Avast WEBforum

Other => Viruses and worms => Topic started by: Lisandro on May 23, 2004, 04:01:23 AM

Title: Blood-418
Post by: Lisandro on May 23, 2004, 04:01:23 AM
This virus is only detected by the following command:

"C:\Arquivos de programas\Avast\ashQuick.exe" "*MEMORY" "*MEMORY-SHORT" "*STARTUP"

It's not detected by the splash screen scan, nor by avast itself (even at High Sensitivity, scanning archives and so on...)

What the hell is this? :(
Title: Re:Blood-418
Post by: Lisandro on May 23, 2004, 04:11:30 AM
Screen shot  :P
Title: Re:Blood-418
Post by: SpeedyPC on May 23, 2004, 08:25:57 AM
I am getting very worried too and I am getting the same problem, and this is my first time catching a virus on my HD; I never had a virus for 4 years straight. SHIT!

When I run Avast 4 Home and do a full thorough scan with the archive file tick turned on, scanning both drives C and D, no virus is found.

Then I went to Windows Explorer and did a manual quick scan, highlighting the C drive, and suddenly the quick scan picked up a Blood virus, the same problem as Technical.

Question: how come the manual quick scan from Windows Explorer has picked up a virus, and the Avast 4 Home Anti-Virus software running a full thorough scan didn't pick it up?

Otherwise I am smelling a bug under my very own nose using the latest version; please advise.

I have set all my protection settings to High using Avast 4 Home, but I don't have the Pro version for Script Blocking.
Title: Re:Blood-418
Post by: RejZoR on May 23, 2004, 09:22:09 AM
Hm, I went to the Virus List page (you can find it on my page) and I got this result for Blood-418:
http://www.viruslist.com/eng/viruslist.html?id=316

I think this is the point on which Alwil guys should help...
Title: Re:Blood-418
Post by: Lisandro on May 23, 2004, 04:28:58 PM
Thanks RejZoR:

Blood.418
It is a non-memory-resident, not dangerous virus. The .COM files of the current directory get infected when the virus starts. The virus from time to time types: "File infected by BLOOD VIRUS version 1.20".

But in my case I have a 'memory block' infected... I cannot map which file is related to (infected by) it... Besides this, there is what SpeedyPC said  :'(
Title: Re:Blood-418
Post by: whocares on May 23, 2004, 05:00:43 PM
Hi,

I also get this with the above ashquick options..

My guess is that this is a false alarm.. maybe avast stumbles over its own sigs in memory?

But the Alwil team should comment on this or, better, rectify it ;)
Title: Re:Blood-418
Post by: Lisandro on May 23, 2004, 05:29:56 PM
Hi,

I also get this with the above ashquick options..

My guess is that this is a false alarm.. maybe avast stumbles over its own sigs in memory?

But the Alwil team should comment on this or, better, rectify it ;)

Thanks for posting whocares...
I read your thread (http://forum.avast.com/index.php?board=2;action=display;threadid=4679) but I cannot see a solution for the deactivation of avast  :'(
Title: Re:Blood-418
Post by: igor on May 24, 2004, 10:03:54 AM
avast! certainly doesn't find its signatures in memory because the decrypted signatures are never present there (you can check what this process 552 is in Task Manager).
Anyway, it's probably just a false alarm. We'll try to do something about it.
Title: Re:Blood-418
Post by: Lisandro on May 24, 2004, 01:47:44 PM
Igor, on second thought, the process is:
BDSS.EXE
2024 (no longer 552)
C:\Program files\Common files\Softwin\BitDefender Scan Server\bdss.exe

So, it's BitDefender (backup scanner)  :-\
Title: Re:Blood-418
Post by: igor on May 24, 2004, 01:56:21 PM
Oh... in that case, maybe avast! found BitDefender's virus signatures in memory?
Title: Re:Blood-418
Post by: Lisandro on May 24, 2004, 02:00:22 PM
Oh... in that case, maybe avast! found BitDefender's virus signatures in memory?

Maybe, how can I be sure?
On-line scanning (trendmicro), on-demand and on-access scanning of avast do not detect it...  ::)
Title: Re:Blood-418
Post by: Lisandro on May 24, 2004, 02:04:29 PM
Igor, does this help?

Process: BDSS.EXE Pid: 2024

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
File   C:\WINDOWS\Temp\tmp00000802\tmp00000000
File   \Device\NamedPipe\net\NtControlPipe20
File   \Device\NamedPipe\svcctl
File   C:\WINDOWS\system32\
Key   HKLM
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0013
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0014
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0015
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0016
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0017
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0018
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0019
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0020
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0021
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0022
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0023
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0024
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0025
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0026
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0027
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0028
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0029
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0030
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0031
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0032
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0033
Mutant   \BaseNamedObjects\XCOMM_ANONYMOUS_COUNT
Mutant   \BaseNamedObjects\XCOMM_CONNECTION_MUTEX_00065536
Mutant   \BaseNamedObjects\AVXSS-CSEC
Mutant   \BaseNamedObjects\AVXSS-CSEC3
Mutant   \BaseNamedObjects\AVXSS-CSEC2
Mutant   \BaseNamedObjects\AVXSS-CSEC1
Mutant   \BaseNamedObjects\AVXSS-CSEC0
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0000
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0001
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0002
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0003
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0004
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0005
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0006
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0007
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0008
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0009
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0010
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0011
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0012
Section   \BaseNamedObjects\AVXCommunicator
Semaphore \BaseNamedObjects\XCOMM_EMPTY_QUEUE_SEM_0012
...
Semaphore \BaseNamedObjects\XCOMM_EMPTY_QUEUE_SEM_0033
Semaphore \BaseNamedObjects\XCOMM_FULL_QUEUE_SEM_0033
Semaphore \BaseNamedObjects\AVXSS-GETSEM
Semaphore \BaseNamedObjects\AVXSS-PUTSEM
Semaphore \BaseNamedObjects\XCOMM_EMPTY_QUEUE_SEM_0000
...
Semaphore \BaseNamedObjects\XCOMM_FULL_QUEUE_SEM_0011
Thread   BDSS.EXE(2024): 444
Thread   BDSS.EXE(2024): 436
Thread   BDSS.EXE(2024): 456
Thread   BDSS.EXE(2024): 496
Thread   BDSS.EXE(2024): 2028
Thread   BDSS.EXE(2024): 152
WindowStation   \Windows\WindowStations\Service-0x0-3e7$
WindowStation   \Windows\WindowStations\Service-0x0-3e7$
Title: Re:Blood-418
Post by: igor on May 24, 2004, 02:06:05 PM
I am afraid it doesn't.
We would simply have to know what is inside the memory block where avast! detects the virus.
Title: Re:Blood-418
Post by: Lisandro on May 24, 2004, 02:08:09 PM
Can you test it, installing BitDefender 7.0 Free?
Is there any way to search into the memory blocks and see what is there at that time?
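The two technical points in this thread are igor's remark that avast! cannot trip over its own signatures because the decrypted patterns are never resident in memory, and his later request to know what is actually inside the memory block that produced the hit. The following Python simulation, added here as an illustration and not code from avast!, BitDefender or anyone in the thread, contrasts a scanner that keeps raw signature bytes in RAM with one that keeps only a length and SHA-256 digest per signature, and shows why the first design alerts on its own process image and why either design alerts on another product's plaintext database (the BDSS hypothesis). The "signature" used is a constructed stand-in (the message the virus types, per the viruslist description), not the real Blood-418 pattern; the memory images, table layouts and class names are all assumptions of this example.

```python
"""Simulated memory scanners: plaintext vs. hashed signature storage.

Constructed demo, not the design of any real product. Shows how a scanner
that keeps raw patterns resident will match its own (or another scanner's)
signature database, and how a digest-only database avoids the self-hit.
"""
import hashlib
import random

# Constructed stand-in pattern. NOT the real Blood-418 signature; it is the
# text the thread quotes the virus as typing, used only as a demo pattern.
PATTERN_NAME = "Blood-418 (demo)"
PATTERN = b"File infected by BLOOD VIRUS version 1.20"


class PlaintextScanner:
    """Weak design: the database holds raw signature bytes, so the scanner's
    own address space contains every pattern it searches for."""

    def __init__(self, sigs):
        self.sigs = dict(sigs)  # name -> raw pattern bytes

    def memory_image(self) -> bytes:
        """Constructed snapshot of what this scanner keeps resident:
        a 'SIGDB' header followed by name\\0pattern\\0 records."""
        table = b"SIGDB\x00"
        for name, pat in self.sigs.items():
            table += name.encode() + b"\x00" + pat + b"\x00"
        return table

    def scan(self, memory: bytes):
        """Return (name, offset) for every raw-pattern occurrence."""
        hits = []
        for name, pat in self.sigs.items():
            off = memory.find(pat)
            while off != -1:
                hits.append((name, off))
                off = memory.find(pat, off + 1)
        return hits


class HashedScanner:
    """Hardened design: only (length, SHA-256 digest) is stored, so the
    raw pattern is never resident in the scanner's own memory."""

    def __init__(self, sigs):
        self.sigs = {name: (len(pat), hashlib.sha256(pat).digest())
                     for name, pat in sigs.items()}

    def memory_image(self) -> bytes:
        """Constructed snapshot: 'HASHDB' header, then name\\0 + 2-byte
        length + 32-byte digest per record. No pattern bytes anywhere."""
        table = b"HASHDB\x00"
        for name, (length, digest) in self.sigs.items():
            table += name.encode() + b"\x00" + length.to_bytes(2, "little") + digest
        return table

    def scan(self, memory: bytes):
        """Slide a window of each signature's length over the target and
        compare digests. Slow (one hash per offset) but fine for a demo."""
        hits = []
        for name, (length, digest) in self.sigs.items():
            for off in range(0, len(memory) - length + 1):
                if hashlib.sha256(memory[off:off + length]).digest() == digest:
                    hits.append((name, off))
        return hits


def describe_hit(memory: bytes, off: int, length: int, context: int = 24) -> str:
    """What igor asks for: show what surrounds the matching bytes so an
    analyst can tell a signature table from infected code. Non-printable
    bytes render as '.', like a strings/hexdump view."""
    lo, hi = max(0, off - context), min(len(memory), off + length + context)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in memory[lo:hi])
    return f"offset {off:#06x}: {text}"


def build_infected_image(seed: int = 1) -> bytes:
    """Constructed 'infected COM' region: deterministic filler bytes with
    the pattern embedded at offset 200, the way an infection leaves it in code."""
    rnd = random.Random(seed)
    return rnd.randbytes(200) + PATTERN + rnd.randbytes(200)


def demo():
    """Run every combination and return the hit lists for inspection."""
    sigs = {PATTERN_NAME: PATTERN}
    plain, hashed = PlaintextScanner(sigs), HashedScanner(sigs)
    infected = build_infected_image()
    return {
        "plain_on_infected": plain.scan(infected),       # both catch the real thing
        "hashed_on_infected": hashed.scan(infected),
        "plain_on_self": plain.scan(plain.memory_image()),    # false positive on own RAM
        "hashed_on_self": hashed.scan(hashed.memory_image()), # no self-hit
        "hashed_on_other": hashed.scan(plain.memory_image()), # other product's plaintext DB
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:20s} {hits}")
    plain_db = PlaintextScanner({PATTERN_NAME: PATTERN}).memory_image()
    print(describe_hit(plain_db, 23, len(PATTERN)))
```

Running it shows the point of the thread in one screen: `hashed_on_self` is empty while `plain_on_self` and `hashed_on_other` both report a hit at offset 23, inside the constructed signature table. The `describe_hit` line for that offset prints `SIGDB.Blood-418 (demo).File infected by ...`, which is exactly the kind of context that distinguishes "another scanner's database is resident" from "a COM file in memory is infected"; the same function run on the infected image shows the pattern surrounded by opaque filler instead. Keeping only digests does not stop a scanner from matching someone else's plaintext database, so the practical mitigation on the user side is to exclude the other product's process from memory scans, or run one resident scanner at a time.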