Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: pingram3541 on March 08, 2010, 05:25:13 PM

Title: Is Avast 5 really safe?
Post by: pingram3541 on March 08, 2010, 05:25:13 PM
I had switched a few years back from Free AVG to Avast free version because my wife's machine had got infected.  Since then I have been pretty happy with Avast free version and its minimal impact on my machine and occasionally manually checking suspicious files from the interwebs and also running full system scans every now and then.  However, a few days ago running the latest Avast 5 free version on a newly installed Windows 7 Ultimate I got an infection.

I was doing my typical routines from a new OS install by installing all the key software I use regularly and decided the old version of WinRAR was outdated and browsed the internet for the latest copy.  The download from WinRAR's website kept timing out so I did a search with my bit torrent client, found a copy and began the download thinking it could be infected but I'll just scan it when it's finished.  Besides, there were no comments attached to the torrent indicating it was infected and there were a lot of seeders.

Nevertheless, upon completion I scanned the zip file (kinda funny, WinRAR packed in a zip)...moving on...I then scanned the extracted folder, both times Avast 5 free version found no threats.

The WinRAR 3.92 version installed normally and everything was fine for about 2 minutes, then all of a sudden all kinds of pop ups and warning dialogs started coming up.  Some new "Dr Guard" had installed itself in addition to disabling Avast while making it look as though it was still running, the built in Windows firewall, Windows Defender had been disabled and a cloned version was running, the task manager was disabled and my browser was hijacked always redirecting to a "you're infected with blah, blah, blah, you need to purchase the full version to clean the infections..."

So this rogue had gotten through and in my opinion is worse than a virus even though it didn't destroy any "personal" files, it left traces all over the place, was a pain to remove and left parts of the internal OS broken...I finally resorted to a format and a clean install.

Since then I have re-installed and use Avast and Malwarebytes Anti-Malware which does catch the Dr Guard and now I perform 2 scans on any download.

So today I open up my email using Thunderbird V3.0.3 and find a suspicious email supposedly from UPS saying they failed to deliver a package and to print out the details from an attached zip file.  Suspicious, since I am not expecting anything and I wonder why UPS would not just have a tracking number, I scan the attachment with Avast and it finds an infection with a W32.Trojan.  I have TLS/SSL disabled in Thunderbird so Avast can scan my incoming and outgoing messages but I'm really now considering if Avast 5 free edition is really trustworthy.  If it was scanning my incoming emails, why did this one get through?  Why did I have to save the file to the hard disk and then run a scan on it to find the infection?  Why did Dr Guard make it through?  All this in a few days?

I know some of you would say that my actions in downloading the bit-torrent was like asking for a problem, but seriously, this is why we have these security programs and this is truly putting these programs to the test.  I consider myself an above average computer user and can usually pinpoint when something looks suspicious.  I am sure the average folk would still be dealing with the rogue or even worse, purchased the scammy software and would now also be infected with the back door from the email.  I also think that a fully licensed Pro version of Avast would have the same results.

I'm calling out Avast...can you truly advertise your software as trustworthy and reliable after the events I have experienced?   :)
Title: Re: Is Avast 5 really safe?
Post by: hayc59 on March 08, 2010, 05:29:12 PM
You my friend are not the only one!
http://www.dslreports.com/forum/remark,23647698?hilite=ups
http://www.dslreports.com/forum/r23904162-BewareMalware-Disguised-as-UPS-Notification-Message
Title: Re: Is Avast 5 really safe?
Post by: spg SCOTT on March 08, 2010, 05:39:39 PM
I got this one today...UPS...I wanted to download it in a VM to see if avast! detected it, but hotmail wouldn't let me...oh well at least they know about it...
Title: Re: Is Avast 5 really safe?
Post by: Pondus on March 08, 2010, 05:46:32 PM
Do you still have the attached zip file? Can you upload it to VirusTotal www.virustotal.com
and when you have the result copy the URL in the address bar and post it HERE
Title: Re: Is Avast 5 really safe?
Post by: spg SCOTT on March 08, 2010, 05:48:03 PM
Not me...hotmail won't let me have it... ::)

Maybe pingram3541 does...
Title: Re: Is Avast 5 really safe?
Post by: pingram3541 on March 08, 2010, 05:53:52 PM
Here is the link from virustotal as requested...

http://www.virustotal.com/analisis/f13520886f62ac265c67b50a35cb472d0a3928bdbb75cb0d4e7ab08943040830-1268052549

Also, details of the email
====================
from: Manager Kenny Montoya <help@ups.com>
subject: UPS Delivery Problem NR 12802
body:

We failed to deliver your postal package sent on the 10th of January in time
because the recipient’s address is erroneous.
Please print out the invoice copy attached and collect the package at our department.

United Parcel Service of America.

attachment: UPS_invoice_Nr284.zip

Return-path:<spitefulnessk@jboy.com>
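
An added example, not part of the original post: the details above show a From address at ups.com, a Return-path at an unrelated domain, and a zip attachment. The sketch below checks a message for those two signals with Python's standard `email` module. The message is constructed from the header values quoted in the post, the attachment body is a harmless placeholder, and the `triage` and `domain` helpers are hypothetical names.

```python
from email import message_from_string
from email.utils import parseaddr

ARCHIVE_EXTS = (".zip", ".rar", ".7z")

# Constructed sample: header values copied from the post above; the
# attachment payload is a placeholder string, not the real file.
SAMPLE = """\
Return-Path: <spitefulnessk@jboy.com>
From: Manager Kenny Montoya <help@ups.com>
Subject: UPS Delivery Problem NR 12802
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please print out the invoice copy attached.
--b1
Content-Type: application/zip; name="UPS_invoice_Nr284.zip"
Content-Disposition: attachment; filename="UPS_invoice_Nr284.zip"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return triage hints for a raw message (signals, not a verdict)."""
    msg = message_from_string(raw)
    findings = []
    from_dom, rp_dom = domain(msg["From"]), domain(msg["Return-Path"])
    # Bulk senders can legitimately differ here, so treat this as a hint only.
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"sender-mismatch: From={from_dom} Return-Path={rp_dom}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(ARCHIVE_EXTS):
            findings.append(f"archive-attachment: {name}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```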

Title: Re: Is Avast 5 really safe?
Post by: Pondus on March 08, 2010, 05:55:10 PM
@scott
have you tried to forward to virustotal mail upload?
http://www.virustotal.com/metodos.html
Title: Re: Is Avast 5 really safe?
Post by: bong2x on March 08, 2010, 05:56:00 PM
:)
Title: Re: Is Avast 5 really safe?
Post by: pingram3541 on March 08, 2010, 06:14:37 PM
At bong2x...

both infection types were not from browsing the web and allowing a script to run.  The case w/ the Dr. Guard rogue was with a zip file I had downloaded via a torrent and I ran 2 scans before doing anything else with the file, 1. scanning the archive and 2. scanning the extracted folder.  The WinRar installer executable was infected and was not detected (before a script could even be run to disable Avast and other security programs).  Windows defender also had the latest and after my new clean install, ran several programs against the download I had placed on a flash drive.

Avast 5 Free - No threats
Windows Defender - No threats
Malwarebytes Anti-Malware - Threat found
Ad-Aware - Threat found

As for the email, same thing, a physical file contained the threat and I will say that Avast did find it, but only after I had saved the attachment to my hard disk from within my email client software.  My disappointment is that Avast did not block the email from being downloaded like I expect it should.  It seems as though only SOME of my emails are being scanned and not ALL of them but I can't tell why.
Title: Re: Is Avast 5 really safe?
Post by: bong2x on March 08, 2010, 06:45:06 PM
:)
Title: Re: Is Avast 5 really safe?
Post by: Hermite15 on March 08, 2010, 06:50:58 PM
@ bong2x: ...maybe read the forum threads a bit more and learn about avast 5 before making such wrong statements  ;) (this concerns at least your two last posts here)

@ pingram3541: you said you saved an infected attachment, scanned it, and that's only when avast detected a virus. I don't like this at all, never had to experience an infected mail yet so I can't tell, but I would have thought that the mail scanner would be able to scan mails including attachments...including archives etc...I got to test this. That's interesting but not welcome news if verified.
Title: Re: Is Avast 5 really safe?
Post by: Hermite15 on March 08, 2010, 07:11:32 PM
doesn't mean much, I can only see what happens when sending an eicar zip file to myself, and the mail scanner already detects it and blocks it. Can't test this with an incoming mail obviously because even if the mail shield is deactivated  when sending, or if sending from the web interface, my mail provider won't let the zip file through.
Title: Re: Is Avast 5 really safe?
Post by: spg SCOTT on March 08, 2010, 07:52:07 PM
I'm confused, if it was detected when you scanned it, why isn't it detected on VT...

The mail scanner works...It has alerted to me sending out malware...
Although incoming is harder to test, seeing as the email providers block everything...
Title: Re: Is Avast 5 really safe?
Post by: pingram3541 on March 09, 2010, 12:24:27 AM
Logos, got your email, trying to send you the zip file but having problems password protecting it since I currently only have the built in windows archive method. (haven't attempted downloading WinRAR again yet).

I assume you want it password protected for a reason, maybe so its contents can't be scanned?
Title: Re: Is Avast 5 really safe?
Post by: pingram3541 on March 09, 2010, 12:27:26 AM
Also to note, there isn't any integration it seems with Thunderbird, i.e. right-clicking a message context menu asking to scan mail manually or any kind of "been found clean" type icons or text in my email messages as I have read in other threads from users with MS Outlook.  Should there be any of this within Thunderbird?
Title: Re: Is Avast 5 really safe?
Post by: Pondus on March 09, 2010, 12:49:33 AM
Quote
I was doing my typical routines from a new OS install by installing all the key software I use regularly and decided the old version of WinRAR was outdated and browsed the internet for the latest copy.  The download from WinRAR's website kept timing out so I did a search with my bit torrent client, found a copy and began the download thinking it could be infected but I'll just scan it when it's finished.  Besides, there were no comments attached to the torrent indicating it was infected and there were a lot of seeders.
Quote
(haven't attempted downloading WinRAR again yet).
Have you tried here http://filehippo.com/download_winrar/

www.filehippo.com
Title: Re: Is Avast 5 really safe?
Post by: pingram3541 on March 09, 2010, 01:01:15 AM
Sorry meant to say Pondus instead of Logos... ;D

email is sent, funny thing is when I tried to send the "original" infected email to virus@avast.com, it sent the email without warning but while uploading to my mail server's "sent item" folder, Avast found the threat and removed the attachment.  Checking my "sent items" folder on my mail server shows the message without attachment.

So now the question is not only why didn't the Avast email scanner catch the infection when I first received the email or even when I sent it to virus@avast.com???  But why DID it catch it when sending to my Apache mail server?