Virus not detected by Avast

[frampo]

sorry. please remove post

[Eddy]

NEVER post a link to (suspected) malware on this board please.
Submit the file to virus@avast.com for analyses.
Preferably in a password protected zip.
Mention in the body of the mail why you think it is malware and the password ofcourse.

Edit:
This seems to be a false positive since JOTTI found absolutely nothing

[Eddy]

No need to remove the post. Just the link was enough.

ps: Read the edit in my previous post.

[frampo]

Have emailed the file over.
Avast does not detect it as a virus, but Norton does.

Dan

[frampo]

Have also used  a website to check the file and its results are posted below.
Antivirus Version Update Result
AntiVir 6.31.1.0 09.08.2005 Worm/Robobot
Avast 4.6.695.0 09.09.2005 no virus found
AVG 718 09.07.2005 no virus found
Avira 6.31.1.0 09.08.2005 Worm/Robobot
BitDefender 7.0 09.02.2005 Trojan.Downloader.ZT
CAT-QuickHeal 8.00 09.08.2005 Backdoor.Robobot.al
ClamAV devel-20050725 09.09.2005 no virus found
DrWeb 4.32b 09.09.2005 Trojan.DownLoader.3918
eTrust-Iris 7.1.194.0 09.08.2005 Win32/Boxed.47616!Trojan
eTrust-Vet 11.9.1.0 09.09.2005 Win32.Boxed.BB
Fortinet 2.41.0.0 09.07.2005 W32/Dedler.fam-net
F-Prot 3.16c 09.09.2005 could be infected with an unknown virus
Ikarus 0.2.59.0 09.08.2005 Backdoor.Win32.Robobot.P
Kaspersky 4.0.2.24 09.09.2005 Backdoor.Win32.Robobot.ap
McAfee 4577 09.08.2005 DDoS-Boxed
NOD32v2 1.1212 09.08.2005 Win32/Robobot
Norman 5.70.10 09.09.2005 W32/Downloader
Panda 8.02.00 09.09.2005 DDos/Boxed.E
Sophos 3.97.0 09.09.2005 Troj/Borobot-O
Symantec 8.0 09.09.2005 Trojan.Webus
TheHacker 5.8.2.102 09.08.2005 no virus found
VBA32 3.10.4 09.08.2005 Trojan.DownLoader.3918



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.> Go to: Home Contact En español
--------------------------------------------------------------------------------

[Eddy]

Ah wait. I just noticed that the zip is password protected. That's why JOTTI didn't report anything.
Can you send me the password in a private message so I can check again?

[frampo]

Just "PM'd" you the password.

Dan

[Eddy]

Thanks. Here are the results from JOTTI:

AntiVir    Found Worm/Robobot
ArcaVir    Found nothing
Avast    Found nothing
AVG Antivirus    Found nothing
BitDefender    Found Trojan.Downloader.ZT
ClamAV    Found nothing
Dr.Web    Found Trojan.DownLoader.3918
F-Prot Antivirus    Found unknown virus (probable variant)
Fortinet    Found W32/Dedler.fam-net
Kaspersky Anti-Virus    Found Backdoor.Win32.Robobot.ap
NOD32    Found Win32/Robobot
Norman Virus Control    Found Sandbox: W32/Downloader;
UNA    Found Backdoor.Robobot
VBA32    Found Trojan.DownLoader.3918
 
Info I found out about the malware:
* Creating several executable files on hard-drive.
* File length: 42054 bytes.

[ Changes to filesystem ]
* Deletes file autorun.inf.
* Creates file C:\WINDOWS\System\SMSS.EXE.
* Creates file C:\TEMP\upd_0002.exe.

[ Changes to registry ]
* Creates value "smss"="C:\WINDOWS\System\SMSS.EXE" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Deletes value "KAVPersonal50" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Opens URL: http://upseek.org/u/upd_0002.exe.
* Connects to "CONFIGURED_DNS" on port 53 (IP).
* Uses unsupported DNS query.

[ Network ]
* **Uses IPHLPAPI services.

[ Security issues ]
* Starting downloaded file - potential security problem.
* Possible backdoor functionality [UNKNOWN] port 1108.

[ Process/window information ]
* Creates a mutex 6534C64A-Z454-122E-BFC6-083C2BF4S551.
* Will automatically restart after boot (I'll be back...).

[frampo]

Hopefully we will have an update soon then?

Dan

[Lisandro]

Hopefully we will have an update soon then?

I hope so... Improving detection is an urgent must have