Author Topic: win32:morto.p  (Read 16242 times)


zebracomputers

  • Guest
win32:morto.p
« on: July 26, 2012, 12:21:57 AM »
So, what is up with Avast 7 and failure to protect computers from win32:morto.p?
I have a customer that had like 15 Windows XP Pro computers running MS Security Essentials infected.
We were able to disinfect using a combination of ComboFix, Norton Power Eraser, Malwarebytes, and Spybot S&D along with the Avast Endpoint Protection Trial ver. 7. After a boot scan and patching of deleted infected files, the network was fine for a few days; then it hit again, maybe a different variant, but Avast did not stop the computers from being infected.
As an Avast Reseller, this really puts egg on my face, as I recommended Avast, and have used it for years with great results.
But what is up with this one?
I can provide a virus sample submission if necessary.
This has been out since Nov. 2011, not anything new.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: win32:morto.p
« Reply #1 on: July 26, 2012, 12:24:13 AM »
Quote
I can provide a virus sample submission if necessary
Have you tested the sample at virustotal.com?
« Last Edit: July 26, 2012, 12:27:10 AM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: win32:morto.p
« Reply #2 on: July 26, 2012, 12:34:20 AM »
Could be the user had two "resident" AV solutions running. Avast has protection for this malcode: https://www.virustotal.com/file/2aa8bd7268bac0681da9b5d2019ae678b9ed28f643995ac7a68d8ad4cac780b8/analysis/
MSE's real-time functionality is incompatible with Avast's resident shield, and that is why you get the "ghost" detections
of AV solutions finding each other's defs, etc.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

zebracomputers

  • Guest
Re: win32:morto.p
« Reply #3 on: July 26, 2012, 01:08:31 AM »
@pondus, no I haven't yet.
@polonus, no, MSSE was removed prior to installation of Avast EP 7.
And like I said, they were clean for days, I suspect new variants or infection vectors.
Thanks for response folks.

zebracomputers

  • Guest
Re: win32:morto.p
« Reply #4 on: July 26, 2012, 02:29:33 AM »
BTW this is detected as Win32/Serpip.b by Eset online scanner.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: win32:morto.p
« Reply #5 on: July 26, 2012, 01:19:31 PM »
Hi zebracomputers,

Then the description is here: http://www.eset.eu/encyclopaedia/win32-serpip-a-worm-fipp-a-virus-morto-w32-b-pift
It is a polymorphic file-infecting worm. Did you send a sample to virus AT avast dot com?
The malcode presents victim with fake-av pop-ups and is a scam really.
Infected system files should be replaced with the help of a qualified malware removal expert.
Here avast did not detect: https://www.virustotal.com/file/f9a12ac987d7737024df78471169d56c1225f31254d3914af8e16a3bbf32daaf/analysis/

polonus

zebracomputers

  • Guest
Re: win32:morto.p
« Reply #6 on: July 26, 2012, 08:44:31 PM »
Thanks Polonus.
I have submitted a sample in pw protected zip file.
Thanks all.

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: win32:morto.p
« Reply #7 on: July 27, 2012, 10:16:23 AM »
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

true indian

  • Guest
Re: win32:morto.p
« Reply #8 on: July 27, 2012, 10:41:37 AM »
Well! You must know that no AV is 100%. How many times should we repeat it?  ::)

Recommend your customers to use Malwarebytes PRO with avast! Free and Norton DNS...

That will be the only time when they won't get infected again...

Tell them to use webmail such as Gmail, Hotmail, etc., as they have excellent spam filters...

Any AV you give them alone to run, they are bound to get infected again... Tell them how to exercise caution when opening mail attachments.
« Last Edit: July 27, 2012, 10:44:34 AM by true indian »

zebracomputers

  • Guest
Re: win32:morto.p
« Reply #9 on: August 03, 2012, 06:14:30 PM »
All good points, true indian, but that doesn't happen in the real world, now does it?  One buys an enterprise-level AV and expects it to protect their computer from viruses.
I am reasonably sure that other AV products, through heuristics or other behavioral analysis, would stop, detect, and remove this threat as soon as it was encountered in email, on a web page, or in a download; the source of infection is still unknown.
Corporate users that have used Outlook for years will likely not transition well to the web-based format, and that may or may not help protect them if the AV on their computer doesn't protect them.
This lack of detection/removal in AVAST will force me to discontinue my sales and support of AVAST.
Took a big one in the ASS, not likely to let it happen again....
FYI, Malwarebytes Pro didn't see this one either, not to mention that once it's on the computer, and you try to run any executable not in the Windows folder, it will be infected as well....
IMHO, Norton products have degenerated to money pits for the user, and cash cows for Symantec.
Just ranting mind you...

Quote from: true indian
Well! You must know that no AV is 100%. How many times should we repeat it?  ::)

Recommend your customers to use Malwarebytes PRO with avast! Free and Norton DNS...

That will be the only time when they won't get infected again...

Tell them to use webmail such as Gmail, Hotmail, etc., as they have excellent spam filters...

Any AV you give them alone to run, they are bound to get infected again... Tell them how to exercise caution when opening mail attachments.
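On the point made above that once the infector is on the machine, any executable run outside the Windows folder gets infected too: an added example (not code from this thread, from Avast or from any of the products named) of a defender-side integrity baseline that hashes the executables under a directory and later reports which ones changed, appeared or vanished, which is the footprint a file infector leaves. The watched suffix set and the JSON baseline format are assumptions.

```python
"""Baseline-and-diff check for executables under a directory tree.
Added example for the thread above; not code from the forum, Avast or
any vendor mentioned. A file infector that rewrites .exe files shows up as
many 'modified' entries whose size grew by a similar amount."""
import hashlib
import json
from pathlib import Path

# Assumed set of PE-like suffixes worth watching; extend as needed.
EXE_SUFFIXES = {".exe", ".dll", ".scr"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every watched executable (relative POSIX path) to its hash and size."""
    baseline = {}
    for candidate in root.rglob("*"):
        if candidate.is_file() and candidate.suffix.lower() in EXE_SUFFIXES:
            rel = candidate.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(candidate),
                             "size": candidate.stat().st_size}
    return baseline


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Re-scan root and report modified, added and removed executables."""
    current = build_baseline(root)
    common = baseline.keys() & current.keys()
    modified = {rel: {"old": baseline[rel], "new": current[rel]}
                for rel in common
                if baseline[rel]["sha256"] != current[rel]["sha256"]}
    return {"modified": modified,
            "added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys())}


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline; keep this file somewhere the infector cannot touch."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())
```

Run `build_baseline` on a freshly cleaned machine, store the result off-box, and re-run `diff_baseline` on a schedule: a burst of modified executables with a uniform size increase is the signal that the infector is back, whatever the resident AV says.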

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:morto.p
« Reply #10 on: August 03, 2012, 10:34:33 PM »
As an example, Sirefef has been around for a while and Avast detects all variants. But due to the changes in the dropper it can only block once installed. Compare that to five systems I have just cleaned:

The AVs were Norton, Trend Micro, ESET, Kaspersky and AVG.
All the above only gave a warning at boot that a file was infected, then they kept quiet till the next boot.
Avast, however, will block the malware every time it tries to connect to the download server. So although you are still infected, with Avast there is no data going out and no new malware coming down. It is in effect contained.

Compare that to the others I have mentioned.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: win32:morto.p
« Reply #11 on: August 03, 2012, 11:01:37 PM »
Hi zebracomputers,

Pay attention to what essexboy says here; he knows, he is a qualified removal expert here and he has seen more malware in various forms in his time than others would meet in a couple of existences. So when malware does not even get access to a victim's machine, and such is the working of the pro-active shields, we know we are being protected by several more layers than just avast file detection. Consider this also before you withhold this AV solution from your customers,

polonus

P.S. Can you give a link to the initial VT scan, where avast failed detection?
« Last Edit: August 03, 2012, 11:54:15 PM by polonus »

zebracomputers

  • Guest
Re: win32:morto.p
« Reply #12 on: August 04, 2012, 12:04:33 AM »
I have the greatest respect for all the malware removal specialists here, the time they donate etc.
I personally have been removing malware from Windows, Apple and Linux PCs since 1998. (yes these other OS's do have threats and exploits that infect them)
I own a small computer store www.zebracomputers.com and we service thousands of customers a year.
Just FYI, Avast is still not able to prevent, or remove this new variant.  Fully a week after the sample was sent in to Avast.  I have a password protected zip file with an infected file in it, if anyone would like me to email it to them to verify my statements.
Eset nod32 found and cleaned the infected files on zero day, I guess I expect too much from Avast.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: win32:morto.p
« Reply #13 on: August 04, 2012, 12:13:03 AM »
Hi zebracomputers,

Can you fill us in with the VT link where avast failed detecting Win32/Serpip.b?
Else there is not much to comment on, and sometimes that particular strain of malware can be closed or no longer responding after being active for 3 1/2 hrs or even shorter, and then adding detection could really be "water under the bridge". It is not only what you should expect of a good AV solution like avast's, but also what the possibilities are in the real malware theater of an ever-changing malware landscape. It can never be "user demands" and "we will deliver"; that is not how it works,

polonus

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: win32:morto.p
« Reply #14 on: August 04, 2012, 12:16:59 AM »
Quote from: zebracomputers
I have the greatest respect for all the malware removal specialists here, the time they donate etc.
I personally have been removing malware from Windows, Apple and Linux PCs since 1998. (yes these other OS's do have threats and exploits that infect them)
I own a small computer store www.zebracomputers.com and we service thousands of customers a year.
Just FYI, Avast is still not able to prevent, or remove this new variant.  Fully a week after the sample was sent in to Avast.  I have a password protected zip file with an infected file in it, if anyone would like me to email it to them to verify my statements.
Eset nod32 found and cleaned the infected files on zero day, I guess I expect too much from Avast.
Good luck with your store. I just found your page on Facebook and "liked" it  ;D. If you need help, feel free to contact me via Facebook or the Avast forums, etc.