Author Topic: Two viruses Avast! didn't detect  (Read 3470 times)


hooseuser

  • Guest
Two viruses Avast! didn't detect
« on: July 27, 2008, 05:06:55 PM »
People. I've had two viruses in the last two days that Avast didn't detect but other AV apps did.

Are these really viruses, or am I seeing something generic that other AV apps are classifying as viruses when they're not?

Below are the reports I sent to virus@avast. If you want, I can post the actual exes as well (the 2nd email has the link to the web site hosting the virus, which tries to convince you it's a Flash updater so that you download and install it), if you want to download and scan it.

Thanks for any help.

--------------------------------------------------------
--------------------------------------------------------
Hi

Attached is a virus Avast! doesn't detect. It arrived as a zip file in an email with Subject [RE] UPS Tracking Number 5988367489.

You need to unzip it (password = virus) and then rename it to have .exe at the end (Google doesn't allow sending .exe in zip files).

See http://www.virustotal.com/analisis/52b78cba74517513f4d2946a0cbd4722 for how other virus checkers pick up this virus.

The results from your online scanner were:
 UPS_INVOICE_187271.exe
       clear
    * VPS version: VPS 080723-0 23.07.2008
    * Scaner version: 3.0.1
    * Scanned files: 1
    * Scanned directories: 0
    * Archives count: 0
    * Infected files:
    * Errors: 0
    * File count: 55.5 kB
    * Scan time: 0s 5ms
    * Scanned speed: 10.7 MB

The email headers on the mail it arrived in were:

Return-path: <tymridsmmie@boldermarketing.com>
Envelope-to: MYADDRESS-REMOVED
Delivery-date: Wed, 23 Jul 2008 08:05:34 -0500
Received: from [81.80.139.189] (port=30704)
   by MYMAILSERVER-REMOVED with esmtp (Exim 4.69)
   (envelope-from <tymridsmmie@boldermarketing.com>)
   id 1KLe28-00062A-2w
   for MYADDRESS-REMOVED; Wed, 23 Jul 2008 08:05:34 -0500
Received: from [81.80.139.189] by mailavas1.pacific.net.au; Wed, 23 Jul 2008 14:05:33 +0100
From: "United Parcel Service" <tymridsmmie@boldermarketing.com>
To: <MYADDRESS-REMOVED>
Subject: [RE] UPS Tracking Number 5988367489
Date: Wed, 23 Jul 2008 14:05:33 +0100
Message-ID: <01c8eccd$2bf53480$bd8b5051@tymridsmmie>
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_000E_01C8ECCD.2BF53480"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal

    * What operating system are you using? (e.g. Windows 2000 Server...) = WinXP
    * What version of avast! are you using? (e.g. 4.0.160 - you can find this information in the "About avast!..." dialog) = 4.8
    * What version of VPS file are you using? (e.g. 0303-10, 04/15/2003 - you can find this information in "About avast!..." dialog) = 080723-0 23/07/2008
    * What is your e-mail client? (e.g. Outlook, Outlook Express, IncrediMail...) = Thunderbird
    * Do you use other security software? Which one? (e.g. Norton Antivirus...) = nope

--------------------------------------------------------

--------------------------------------------------------
Hi

Virus attached. Zip password is virus. It needs renaming to .exe.

It arrived in a spam email with a link to a web site that then popped up and tried to install it.

VirusTotal (http://www.virustotal.com/analisis/1a3dfe338be88b758e0b8cbda17a6dda) detects it as:

