Two days ago, I wrote up my notes on my experience with the rogue anti-virus software, Bravesentry. When I found my computer infested with that pesky software I turned to Google for information. Typing “bravesentry” into a Google search turned up a measly 2 results. Can you think of the last time you ran a Google search and it returned fewer than 10 hits? I can’t. Because of the lack of info on Bravesentry, I figured that this is a new pest and that my feeble research would help to start building a body of knowledge about this piece of malware.
Because this issue has been close to me, I have revisited Google several times over the past several days searching on “bravesentry” to see if more information has been uncovered. Taking Google searches as the “pulse” of the Internet, I also became interested in HOW this story has evolved by noting the changes in the Google search results.
The first report of Bravesentry as a rogue anti-spyware software was published on March 8, 2006 by SunbeltBlog. When I ran my first Google search on the subject (probably on March 9), Sunbelt was one of the two sites that Google returned. Slowly but surely, I’ve noticed the body of information about Bravesentry building in Google’s indexes. On March 10, there were 4 results; on March 11, there were 12 results in the morning and 18 later that day. On March 12, I see 24 references in Google and noticed that five advertisers have also bought “bravesentry” as an adword. The free market hard at work here.
Examining the Google search results also highlighted one more interesting point for me - namely, that my own site did not show up in Google’s search results for “Bravesentry” even though I have posted a fairly complete account of my experience with the software. As my Netsato blog is new, only about a month old, and as my site’s Google pagerank is a whopping 0/10, this clearly shows the importance of pagerank in determining search result indexing. I suppose you can call it “paying your dues.” I bet there’s a bunch of “0” pagerank sites out there that contain some really good information, but we just don’t find them.
Who cares? Probably nobody but me and about 5 other people in the world…but hey it’s my blog and I can write what I want.
I’ve been infected simultaneously by Bravesentry and many other trojans. I ran all the anti-virus I know and none is able to delete it. The only one that seems to detect and to be able to do so is Bravesentry…. the problem is that you have to buy a license before being able to delete worms detected by the demo version…
Then, blackmailing or not?
Left by Nico from Austin, TX on March 20th, 2006
I would be very suspicious of what Bravesentry claims to detect. If it is finding “problems” that no other software can find, then I would look to verify those findings elsewhere. After all, what better way to sell a lot of anti-virus/anti-spyware/anti-hacker software than to scare you into buying them with false positives.
Think about it another way: if Bravesentry was really any good, why would it stoop to such aggressive “hijacking” tactics to get itself installed?
Left by Netsato on March 22nd, 2006
I also got hijacked by Brave Sentry. Maybe we should spread a rumor that they are spying for Al Qaeda and should be demolished.
Anyway, I sent an email to Interpol with their supposed address in the Netherlands.
Argh!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Left by jessica bowen on June 15th, 2006
First, my system specs. My computer is an older IBM ThinkPad 1411i, 4.3GB HDD, 160 megs SDRAM, 300MHz P-II MMX processor running Win 98. Browsers: IE 5.5, Firefox 1.0.5, Netscape 4.77. Mail client OE 5.5 (also NS for newsgroup posting). Net connection: pair-gain loop-limited dialup, 26.4 KBaud (courtesy of SBC, which is holding the neighborhood’s head underwater in hopes we’ll all sign up for their DSL deal => more yummy income).
I just had an experience of my own with Brave Sentry. I noticed a “meatball” in my system tray a couple of days ago while working online and assumed it had been generated by an update of my Grisoft AVG. I began scanning with various tools and found real Trojans and worms:
ByteVerify [Java worm] (Spyware Nuker XT)
Proxy.ENI
Downloader2.QUS (AVG)
Spy Sheriff
Counter Spy
Child Safe / WinGuardian [monitor/logger]
The Spy Sheriff detection (and possibly WinGuardian as well), by a freeware scanner based on an older release of SpySweeper that is distributed by Earthlink through their homepage (the removal tools are available to Earthlink subscribers), was really Brave Sentry. The near-identity of these malware apps is discussed by spywarewarrior.com, whose link I followed here to NetSato.
After chasing the various infected/infecting files around with AVG and Spyware Nuker XT for a couple of days, I thought I had finally stamped out the Trojan infection. A partial listing of files I removed:
BlackBox.class
VerifierBug.class
Beyond.class
Proxy.ENI (see also below)
These were discovered by Spyware Nuker XT and Spy Sweeper (Earthlink’s ELspyaudit.exe) together with Task Man and closely-spaced AVG scans of the WINDOWS/SYSTEM files.
