Avast WEBforum

Other => Viruses and worms => Topic started by: umiwangu on November 21, 2009, 02:12:52 PM

Title: Melena.exe inside Pozuda folder (flash drive)
Post by: umiwangu on November 21, 2009, 02:12:52 PM
I had to clean a bunch of flash drives for a project this morning and I noticed one folder was not being cleaned. It was called Pozuda and of course it had a desktop.ini inside there that made the folder look like the Recycle Bin. Therefore, when you click on it, the folder takes you to the Recycle Bin as well.

I scanned the folder on my laptop (MacBook, Windows 7) with Avast Home (4.8.1355, defs from today), and it didn't find anything. I knew there was something in there, because it was 150 kb, which is too much for just a .ini file.

I scanned the same flash drive on another computer with up to date AVG 9.0 (just reformatted last night). Nothing.

I scanned the same flash drive on another computer with up to date Bit Defender Business Client (enterprise ed). Nothing.

So I rebooted into Mac, and of course, there inside the folder was a file called malena.exe. I've removed both the autorun.ini and the Pozuda folder and have them sitting here on my Mac.

Why the hell couldn't these three (reputable) AVs detect it?

Edit: I'm seeing a lot of these things that Avast isn't removing, so I'm semi-seriously thinking about just running Mac OS all the time on my laptop (and using VMs for my dev work). It'll be hard, as I've been using Windows about 99% of the time now. And maybe Ubuntu for the desktop back at home. What a bugger. WTF Windows/AV vendors?
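A defender-side check for the trick described in this post, added here as an example and not taken from any post in the thread: it walks a drive, finds folders whose desktop.ini redirects Explorer to the Recycle Bin, and lists the executable files kept inside them. The Pozuda/malena.exe layout is constructed in a temporary directory with a placeholder file, and RECYCLE_BIN_CLSID is the shell class ID of the Windows Recycle Bin.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Shell CLSID of the Windows Recycle Bin. A desktop.ini that assigns it to a
# folder makes Explorer display and open that folder as the Recycle Bin.
RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".dll"}

def redirect_clsid(ini_path):
    """Return the upper-cased CLSID/CLSID2 a desktop.ini assigns, or None."""
    raw = Path(ini_path).read_bytes()
    # desktop.ini is often UTF-16 with a BOM; otherwise treat it as 8-bit text.
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16") if utf16 else raw.decode("utf-8-sig", errors="replace")
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    for section in parser.sections():
        if section.lower() == ".shellclassinfo":
            for key in ("clsid", "clsid2"):  # either key redirects the folder
                if parser.has_option(section, key):
                    return parser.get(section, key).strip().upper()
    return None

def find_masquerading_folders(root):
    """Report (folder, executables) for folders whose desktop.ini targets the Recycle Bin."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        inis = [f for f in files if f.lower() == "desktop.ini"]
        if not inis or redirect_clsid(os.path.join(dirpath, inis[0])) != RECYCLE_BIN_CLSID:
            continue
        payloads = sorted(f for f in files if os.path.splitext(f)[1].lower() in EXECUTABLE_EXTS)
        findings.append((dirpath, payloads))
    return findings

def build_sample_drive():
    """Constructed stand-in for the stick: a redirected Pozuda folder with a dummy .exe plus a harmless icon-only folder."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    bad, good = root / "Pozuda", root / "Docs"
    bad.mkdir()
    good.mkdir()
    ini = "[.ShellClassInfo]\nCLSID=%s\n" % RECYCLE_BIN_CLSID.lower()
    (bad / "desktop.ini").write_text(ini, encoding="utf-16")
    (bad / "malena.exe").write_bytes(b"MZ placeholder, not a real binary")  # dummy file
    (good / "desktop.ini").write_text("[.ShellClassInfo]\nIconResource=shell32.dll,3\n")
    return str(root)
```

Run `find_masquerading_folders` against a mounted removable drive's root to get the same report for real media; folders it flags are worth inspecting from a non-Windows system, as the thread does.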
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: umiwangu on November 21, 2009, 02:28:45 PM
I just submitted the file to virusscan.jotti.com and only 5 of the 19 engines listed there detected it.

Here's the link - http://virusscan.jotti.org/en/scanresult/294aa54ee2c6f4ffbc8b162bc31a895813d5914e
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: DavidR on November 21, 2009, 02:56:56 PM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

The reason I suggest this is that Jotti uses Linux versions of the AVs and VirusTotal, too, uses the Windows versions, and there are 40/41 different scanners.

- Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: umiwangu on November 21, 2009, 03:03:15 PM
Thanks for that tip. Yes, even with VirusTotal it was 8/41. http://www.virustotal.com/analisis/f7bbaedb51a11545052d039e1367bc98a6e0579b9604bd5af7907a6a07beeb98-1258811962

I couldn't send the file to the chest because of the desktop.ini file (it completely blocked access to the real Pozuda folder; trying to open it always redirects to the Recycle Bin). So that's why I had to reboot into Mac.

Ok, I'll submit it.

Seth
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: umiwangu on November 21, 2009, 03:05:42 PM
Gmail doesn't allow .exe files to be attached.... (it looked inside the .zip file).

Seth
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: DavidR on November 21, 2009, 04:24:21 PM
You might be able to double zip it, with the inner one password protected, or you could try using 7zip, which uses the 7zp file type, which may get round the primitive/pathetic gmail blocking of .zip files.

Since you were presumably able to access the file from the Mac, it would be possible to rename the desktop.ini file to desktopOLD.ini, and that may remove the protection of the pozuda folder. Or make a copy of the file in a different location, which may allow the file to be sent to the chest.
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: Spiritsongs on November 22, 2009, 01:20:43 AM
 :)  Hi :

 When it comes to flash drives, you should consider using "SPECIALITY" programs, like the FREE "Flash Disinfector" or a-squared's HijackFree. IF the flash drive is known to be "clean", then consider using "Panda USB Vaccine".
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: umiwangu on November 23, 2009, 07:00:24 PM
It looks like Avast now detects it as Win32:Malware-gen.

Sorry it took so long.

Seth
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: 12g4iu on November 27, 2009, 01:13:11 PM
well.. no
I've just seen this virus as well (malena.exe in pozuda folder). AVAST in the newest version (091126-1.26.11) does *NOT* recognize it. I've pretty much tried everything - either it's not found, or it can't be properly cleaned. Spyware Doctor, which I bought(!), for example claims to find "Buzus", removes it and.. voila, it's there again. :-(

It also phones home, e.g. it tries to contact other hosts for updates and a special host of the organization "balkan hosting", with a contact in Bosnia but hosted in Frankfurt. Crazy stuff.

best,
-h
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: umiwangu on November 27, 2009, 05:14:16 PM
Serious? The only reason I said Avast detected it was because that's what it now says on VirusTotal.

And with my original system, with BitDefender, they told me that BD will now detect it, but it doesn't... And I think I also have the virus running on the system. I did a full system scan and it didn't pick up anything. I'm having svchost.exe memory errors (on shut down) and nissan.exe application faults (what the hell is nissan.exe?).

System restore is turned off, so it shouldn't be hiding in there...

Let me know if you get anything. Like I said, I'm semi-seriously thinking of just leaving Windows except for VMs. What a pain in the ass.
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: 12g4iu on November 27, 2009, 05:25:38 PM
Yep... google for nissan.exe and you'll find out that it's just another malware.. same here ;-)
I just want to know how to get rid of this sh*t. :-(

PS: I already took the step you're talking about. I'm not a Windows user and I don't miss it. I'm doing this disinfection stuff for someone else.
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: umiwangu on December 02, 2009, 08:31:12 AM
So what did you switch to?

Also, do you happen to know of any flash drives on the market that have read-only switches? I used to have an old 64 MB Kingston that had the feature and it was great for using on infected computers.

Oh well.
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: TeamSafari on December 03, 2009, 12:48:15 PM
IronKey makes flash drives that have a read-only switch.  Not a flash drive for the average bear however, as they're ridiculously priced.
Title: Re: Melena.exe inside Pozuda folder (flash drive)
Post by: 12g4iu on December 03, 2009, 12:51:13 PM
I have not yet fixed the problem.  :-\

I've also thought about a read-only stick. None here, though. An old 128MB stick had this feature, but I have probably already dumped it.

BTW: The virus will also contact various other hosts (dialup) on port 80 (presumably to get updates?). It does not talk HTTP on this port.

So it's not enough to firewall everything apart from DNS/HTTP (what I did for updating the AV programs).

Best,
_h