Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: hungrylilboy on June 25, 2004, 12:29:01 AM

Title: worse virus ever
Post by: hungrylilboy on June 25, 2004, 12:29:01 AM
I have just had to re-install Windows after a virus deleted every single .exe, .mp3, .avi, .mpeg I had on my computer in about an hour.

I sat there and watched as they simply disappeared and avast! couldn't find a thing wrong. Neither did the online scan at Trend.

When I re-started my comp after seeing it first, nearly every running process crashed.

Some processes also started loading a c prompt before crashing.

None of my programs would load, including avast!

All of my restore points had been deleted.

Some programs were changed back to original factory settings, such as MSN (I had 6.2) was suddenly 4.2.

I would love to know what this was, and what I can do to stop it happening again. I have never seen anything like this before.
Title: Re:worse virus ever
Post by: Kobra on June 25, 2004, 12:35:41 AM
Hate to say it, but I've seen a few trojans like this. In fact, I have many many samples of them. Most of which were sent to Avast a week ago and still aren't in the doggon database! What up?

If you caught a name of it, let me know, I'll check it with my records to see if it's one of the hundreds I sent to Avast. Mighta prevented this maybe, ugh.

Unfortunately, many AVs are 100% ITW, but hopelessly neglected threats from say 2 years ago, which the average joe is more likely to run into in my experience. Gotta shore up those databases from the old threats too and not ignore them!

Title: Re:worse virus ever
Post by: hungrylilboy on June 25, 2004, 12:40:23 AM
Sorry, I didn't get a name as nothing was found before I formatted. Why aren't they in the database? What are we paying for then??
Title: Re:worse virus ever
Post by: lee20 on June 25, 2004, 11:42:11 AM
I'm sure they are in the process of adding them. BTW, I would just like to ask how you came about finding these hundreds of trojans?
Title: Re:worse virus ever
Post by: Stephan123 on June 25, 2004, 11:51:01 AM
The people working at Avast are quite busy at the moment. You can see here http://www.avast.com/eng/viruses/vps_history.html which viruses are in the database.
Title: Re:worse virus ever
Post by: hungrylilboy on June 25, 2004, 12:41:22 PM
Not being rude, OK yes I am, but I couldn't care less whether they are busy or not. That's what we pay for, or supposedly.

I am now re-installing everything including Windows for the second time in 24 hours after it infected my backups too. I have lost years of work, photos and everything. Simply because they don't have old records added... what a joke, guys. How about a refund?
Title: Re:worse virus ever
Post by: Vlk on June 25, 2004, 12:52:22 PM
Quote
Unfortunately, many AVs are 100% ITW, but hopelessly neglected threats from say 2 years ago, which the average joe is more likely to run into in my experience. Gotta shore up those databases from the old threats too and not ignore them!

That's simply not true. We don't really care about the age of the malware...

I doubt it was a Trojan either...

Quote
Not being rude, OK yes I am, but I couldn't care less whether they are busy or not. That's what we pay for, or supposedly.

Of course, I agree.

Now I'd recommend focusing on the main thing -- getting back the data.
Are you saying that your backups contain files that are already truncated/overwritten? What I'd need is some kind of trace from the beast. So that we could tell what it was. Is it still on the backups then?



Title: Re:worse virus ever
Post by: hungrylilboy on June 25, 2004, 03:39:58 PM
OK, sorry for the above. Have calmed down now. I went to a cyber cafe and transferred my data from one disc to another without touching any .exes.

They are running Norton AntiVirus and it picked it up straight away, labeling it as w32.axon.B

Is this in our viruses, and if so how come it didn't pick it up?

Edit: I do have the file still on my backups, but unless you want me to send a CD-R through the snail mail, I am afraid I am going nowhere near it.
Title: Re:worse virus ever
Post by: whocares on June 25, 2004, 04:23:01 PM

Quote
w32.axon.B


Seems like avast detects AXON(.A) as "Win32:Xenon", but not AXON.B
That's a pity..

I'm sorry about your files, hungrylilboy,
and avast SHOULD have detected it,
and you will neither like this, nor does it help you at present,
but as a hint for the future:

a) we don't live in a perfect world:
b) FACT: no AV-scanner offers 100% detection/protection
c) if I look at your past postings & at the description of AXON.B:
"This virus has been distributed on peer-to-peer file-sharing networks, using deceptive filenames such as "Keygen.exe.""

-> you should exercise some more caution when using your PC & moving about the internet

P.S.: I hope your MP3 & AVI on (external ?) backup media are still intact ?



P.P.S: According to the date when Win32:XENON was included in avast's database, it could also be that this includes BOTH AXON/XENON-variants ?
Maybe VLK could comment..

HLB: Your resident shield & P2P-Provider was always on & configured correctly ?

 ;)
Title: Re:worse virus ever
Post by: Staind on June 25, 2004, 04:47:02 PM
Is it possible that Avast! was infected and wasn't working right? I know this happens to my dad's norton quite often..
Title: Re:worse virus ever
Post by: Lisandro on June 25, 2004, 05:45:14 PM
I don't think so but it's recommended by any antivirus to scan just after the installation or even before, by a clean CD  :-\

hungrylilboy, is there anything more we can help you with?  :-\
Title: Re:worse virus ever
Post by: DavidR on June 25, 2004, 05:49:40 PM
If you haven't already done so you should patch a vulnerability which this virus exploits.

Quote
Virus Prepends Itself to Files With .Exe Extensions

W32.Axon.B is a virus that prepends itself to the files with the .exe extension. It also deletes the files with .mp3 and .avi extensions.

Technical details are at this Symantec page.

Worm Exploits Microsoft Vulnerability

W32/Cycle.worm is a worm that spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)].

The worm copies itself to the Windows system directory as SVCHOST.EXE, for example:

%SysDir%\SVCHOST.EXE

It installs itself as a service ("Host Service") on the victim machine:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Host Service

The service bears the following characteristics:
Display name: Host Service
Image path: %SysDir%\SVCHOST.EXE
Startup: automatic

A text file containing a political message is dropped to %WinDir% as CYCLONE.TXT:

%WinDir%\CYCLONE.TXT (3,316 bytes)

A side-effect of the worm is for LSASS.EXE to crash; by default such a system will reboot after the crash occurs.

The following Microsoft update should be installed to be protected from the exploit used by this worm. See this Microsoft page (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx).

This patch has been on the MS windows update site for some time. Everyone should ensure that their OS is fully updated.

David
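
An added example, not part of the thread or of the quoted advisory: a small checker that matches a host's service list and file list against the W32/Cycle.worm indicators quoted above ("Host Service", %SysDir%\SVCHOST.EXE, %WinDir%\CYCLONE.TXT at 3,316 bytes). The inventory is constructed sample data, the function names are hypothetical, and the "-k" test rests on the assumption that genuine svchost.exe services are registered with a "-k <group>" argument.

```python
import ntpath

# Indicators exactly as quoted in the post above for W32/Cycle.worm.
WORM_SERVICE = "host service"
WORM_IMAGE = r"%SysDir%\SVCHOST.EXE"
DROPPED_FILE = r"%WinDir%\CYCLONE.TXT"
DROPPED_SIZE = 3316  # bytes

def norm(path, sysdir, windir):
    """Expand %SysDir%/%WinDir%/%SystemRoot% and normalise case and separators."""
    p = path.strip().strip('"').lower()
    for var, value in (("%sysdir%", sysdir), ("%windir%", windir), ("%systemroot%", windir)):
        p = p.replace(var, value.lower())
    return ntpath.normpath(p)

def check_host(services, files, sysdir=r"C:\WINDOWS\system32", windir=r"C:\WINDOWS"):
    """Return [(item, [reasons])] for entries matching the quoted indicators."""
    findings = []
    for svc in services:
        # Split the executable from its arguments: "...\svchost.exe -k netsvcs"
        exe, sep, args = svc["image_path"].lower().partition(".exe")
        reasons = []
        if WORM_SERVICE in (svc["name"].lower(), svc["display_name"].lower()):
            reasons.append("service is named 'Host Service'")
        # Assumption (not from the thread): genuine svchost.exe services are
        # registered with a "-k <group>" argument, a bare path is not.
        if (norm(exe + sep, sysdir, windir) == norm(WORM_IMAGE, sysdir, windir)
                and "-k" not in args.split()):
            reasons.append("svchost.exe registered without -k")
        if reasons:
            findings.append((svc["name"], reasons))
    for path, size in files.items():
        if norm(path, sysdir, windir) == norm(DROPPED_FILE, sysdir, windir):
            note = "size matches" if size == DROPPED_SIZE else "size differs"
            findings.append((path, ["CYCLONE.TXT in %WinDir% (" + note + ")"]))
    return findings

# Constructed sample inventory (not taken from a real machine).
SAMPLE_SERVICES = [
    {"name": "Dhcp", "display_name": "DHCP Client",
     "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    {"name": "Host Service", "display_name": "Host Service",
     "image_path": r"C:\WINDOWS\system32\SVCHOST.EXE"},
]
SAMPLE_FILES = {r"C:\WINDOWS\CYCLONE.TXT": 3316, r"C:\Temp\cyclone.txt": 3316}

if __name__ == "__main__":
    for item, reasons in check_host(SAMPLE_SERVICES, SAMPLE_FILES):
        print(item, "->", "; ".join(reasons))
```

The file name alone is not enough to flag the worm's SVCHOST.EXE, because a genuine svchost.exe lives in the same directory; the service name and the missing service-group argument are what separate the two entries in the sample.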
Title: Re:worse virus ever
Post by: Vlk on June 25, 2004, 05:51:47 PM
I was told by the virus guys that Axon is detected by avast as Win32.Xenon. I'm not sure about the .B variant, though... :-\
Title: Re:worse virus ever
Post by: Kobra on June 25, 2004, 08:06:00 PM
Looking over my data I see that I submitted Axon.b to Avast about a week ago.  

 :'(
Title: Re:worse virus ever
Post by: Vlk on June 25, 2004, 08:53:00 PM
hungrylilboy, do you have any idea about how you got infected (email, P2P, web download, ...)? The Axon virus is not exactly common... :-\
Title: Re:worse virus ever
Post by: hungrylilboy on June 25, 2004, 09:13:48 PM
Sorry, been away.

1) My PC was fully up to date with Windows Update. This means that the Windows fix doesn't work?

2) I lost all my mp3 and avi files

3) I was looking for the NetMeeting file, conf.exe, and couldn't find it anywhere on Google, so did end up using Kazaa. Big mistake, I know. (By formatting, I do have my real conf.exe back though!  ;D) (Just looked again to try and get a hash but can't find it. Had about 15 users, was "correctly" labelled - at least one person had anyway)

4) Please can this be added, as this is the nastiest virus I have ever encountered

5) Sorry again for stressing earlier. Bit hard losing all that work (oh, forgot to say that most of the mp3s were my own work)

6) avast! definitely got infected. Think it was one of the first, because as soon as I realised I had something wrong, I tried to open it and it opened a c prompt and crashed.

7) avast! was running properly before this

8) I don't use P2P much but I thought avast! was set to automatically scan them?
Title: Re:worse virus ever
Post by: whocares on June 25, 2004, 09:16:05 PM
Quote
If you haven't already done so you should patch a vulnerability which this virus exploits.

Hi David,

I didn't find any info on vulnerabilities related to AXON.B:
could you post a link ?

Title: Re:worse virus ever
Post by: Kobra on June 25, 2004, 09:58:03 PM
Always the lesser common ones I run into..  Some kid pulling something off a VX site, then dropping it into a file and thinking he's funny.

I seldom run into ITWs, so I consider 1-4 year old threats to be my nemesis..  Even ones considered extinct I run into quite often!
Title: Re:worse virus ever
Post by: hungrylilboy on June 25, 2004, 11:01:14 PM
Hmm, I just read on a site that compares and tests antivirus progs that avast failed... why?
Title: Re:worse virus ever
Post by: DavidR on June 25, 2004, 11:29:11 PM
Quote
If you haven't already done so you should patch a vulnerability which this virus exploits.

Hi David,

I didn't find any info on vulnerabilities related to AXON.B:
could you post a link ?

Now you're asking, I started on a Google search and expanded from there; this is where I started. http://securityresponse.symantec.com/avcenter/venc/data/w32.axon.b.html

Then here http://www.esecurityplanet.com/alerts/article.php/3351651 and the info that I posted is at the bottom of the page.

David

Title: Re:worse virus ever
Post by: hungrylilboy on June 25, 2004, 11:33:00 PM
I have been looking around, found it as W32.Axon.B and Win32.HLLP.Riaz.

But the only AV that seems to find it is Norton. Even NOD32 doesn't have it listed. Is there another name for it?

Title: Re:worse virus ever
Post by: Tipton on June 25, 2004, 11:33:17 PM

Quote
4) Please can this be added, as this is the nastiest virus I have ever encountered

Sorry to hear about your virus issue. But trust me when I say that this is far from being the nastiest virus. The nastiest virus is the one that infects your motherboard BIOS, and turns your system into a paperweight until you replace the motherboard. At least you are able to re-format and re-install.

Might I also offer some advice? Get yourself some imaging software. You could have had this fixed in no time. I use my AV for scanning files I download from the net, and that's it. If I get a virus, I restore to a clean/stable image, instead of relying on an AV for that. I create images all the time, and worst-case scenario, I may lose a day or two of work by having to install an image. I always scan with Avast first, then a couple of online scanners before I create an image and consider it clean.

Douglas
Title: Re:worse virus ever
Post by: hungrylilboy on June 25, 2004, 11:36:43 PM

Such as? Program, I mean.
Title: Re:worse virus ever
Post by: Tipton on June 25, 2004, 11:39:52 PM

I use Acronis True Image.

http://www.acronis.com/products/trueimage/
Title: Re:worse virus ever
Post by: DavidR on June 26, 2004, 12:00:05 AM
Another option is PowerQuest's Drive Image; I have DI2002, but I believe the latest version of True Image is more flexible.

I don't know about the latest version of Drive Image; it has probably advanced since my 2002 version.