In addition, here is a copy of my AVG log of the malware files found by its scans:
Trojan horse Downloader.Generic2.DQC C:\WINDOWS\SYSTEM\vxgamet3.exe 9/10/06 8:19:47 PM vxgamet3.exe 11.22 KB
Trojan horse Downloader.Generic.QUS C:\WINDOWS\SYSTEM\vxgamet4.exe 9/10/06 8:19:47 PM vxgamet4.exe 1.59 KB
Trojan horse Downloader.Generic.QUS C:\WINDOWS\TEMP\1.dlb 9/10/06 8:19:47 PM 1.dlb 2.46 KB
Trojan horse Downloader.Generic2.MWW C:\WINDOWS\TEMP\5.dlb 9/10/06 8:19:48 PM 5.dlb 4.17 KB
Trojan horse Proxy.ENI C:\WINDOWS\TEMP\vx6.game 9/10/06 8:19:48 PM vx6.game 14.73 KB
Trojan horse Downloader.Generic2.DQC C:\WINDOWS\TEMP\vxt3.game 9/10/06 8:19:48 PM vxt3.game 11.22 KB
Trojan horse Downloader.Generic.QUS C:\WINDOWS\TEMP\vxt4.game 9/10/06 8:19:48 PM vxt4.game 1.59 KB
Trojan horse Downloader.Generic.QUS C:\WINDOWS\TEMP\1.dlb 9/10/06 3:21:38 PM 1.dlb 2.46 KB
Trojan horse Downloader.Generic2.MWW C:\WINDOWS\TEMP\5.dlb 9/10/06 3:21:38 PM 5.dlb 4.17 KB
Trojan horse Downloader.Generic2.LGI C:\WINDOWS\TEMP\vx3.game 9/10/06 8:19:48 PM vx3.game 2 KB
Trojan horse Generic.YZR C:\WINDOWS\TEMP\vx4.game 9/10/06 8:19:48 PM vx4.game 14 KB
Virus found SpySheriff C:\WINDOWS\DESKTOP.HTML 9/11/06 11:52:49 AM DESKTOP.HTML 1.95 KB
Trojan horse Downloader.Generic.QUS C:\WINDOWS\SYSTEM\DLH9JKDQ1.EXE 9/10/06 7:00:11 PM DLH9JKDQ1.EXE 2.46 KB
Trojan horse Downloader.Generic2.MWW C:\WINDOWS\SYSTEM\DLH9JKDQ5.EXE 9/10/06 7:00:52 PM DLH9JKDQ5.EXE 4.17 KB
Trojan horse Downloader.Generic2.LGI C:\WINDOWS\SYSTEM\VXGAME3.EXE 9/10/06 7:04:28 PM VXGAME3.EXE 2 KB
Trojan horse Generic.YZR C:\WINDOWS\SYSTEM\VXGAME4.EXE 9/10/06 7:05:23 PM VXGAME4.EXE 14 KB
Trojan horse Proxy.ENI C:\WINDOWS\SYSTEM\VXGAME6.EXE 9/10/06 7:06:23 PM VXGAME6.EXE 14.73 KB
After a system secure shutdown with Evidence Eliminator (deletion of all TEMP files, cookies, and recycling-bin contents, followed by overwriting of the deleted material and all free space on the hard drive), I booted up to discover the meatball was back. Curious — and apprehending that I hadn’t gotten the installation .EXE file — I double-clicked on the meatball. Brave Sentry immediately began to unpack from whatever (probably encrypted as well as hidden) zipfile it had been lurking in and began to install. I called Task Manager right away and stopped the installation. I noticed that two suspect processes I’d seen and killed the previous day were back:
xpupdate (nice ute to have, considering I’m running Win98)
dlh9jkdq1.exe
I killed them and then systematically began deleting the Brave Sentry folders and files (avoiding the Uninstal.exe utility) from the Program Files/ and Windows/Start Menu directories.
Since that point, the malware processes associated with Brave Sentry and its companion Trojans have not yet reappeared, so far, but I expect to see them again at the next restart, if I don’t locate a removal tool for the hidden file which is dropping fresh copies of everything on reboot. This task is what led me, chasing links, to the NetSato weblog.
I am in the dark about the source of the infection. There are two possibilities: one is spammers looking for ways to distribute remote-administration Trojans with their spew, which I handle daily with OE 5.5, and the other is a drive-by, stealth download acquired while visiting Epinions.com two days ago with IE 5.5 and reading product-review wiki entries there.
I, too, would like to receive communications with more information about this pest and where I could find a removal tool that will allow me to avoid reformatting or deploying backup copies of configuration files.
Left by Michael Brennan on September 12th, 2006
This illustration from spywarewarrior’s website shows what I saw when “Brave Sentry” began to unpack and install itself:
http://www.spywarewarrior.com/pics/bs-2.jpg
One can imagine the jam a nOOb would feel himself or herself in, confronted by this aggressive pest. This is abject abuse of skills against the uninitiated and helpless, the equivalent of a crude robbery-by-force.
Left by Michael Brennan on September 12th, 2006
Yesterday, I seem to have picked up BraveSentry. I’m not certain how/where I picked it up, but I realised that I’d only recently set up the computer (not this one - the infected one’s running a scan right now) and didn’t have a firewall running … so I guess I asked for it. It’s a clever, but evil, piece of software … luckily, a search in Google turned up your page!
Left by Gary on September 22nd, 2006
It seems that one or more of the msconfig startup items are responsible for administering the effects of the bravesentry trojan.
Left by Manesh on January 16th, 2007
I am the owner of a very small startup, and I received a desktop support call from a UPS store in Concord, CA.
I successfully tracked down and removed the Brave Sentry file folder, and all of the necessary files. I am now working on cleaning the registry out and getting rid of the .dll files.
The DCOM Process Server has become active, and continues to fail.
Does anyone have a fix for the DCOM besides changing the settings to disabled?
Josh
Left by Joshua on March 28th, 2007