AVE.EXE Internet Security virus common and not recognized by CIS

I had to remove this from one of my friend's Vista computers and it was a pain (takes over EXE file calls, wasn't recognised by anti-virus and Malwarebytes, had registry hooks to relaunch, placed a security centre icon in the taskbar etc) but I thought "oh he must have clicked on something or done something stupid" as I've never caught a virus in Firefox by just surfing.

Well, today I visited some random website from Google and a Java runtime splash screen popped up - without clicking a single thing! Straight away I thought “Oh No” and sure enough a package had been delivered into my Docs/App Data and Local Settings folders as I was terminating the browser.

Luckily, I surf in limited account mode with the Defense+ HIPS system, which meant it couldn't do anything to my registry. I simply checked my Defense+ and Firewall logs to find the offending files, then removed them. I also did a search for any modified/created files at that exact time of infection, and removed those (some files with random names and the actual AVE.EXE).

Also I knew where to look, as I’ve dealt with it in the past. All cleaned up. :slight_smile: This happened in a split second - I reacted the moment I saw the splash screen so those without things like Noscript, HIPS etc would be ■■■■■■■.

Now here is the interesting part. Virus checker missed this file again! Plus it can still install, after all these months, using a flyby method past the latest Firefox (without NoScript) and the latest Java runtime I have installed for OpenOffice.

I'm seriously considering removing Java runtime, but I'm not sure if the Java included with Firefox would have done any better. Worrying that this virus, when on a compromised website, can install and run so easily!

Be warned! It's a nasty little thing, and seems very widespread! AVE.EXE and AV.EXE by name should be added to the detection engine, or the dropper program identified somehow. In most cases it's called by that name and in the user data folders. It's delivered by some randomly named files downloaded and run through Java Runtime.
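The triage step described in this post (find files created or modified in the per-user folders around the moment of infection, and keep a hash of anything suspicious before deleting it) as an added PowerShell example; this is not code from the original thread. It assumes PowerShell 4 or later (for Get-FileHash and -File), the current user's profile, and that the infection time is known to within a couple of minutes.

```powershell
# Added example (not from the original post): list files created or modified
# in the user's Documents and AppData folders within a window around a known
# infection time, flagging the names reported in this thread.
# Assumptions: PowerShell 4+, current user's profile, time known to the minute.
param(
    [Parameter(Mandatory = $true)][datetime]$InfectionTime,
    [int]$WindowMinutes = 2
)

$start = $InfectionTime.AddMinutes(-$WindowMinutes)
$end   = $InfectionTime.AddMinutes($WindowMinutes)

# Per-user folders the dropper was seen writing to in this thread
# (Documents, AppData\Roaming, AppData\Local).
$roots = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData')
)

# File names reported in the thread; -contains matches case-insensitively.
$knownNames = @('ave.exe', 'av.exe')

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime  -ge $start -and $_.CreationTime  -le $end) -or
            ($_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end)
        } |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
            @{ Name = 'KnownName'; Expression = { $knownNames -contains $_.Name } },
            @{ Name = 'SHA256';    Expression = {
                (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } }
}

# Review (and hash) before deleting anything, so a sample can still be submitted
# to the vendor afterwards.
$hits | Sort-Object CreationTime | Format-Table -AutoSize
```

Run as `.\Triage.ps1 -InfectionTime '2010-04-12 14:35'` (constructed example timestamp); widen `-WindowMinutes` if the clock on the log entry is only approximate.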

Java isn’t included with Firefox. Java and Javascript are different languages.

Hi spirits247,

If you can find the file, you can submit it through this link: Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year, and we can have a look at it.

Thanks and Regards
Leno

Thanks for the correction, Heffed - removing Java runtime then.

I’ve already deleted AVE.EXE - I didn’t really think to keep it as I hate the thing so much and wanted rid of as soon as possible.

Since this has been around for ages, I'm guessing its profile is altering somehow to avoid detection. A simple search on Google for AV.EXE or AVE.EXE will turn up loads of results - but I guess you need sample files for its signature.

Well, this is the exploit:

http://secunia.com/blog/95

http://www.computerworld.com/s/article/9175499/Hackers_exploit_new_Java_zero_day_bug

So it’s out there and no Java update yet.

I have removed any link Java runtime has to my browsers - plugins, support etc, from the settings/prefs. I suggest others do the same. Ironically, the only sites that I’ve come across that use Java runtime are online virus scanners! So I won’t miss it.

I’ve left it installed as I use it with some applications, like open office. The annoying thing with Java runtime is each time it updates, I have to redo all my settings as it never seems to carry them over.

There are some situations where you cannot get rid of JRE.
Some years ago, my network client computers only accessed the professional application their main function was to run on the server through JRE: LAN application, but still…
And the same situation also happened at that same time with one of my banking accounts: here, we are “https”, but online.

But didn’t you say yourself that, at least concerning Firefox, the malicious script was intercepted by Noscript?

A “harmless testing url” is referenced in one of the links you provided:
http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html
It is intercepted by NoScript, and I can't test any further (if I allow the script, Firefox complains about a missing plugin as I presently have no JRE plugin for Firefox).

Yes, brucine, I never tested, but I assumed in my opening post NoScript would stop it in Firefox. NoScript users should be protected.

I do use Noscript for surfing in my Admin accounts, but for Limited accounts I don’t as people who use this account to surf the web find it a pain in the backside. I have now however removed the JRE browser integration and plugins - anyone can do it through the JRE settings. I think that will stop flyby execution.

That's the problem with some browser plugins - they open more security holes.

Java Runtime Environment 6 Update 20 is a security update release.
It addresses the recently disclosed vulnerability.

NoScript stops it. The update fixes it.

Update your Java Now.

Bad

Thanks for the info! Java updated. :slight_smile: