Author Topic: Troy Ball - Backdoor.Win32.(Agent.aiy|Agent.ACE) - virus not detected by Avast!


avastman

  • Guest
Hi.

I have a client whose machine is apparently infected with the "Troy Ball" virus.  He is running Avast! with latest signatures, but scanning does not find the virus.

Independent confirmation that Avast is missing this can be found here: http://www.disog.org/ (Javascript Webmail Exploit).

Any suggestions on how I can clean this machine?  Or how long before I can expect Avast to find it?

Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
If you have a sample of the malware then it can be sent to avast for analysis.

Send the sample to virus@avast.com zipped and password protected with the password in email body and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

avastman

  • Guest
Thank you DavidR, but unfortunately I have no way to identify a sample.  I am open to any suggestions.

We know the machine is infected because of its behavior (it matches exactly "Troy Ball").

I suppose that I could purchase and install one of the AV products which does identify the malware, but I hate to "corrupt" this system with Panda or MS (I don't know anything about Ikarus).

Any ideas?

Thanks.
« Last Edit: November 08, 2007, 04:33:30 PM by avastman »

Offline DavidR

You could try an on-line scanner; some just notify you of the file in the hope you will buy the software.

On-line Virus Scanners and other useful Links (Security-Ops.eu.tt). New on-line scanner: http://www.eset.com/onlinescan/

I wouldn't use Panda as it doesn't encrypt its signatures (causes false detections by other AVs later) and worse dumps its signature files in the system folders making it more difficult to remove them when you are done.

If this also sends out spam (from my brief reading), set the avast Internet Mail provider to High as this will detect multiple identical emails in a short period, your firewall should also have an impact in blocking unauthorised outbound Internet Connections.

Also useful as a diagnostic tool: HiJackThis (FileHippo download), HJT Information, HiJackThis Tutorial 1.

avastman

  • Guest
Yes, HiJackThis seems like it may work.  Thanks for that!

As I understand it, I don't think a firewall would help since this is a browser javascript exploit.  The emails are actually sent from the ISP's (Comcast's) webmail interface.

What if I could get one of the infecting emails?  Would that allow the Avast developers to implement detection on an infected machine?

Offline DavidR

If you can, send the sample to virus@avast.com zipped and password protected, with the password in the email body and "possible undetected malware" in the subject.

I don't quite know how it would help. If it is web mail, then it is viewed in your browser and the web shield monitors that; it would depend on what the javascript in the email did. If it were to try and download some malware, then that may well be detected by the web shield.

I think by far the best defensive option is to use Firefox with the NoScript extension; I try to avoid IE like the plague. Avoiding ActiveX is another advantage of using Firefox, and possibly a number of other MS tools mentioned: "The script also uses the ActiveX MSXML2.XMLHTTP or Microsoft.XMLHTTP control to stream mail through the web mail interface."
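The quoted description gives one concrete indicator: the mail-borne script instantiates the ActiveX MSXML2.XMLHTTP or Microsoft.XMLHTTP control. The script below is an added example, not code from the thread or from Avast: it parses a raw e-mail, decodes every text/html part, and reports inline script blocks and any ActiveX XMLHTTP instantiation inside them, which is the kind of check the original poster could run over a captured "infecting email" before sending it in. The message fixtures are constructed for the example and contain only that single indicator line, not a working worm.

```python
"""Flag HTML e-mail bodies carrying inline script that instantiates the
ActiveX XMLHTTP control (the indicator quoted in the thread above).
Added example; not Avast code. Sample messages below are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser

# Indicator from the thread: ActiveXObject("MSXML2.XMLHTTP") or
# ActiveXObject("Microsoft.XMLHTTP"); versioned MSXML2 ProgIDs (e.g.
# MSXML2.XMLHTTP.3.0) are accepted as an assumption, not stated on the page.
ACTIVEX_XMLHTTP_RE = re.compile(
    r'new\s+ActiveXObject\s*\(\s*["\']\s*'
    r'(MSXML2\.XMLHTTP(?:\.\d+\.\d+)?|Microsoft\.XMLHTTP)\s*["\']\s*\)',
    re.IGNORECASE,
)
# Any inline <script> in a mail body is already worth reporting; an HTML
# e-mail has no legitimate need for one.
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script\s*>',
                       re.IGNORECASE | re.DOTALL)


def html_bodies(msg):
    """Yield every decoded text/html part of a (possibly multipart) message.
    get_content() undoes base64 / quoted-printable transfer encoding."""
    for part in msg.walk():
        if part.get_content_type() == 'text/html':
            yield part.get_content()


def scan_message(raw):
    """Scan a raw RFC 822 message; return counts of inline script blocks and
    the list of ActiveX XMLHTTP ProgIDs found inside them."""
    msg = Parser(policy=policy.default).parsestr(raw)
    result = {'script_blocks': 0, 'activex_xmlhttp': []}
    for body in html_bodies(msg):
        for block in SCRIPT_RE.finditer(body):
            result['script_blocks'] += 1
            for hit in ACTIVEX_XMLHTTP_RE.finditer(block.group(1)):
                result['activex_xmlhttp'].append(hit.group(1))
    return result


def build_sample(html):
    """Build a multipart/alternative message around the given HTML.
    Constructed fixture: addresses and subject are placeholders."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.invalid'
    msg['To'] = 'victim@example.invalid'
    msg['Subject'] = 'constructed sample'
    msg.set_content('plain-text alternative')
    msg.add_alternative(html, subtype='html')
    return msg.as_string()


BENIGN_HTML = '<html><body><p>Meeting moved to 3pm.</p></body></html>'
SUSPICIOUS_HTML = """<html><body><p>see attached</p>
<script type="text/javascript">
  // constructed: only the indicator line, nothing else of a real worm
  var req = new ActiveXObject("MSXML2.XMLHTTP");
</script></body></html>"""

if __name__ == '__main__':
    for name, html in (('benign', BENIGN_HTML), ('suspicious', SUSPICIOUS_HTML)):
        print(name, scan_message(build_sample(html)))
```

Run it on a saved .eml by passing the file contents to `scan_message`. The check is deliberately narrow: it matches the literal ProgID strings, so a script that builds the string by concatenation or pulls the mail logic from an external URL would be missed, which is why a non-zero `script_blocks` count alone is already a reason to quarantine the message and send it to virus@avast.com as DavidR describes.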