Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Avastfan1 on April 16, 2010, 10:39:10 AM
-
Dear Avast Team,
I have sent you a file infected with a virus which disables and destroys Avast 5.0.507. The name of the file is 'wyskq6lt.exe' (I unsuccessfully renamed it to wyskq6lt.333.exe).
It completely destroyed Avast 5.0.507 and MBAM 1.45 on my friend's computer. I became suspicious when I inserted a USB stick into my computer from his and, whilst holding left shift down, noticed an 'autorun' file which pointed to wyskq6lt.exe.
This is really worrying and I am writing this message in the hope that Avast will be able to detect this virus in the future and help other users. That is, I hope they will not suffer the same fate as my friend. He was left with no other choice but to format his computer and reinstall everything. He lost a lot of valuable data.
- If you could kindly confirm Avast's receipt of the sample I sent that would be great.
- In addition, if you could kindly advise how I will know that wyskq6lt.exe in my chest has now been identified that would be much appreciated.
- Finally, if you could please briefly let me know whether wyskq6lt.exe is safe in the Avast chest, I would be very grateful.
Thank you and I hope that I have helped other Avast users. This is a particularly nasty virus and it would be terrible to see other people have to go through the agony which my friend had to go through.
Thank you and I look forward to your response.
Best regards,
Avastfan1
PS: I am bricking it that my system is infected and have started a separate thread here: http://forum.avast.com/index.php?topic=58584.0;topicseen
-
wow deadly virus
-
Absolutely! Hence the reason for this post.
Hope it will help other Avast users!
-
Thanks Avastfan,
I have notified our virus lab team. They shall look into this shortly. Have you sent the file to virus (at) avast (dot) com ?
-
Hello,
Can you please post the VirusTotal report here, so we can see the SHA checksums and find it in our database?
Milos
-
Hi Kurt and Milos,
Thank you for the prompt replies. When Avast finally recognised the file as Win32:Malware-gen, I selected the 'submit file to Avast' option and pressed ok. So I assume that the file has been submitted as I pressed the 'update program' button yesterday.
Can you please confirm receipt of the file? (wyskq6lt.exe)
I stupidly didn't print or save the virustotal report. However, I can confirm that around 20 of the other virus scanners listed on the page flagged it as a specific virus or a suspicious file. Unfortunately, neither Avast nor MBAM was one of them!
If you were happy to guide me (a novice!) safely through the extraction process and how to send it to you or rename it to .333 or whatever, so that my system wasn't compromised, I would of course be more than happy to work with the Avast team. In addition, I would like to help other Avast users not become by this nasty virus.
Thanks and look forward to hearing from you!
Avastfan1
-
Hello,
we received 54 "false positive" submissions of a file from location "C:\wyskq6lt.exe", but this is detected as "Win32:Rootkit-gen [Rtk]" not "Win32:Malware-gen". And some "malware" submissions, but I don't know how to identify the submission which is yours.
Milos
-
Hi Milos,
Thank you for the reply. I am running Avast 5.0.507 with Virus def: 100416-0 and Avast has identified the file 'wyskq6lt.exe' in the chest as 'Win32:Malware-gen'.
Perhaps the file I sent is different? The location I sent it from was E:\ not C:\. Could you possibly check your submissions for E:\wyskq6lt.exe ?
Thank you!
Avastfan1
-
Hello,
there are 4 submissions from "[Chest] E:\wyskq6lt.exe" but none of them from avast! 5.0.507, all are from 5.0.462.
Milos
-
Hi Milos,
I don't understand that then. I sent it yesterday. In addition, I just re-sent it from C:\suspect as I was trying to extract it to that directory, rename it and zip it up. However, Avast detected it and I made double sure that the option 'Sent to Avast' was checked before I pressed ok.
Perhaps you have received it now?
Regards,
Avastfan1
-
Hi,
in dialog you can only choose "type" (potential malware/false positive), checkBox "I know what I am doing", and some optional fields.
Milos
-
Hi Milos,
I have done as you instructed.
I just realised that the file I sent was renamed to 'wyskq6lt.333.exe'. I must have unsuccessfully tried to rename it to .333.
Please confirm receipt of this file by Avast.
