Avast WEBforum

Topic started by: tweed on August 31, 2004, 11:30:22 PM

Title: un-found virus CAUTION W/ATTACHMENT
Post by: tweed on August 31, 2004, 11:30:22 PM
Good day all!

CAUTION!! POSSIBLE INFECTION ATTACHED!!!

A suspicious email arrived this morning with an attachment.  I viewed the source on the email and saw it had attachment "fotos.zip".  Saved the zip file to desktop and scanned it with Avast.  Avast found it to be clean.

So in the interest of testing, I copied the file to two other machines to scan.  One other has AVG, and the last is running Sophos.  AVG and Sophos BOTH see this zip file to be infected with
"Results of Complete Test, date and time 8/31/2004 14:24:58 :
Testing C:\Documents and Settings\Administrator\Desktop serial 5064-E5BA  C:\Documents and Settings\Administrator\DESKTOP\INFECTED.ZIP:\foto\foto.htm Virus found JS/IllWill

Test finished, duration 00:00:00.8 s
21 objects tested, 1 found infected

This is a 3 week old virus...why is Avast not reporting it?  My Avast version/update info follows:
ver 4.1home(4.1.418),  with def file from today (8-31-04)(0436-0)

I can point Avast RIGHT AT THE FILE, and it reports clean.

I have attached file for inspection.

Any thoughts???

Thanks!
Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: Eddy on August 31, 2004, 11:47:21 PM
Please send the file in a password protected zip file to virus@avast.com
Mention in the mail what you told us here (a link to this thread may be useful) and don't forget to mention the password of course. I'm sure they will investigate it and release an update of the vps if needed asap.

If you like, please run an online scan HERE (http://virusscan.jotti.dhs.org/) and tell us the result(s)

Thank you for letting us know this. Information like this really can help make Avast only better. [Is that possible :D]
Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: softwareguy on September 01, 2004, 01:28:19 AM
Is Alwil working with virusscan.jotti.dhs.org into getting samples and new detections?
Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: tweed on September 01, 2004, 07:13:07 AM


Quote
If you like, please run an online scan HERE (http://virusscan.jotti.dhs.org/) and tell us the result(s)

Thank you for letting us know this. Information like this really can help make Avast only better. [Is that possible :D]

That scan yielded these results on zip file in question...zip file extracts into foto.html and foto1.exe.
AntiVir: TR/Bagle.AK.HTML, TR/Bagle.AL (2.48 seconds taken)
BitDefender: JS.Dword.dropper, Trojan.Dropper.Small.KU (5.76 seconds taken)
ClamAV: Trojan.JS.RunMe (11.33 seconds taken)
Dr.Web: Exploit.CodeBase, Win32.HLLM.Beagle.9728 (11.92 seconds taken)
F-Prot Antivirus: HTML/ObjData@exp, dropper for W32/Mitglieder.AA (1.70 seconds taken)
F-Secure Anti-Virus: HTML/ObjData@exp, Exploit.CodeBaseExec, W32/Bagle.AK@mm, TrojanDropper.Win32.Small.kv (7.47 seconds taken)
Kaspersky Anti-Virus: Exploit.CodeBaseExec, TrojanDropper.Win32.Small.kv (6.85 seconds taken)
Norman Virus Control: JS/IllWill.A, W32/Bagle.AK (1.26 seconds taken)

All engines found infection.  Avast still says this file is clean.  Have set max everything in scan parameters.

Here is text from log file on Avast scan (thorough scan with archives) (I have extracted the infected file to a folder and then scanned the folder)

*
* avast! Report
* This file is generated automatically
*
* Task 'Simple user interface' used
* Started on Tuesday, August 31, 2004 11:16:45 PM
* VPS: 0436-0, 08/31/2004
*

Infected files: 0
Total files: 2
Total folders: 1
Total size: 13.6 k

*
* Task stopped: Tuesday, August 31, 2004 11:16:45 PM
* Run-time was 0 second(s)
*

Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: Jlo on September 01, 2004, 09:03:23 AM
Hi,

I think the file you received is a new one. It was spammed on the 31st August. I guess Avast have not updated their VPS yet but I am sure they will in the next few hours.

Just check out http://www.f-secure.com/v-descs/bagle_ak.shtml for more info.

Please also make sure you post the file to virus@avast.com (just in case they have not received it yet)

Cheers
Jlo

Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: Vlk on September 01, 2004, 09:41:25 AM
The update is already out... :)
Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: clanky on September 01, 2004, 03:15:26 PM
I've been sent this twice, the 1st time it contained foto1.exe & the 2nd time calc.exe.   Fsecure & Symantec are not reporting the calc.exe file
Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: Pavel Baudis on September 01, 2004, 03:57:09 PM
Yes, the CALC.EXE is another variant. It is detected by avast! with today's update.

BTW: Another two variants were discovered several minutes ago, so please expect another update soon  ;) .

Pavel
Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: MikeBCda on September 01, 2004, 05:23:26 PM
Quote
BTW: Another two variants were discovered several minutes ago, so please expect another update soon  ;) .
Pavel
If you mean 0436-2, it came in while I was reading this.  Nice timing.  ;)
Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: Jlo on September 01, 2004, 05:49:23 PM
Hi Avast!

Thanks for the quick updates again!

Best wishes

Jlo
Title: Re:un-found virus CAUTION W/ATTACHMENT
Post by: bob3160 on September 01, 2004, 07:14:54 PM
MikeBCda
Quote
If you mean 0436-2, it came in while I was reading this.  Nice timing.
That's funny, same here. I was actually reading your post when the Pop Up occurred. :)