Avast WEBforum

Other => Viruses and worms => Topic started by: sanctuary24 on November 07, 2007, 09:38:32 PM

Title: w32.dumaru.ab help URGENT
Post by: sanctuary24 on November 07, 2007, 09:38:32 PM
My firewall blocked an attempt on port 10000, saying that it could be w32.dumaru.ab, so I went to check it out at symantec.co.uk and the explanation page was infected with it, as Avast warned me to abort connection. What's going on? Is Symantec's website infected or something?????
Title: Re: w32.dumaru.ad help URGENT
Post by: Lisandro on November 07, 2007, 10:01:38 PM
Seems a false positive...
Title: Re: w32.dumaru.ad help URGENT
Post by: sanctuary24 on November 07, 2007, 10:04:22 PM
www.symantec.com/security_response/ writeup.jsp?docid=2004-020314-4015-99 this is the exact web address. DON'T CLICK. Can someone check this specific page with a scanner please? (I have put a space in it so it won't be accidentally clicked; the space should be removed after security_response/)

How do I get Avast to check if it's a false positive?
Title: Re: w32.dumaru.ad help URGENT
Post by: Lisandro on November 07, 2007, 10:10:35 PM
It turned back clean with Dr. Web again...
Title: Re: w32.dumaru.ad help URGENT
Post by: sanctuary24 on November 07, 2007, 10:13:02 PM
Can someone from the Alwil team please look into this as my Firewall picked up an attack on port 10000 which is what this virus uses.

How do I get someone from Alwil to check this out, do I e-mail them?

P.S. How do you get that Dr. Web to work? When I try, it says busy, file too big, etc.
Title: Re: w32.dumaru.ad help URGENT
Post by: DavidR on November 07, 2007, 10:29:43 PM
Did your firewall not go to the length of saying what file name it was that was trying to connect?

It may be a false positive on the Symantec site, but you would have to check the detection by the firewall outbound check.

It is possible there is some information about the infection that matches an avast signature but that is speculation.

The actual writeup.jsp proved clean when downloaded and scanned by avast; VT shows 0/32 on writeup.jsp.

DrWeb shows clean on the URL link for Technical Details tab which is what avast is alerting on.

I have sent a FP email so we will have to see if they pick it up.
Title: Re: w32.dumaru.ad help URGENT
Post by: DavidR on November 08, 2007, 12:03:51 AM
Hi guys,

Just got a response and this FP is sorted.

Quote
Hello,
this false alarm was repaired by VPS update 071107-7
Best regards Cernik

I assume the -7 is a typo, as the latest VPS is 071107-0; this VPS update corrects the FP, having just visited the Technical Details tab with no alarm.
Title: Re: w32.dumaru.ab help URGENT
Post by: sanctuary24 on November 08, 2007, 02:24:14 PM
So it was a false positive. If that's the case, I rest easy.
One other thing: how come my firewall blocked the port that this virus uses, yet at another time it was appearing like a virus got through? Is it something like it piggybacked a ride on a file, and the other time it tried to force itself in?
Title: Re: w32.dumaru.ab help URGENT
Post by: DavidR on November 08, 2007, 02:37:28 PM
You will have to check your firewall logs for that, but what was detected by the web shield will have been using port 80 and not 10,000 (no indication if that was a local or external port); that element, if present, wouldn't have been intercepted by the web shield.