Kind regards,
Avastfan1
-
Hi Avastfan1
as I am not a member of avast team I can largely say what I want, without compromising the good name of avast
and firstly I want say that I mean no disrespect towards yrself or yr friend
Now for antivirus to run at optimal performance, computer itself must run at good performance level
let's say Java program is not updated and is not fault of user ???
- I need fix PC wit Java could not update as required elevation as runonce task to install updates - special case
- elevation means that install must be run by overall administrator, which is hidden on Normal Mode desktop
- user has no comprehension of this issue, and first time for me too - I do this fixup tomorrow so still new to me
let's say PC still runs SP2, lets say Adobe reader is well out of date, let's say Flash Player is broken, and so on ???
These kind of things makes very hard on antivirus to perform at optimal level and prevent infection on computer ???
- regardless, avast does perform commendably even within these imperfect, 'broken' environments :)
And on top of that no antivirus is 100%, and bear in mind also that malcreants are infinitely deceiving ???
So it is not always the case that the antivirus is at fault - though this is not to defend avast under any possible argument
regards
Mark :)
-
Hi Mkis,
Thank you for your reply. No disrespect or offence taken at all. Quite the contrary actually. I agree with your response: prevention is always better than cure. An anti-virus programme will never detect malware and viruses with a 100% success rate.
Moreover, I do not believe the fault lies with Avast at all. Rather, I think the fault lies in my stupidity of not disabling the Autorun feature on my computer. Thank Christ I held down the left shift key out of habit.
I hope to God that this has spared my computer from infection! I am currently working with some of the Avast Forum experts to ensure my PC is free from infection.
I am a happy Avast user and in my five plus years of using the programme, I have never seen anything which would make me want to change.
Avast is a fine piece of software and, more importantly, the people behind the software and the user community make it my first choice.
To sum up, I hope that by submitting the file that Avast are able to specifically identify it and prevent further infections from the arseholes who make/write/program these nasty things.
Avastfan1
-
:)
-
And that piece of malware destroys MBAM too??
-
Hi JoeBlack,
It did. Although my friend was running the latest versions of MBAM and Avast, this nasty piece of work completely nuked his computer.
That is why I have gone to so much effort in trying to provide Avast and MBAM with a sample. My friend was devastated due to the loss of valuable data. Moreover, the blood, sweat and tears involved in reformatting and reconstructing his computer.....
That agony I would like to spare other Avast and MBAM users. Hopefully Avast will now be able to specifically identify this virus and kill it.
I would again like to stress, as per my previous post, that the blame lies with my friend and I. Avast does a brilliant job and is my number one choice for anti-virus software. Our stupidity cannot be made up for.
Best regards,
Avastfan1
-
Hi Alwil Avast Team,
Could somebody please confirm receipt of the file I sent wyskq6lt.333.exe?
Were you able to analyse, classify and create a specific identification signature for this nasty piece of work?
Kind regards,
Avastfan1
-
Oh yes, rest assured that avast team will be aware that this horrible beastie is in circulation.
Well done Avastfan1, and I'm sure they will appreciate yr concern - is a horrid piece of work
-
Hi Avastfan1
Thank you for your quick response. I'm just wondering, could Comodo with D+ stop this, if it gets past Avast and MBAM, or whatever AV?
I'd like to think that it could do it. It's a HIPS after all.
Sorry for your friend's computer :'(
-
Hi JoeBlack40,
Unfortunately, I am not qualified enough to answer that question. One of the experts on this board will definitely be able to give you some wise words with regards to Comodo and D+.
All I can confirm is that it got through Avast and MBAM on my friend's computer.
Sorry I could not be of more help.
Best regards,
Avastfan1
-
It is when you break up the definition that things get interesting - but no idea what is to do wit anything
horrible beastie - wysk 6lt ;D (edited)
- wysk q 6lt will return a single link - third entry - that is blocked by my hosts file
-
Wow seem rather like a music which's name is in a language my computer can't support when converted and renamed
When you try to see that name again in a computer which support that language it looks like that!
-
:D obfuscated text I guess - but I don't really know whats actual happen here
seems like may have pulled all obfuscated text it can get hands on from anywhere it can find it
I'm going to erase the picture tomorrow and post deleted unless someone can explain some purpose in it
-
> I just wondering, Comodo with D+ could stop this
If you don't allow it to run, d+ would stop it.
