Update of September 3:
Some detections of this Trojan were on a component of a commercial application. For this reason we’ve updated the detection type to “potentially unwanted program” (PUP). Customers who see files that exhibit the behavior discussed in the Threat Library for QTaskMgr-1 should submit the file to McAfee Avert Labs.
In anti-virus research, context is everything. We had a sample that was not signed correctly and behaved suspiciously. We have to think of our users’ security; thus we detected the file. Without knowing that the sample was part of a nonmalicious application, we had to assume it was dangerous.
One reason we make this assumption is due to cases such as files infected with Induc. Here, even if the binary’s resources check out, it’s still compromised. If it looks bad, smells bad, tastes bad, and you’re not told otherwise, then it probably is bad.
Original blog, published September 1:
We’ve heard about malware that reduces a computer’s state of security. Such malware might, for instance, disable your access to the registry, lower Internet Explorer’s security configuration, delete system files, or manipulate the system’s DNS settings. Each of these steps exposes the victim to graver malware infections or system compromise.
Yesterday we ran into a Trojan that weakens the victim system’s security by making registry changes. The malware disables Task Manager, Windows Update, and toolbars in Internet Explorer. Further, it does not let you lock your machine or change your password. If you pressed Ctrl+Alt+Del after the infection, you would see this:
Because losing Task Manager is the most damaging security attack on our list above, we’ve called this Trojan QTaskMgr-1. We have included detection and cleaning for QTaskMgr-1 since the 5727 DATs, released September 1.
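The symptoms described above (Task Manager gone, no Lock Workstation, no Change Password, no Windows Update link) are the ones Windows produces when specific user-policy values are set. The blog does not say which registry values QTaskMgr-1 writes, so the following audit script is an added example and not McAfee’s cleaning routine; the key paths and value names it checks are the standard Windows policy values that cause these symptoms, and it is my assumption that this Trojan, like most of its kind, sets them to 1. The `Get-PolicyTamperReport` function name is mine.

```powershell
# Added example (not McAfee's code): audit, and optionally clear, the Windows policy
# values whose effects match the QTaskMgr-1 symptoms described in the post.
# ASSUMPTION: the post does not list the values the Trojan modifies; these are the
# documented Windows policy values that produce each symptom when set to DWORD 1.
$Checks = @(
    @{ Symptom = 'Task Manager disabled';
       Subkey  = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name    = 'DisableTaskMgr' },
    @{ Symptom = 'Lock Workstation disabled';
       Subkey  = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name    = 'DisableLockWorkstation' },
    @{ Symptom = 'Change Password disabled';
       Subkey  = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name    = 'DisableChangePassword' },
    @{ Symptom = 'Windows Update link removed';
       Subkey  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name    = 'NoWindowsUpdate' }
)

function Get-PolicyTamperReport {
    [CmdletBinding()]
    param(
        # When set, delete each offending value instead of only reporting it.
        # Deleting the value restores the Windows default (feature enabled).
        [switch]$Remediate
    )
    $findings = @()
    foreach ($check in $Checks) {
        # Per-user policy lives under HKCU; the same values under HKLM apply machine-wide.
        foreach ($hive in 'HKCU', 'HKLM') {
            $path = "${hive}:\$($check.Subkey)"
            if (-not (Test-Path -Path $path)) { continue }
            $item = Get-ItemProperty -Path $path -Name $check.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $data = $item.($check.Name)
            if ($data -eq 1) {
                $findings += [pscustomobject]@{
                    Symptom = $check.Symptom
                    Key     = $path
                    Value   = $check.Name
                    Data    = $data
                }
                if ($Remediate) {
                    Remove-ItemProperty -Path $path -Name $check.Name -ErrorAction Stop
                }
            }
        }
    }
    return $findings
}

# Usage: report tampered policy values; add -Remediate to clear them
# (clearing HKLM values requires an elevated prompt).
Get-PolicyTamperReport | Format-Table -AutoSize
```

A hit on one of these values is evidence, not proof: a domain Group Policy can legitimately set any of them, so on a managed machine compare the findings with `gpresult /r` before clearing anything. Clearing the values also only undoes the visible damage; the Trojan itself still needs to be removed with an up-to-date scanner, since it can rewrite the values on its next run.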