Author Topic: W32.HLLW.Blaxe  (Read 3668 times)


Gu3

  • Guest
W32.HLLW.Blaxe
« on: September 22, 2003, 10:58:16 PM »
Is there any reason that Avast! failed utterly to detect this worm either on receipt or on full scan?

I'm concerned, as a friend using Avast! just received this, and Avast! failed to detect it in any fashion.  He was forced to roll back to Norton Corporate.

Any clues?  

Also, why does it not appear on the virus Definitions/reference list on the web site?  I had to go to SARC to find anything out about it.  It apparently was first detected in August 2003!

Regards,
Scott... :-[

Lito

  • Guest
Re:W32.HLLW.Blaxe
« Reply #1 on: September 23, 2003, 02:49:09 AM »
Maybe the Avast team would like to test that file ;), just send an email to virus at avast dot com

Cheers, Lito.

Gu3

  • Guest
Re:W32.HLLW.Blaxe
« Reply #2 on: September 23, 2003, 04:12:53 AM »
Good Idea.

Sadly, (or fortunately as it were) it wasn't on my machine, and I'll have to see if my friend will forward it to me.

Regardless, I'm confused as to why it isn't in my virusdefs list, and why it does not appear in Alwil's virus information on the website.

I realize that SARC says that the number of instances "in the wild" are 0-X, but this is apparently not the case.  

As it turns out, it appears that the vector that was used on this "attack" was the WinMX P2P tool, and sadly this seems to have bypassed the usual protections (understandable, since WinMX is not on the Avast! P2P support list).  However the virus should have been detected by the OnAccess protection service.  It wasn't.

Now, this may be simply because this virus hasn't been seen "in the wild" since it was discovered in August, but it is apparently related to a previous worm W32.Spybot.Worm, which also does not appear in my Virusdefs file.

Once installed, it appears to have then used some technique for installing the RingZero Trojan.  It may be that Blaxe simply provided a point of entry, and some enterprising hacker/cracker simply utilized the resulting space (A bunch of cracks were stored on the machine).

Given that I have been fortunate in not receiving Blaster or Swen (or any of the more recent worms or viruses (virii)), I have been blissfully confident in the competence of Avast! However, the apparent failure in this case, coupled with what appears to be a sore lack in my virusdefs file, concerns me a bit.

I am a loyal Avast! user, but want to know more about how Alwil selects virus patterns to include in the virusdefs file, and whether this will be addressed (or is already addressed by another def).

I will attempt to get a copy of this file and pass it on to the address suggested.

Thanks!
Gu3