Avast WEBforum

Other => Viruses and worms => Topic started by: zebracomputers on July 26, 2012, 12:21:57 AM

Title: win32:morto.p
Post by: zebracomputers on July 26, 2012, 12:21:57 AM
So, what is up with Avast 7 and failure to protect computers from win32:morto.p?
I have a customer that had like 15 Windows XP Pro computers running MS Security Essentials infected.
We were able to disinfect using a combination of ComboFix, Norton Power Eraser, Malwarebytes, and Spybot S&D along with Avast Endpoint Protection Trial ver. 7. After a boot scan and patching of deleted infected files, the network was fine for a few days; then it hit again, maybe a different variant, but Avast did not stop the computers from being infected.
As an Avast Reseller, this really puts egg on my face, as I recommended Avast, and have used it for years with great results.
But what is up with this one?
I can provide a virus sample submission if necessary.
This has been out since Nov. 2011, not anything new.
Title: Re: win32:morto.p
Post by: Pondus on July 26, 2012, 12:24:13 AM
Quote
I can provide a virus sample submission if necessary
Have you tested the sample at virustotal.com?
Title: Re: win32:morto.p
Post by: polonus on July 26, 2012, 12:34:20 AM
Could be the user had two "resident" av solutions running. Avast has protection for this malcode: https://www.virustotal.com/file/2aa8bd7268bac0681da9b5d2019ae678b9ed28f643995ac7a68d8ad4cac780b8/analysis/
MSE's real-time functionality is incompatible with Avast's resident shield, and that is why you get the "ghost" detections
of av solutions finding each other's defs, etc.

polonus
Title: Re: win32:morto.p
Post by: zebracomputers on July 26, 2012, 01:08:31 AM
@pondus, no I haven't yet.
@polonus, no MSSE was removed prior to installation of Avast EP 7.
And like I said, they were clean for days, I suspect new variants or infection vectors.
Thanks for response folks.
Title: Re: win32:morto.p
Post by: zebracomputers on July 26, 2012, 02:29:33 AM
BTW this is detected as Win32/Serpip.b by Eset online scanner.
Title: Re: win32:morto.p
Post by: polonus on July 26, 2012, 01:19:31 PM
Hi zebracomputers,

Then the description is here: http://www.eset.eu/encyclopaedia/win32-serpip-a-worm-fipp-a-virus-morto-w32-b-pift
It is a polymorphic file-infecting worm. Did you send a sample to virus AT avast dot com?
The malcode presents the victim with fake-av pop-ups and is a scam really.
Infected system files should be replaced with the help of a qualified malware removal expert.
Here avast did not detect: https://www.virustotal.com/file/f9a12ac987d7737024df78471169d56c1225f31254d3914af8e16a3bbf32daaf/analysis/

polonus
Title: Re: win32:morto.p
Post by: zebracomputers on July 26, 2012, 08:44:31 PM
Thanks Polonus.
I have submitted a sample in pw protected zip file.
Thanks all.
Title: Re: win32:morto.p
Post by: Left123 on July 27, 2012, 10:16:23 AM
Hi,
http://blogs.technet.com/b/mmpc/archive/2012/07/26/morto-goes-viral.aspx
A link is worth a thousand words  ;D :D
Title: Re: win32:morto.p
Post by: true indian on July 27, 2012, 10:41:37 AM
Well! You must know that no AV is 100%. How many times should we repeat  ::)

Recommend your customers to use Malwarebytes PRO with avast! Free and Norton DNS...

That will be the only time when they won't get infected again...

Tell them to use web mail such as Gmail, Hotmail etc. as they have excellent spam filters...

With any AV you give them to run alone, they are bound to get infected again... Tell them how to exercise caution when opening mail attachments.
Title: Re: win32:morto.p
Post by: zebracomputers on August 03, 2012, 06:14:30 PM
All good points, true indian, but that doesn't happen in the real world, now does it?  One buys an enterprise-level AV and expects it to protect their computers from viruses.
I am reasonably sure that other AV products, through heuristics or other behavioral analysis, would stop, detect and remove this threat as soon as it was encountered in email, on a web page or in a download; the source of infection is still unknown.
Corporate users that have used Outlook for years will likely not transition well to the web-based format, and that may or may not help protect them if the AV on their computer doesn't protect them.
This lack of detection/removal in AVAST will force me to discontinue my sales and support of AVAST.
Took a big one in the ASS, not likely to let it happen again....
FYI, Malwarebytes Pro didn't see this one either, not to mention that once it's on the computer, if you try to run any executable not in the Windows folder, it will be infected as well....
IMHO, Norton products have degenerated to money pits for the user and cash cows for Symantec.
Just ranting mind you...

Quote
Well! You must know that no AV is 100%. How many times should we repeat  ::)
Recommend your customers to use Malwarebytes PRO with avast! Free and Norton DNS...
That will be the only time when they won't get infected again...
Tell them to use web mail such as Gmail, Hotmail etc. as they have excellent spam filters...
With any AV you give them to run alone, they are bound to get infected again... Tell them how to exercise caution when opening mail attachments.
Title: Re: win32:morto.p
Post by: essexboy on August 03, 2012, 10:34:33 PM
As an example, Sirefef has been around for a while and Avast detects all variants. But due to the changes in the dropper it can only block once installed. Compare that to five systems I have just cleaned:

AVs were: Norton, Trend Micro, ESET, Kaspersky and AVG.
All the above only gave a warning at boot that a file was infected, then they kept quiet till the next boot.
Avast however will block the malware every time it tries to connect to the download server. So although you are still infected, with Avast there is no data going out and no new malware coming down. It is in effect contained.

Compare that to the others I have mentioned.
Title: Re: win32:morto.p
Post by: polonus on August 03, 2012, 11:01:37 PM
Hi zebracomputers,

Pay attention to what essexboy says here, he knows, he is a qualified removal expert here and he has seen more malware in various forms in his time than others would meet in a couple of existences. So when malware does not even get access to a victim's machine, and such is the workings of the pro-active shields, we know we are being protected by several more layers than just avast file detection. Consider this also before you withhold this av-solution from your customers,

polonus

P.S. Can you give a link to the initial VT scan, where avast failed detection?
Title: Re: win32:morto.p
Post by: zebracomputers on August 04, 2012, 12:04:33 AM
I have the greatest respect for all the malware removal specialists here, the time they donate etc.
I personally have been removing malware from Windows, Apple and Linux PCs since 1998. (Yes, these other OSes do have threats and exploits that infect them.)
I own a small computer store www.zebracomputers.com (http://www.zebracomputers.com) and we service thousands of customers a year.
Just FYI, Avast is still not able to prevent, or remove this new variant.  Fully a week after the sample was sent in to Avast.  I have a password protected zip file with an infected file in it, if anyone would like me to email it to them to verify my statements.
Eset nod32 found and cleaned the infected files on zero day, I guess I expect too much from Avast.
Title: Re: win32:morto.p
Post by: polonus on August 04, 2012, 12:13:03 AM
Hi zebracomputers,

Can you fill us in with the VT link where avast failed detecting Win32/Serpip.b?
Else there is not much to comment on, and sometimes that particular strain of malware can be closed or no longer responding after being active for 3 1/2 hrs or even shorter, and then adding detection could be really "water under the bridge". It is not only what you should expect of a good av solution like avast's, but also what the possibilities are in the real malware theater of an ever-changing malware landscape. It can never be "user demands" and "we will deliver", that is not how it works,

polonus
Title: Re: win32:morto.p
Post by: Left123 on August 04, 2012, 12:16:59 AM
Quote
I have the greatest respect for all the malware removal specialists here, the time they donate etc.
I personally have been removing malware from Windows, Apple and Linux PCs since 1998. (Yes, these other OSes do have threats and exploits that infect them.)
I own a small computer store www.zebracomputers.com (http://www.zebracomputers.com) and we service thousands of customers a year.
Just FYI, Avast is still not able to prevent, or remove this new variant.  Fully a week after the sample was sent in to Avast.  I have a password protected zip file with an infected file in it, if anyone would like me to email it to them to verify my statements.
Eset nod32 found and cleaned the infected files on zero day, I guess I expect too much from Avast.
Good luck with your store. I just found your page on Facebook and "liked" it  ;D . If you need help, feel free to contact me via Facebook or the Avast forums etc.
Title: Re: win32:morto.p
Post by: zebracomputers on August 04, 2012, 12:40:50 AM
@polonus and anyone else that is interested:
I just submitted the infected file to Virustotal, with the following results:
https://www.virustotal.com/file/59daa8b0c29595975f78ea531e2e9acd68d18dff9a27f19cca06c7dcc88fd744/analysis/1344033225/ (https://www.virustotal.com/file/59daa8b0c29595975f78ea531e2e9acd68d18dff9a27f19cca06c7dcc88fd744/analysis/1344033225/)
Title: Re: win32:morto.p
Post by: Pondus on August 04, 2012, 01:37:19 AM
Seems to be new......

First seen by VirusTotal
2012-08-03 22:33:45 UTC ( 1 time, 2 minutter ago )

Sigcheck
publisher................: Adobe Systems Incorporated
product..................: Adobe PDF Broker Process for Internet Explorer
internal name............: AcroBroker.exe
copyright................: Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights reserved.
original name............: AcroBroker.exe
file version.............: 9.0.0.2008061200
description..............: Adobe PDF Broker Process for Internet Explorer

Title: Re: win32:morto.p [SOLVED]
Post by: polonus on August 04, 2012, 01:53:47 AM
Hi Pondus,

Acrobroker.exe is developed by Adobe Systems Incorporated. It's a system and hidden file. Acrobroker.exe is usually located in the %PROGRAM_FILES% sub-folder and its usual size is 279,952 bytes.
Well, here the executable is treated as generally safe: http://www.computer-support.nl/Systeemtaken/taakinfo/21678/AcroBroker.exe/
but then it should be in the C:\Windows\System32 folder. As malicious it is related to spyware. From the VT results I see that avast detects this now as
Win32:Morto-R [Trj]. Well, in that case we have detection. I think this played an important role initially to flag it: Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)  (also flagged in uTorrents). But in this case the executable has been remotely infected by a file-infector that turns the running executable into Win32:Morto-R [Trj] malware. Read a description of the malware here: http://www.infosecurity-magazine.com/view/27277/  (link author = Edgardo Diaz Jr. from Microsoft Malware Protection Center)

polonus
Title: Re: win32:morto.p
Post by: Pondus on August 04, 2012, 01:59:06 AM
Virus:Win32/Morto.A
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Morto.A


So according to the info here, this is a file infector that injects code into valid executables,
so I guess that is why it shows on the VT scan with that Adobe sigcheck?
Title: Re: win32:morto.p
Post by: polonus on August 04, 2012, 02:02:52 AM
Hi zebracomputers,

Can you check this executable against this free software, Agics Hashscan (to see whether the original Acrobroker.exe has been resource-engineered into a Fraudtool by malcreants), and report back the results? Link to download here: http://www.backgroundtask.eu/Software/AHC/Setup.exe
See info on new file-infector that turned this executable into this new malware:
http://www.infosecurity-magazine.com/view/27277/ (link article author = Microsoft Malware Protection Center's Edgardo Diaz Jr. )

polonus
Title: Re: win32:morto.p
Post by: Left123 on August 04, 2012, 02:27:49 AM
Hi all, what also seems interesting is that this variant uses an anti-debugging technique. It tries to detect a debugger via the IsDebuggerPresent function.

[[KERNEL32.dll]]
GetCurrentThreadId, InterlockedIncrement, InterlockedDecrement, SetEvent, MultiByteToWideChar, SizeofResource, LoadResource, FindResourceW, LoadLibraryExW, WideCharToMultiByte, GetFileSize, CreateFileW, GetFileAttributesW, SetEndOfFile, ReadFile, WriteFile, DeleteFileW, GetLongPathNameW, RemoveDirectoryW, CreateDirectoryW, GetModuleHandleW, FindClose, FindFirstFileW, SetFileAttributesW, CopyFileW, FindNextFileW, LocalFree, LocalAlloc, GetProcAddress, lstrlenA, GetTempPathW, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, CreateEventW, CreateThread, Sleep, GetModuleFileNameW, GetUserDefaultLCID, LoadLibraryW, lstrcmpiW, WaitForSingleObject, CloseHandle, FreeLibrary, GetLastError, DeleteCriticalSection, InitializeCriticalSection, RaiseException, SetFilePointer, lstrlenW, GetStartupInfoW, InterlockedCompareExchange, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange, GetSystemTimeAsFileTime, GetFullPathNameW, GetDriveTypeW, SwitchToThread, LeaveCriticalSection, EnterCriticalSection, TlsSetValue, CreateSemaphoreA, TlsAlloc, TlsGetValue, TlsFree
Title: Re: win32:morto.p
Post by: polonus on August 04, 2012, 04:19:47 PM
Found this analysis in the Google cache: http://webcache.googleusercontent.com/search?q=cache:pR_ce8hxPRAJ:xml.ssdsandbox.net/view/98a8d4b8e3ee85b1e045ea9a4b7868f8+Global%5C_PPIftSvc&cd=8&hl=nl&ct=clnk&gl=nl
So a heap file creates scmpreload. The dropper is: _isdel.ini (temp); wmicuclt.exe (created by the worm Morto), which is a self-replicating malicious program
that uses a computer network to send copies of itself to other computers -> Get File Attributes: %SystemRoot%\system32\wmicuclt.exe Flags: (SECURITY_ANONYMOUS). Mutexes:
Quote
Like earlier memory resident viruses, Morto's payload and infection routine is executed in the context of other processes (svchost.exe (here) and/or lsass.exe – the target of process injection). To avoid multiple injections in the same process (or running multiple copies of the virus), a mutex called "Global\_PPIftSvc" is created
Quote taken from the Spykiller, article author = Jeong Wook (Matt) Oh MMPC;
randomized \PIPE\lsarpc executable deleter and setup boot, Open Service Manager - Name: "SCM" used in generic trojans,
UDP connections on port 53 to 8.8.4.4, 208.67.222.12, 205.171.3.65. The IP 205.171.3.65 is also a known IP for a Zlob downloader,

polonus
Title: Re: win32:morto.p
Post by: zebracomputers on August 04, 2012, 11:32:07 PM
Keep in mind that this is just one of approximately 144 infected executables on this system.
This file infector will infect any running process, unless the path includes certain variables, such as Windows, or Outlook etc., as in the documentation.
So to disinfect this one, registry entries and running processes need to be killed/removed, then a scan with something that will detect it. So far AVAST just quarantines the infected files, while Eset will actually move the infected file to quarantine, disinfect it, and leave the original executable in place.
Most of the machines we cleaned up with AVAST had to have the missing executables replaced with clean ones to restore program function.
BTW, the hash tool crashed on my Windows 7 Pro 32 bit machine.  Will try again.
Bottom line, this is a nasty bugger!
Thanks again to all for interest and help.
Title: Re: win32:morto.p
Post by: Left123 on August 05, 2012, 06:37:13 PM
Hi all, this is indeed a file infector, but it's weak, just weak compared to other file infectors we've seen.
Morto is just a "standard" project, packed by UPX etc. Nothing customized, pretty typical.
https://www.virustotal.com/file/25db59c54887b1c74c896c1298188535f15b8f6a2f1a982ee5bad8d4026716c2/analysis/

Section   Virtual address   Virtual size   Raw size   Entropy   MD5
UPX0      4096              49152          0          0.00      d41d8cd98f00b204e9800998ecf8427e
UPX1      53248             24576          23040      7.87      953f4a69dedc3b84917a631dbae840db

Also found packed by Armadillo
https://www.virustotal.com/file/10849e13ccc8d3c958ac408084f47da2f1283b2a0e84458d13893733f797d85f/analysis/
PEiD packer identifier
Armadillo v1.xx - v2.xx
More UPX here :
https://www.virustotal.com/file/f632bb539c9c11f46b90de8cd9a9a805bbfef8b22830340f45825953a5851489/analysis/
Opened mutexes...
Global\_PPIftSvc, confirming our friend Polonus
Also :
TCP connections...
198.40.53.4:80
59.188.25.20:80

UDP communications...
8.8.4.4:53
<MACHINE_DNS_SERVER>:53
208.67.222.123:53

Another sample here, found unpacked:
https://www.virustotal.com/file/042e1c3f189dd281705349b75647138ec87cb05fe3da2496ad4357a16e89c742/analysis/
Note that it uses the function SetWindowsHookEx. Unfortunately, I don't know what parameters are used so I can't tell its purpose; dynamic analysis would help but I am too bored at the moment. In most cases it is used to monitor keyboard, keylogger activities.

205.171.3.65 was not only connected to Zlob, but also Google redirects and possibly TDSS infections.

Regards,
Philip
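The section table Left123 quotes, an empty UPX0 beside a near-random UPX1, is the usual footprint of a UPX-style packer, and it is the same pattern the VT entropy column exposes. As an added example (not code from the thread or from any of the tools it mentions), the Python below parses a PE section table, computes per-section entropy and flags that footprint; the sample image it checks is constructed inline with the thread's UPX0/UPX1 layout, not a real binary, and the function names are my own.

```python
import struct
from collections import Counter
from math import log2

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * log2(c / n) for c in Counter(data).values())

def pe_sections(pe: bytes):
    """Parse a PE image's section table into (name, virtual_size, raw_size, entropy) tuples."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)[:5]
        raw = pe[rptr:rptr + rsize] if rsize else b""
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, round(shannon_entropy(raw), 2)))
    return out

def packer_indicators(sections, entropy_threshold=7.0):
    """Flag the UPX-style footprint: a sizeable section with no raw data (the unpacking
    destination) next to a section whose bytes are near-random (the compressed payload)."""
    findings = []
    for name, vsize, rsize, ent in sections:
        if rsize == 0 and vsize > 0:
            findings.append(f"{name}: {vsize} virtual bytes but no raw data (unpacking destination)")
        elif ent >= entropy_threshold:
            findings.append(f"{name}: entropy {ent} (compressed or encrypted payload)")
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX section name")
    return findings

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with the UPX0/UPX1 layout quoted in the thread; not a real binary."""
    e_lfanew, opt_size = 0x40, 0xE0                       # PE32 optional header size
    payload = bytes(range(256)) * 90                      # 23040 uniform bytes -> entropy 8.0
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * 2
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                  # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    upx0 = struct.pack(SECTION_FMT, b"UPX0", 49152, 4096, 0, 0, 0, 0, 0, 0, 0xE0000080)
    upx1 = struct.pack(SECTION_FMT, b"UPX1", 24576, 53248, len(payload), raw_ptr, 0, 0, 0, 0, 0xE0000040)
    headers = dos + b"PE\0\0" + coff + b"\0" * opt_size + upx0 + upx1
    return headers.ljust(raw_ptr, b"\0") + payload
```

Run `packer_indicators(pe_sections(open(path, "rb").read()))` on a real file to get the same findings; the threshold of 7.0 bits is a triage heuristic, not proof of packing, since encrypted resources and compressed media also score high.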
Title: Re: win32:morto.p
Post by: polonus on August 05, 2012, 09:14:29 PM
Hi Left123,

This tool might come in handy to cleanse this file infector: http://support.kaspersky.com/viruses/solutions?qid=208287055
This is a special utility for curing an active Worm.Win32.Fipp.a infection.

Good I found this analysis via Google cache: http://webcache.googleusercontent.com/search?q=cache:t12riY-TPI4J:xml.ssdsandbox.net/view/2abea6b604122425c7fb17a5ef92a660+2abea6b604122425c7fb17a5ef92a660&cd=2&hl=nl&ct=clnk&gl=nl
 
After visiting the site, the script modified our PIPE\lsarpc Windows file and created a Mutex for itself.
The file rasacd.sys is a device driver. It is included as part of the standard Windows file set from Microsoft.
While infecting host system: When the malware runs for the first time, it searches for %system32%\wmicuclt.exe and %system32%\wscript.exe..
Host IP address: 59.188.25.20
And through this analysis and that IP, Left123, we will land here: http://minotauranalysis.com/search.aspx?q=7ee000408df8594c0c3f1293125dadf5
OK, quod erat demonstrandum... malware family characteristics of:
Win32/Morto
TR/Dropper.Gen
Win32:Morto-R [Trj]
Win32/Serpip
Win32.Morto.A
W32.Fipp.A
W32.Virus.Morto
Heur.Suspicious
Win32.Morto.1
W32/Morto.H.gen!Eldorado
Virus.Win32.Heur
Worm.Win32.Fipp.a
W32/Pift
Heuristic.LooksLike.Win32.SuspiciousPE.F
Virus:Win32/Morto.A
W32/Morto.SPZ
W32/Morto.D
Win32.Cisig.a
W32/Fipp-A
W32.Morto.B
PE_MUSTAN.A
BScope.Trojan.SvcHorse.01643
Win32.Fipp.A
Virus.Win32.Heur!IK
Virus
Virus.Win32.Morto.a (v)

pol