Avast WEBforum

Other => Viruses and worms => Topic started by: Lisandro on July 18, 2005, 03:28:09 AM

Title: avast! miss(ed) some malware. VPS updated.
Post by: Lisandro on July 18, 2005, 03:28:09 AM
Some malware detected by AVG (Free, 7.10.321, 267.9.0/50) and Ewido Security Suite (Free, 3.5, #1333) but missed by avast! (Professional, 4.6.691, 0528-6)

Registry key: HKLM\SOFTWARE\Classes\CLSID\{FF8DA190-3574-11D4-8068-0060082AE372}
Malware: Spyware.BingoFun

Registry key: HKU\S-1-5-21-1417001333-796845957-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}
Malware: Spyware.NavExcel

File: \ToolbarCop 2.5.exe
Malware: Heuristic.Win32.Hijacker1

File: \MyCorkboard Screen Saver 1.00.99.exe/F0000014.DAT
Malware: TrojanDownloader.Small.Go

File: C:\WINDOWS\system32\Kaccjdmp.exe
Malware: Backdoor.Padodor.az

File: C:\WINDOWS\system32\Kaccjdmp.exe
Malware: Backdoor.Padodor.az

File: C:\WINDOWS\system32\Kaccjdmp.exe
Malware: Trojan horse  BackDoor.Generic.GAX

File: C:\WINDOWS\system32\Noflpjbp.dll
Malware: Trojan horse  BackDoor.Generic.GGC

File: C:\WINDOWS\system32\taras.exe
Malware: TrojanDownloader.Agent.ho

File: C:\WINDOWS\system32\sysinst54.exe
Malware: TrojanDownloader.Small.bcu

File: C:\WINDOWS\system32\sysinit32z.exe
Malware: TrojanDownloader.Small.bcv

File: C:\WINDOWS\system32\sys5622.exe
Malware: TrojanDownloader.Small.bct

File: C:\WINDOWS\system32\sys5620.exe
Malware: TrojanDownloader.Small.bct

File: C:\WINDOWS\system32\sys5350.exe
Malware: TrojanDownloader.Small.bcu

Other infected files created in C:\Documents and Settings\ ... \Local Configurations\Temp\
bszd5358.tmp; bszd5631.tmp; bszd7764.tmp

Samples sent to Alwil  :-\
Title: Re: avast! miss some malware
Post by: Lisandro on July 18, 2005, 03:28:44 AM
Otherwise:
False positive of Ewido: \RejZoR's AdBlock Filter.zip/RejZoR's AdBlock Filter/RejZoR's AdBlock Filter.zip/RejZoR's AdBlock Filter.txt

Sorry RejZor  :'(
Title: Re: avast! miss some malware
Post by: Lisandro on July 18, 2005, 03:39:15 AM
Malware creates tons of infected files... avast! did not detect them (on-demand scanning did not detect them either)  :'(
The files replicate (about 2000 in different folders). In fact, a terrible infection  :P
List on the attached file because it's too big for here.
Title: Re: avast! miss some malware
Post by: RejZoR on July 18, 2005, 07:56:29 AM
Thanks for the warning, Tech; I notified the Ewido guys and I'm now waiting for them to fix the stuff.

Tech, can you tell me the detection name Ewido gives my AdBlock filter list?
Title: Re: avast! miss some malware
Post by: RejZoR on July 18, 2005, 01:48:09 PM
Ewido guys said that my latest filterlist isn't detected. Are you using the latest list or not?
Title: Re: avast! miss some malware
Post by: Lisandro on July 18, 2005, 03:34:51 PM
Ewido guys said that my latest filterlist isn't detected. Are you using the latest list or not?
For sure... I'll try again, but not now, because I'm leaving on a work trip.
Just to note here:

Worst of all: avast! detects nothing!
Cleaning was only possible with AVG in Safe Mode!  :P
AVG did not miss any sample and AVG did not have any false positive. Perfect in this case.
Title: Re: avast! miss some malware
Post by: RejZoR on July 18, 2005, 03:40:34 PM
Yeah, I'm also worried about avast! a bit :-\ They add submitted samples way too slowly unless they are really urgent.
Title: Re: avast! miss some malware
Post by: Lisandro on July 24, 2005, 10:43:02 PM
Yeah, I'm also worried about avast! a bit :-\ They add submitted samples way too slowly unless they are really urgent.
You're worried? I'm terrified  :o :o
After one week nothing has changed: none of the files (samples) sent to Alwil were added to the VPS database!  :'( :-\ :(
What's that? Is this the normal response time? I'm terrified, really; the samples are detected by NAV, AVG and Trojan Hunter, among others...

By the way, the secure Microsoft Antispyware did not detect them the first time either... So why waste system resources on resident scanners that do not detect anything?  :(


Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 13 selected file(s) in the Chest

...

No viruses found!  :P :'(
Title: Re: avast! miss some malware
Post by: Starfighter on July 30, 2005, 08:52:38 AM
Just curious Tech -- did you first suspect something was wrong with your computer (suspected malware) so you first scanned it with avast!, it found nothing, so then you uninstalled it and then installed AVG to see if it could detect problems? 

What a nightmare!  I trust it's all sorted out for you now.    8)
Title: Re: avast! miss some malware
Post by: DavidR on July 30, 2005, 03:14:24 PM
@ Tech
Are you still browsing using an account with administrator privileges? If so, this also gives admin privileges to the virus and allows virtually unrestricted functionality: creation/editing/deletion of files in the system folders, creating registry keys, etc.

Browsing (email, etc.) with restricted permissions should reduce the impact of this first-day/undetected virus scenario.

Security Tips & Tricks - DropMyRights (http://forum.avast.com/index.php?topic=7204.msg128315#msg128315)
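DropMyRights, linked above, launches a program under a SAFER-restricted token so that a drive-by download inherits no administrator rights. The script below is an added example, not part of DavidR's post or of DropMyRights itself: it does the same thing with the built-in runas /trustlevel switch (which uses the same SAFER levels; 0x20000 is "Basic User"), and then checks from inside the restricted process that BUILTIN\Administrators has been turned into a deny-only group. It assumes whoami.exe is available (built in from Vista on; on XP it ships with the Support Tools), that %TEMP% contains no spaces (otherwise quote the redirection target), and that the browser path is correct for the machine.

```powershell
# Added example: run a program the way DropMyRights does, using only built-in tools.
# Lists the SAFER levels this machine knows (0x20000 = Basic User, 0x40000 = Normal User).
runas /showtrustlevels

# Run whoami inside a Basic User token and capture its group list to a CSV file.
# %TEMP% is expanded by the child cmd.exe, which inherits this session's environment.
$out = Join-Path $env:TEMP 'basicuser-groups.csv'
runas /trustlevel:0x20000 "cmd /c whoami /groups /fo csv > %TEMP%\basicuser-groups.csv"
Start-Sleep -Seconds 3    # runas returns before the child process has finished writing

# In a correctly restricted token BUILTIN\Administrators is marked "Group used for deny only",
# so the browser (and anything it downloads and runs) cannot write to system32 or HKLM.
$admins = Import-Csv $out | Where-Object { $_.'Group Name' -eq 'BUILTIN\Administrators' }
if ($admins -and $admins.Attributes -match 'deny only') {
    Write-Output 'OK: Administrators is deny-only; safe to browse from this token'
    # Browser path is an assumption; replace it with your own.
    runas /trustlevel:0x20000 "C:\Program Files\Internet Explorer\iexplore.exe"
} elseif ($admins) {
    Write-Output 'Administrators is still enabled: the restriction did not apply'
} else {
    Write-Output 'This account is not an administrator; there are no rights to drop'
}
```

The check matters because a restricted token only helps if the launcher really applied it: a shortcut that was edited by hand, or a browser already running with full rights that merely opens a new window, keeps the original token, and the CSV would then show Administrators as "Mandatory group, Enabled".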
Title: Re: avast! miss some malware
Post by: RejZoR on July 30, 2005, 03:42:40 PM
Layered defense, limited user accounts and other crap are not something that I would take as an excuse for slow adding of samples...
Title: Re: avast! miss some malware
Post by: Lisandro on July 30, 2005, 03:48:26 PM
Just curious Tech -- did you first suspect something was wrong with your computer (suspected malware) so you first scanned it with avast!, it found nothing, so then you uninstalled it and then installed AVG to see if it could detect problems?  What a nightmare!  I trust it's all sorted out for you now.    8)
I was browsing. One stupid click and a Trojan was downloaded and installed. avast! can't recognize it; it does not have signatures for it. So no provider did anything to protect me. Microsoft Antispyware failed miserably too. The firewall did not alert me until the next boot, but the virus used some kind of 'workaround' to get access to the Internet. I think it's the same procedure that some anti-piracy features use: they use the HTTP protocol of the browser and bypass the firewall. I can't understand it, as the firewall should have alerted me that a program was being called by another one. But, you know, this is a virus and they make it that way.

Less than one minute after a 'freeze', I got a BSOD. I think this was the virus's strategy to avoid being detected and force the user to reboot.
Next boot: infection, nightmares and so on.
I booted in Safe Mode and used on-line scanning. All scans confirmed the infection, except avast!
Ran AVG to move the infected files to a USB drive. Got clean. Confirmed with on-line scanning.
Booted. Tested the USB drive with avast! on-demand scanning. Nothing was detected.  :'(

@ Tech
Are you still browsing using an account with administrator privileges? If so, this also gives admin privileges to the virus and allows virtually unrestricted functionality: creation/editing/deletion of files in the system folders, creating registry keys, etc.
I'm now using DropMyRights with ease... (well, right now, I'm on Linux  ;D).
I wish I had listened to your advice before... It's doing its job perfectly: Browsing (email, etc.) with restricted permissions should reduce the impact of this first-day/undetected virus scenario.
Title: Re: avast! miss some malware
Post by: Lisandro on July 30, 2005, 03:49:07 PM
Layered defense, limited user accounts and other crap are not something that I would take as an excuse for slow adding of samples...
That's what I'm trying to say...  :'(
Title: Re: avast! miss some malware
Post by: DavidR on July 30, 2005, 04:06:15 PM
It is not an excuse for slow adding of samples, rather a means of protecting people from the damage that can be done before you even get a sample to send.

There is nowhere in my post that I offered this up as some form of excuse; it was more to reduce the chance of what happened to Tech ("The files replicate (about 2000 in different folders). In fact, a terrible infection") happening to others. An ounce of prevention is better than a pound of treatment.
Title: Re: avast! miss some malware
Post by: TAP on July 31, 2005, 04:02:05 AM
One stupid click and a Trojan was downloaded and installed. avast! can't recognize it; it does not have signatures for it. So no provider did anything to protect me. Microsoft Antispyware failed miserably too. The firewall did not alert me until the next boot, but the virus used some kind of 'workaround' to get access to the Internet. I think it's the same procedure that some anti-piracy features use: they use the HTTP protocol of the browser and bypass the firewall. I can't understand it, as the firewall should have alerted me that a program was being called by another one. But, you know, this is a virus and they make it that way.

Hi Tech,

If you had a so-called "Host Intrusion Prevention System/Behavior Blocking" installed on your computer, this nightmare infection should not have happened, I think.

Behavior Blocking doesn't rely on signatures in order to stop malware; on the contrary, it analyzes/stops the general behavior of all applications (including malware). I've used the Behavior Blocking featured in Kerio Personal Firewall and it has saved me several times when avast! and other security apps failed to do their job.

When malware is downloaded to disk and wants to run, Kerio blocks it and asks me. When malware wants to start or launch other apps (e.g. IE) to do something, Kerio blocks it and asks me. You have full control over any apps (including malware) installed on your computer.

Kerio has no Host Intrusion Prevention System/Behavior Blocking as advanced as Prevx's, but it can be the last line of a layered defence for you.

Title: Re: avast! miss some malware
Post by: essexboy on July 31, 2005, 01:57:39 PM
ZAPro now has a similar system in V6 whereby a programme has to be allowed rights to change or add to the registry, add to startup, run other programmes or change other programmes. At first run a popup appears asking to allow or deny the action. A bit annoying when you update video drivers, install programmes or update programmes which you have restricted to running only, but a good level of protection that should stop spawning trojans, unless you have given it permission first, which hopefully you wouldn't. Any questions? Just ask.
Title: Re: avast! miss some malware
Post by: Lisandro on July 31, 2005, 03:46:49 PM
If you had a so-called "Host Intrusion Prevention System/Behavior Blocking" installed on your computer, this nightmare infection should not have happened, I think. Kerio has no Host Intrusion Prevention System/Behavior Blocking as advanced as Prevx's, but it can be the last line of a layered defence for you.
Yes, I know... But PrevX cannot be used on a system with a local proxy (it is not prepared to update through a proxy, etc.)
PrevX brought a lot of problems on some systems of mine. I need less intrusive protection software.

But what I want is for avast! to have better detection... and I'm not being listened to by the Alwil team  :'(
Title: Re: avast! miss some malware
Post by: essexboy on July 31, 2005, 06:00:30 PM
If you had a so-called "Host Intrusion Prevention System/Behavior Blocking" installed on your computer, this nightmare infection should not have happened, I think. Kerio has no Host Intrusion Prevention System/Behavior Blocking as advanced as Prevx's, but it can be the last line of a layered defence for you.
Yes, I know... But PrevX cannot be used on a system with a local proxy (it is not prepared to update through a proxy, etc.)
PrevX brought a lot of problems on some systems of mine. I need less intrusive protection software.

But what I want is for avast! to have better detection... and I'm not being listened to by the Alwil team :'(

ZAPro6 takes over from PrevX and as far as I know it will work through a proxy
Title: Re: avast! miss some malware
Post by: Lisandro on August 01, 2005, 03:50:14 AM
ZAPro6 takes over from PrevX and as far as I know it will work through a proxy
Sure... ZA (pro and free) works very well through a proxy.
PrevX works but does not update through a local proxy  :P
Title: Re: avast! miss some malware
Post by: Lisandro on August 03, 2005, 03:30:17 AM
Bump!  :(
I won't give up on having a better avast! I'm not complaining, but I'm not joking either  :'(
Title: Re: avast! miss some malware
Post by: polonus on August 03, 2005, 08:56:41 AM
Hi Tech,

Well, this week brought us two updates. The best for updates is the KAV 5.0 machine (Kaspersky, 1-hour updates), but Dr. Web is a good second (2-hour updates); that's why I installed the AV browser plug-in from Dr. Web to have a bit of extra scanning of the links I like to open (html OK, script OK, javascript OK, all checked on the Global Update Server of Dr. Web). I have the advantages of this minus the disadvantages of a heuristic AV product on my machine.

greets,

polonus
Title: Re: avast! miss some malware
Post by: Lisandro on August 03, 2005, 02:01:00 PM
AV browser plug-in from Dr. Web to have a bit of extra in scanning the links I like to open (html OK, script OK javascript OK all checked on the Global Update Server of Dr. Web).
Working very well and doing its job. It could scan 'suspicious' downloads.

VPS is updated and malware detected now.

Virus has been detected!
File Name: sysinit32z.exe
FileID: 311
Virus Description: Win32:Trojano-1864 [Trj]

Virus has been detected!
File Name: sysinst54.exe
FileID: 312
Virus Description: Win32:Trojano-1866 [Trj]

Virus has been detected!
File Name: taras.exe
FileID: 313
Virus Description: Win32:Trojano-1865 [Trj]

Virus has been detected!
File Name: sys2431.exe
FileID: 314
Virus Description: Win32:Trojano-1867 [Trj]

Virus has been detected!
File Name: sys240.exe
FileID: 315
Virus Description: Win32:Trojano-1867 [Trj]

Virus has been detected!
File Name: sys5620.exe
FileID: 324
Virus Description: Win32:Trojano-1867 [Trj]

Virus has been detected!
File Name: sys5622.exe
FileID: 325
Virus Description: Win32:Trojano-1867 [Trj]
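The two reports in this thread (the AVG/Ewido "File:/Malware:" list in the first post and the avast! chest-scan records above) name the same samples differently, and the first list even has one entry with its two fields transposed. The script below is an added example, not something from the forum or from either vendor: it parses both formats, repairs the transposed entry when a path has landed in the wrong field, matches objects across engines by basename (the avast! output shows basenames only) and reports which samples only one engine detected. The embedded reports are constructed excerpts of the two posts, not the full lists.

```python
import re
from collections import namedtuple

# Constructed excerpts of the two reports quoted in this thread.
AVG_REPORT = r"""
Registry key: HKLM\SOFTWARE\Classes\CLSID\{FF8DA190-3574-11D4-8068-0060082AE372}
Malware: Spyware.BingoFun

File: \MyCorkboard Screen Saver 1.00.99.exe/F0000014.DAT
Malware: TrojanDownloader.Small.Go

File: C:\WINDOWS\system32\Kaccjdmp.exe
Malware: Backdoor.Padodor.az

File: TrojanDownloader.Agent.ho
Malware: C:\WINDOWS\system32\taras.exe

File: C:\WINDOWS\system32\sysinst54.exe
Malware: TrojanDownloader.Small.bcu

File: C:\WINDOWS\system32\sys5622.exe
Malware: TrojanDownloader.Small.bct
"""

AVAST_REPORT = """
Virus has been detected!
File Name: sysinst54.exe
FileID: 312
Virus Description: Win32:Trojano-1866 [Trj]

Virus has been detected!
File Name: taras.exe
FileID: 313
Virus Description: Win32:Trojano-1865 [Trj]

Virus has been detected!
File Name: sys5622.exe
FileID: 325
Virus Description: Win32:Trojano-1867 [Trj]
"""

Hit = namedtuple("Hit", "kind target name")

# A Windows path (drive-rooted or root-relative) or a registry hive prefix.
_PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\|^HK(?:LM|CU|U|CR)\\", re.IGNORECASE)


def looks_like_path(value):
    return bool(_PATH_RE.search(value))


def normalize(kind, target):
    """Key used to match the same object across engines: the full key for registry
    entries, the lowercase basename for files (avast! only reports basenames)."""
    if kind == "Registry key":
        return target.lower()
    return re.split(r"[\\/]", target)[-1].strip().lower()


def parse_avg(text):
    """Parse 'File:'/'Registry key:' + 'Malware:' pairs into {key: Hit}."""
    hits = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        kind = "Registry key" if "Registry key" in fields else "File"
        target, name = fields.get(kind), fields.get("Malware")
        if target is None or name is None:
            continue
        # The thread's taras.exe entry has the two fields transposed; repair it
        # whenever the path sits in the wrong field.
        if kind == "File" and not looks_like_path(target) and looks_like_path(name):
            target, name = name, target
        hits[normalize(kind, target)] = Hit(kind, target, name)
    return hits


_AVAST_RE = re.compile(r"File Name: (.+)\nFileID: (\d+)\nVirus Description: (.+)")


def parse_avast(text):
    """Parse avast! chest-scan records into {key: Hit}."""
    return {
        normalize("File", m.group(1)): Hit("File", m.group(1).strip(), m.group(3).strip())
        for m in _AVAST_RE.finditer(text)
    }


def correlate(first, second):
    """Return (agreed, only_first, only_second): both engines' names for each object
    they both flagged, plus the objects each engine reported on its own."""
    shared = first.keys() & second.keys()
    agreed = {k: (first[k].name, second[k].name) for k in sorted(shared)}
    return agreed, sorted(first.keys() - second.keys()), sorted(second.keys() - first.keys())


if __name__ == "__main__":
    avg, avast = parse_avg(AVG_REPORT), parse_avast(AVAST_REPORT)
    agreed, only_avg, only_avast = correlate(avg, avast)
    for key, (a, b) in agreed.items():
        print(f"{key}: AVG={a}  avast!={b}")
    print("still reported by AVG only:", only_avg)
```

Matching on basenames is deliberately loose: it is what the avast! output allows, and it is enough to answer the question the thread asks (which of the submitted samples now have signatures). For a real triage you would key on file hashes instead, since two unrelated files can share a name like sysinit32z.exe.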
Title: Re: avast! miss(ed) some malware. VPS updated.
Post by: RejZoR on August 04, 2005, 11:39:49 AM
But it took very long to add them. I understand they have vacations, but VPS updates are top priority for any antivirus. Especially for those that don't have any pro-active protection (not that this would be a reason not to update defs, but there's a smaller chance of getting infected anyway). As Vlk mentioned in Tech's other thread about improving malware submission, processing and adding to the VPS, I hope this will really be improved :)
Title: Re: avast! miss(ed) some malware. VPS updated.
Post by: lukor on August 04, 2005, 01:13:24 PM
But it took very long to add them. I understand they have vacations, but VPS updates are top priority for any antivirus. Especially for those that don't have any pro-active protection (not that this would be a reason not to update defs, but there's a smaller chance of getting infected anyway). As Vlk mentioned in Tech's other thread about improving malware submission, processing and adding to the VPS, I hope this will really be improved :)

Hmm, I'm not in the virus team, but I am sure they have added many signatures in each VPS update. What I am also sure of is that Karel and Vlada have many yet unanalyzed samples. Perhaps you would like to place submitted samples at the top of the list? What if something more dangerous appears? Should those be postponed too?
Title: Re: avast! miss(ed) some malware. VPS updated.
Post by: Eddy on August 04, 2005, 01:19:30 PM
I'm sure that Karel and Vlada are doing their best. Normally updates do contain a lot of new things, but since there are many unanalyzed samples.... Shouldn't there be a 3rd person on the job? Perhaps just to make a preselection from the mails with FPs and 'real' samples?
Title: Re: avast! miss(ed) some malware. VPS updated.
Post by: Lisandro on August 04, 2005, 01:45:50 PM
Shouldn't there be a 3rd person on the job? Perhaps just to make a preselection from the mails with fp's and 'real' samples?
I make Eddy's words mine... Maybe RejZoR could have a new job  ;)
Title: Re: avast! miss(ed) some malware. VPS updated.
Post by: TAP on August 04, 2005, 03:23:07 PM
No offense, so please pardon me.

Sometimes I really have doubts about the way ALWIL does things.

As we know, many AV companies have been improving their product capabilities like crazy; some have hourly/daily updates and some have so-called heuristic detection, and they make these improvements a BIG marketing point.

Ask NOD32's users and they will tell us their beloved AV has better heuristics than other AVs; ask Kaspersky's users and they will tell us their beloved AV has hourly updates and better overall detection rates than other AVs.

Meanwhile avast! seems to ignore improving its detection rates, update scheme and proactive detection, even though these are the most important aspects of antivirus software, nothing more than detecting viruses/malware as soon as possible. So this seems to make avast! an underrated AV with no unique marketing point when compared to others.

What I really wonder is whether what the other AVs do is nothing but marketing hype, or whether it is really needed.

Title: Re: avast! miss(ed) some malware. VPS updated.
Post by: DavidR on August 04, 2005, 03:55:41 PM
@TAP
No offence, but if you are so dissatisfied with avast's VPS updates and lack of heuristics (other than in the mail scanner) why are you still here?

avast's VPS update frequency is better than many AVs': auto update checks for an update every time I connect to the internet (dial-up) or every 4 hours if you remain connected, and if there is an update available you get it. That has got to be better than any artificial hourly/two-hourly/four-hourly/daily (and, much worse, weekly) update.
Title: Re: avast! miss(ed) some malware. VPS updated.
Post by: TAP on August 04, 2005, 04:44:54 PM
@TAP
No offence, but if you are so dissatisfied with avast's VPS updates and lack of heuristics (other than in the mail scanner) why are you still here?

No, I'm completely satisfied with avast! and I think even avast! Home is better than some commercial AVs. But I'm just curious; I really wonder whether what some other AVs do now (e.g. updates/heuristics with almost every breath their users take) is nothing but marketing hype, or whether it is really needed.
Title: Re: avast! miss(ed) some malware. VPS updated.
Post by: Lisandro on August 04, 2005, 08:50:32 PM
No, I'm completely satisfied with avast!
As it was my first desire at this thread, we always want avast! better and better...