Author Topic: Saturday 14 Worm detected  (Read 7083 times)


Arup

  • Guest
Saturday 14 Worm detected
« on: March 23, 2005, 03:41:24 PM »
Something strange happened today, decided to try out the avast external control tool and while doing a thorough memory scan I got the notice that my memory is infected with Saturday the 14 Worm.

Is this a false alarm? I have been using Avast for the last two years and do regular offline scans with it, however, being this is a memory resident worm, I guess it went undetected.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Saturday 14 Worm detected
« Reply #1 on: March 23, 2005, 04:50:49 PM »
Most probably, a false positive...
Is it a file or just in memory (running process)?

If it's a file, can you submit it to JOTTI and let us know the result.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used.
The best things in life are free.

Arup

  • Guest
Re: Saturday 14 Worm detected
« Reply #2 on: March 23, 2005, 04:58:23 PM »
Hi Technical,

Thanks for the fast response, the problem is that it is only indicated when I use the 3rd party Avast External Control tool and set it to thorough memory scan, it tells me to do a boot time scan which I have already done and nothing gets detected there. So my guess would be that it is a false positive, I use Jetico which pops up for any kind of net access so I would know if a worm is trying to connect out to the net but then if it is disguised as System app, it then becomes tricky.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Re: Saturday 14 Worm detected
« Reply #3 on: March 23, 2005, 05:10:45 PM »
Where was it detected?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89679
  • No support PMs thanks
Re: Saturday 14 Worm detected
« Reply #4 on: March 23, 2005, 05:26:52 PM »
Quote: If it's a file, can you submit it to JOTTI and let us know the result.

The new url for Jotti is http://virusscan.jotti.org/
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Saturday 14 Worm detected
« Reply #5 on: March 23, 2005, 10:35:02 PM »
Quote: Thanks for the fast response

Be used to  8)
avast forum is fast  ;)

Quote: The problem is that it is only indicated when I use the 3rd party Avast External Control tool and set it to thorough memory scan

If you start avast antivirus with the option for 'memory scan' checked, do you receive any error?
Can you send an IM to RejZor (the author of Avast External Control) and relate the fact?

The best things in life are free.

Arup

  • Guest
Re: Saturday 14 Worm detected
« Reply #6 on: March 24, 2005, 03:27:17 AM »
Hi Technical,

The detection only happens when I use the Avast external tool which has an option for thorough memory scanning, it doesn't happen if I start Avast conventionally, that is through the regular interface. It isn't a file, it is a certain block of memory, so technically, it can't be sent.

How do I IM Rejzor?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Saturday 14 Worm detected
« Reply #7 on: March 24, 2005, 03:36:41 AM »
Quote: The detection only happens when I use the Avast external tool which has an option for thorough memory scanning, it doesn't happen if I start Avast conventionally, that is through the regular interface. It isn't a file, it is a certain block of memory, so technically, it can't be sent.

It seems that the application is scanning something in a 'different' way than from the splash screen of avast.
It is better to contact RejZor...

Quote: How do I IM Rejzor?
Click here  ;)

The best things in life are free.

Arup

  • Guest
Re: Saturday 14 Worm detected
« Reply #8 on: March 24, 2005, 04:19:04 AM »
Thanks Technical, sent him an IM, let's see what he says about this. I am interested, I have already done scans with BitDefender, Clam AV, a2, Ewido and KAV but none of them have detected anything so far.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9412
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Saturday 14 Worm detected
« Reply #9 on: March 24, 2005, 07:48:28 AM »
Thorough Memory scan is also a part of avast! (it's NOT my invention hehe).
It's just that avast! doesn't have any menu controls for this mode, only Normal Memory scan which is performed every time before launching Simple Interface.
I believe only Alwil team can help you, because I'm no expert for memory resident malware.
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Re: Saturday 14 Worm detected
« Reply #10 on: March 24, 2005, 09:36:31 AM »
Arup, avast! shows the ID of the process where the virus was found. Can you identify the process executable (e.g. using the Windows Task Manager, if you use Windows NT/2000/XP)?

Arup

  • Guest
Re: Saturday 14 Worm detected
« Reply #11 on: March 24, 2005, 10:35:49 AM »
Process 992, memory block 0x00CF9000, block size 36864

This is quite interesting, the process identified is bdss.exe, part of the free BitDefender AV I had installed last week just to check if Avast is doing its job. Looks like either this is a false positive or BitDefender has an infected program on their servers which I am sure is unlikely.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Re: Saturday 14 Worm detected
« Reply #12 on: March 24, 2005, 11:16:39 AM »
I think it's quite likely that BitDefender is keeping decrypted virus signatures in memory. I believe Saturday 14th is an old DOS virus, so it really doesn't seem to be a real infection.
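
Added example, not part of the thread and not avast! or BitDefender code: a triage sketch for the report line quoted in Reply #11, showing why a byte pattern found in the run-time data of another scanner's process points to a false positive. The signature bytes, the memory snapshot and the `OTHER_SCANNERS` list are constructed assumptions; only the report line and the process name come from the thread.

```python
import re

# Constructed stand-in for a scanner's byte pattern (not a real virus signature).
SIGNATURE = b"\x90SAT14-DEMO\x90"

def _block(size, offset):
    """Build a constructed memory block with SIGNATURE placed at `offset`."""
    return b"\x00" * offset + SIGNATURE + b"\x00" * (size - offset - len(SIGNATURE))

# Constructed snapshot: pid -> (image name, [(base, size, kind, bytes)]).
# kind "image" = mapped from the file on disk; "private" = data built at run time.
SNAPSHOT = {
    992: ("bdss.exe", [
        (0x00400000, 4096, "image", b"\x00" * 4096),
        (0x00CF9000, 36864, "private", _block(36864, 512)),
    ]),
}
# Assumption: process names of other anti-malware engines installed on the machine.
OTHER_SCANNERS = {"bdss.exe"}

REPORT = re.compile(r"Process (\d+), memory block (0x[0-9A-Fa-f]+), block size (\d+)")

def triage(report_line):
    """Map a memory-scan report line to its owning process and suggest a next step."""
    m = REPORT.search(report_line)
    if m is None:
        raise ValueError("unrecognised report line")
    pid, base, size = int(m.group(1)), int(m.group(2), 16), int(m.group(3))
    name, regions = SNAPSHOT.get(pid, ("<unknown>", []))
    for r_base, r_size, kind, data in regions:
        if r_base <= base and base + size <= r_base + r_size:
            start = base - r_base
            hit = data.find(SIGNATURE, start, start + size)
            if hit < 0:
                verdict = "not reproducible: rescan"
            elif kind == "private" and name in OTHER_SCANNERS:
                verdict = "likely false positive: pattern in another scanner's data"
            elif kind == "image":
                verdict = "submit the executable on disk for analysis"
            else:
                verdict = "investigate: pattern in run-time data of a non-scanner"
            return {"process": name, "kind": kind, "verdict": verdict,
                    "hit_address": None if hit < 0 else r_base + hit}
    return {"process": name, "kind": None, "verdict": "block not in snapshot",
            "hit_address": None}

if __name__ == "__main__":
    print(triage("Process 992, memory block 0x00CF9000, block size 36864"))
```
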

Arup

  • Guest
Re: Saturday 14 Worm detected
« Reply #13 on: March 24, 2005, 11:51:05 AM »
Thanks Igor, don't need BitDefender or any other, got Avast and it runs fine. False alarm or not, had me rattled for a while.