Antivirus    Version    Last Update    Result
AhnLab-V3    2008.7.26.0    2008.07.27    -
AntiVir    7.8.1.12    2008.07.26    TR/Crypt.XPACK.Gen
Authentium    5.1.0.4    2008.07.27    -
Avast    4.8.1195.0    2008.07.26    -
AVG    8.0.0.130    2008.07.26    I-Worm/Nuwar.V
BitDefender    7.2    2008.07.27    -
CAT-QuickHeal    9.50    2008.07.25    (Suspicious) - DNAScan
ClamAV    0.93.1    2008.07.27    -
DrWeb    4.44.0.09170    2008.07.27    -
eSafe    7.0.17.0    2008.07.24    Suspicious File
eTrust-Vet    31.6.5983    2008.07.26    Win32/Collet!generic
Ewido    4.0    2008.07.27    -
F-Prot    4.4.4.56    2008.07.26    -
F-Secure    7.60.13501.0    2008.07.27    Trojan-Downloader.Win32.Exchanger.hk
Fortinet    3.14.0.0    2008.07.26    W32/PolyZlob!tr.dldr
GData    2.0.7306.1023    2008.07.27    Trojan-Downloader.Win32.Exchanger.hk
Ikarus    T3.1.1.34.0    2008.07.27    Trojan-Downloader.Win32.Exchanger.hk
Kaspersky    7.0.0.125    2008.07.27    Trojan-Downloader.Win32.Exchanger.hk
McAfee    5347    2008.07.25    -
Microsoft    1.3704    2008.07.27    -
NOD32v2    3301    2008.07.27    -
Norman    5.80.02    2008.07.25    -
Panda    9.0.0.4    2008.07.27    -
PCTools    4.4.2.0    2008.07.27    -
Prevx1    V2    2008.07.27    Suspicious
Rising    20.54.61.00    2008.07.27    -
Sophos    4.31.0    2008.07.27    Mal/EncPk-DA
Sunbelt    3.1.1536.1    2008.07.25    -
Symantec    10    2008.07.27    -
TheHacker    6.2.96.389    2008.07.25    -
TrendMicro    8.700.0.1004    2008.07.26    -
ViRobot    2008.7.26.1311    2008.07.26    -
VirusBuster    4.5.11.0    2008.07.26    Trojan.DL.Exchanger.BP
Webwasher-Gateway    6.6.2    2008.07.27    Trojan.Crypt.XPACK.Gen
Additional information
File size: 78848 bytes
MD5...: c81b29a3662b6083e3590939b6793bb8
SHA1..: d513275c276840cb528ce11dd228eae46a74b4b4
SHA256: 037d48a1fdcfc95ca4576d1cab3b8b1cced5e191aadd253e9a9154132237f32d
SHA512: 07d76ee77591c75079ad1edb9e8870652c533b108154e21658988f9e38c04014
08167ba4297a2e145eb2853081fc87b288040130ace133d33cf403b125dc44a8
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4057ff
timedatestamp.....: 0x482ea8c7 (Sat May 17 09:43:35 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xdf88 0xc200 8.00 c022f73d70ca77ed6ef5ab8cb4684da1
.rdata 0xf000 0x3df8 0x2200 7.98 09b16ab667efc4bc7a01307960dceac7
.data 0x13000 0x6000 0x4000 4.86 f229a7bb130002438c84d2fe09f55f25

( 3 imports )
> USER32.DLL: DrawIcon, DestroyCaret, FillRect, GetActiveWindow, GetMonitorInfoW, GetShellWindow
> ADVAPI32.DLL: ReportEventW, RegFlushKey, DecryptFileW, ReadEventLogW, OpenThreadToken
> WININET.DLL: FtpGetFileW, GopherFindFirstFileA, GopherOpenFileW, FreeUrlCacheSpaceA, HttpQueryInfoA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=B74B67E3006C2AD834CA01BBEDF6C600EC76F2DD
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=c81b29a3662b6083e3590939b6793bb8

The email was:

    Return-path: <nedietna_1952@100anosdemusica.com.br>
    Envelope-to: REMOVED@REMOVED.com
    Delivery-date: Sun, 27 Jul 2008 07:14:30 -0500
    Received: from [87.243.139.101] (port=3280)
        by REMOVED.com with esmtp (Exim 4.69)
        (envelope-from <nedietna_1952@100anosdemusica.com.br>)
        id 1KN58v-0005JB-Py
        for REMOVED@REMOVED.com; Sun, 27 Jul 2008 07:14:30 -0500
    Message-ID: <13D82F07.C4871822@100anosdemusica.com.br>
    Date: Sun, 27 Jul 2008 14:24:17 +0200
    From: Fortin <nedietna_1952@100anosdemusica.com.br>
    User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
    MIME-Version: 1.0
    To: REMOVED@REMOVED.com
    Subject: Angry man shoots lawnmower
    Content-Type: text/html; charset=ISO-8859-1
    Content-Transfer-Encoding: 7bit

    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    </head>
    <body bgcolor="#ffffff" text="#000000">
    Steve Jobs suffers a sudden heartache and is in critical condition <a href="http://kwhgs.ca/hotnews.html">http://kwhgs.ca/hotnews.html</a><br>
    </html>