interesting part. The virus checker missed this file again! Plus it can still install, after all these months, using a flyby method past the latest Firefox (without NoScript) and the latest Java runtime I have installed for OpenOffice.
I'm seriously considering removing the Java runtime, but I'm not sure if the Java included with Firefox would have done any better. Worrying that this virus, when on a compromised website, can install and run so easily!
Be warned! It's a nasty little thing, and seems very widespread! AVE.EXE and AV.EXE by name should be added to the detection engine, or the dropper program identified somehow. In most cases it's called by that name and sits in the user data folders. It's delivered by some randomly named files downloaded and run through the Java Runtime.
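The clean-up step described in the post (find everything created or modified in the user-writable folders around the moment the splash screen appeared, and look for the AVE.EXE / AV.EXE names) can be scripted. This is an added example, not the poster's own procedure or tool; the time window, the folder list and the name pattern are assumptions you would adjust, and it only reports, it does not delete anything.

```powershell
# Added example: list files created/modified in the user profile within a
# window around the suspected infection time and flag the names named in
# the post (AVE.EXE / AV.EXE). Report only; review before removing anything.

param(
    # Assumption: the moment the Java splash screen was seen (adjust to your clock)
    [datetime]$InfectionTime = (Get-Date).AddMinutes(-10),
    # Assumption: how many minutes either side of that moment to inspect
    [int]$WindowMinutes = 5
)

$from = $InfectionTime.AddMinutes(-$WindowMinutes)
$to   = $InfectionTime.AddMinutes($WindowMinutes)

# User-writable locations a limited account can drop into. On Vista,
# "Local Settings" is a junction to AppData\Local, so LOCALAPPDATA covers it.
$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
           (Join-Path $env:USERPROFILE 'Documents')) | Select-Object -Unique

# Names the post reports for the dropped binary (case-insensitive match)
$suspectNames = '^(ave|av)\.exe$'

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime -ge $from -and $_.CreationTime -le $to) -or
            ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path         = $_.FullName
                CreationTime = $_.CreationTime
                LastWrite    = $_.LastWriteTime
                Bytes        = $_.Length
                # Known-name match from the post; random names need manual review
                NameMatch    = [bool]($_.Name -match $suspectNames)
            }
        }
}

# Known names first, then everything else touched in the window
$hits | Sort-Object -Property @{Expression='NameMatch';Descending=$true}, CreationTime |
    Format-Table -AutoSize
```

Run it from the limited account that was logged in when the splash screen appeared, so the environment variables resolve to that profile; anything flagged NameMatch or sitting in a randomly named subfolder is what the post suggests correlating against the Defense+ and firewall logs before removal.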