Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: girasole on May 01, 2007, 06:29:33 PM

Title: Sasser worm
Post by: girasole on May 01, 2007, 06:29:33 PM
I have a question. My friend's computer was infected by the Sasser worm but avast didn't detect it; she only managed to get rid of it by running nod32. How is that possible? Not only is that worm not new malware, but it is already in the virus definitions.

Thank you
G
Title: Re: Sasser worm
Post by: RejZoR on May 01, 2007, 07:01:14 PM
I hardly believe that. The Sasser worm has been in the definitions for ages. Even Network Shield can block it.
Is avast! actually the latest version and with fully updated virus definitions?
Title: Re: Sasser worm
Post by: DavidR on May 01, 2007, 07:27:49 PM
If they got infected by Sasser, their operating system is also way out of date, as the Sasser vulnerability should have been patched ages ago. As RejZoR said, the Network Shield should have been able to detect this exploit attempt, assuming that their operating system supports it and the Network Shield is enabled.

What is their operating system ?

Quote
Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011
Title: Re: Sasser worm
Post by: mauserme on May 01, 2007, 08:37:27 PM
Did NOD actually identify it as sasser, or did it say lsass.exe was infected by something? 

There is malware that drops a file named lsass.exe, malware that can infect lsass.exe, and malware that can replace lsass.exe with an infected version without actually being the lsass exploit.
Title: Re: Sasser worm
Post by: girasole on May 01, 2007, 10:37:41 PM
Yes, it was up to date; I installed it for her about 4 months ago… I’ve used Avast for years and I remember it blocking Sasser… so it came as a shock that it didn’t even notify.

I’m not sure about the state of her operating system; she was using Windows XP. But nevertheless, even if it got through some hole in the operating system, shouldn’t avast still give some sort of warning?

And yes, it was identified as a Sasser worm.
Title: Re: Sasser worm
Post by: calcu007 on May 02, 2007, 12:22:38 AM
Maybe it was infected before you installed Avast. Update your friend's computer so she doesn't get infected again. An unpatched system is dangerous.
Title: Re: Sasser worm
Post by: mauserme on May 02, 2007, 01:16:27 AM
Maybe it was infected before you install Avast.
Makes sense - hiding in an old archive or restore point possibly.

Do you know the path?
Title: Re: Sasser worm
Post by: girasole on May 02, 2007, 01:58:11 AM
I apologize but I really don't know if her windows were updated.

But wait a sec, guys... my field of expertise is not IT, however I still find this odd. If we take the possibility of the worm hiding in a restore point, shouldn't it be discovered after the first installation and reboot?
Title: Re: Sasser worm
Post by: calcu007 on May 02, 2007, 02:16:25 AM
Not necessarily. It will not be detected until Windows accesses or opens the infected file, or until you run a manual scan of the computer.
Title: Re: Sasser worm
Post by: DavidR on May 02, 2007, 02:21:54 AM
@ girasole

There is little point in speculating; ask your friend.
- What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Have her check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

Also what type of scan was it she was doing when the detection was made ?

The first boot-time scan doesn't as far as I'm aware go as deep as an on-demand thorough scan with archives enabled. avast has also introduced new packer (archive unpackers) support so if there was an infected file in a previously unsupported archive (e.g. avast couldn't unpack it), now that it is supported it could find malware in a previously unsupported packer.

So hopefully you can see there may be many possible reasons why it wasn't previously detected, but again that is speculation and doesn't solve anything, we need hard information such as answers to the questions I asked about above.
Title: Re: Sasser worm
Post by: girasole on May 02, 2007, 06:26:47 PM
@ DavidR

I went to her place today to get the info you asked for, but her HDD gave its last breath a few days ago and the computer is in for repair… which, unfortunately, brings this whole discussion to a definite stop. Now I feel bad for even starting this.

And I said that it was not avast that took care of it, it was nod32. avast didn’t even hiccup. There is a big possibility of her Windows not being up to date and the worm being present in the restore points, but I was the one who did the manual scan, and I always do the thorough scan. Is there a possibility of a glitch in the Slovenian version of avast?
 
Thank you for your help.
Title: Re: Sasser worm
Post by: DavidR on May 02, 2007, 06:46:00 PM
There is no reason to feel bad about starting this, if nothing else it gives you an idea of the things needed to help.

Sorry I forgot that it hadn't been detected by avast. If the nod32 scan was run from your system rather than on-line I would think it would have a similar logging function.

I don't think the issue is language orientated, as the signatures and scanning engine aren't language dependent, and for some reason (unknown) it wasn't detected.

Sorry we weren't able to be of more help, welcome to the forums.