This post originated from an RSS feed registered with .NET Buzz
by Steve Hebert.
Original Post: Aurora/Nail Virus - a simple virus that has stumped the anti-virus firms
Feed Title: Steve Hebert's Development Blog
Feed Description: .Steve's .Blog - Including .Net, SQL Server, .Math and everything in between
The latest word on anti-virus firms focuses on their inability to adjust to the rootkits that are running around in the wild these days. Companies such as Symantec, McAfee and Trend Micro do not have rootkit detection and removal capabilities.
While rootkit detection and removal appears to require an architectural change, it appears that rootkits are not the only thing giving the anti-virus firms fits. Back in July, I posted one of my most viewed posts: the Aurora (Nail.exe) spyware fix. At the time I posted the fix, I decided to leave it off the main feed of CodeBetter because it has nothing to do with .Net. Given the technical nature and the fact that most anti-virus firms are still unable to deal with the threat, I really wonder what my yearly anti-virus subscriptions are worth. The Aurora/Nail virus is also known as "adware/betterinternet", and information is available under all three names across the 'net. When I first ran into the problem, Symantec's product was able to detect the virus 10-20% of the time. When it did detect the virus, it claimed to have removed it, but the virus only reappeared after successive reboots.
This is an interesting virus because it contacts a central server to locate popups. Once installed, the program keeps itself running on the local machine using virtually random filenames. These processes all focus on running the application side of the virus and appear to keep a couple of things in place, as I discussed in my initial blog entry. The program does not have an uninstall, and in response to criticism the company provides a removal tool, though questions surround it.
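The post describes two behaviours a defender can look for: components that re-create themselves under near-random filenames, and persistence that survives a reboot. The following is an added example (not code from the original post or from any anti-virus vendor) of a simple name-randomness heuristic run over a constructed list of autorun entries; the entry names, the `SAMPLE_AUTORUNS` table and the thresholds are assumptions chosen for illustration, and the only name taken from the post itself is `nail.exe`.

```python
import math
import re
from collections import Counter

VOWELS = set("aeiouy")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]+")


def shannon_entropy(text):
    """Bits of entropy per character over the characters of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def name_features(filename):
    """Derive the features used to judge whether a filename looks machine-generated."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    runs = CONSONANT_RUN.findall(stem)
    return {
        "length": len(stem),
        "entropy": shannon_entropy(stem) if stem else 0.0,
        "vowel_ratio": vowel_ratio,
        "longest_consonant_run": max((len(r) for r in runs), default=0),
    }


def looks_random(filename):
    """Heuristic: pronounceable program names have vowels spread through them;
    generated names tend to be long consonant strings with few vowels.
    Thresholds are assumptions for this example, not tuned values."""
    f = name_features(filename)
    if f["length"] < 5:
        return False  # too short to judge; 'nail.exe' deliberately falls here
    if f["longest_consonant_run"] >= 5:
        return True
    return f["vowel_ratio"] < 0.2 and f["entropy"] > 3.0


# Constructed sample of autorun entries: (registry location, value name, image name).
# On a live host these would be read from the Run keys and startup folders.
SAMPLE_AUTORUNS = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive", "OneDrive.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth", "SecurityHealthSystray.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "svcxrtqp", "svcxrtqp.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "nail", "nail.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "dkfjqwzl", "dkfjqwzl.exe"),
]


def flag_suspicious(entries):
    """Return the image names (without extension) of entries whose name looks generated."""
    flagged = []
    for _location, _value, image in entries:
        if looks_random(image):
            flagged.append(image.rsplit(".", 1)[0])
    return flagged


if __name__ == "__main__":
    for location, value, image in SAMPLE_AUTORUNS:
        verdict = "SUSPICIOUS" if looks_random(image) else "ok"
        print(f"{verdict:10} {value:16} {image:28} {location}")
    print("flagged:", flag_suspicious(SAMPLE_AUTORUNS))
```

The point of the `nail.exe` entry is the caveat: a randomness check only catches the randomly named helper processes, not a short, pronounceable dropper, so the heuristic is a triage aid for reviewing persistence locations rather than a detection on its own. Each process flagged this way should also be checked for who re-spawns it, since the post notes the components restart one another.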
Given that this virus/spyware has a huge Achilles' heel that I revealed back in July, I am hearing that several major virus vendors still cannot remove it in spite of correctly identifying it. This has me wondering: how are the anti-virus corporations working to adjust to the underlying shifts in virus activity? How can this simple virus stump them for so long, and how will they address rootkits when a simple problem gives them so much trouble? The new wave of virus attacks goes far beyond the mechanics of identifying payloads and providing signature updates; I wonder how much longer it will take anti-virus firms to shake up their R&D departments and change their approach.
If you have a tool that actually removes this virus, I'd be very interested in hearing about it. Right now I'm hearing from many people that their anti-virus solutions do not successfully remove the Aurora/BetterInternet/Nail virus. I'd love to be able to pass along a functional removal for myself and others.