Posted 09 March 2010 - 12:58 PM
".aoal" is actually a new variant that I reported to Kaspersky on the 6th of March, and the behavior is a little different from previous versions. It showed up in a new location under a new name (<USER>\Local Settings\Application Data\av.exe) and is a hidden, system file. In addition, it adds several hooks into the registry that launch av.exe when applications like Firefox, IE and others are launched. When av.exe is removed, those registry entries break and the applications can no longer be launched. It's quite possible that it can use other names/locations as well, but I've only seen the one instance of it.
Your applications are broken because the registry hooks are likely still in place, but it can't find the referenced file. To fix this, you should search your registry for av.exe. You'll see a line that looks something like
c:\some path\av.exe /START "%1 " %*
I don't remember the "%1 " %* part exactly so it may differ slightly. Everything up to and including /START is hostile and can be removed. That will leave you with something like
"%1 " %*
After making that change, the application in question should run correctly. Perhaps Kaspersky's removal procedure didn't clean up the registry correctly.
Below is a copy of my e-mail with Kaspersky:
This message has been generated by the automated submission tracking system. If we already detect these files, the message below tells you how we identify this threat. Your submission will be passed to a virus analyst.
av_evil.exe - Trojan.Win32.FraudPack.aoal
New malicious software was found in this file. The next antivirus database update will include detection for this malware. Thank you for your help.
Best regards, Kaspersky Lab
>> Fake anti-virus product. Adds registry entries associated with Firefox, IE and a few others that cause the program to launch at the same time as the other processes. Appears to fork the requested process and then reparent it several seconds later. Although I see descriptions of it, none of the AV or malware products I tried detected it, and the Kaspersky online scan passes it too. The only file I found associated with it was in <USER>\Local Settings\Application Data\av.exe. I ended up renaming the file to av_EVIL.exe and creating a blank av.exe file in its place. The av_EVIL.exe that I'm uploading was originally called av.exe. Unfortunately, I no longer have the registry entries, but it was something like:
>> path\av.exe /START "%1 " %*.
>> uploaded files:
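The registry clean-up described in the post above (search for av.exe, strip everything up to and including /START, keep the "%1" %* tail), as an added PowerShell example that is not part of the original post or of Kaspersky's removal procedure. It assumes the hooks are file-association "open" command values, because the "%1" %* placeholders are the shell's open-command arguments, and so scans Software\Classes under HKCU and HKLM; the Roots, Marker and Fix parameters and the Repair-AvHook function name are my own. It is a dry run unless -Fix is given, and -WhatIf/-Confirm are honoured.

```powershell
# Added example, not from the original post. Lists registry command values that
# still reference av.exe and shows what is left once the injected launcher
# ("...\av.exe /START") is removed. Writes nothing unless -Fix is supplied.
function Repair-AvHook {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: the hooks are file-association open commands under Software\Classes.
        # Widen this list (e.g. 'HKLM:\SOFTWARE') if your search for av.exe finds more.
        [string[]]$Roots  = @('HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes'),
        [string]  $Marker = 'av.exe',
        [switch]  $Fix
    )

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                # Read raw, so REG_EXPAND_SZ values are not expanded before we compare them.
                $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if ($value -isnot [string])                     { continue }
                if ($value -notmatch [regex]::Escape($Marker))  { continue }

                # Everything up to and including "/START" is the injected launcher;
                # the remainder ("%1" %*) is the original command tail the app needs.
                $cleaned  = $value -replace '^.*?/START\s*', ''
                $propName = if ($name -eq '') { '(default)' } else { $name }

                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = $propName
                    Current = $value
                    Cleaned = $cleaned
                }

                if ($Fix -and $cleaned -ne $value -and
                    $PSCmdlet.ShouldProcess("$($key.Name)\$propName", "set to '$cleaned'")) {
                    Set-ItemProperty -Path $key.PSPath -Name $propName -Value $cleaned
                }
            }
        }
    }
}

# Dry run: show every hook and what it would be reduced to.
Repair-AvHook | Format-Table -AutoSize

# To apply, prompting for each change:
# Repair-AvHook -Fix -Confirm
```

Review the dry-run table before running with -Fix: a value that mentions av.exe but contains no /START is listed with Current and Cleaned identical and is left alone, so anything that does not match the pattern in the post still has to be handled by hand. Export the affected keys with reg.exe export first if you want a way back.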