W97M.Thus macro virus and ALWIL Software support

[avastman]

kubecj, thank you!

Yes, this makes sense.  My wife is a school teacher, Macs are used throughout her school, and this particular sample was from her school.

This brings up an important point which I had not considered before, which is that viruses which "pass thru" a Mac may not be detected by an AV, yet still pose a threat when opened on a Win machine.

Based on my limited research, most AVs do detect the virus in this sample.  (In addition to my earlier post from Jotti's, both NAV and TrendMicro [HotMail] detect the virus.)

As far as avast!'s scanning engine is concerned, is each such "pass thru" virus effectively a unique virus?  Or can the engine be made to automatically recognize the "pass thru" version of each virus it already knows?

[kubecj]

As far as avast!'s scanning engine is concerned, is each such "pass thru" virus effectively a unique virus?  Or can the engine be made to automatically recognize the "pass thru" version of each virus it already knows?

This question is particularly hard to answer, regarding to low availabilty of Macs here. (Better said - non-existence, I don't know anybody who has Mac or works with it, except for some DTP folks).

[neiby]

kubecj,

Thanks for the response! Your explanation makes a lot of sense.

John

[avastman]

I downloaded the latest prog & sig updates today, and now avast! detects the virus in my sample.

THANK YOU!  THANK YOU!  THANK YOU!

kubecj, now that you had a chance to look at this more closely, could you further explain how avast! handles macro viruses which pass thru a mac?  In particular, was this a one-off solution for the W97M.Thus virus, or was a more general solution implemented?  I'm wondering if I am protected with avast! from other "pass thru" viruses, as it seems likely (given my wife's use of macs) to happen again.

Thanks again.

Kind Regards,

[kubecj]

I admit this is a partial solution - but it should catch all Thus viruses passing thru the mac version of Office.

But since macroviruses are almost no problem today, and also the number of Mac samples was always much, much lower than Win samples, I'd consider it a minimum risk.

[avastman]

Good enough.  Thank you again.  And thank you for your candor.

[jlmene]

Sorry to add a contribution...  The virus W97M.thus.gen (named according to ClamXAV), a.k.a.  W97M.Thus.EQ.gen (according to Norton), has been detected on a USB key, first on a Mac.

However, Avast still does not detect it (although Norton on another PC actually does). I am using Avast 4.6 - antivirus base 0616-0 (17 April, 2006) on a Windows 98SE PC.  The scan is set on "standard" and there is no exclusion.

I wonder  why Avast does not see the virus while others do. Any advice, explanation, even comforting joke would be welcome. 

Thanks in advance.

[DavidR]

The virus name perhaps provides a clue W97M.thus.gen and W97M.Thus.EQ.gen the gen stands for Generic so it could well be a new variant that is caught by generic detection.

You don't state what the file name or location that is infected ?

That could perhaps avoid a Standard scan if it was in an archive file and you hadn't chosen to scan archives ?

Because the Standard scan doesn't scan all files but those most likely to be infected, etc. it may not have scanned the file, a 'Through' scan would scan more of your files and would obviously take much longer.

Did you try a right click context many scan with ashQuick on the suspect file in question ?

If after testing with ashQuick.exe it still isn't detected they send it to avast to be included in the VPS.

If you are not getting a virus warning that you believe is a new or undetected virus, then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a either a new or undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

[jlmene]

Thanks for the answer.

Unfortunately, the maybe infected file is a Word document, directly on the USB key (and later on my desktop! Gosh!  ), with no shell such as a Zip or RAR or else.

I tried to scan it manually (right rick on it and use of the contextual menu to scan the file - the program name you refer to does not evoke anything to me) and Avast didn't find anything. Hence my question.

I'll do exactly what you suggest tonight. If, as I suspect, no virus can be seen, I'll send all the information as requested.

Thanks again.