Author Topic: Spam mail-ashBase.dll  (Read 5215 times)

Offline JuninhoSlo

Spam mail-ashBase.dll
« on: January 15, 2011, 09:28:54 PM »
Hi :)

A few days ago I received an email with false content. I didn't read the whole mail, but I was surprised by this line: "Please copy our file to C:\Program Files\Alwil Software\Avast5". Well, I didn't copy this file to the Avast5 folder; anyway, I downloaded this file and sent it to VirusTotal. VirusTotal found 7 viruses.

Fake ashBase.dll : http://www.virustotal.com/file-scan/report.html?id=ac1a4715e3b8eb7ea713ac96b1c9355854003959523380debec5ce6fc2922f41-1295122535

ashBase.dll from Avast folder: http://www.virustotal.com/file-scan/report.html?id=5b289e25ffae13b361cde24d7093666a8b3afd8f872ef67d24fc640f29f791fc-1295122982

Does ashBase.dll contain a virus? Should I send this file to Avast?

Thank you. Best regards :)
« Last Edit: January 15, 2011, 09:31:25 PM by JuninhoSlo »

Offline DavidR

Re: Spam mail-ashBase.dll
« Reply #1 on: January 15, 2011, 09:52:04 PM »
Well avast (self-defence module) should prevent you just being able to dump files in the avast folder; so I did a little test trying to copy the aswClear5.exe (avast uninstall utility) to the avast5 folder and it failed as expected.

Now that is for a file that doesn't already exist in the avast5 folder and an attempt to replace an existing file I would have thought would have had even more protection.


So it looks like some chancer hoping a) you actually have avast installed, b) you would do it and c) that avast wouldn't block it.

I would say that it is highly suspect and the sample should be sent to avast as possible undetected malware, so it should be detected if this happens in any further emails.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline JuninhoSlo

Re: Spam mail-ashBase.dll
« Reply #2 on: January 15, 2011, 10:09:18 PM »
Thank you for your answer. I tried to replace ashBase.dll with ashBase.dll (fake), but the Avast self-defence module blocked it, as you said :D Yes, I will send the file for analysis. Thank you for your time.

Best regards. :)

Offline DavidR

Re: Spam mail-ashBase.dll
« Reply #3 on: January 15, 2011, 10:15:39 PM »
You're welcome.

There is absolutely no way I would have even attempted to replace a file with a suspect file, as you are relying on it not working.

Offline JuninhoSlo

Re: Spam mail-ashBase.dll
« Reply #4 on: January 18, 2011, 09:36:51 PM »
Avast added this file to the VPS; now Avast detects this file as Win32:Trojan-gen.  8)

Does anyone know what would happen if this file became active?

Have a nice day. :)

Offline DavidR

Re: Spam mail-ashBase.dll
« Reply #5 on: January 18, 2011, 09:47:56 PM »
I rather doubt anyone other than those experienced in this would know what it would do without running it in a VM environment and monitoring what it does; that would also require a number of monitoring tools.

There is an on-line analysis that gets close, but doesn't go into huge detail, though I don't know if it analyses dll files.