Depends on user behavior. ;)
asyn
-
> > I just wondering, Comodo with D+ could stop this
> If you don't allow it to run, d+ would stop it.
> Depends on user behavior. ;)
> asyn
Exactly. I'm glad I have Comodo along with Avast and MBAM.
-
> > I just wondering, Comodo with D+ could stop this
> If you don't allow it to run, d+ would stop it.
> Depends on user behavior. ;)
> asyn
+2 ;D Me too, glad to have Comodo with the +D protection
-
Now, don't start off guyz.. We don't want comodo ads here. peace!
nmb
-
> Now, don't start off guyz.. We don't want comodo ads here. peace!
> nmb
Gimma a kiss nmb ;D ;D
-
> Now, don't start off guyz.. We don't want comodo ads here. peace!
> nmb
It's not just a free ad, you know.... for whatever reason, my Avast doesn't play well with OA, I've got some BSOD too... and with Outpost, web surfing is painfully slow, even with Outpost's web guard disabled.... PC Tools fw, I don't like it, because it doesn't have a terminate option for active programs.... so..... Comodo is the best choice, at least for me.
-
I use PCTools Firewall and it has run extremely smoothly. The only two issues I have are:
- An annoying 'new network' box which appears each time the computer is started
- For ONE of the many WLAN connections I use, PCTools Firewall won't let me on it
-
From my limited experience, PC Tools HIPS are not so effective. I just don't feel secure with it, just a matter of taste I suppose. :)
-
That is true JoeBlack40. I ran with ZoneAlarm Pro for a long time. It served me well until they released one version which majorly fücked up a lot of their users' computers.
After that, it was all downhill for ZA Pro. Their software, in my opinion, unfortunately became slower, more resource intensive and, most importantly, the user support forum and customer support died.
That is why I changed firewalls.
I trialled PCTools Plus Firewall after reading the posts of the experts on this forum and asking for their advice.
I read many negative comments about Comodo, Outpost and Online Armour. Admittedly, some negative commentary about PCTools Plus Firewall, too. However, I had to choose one. PCTools Firewall Plus was my choice.
I will wait and see how it develops. The two problems I described above are annoying, yet not ground-breaking.
Will wait and see! :-)
-
That's right, Avastfan1, the PCs are pretty much like people... if something is good for me, it doesn't mean that it is good for everybody. With the software, as I said, pretty much the same thing. Mysterious ways for AI's too :)
-
Sorry JoeBlack40 - I'm not familiar with AI. Do you mean artificial intelligence?
-
> Sorry JoeBlack40 - I'm not familiar with AI. Do you mean artificial intelligence?
Yes Avastfan1 :)
Btw, what did the Alwil team say? No confirmation yet about the malware?
-
Hi JoeBlack40,
I have not heard anything about the malware yet. An official comment from Avast would be really great.
I would like to see this piece of malware analysed and specifically classified so that other Avast users are protected against the same fate my friend suffered.
Let's hope we hear something soon!
Best wishes,
Avastfan1
-
> Hi Alwil Avast Team,
> Could somebody please confirm receipt of the file I sent wyskq6lt.333.exe?
No, I didn't find it.
> Were you able to analyse, classify and create a specific identification signature for this nasty piece of work?
Yes, but why?
Milos
-
Hi Milos,
Thanks for your reply. That is strange, because I sent it like three times to Avast from the chest! :S
You wrote 'Yes' that you were able to specifically classify it. Does that mean it is now not just identified as WIN32-Malware-GEN?
Could you kindly tell me the name of the virus? I would love to pass it on to my friend so he could read about what totally destroyed his computer.
Thanks!
Avastfan1
-
If it was detected as WIN32-Malware-GEN, why do you want a specific name for the virus? It was detected by Avast already.
-
Hello,
> You wrote 'Yes' that you were able to specifically classify it. Does that mean it is now not just identified as WIN32-Malware-GEN?
Maybe there was misunderstanding: We are able to specifically classify it, but there is no reason to do that.
Milos
-
Thank you both for the information.
Is there a specific name for this virus or malware then Milos?
Where could my friend read more information about it? Is there a link on Avast's website?
Thanks,
Avastfan1