Topic: Virus got into system past avast! :-/

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re:Virus got into system past avast! :-/
« Reply #30 on: December 22, 2003, 06:52:58 PM »
Quote
These 2 reasons for the possible worm infection Lars-Erik got give more strength again to the thingy I always say: layered defence!

If you had had the freeware Abtrusion Protector nothing would have happened (if you by mistake pressed the wrong button):
http://www.abtrusion.com/  or  http://maxcomputing.narod.ru/ssme.html
or some commercial anti-trojan with memory/process scan (resident guard).
Waldo

Nice links! Thanks Waldo. We are also joined to layered defences!
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Virus got into system past avast! :-/
« Reply #31 on: December 22, 2003, 08:48:31 PM »
A few notes to the original question:
I'll check the corresponding code when I get back to work, but I believe avast! would never allow an infected program to execute. Of course, it may fail detecting a (new) virus, but if it detects the virus, it will deny access to it. There's no "Continue" button that would allow it.

I can check if this "Agent" client (where can it be downloaded from, btw?) doesn't use some special method to execute its attachments, but I really doubt it (I think all the possible methods are covered now; and even if they weren't, avast! wouldn't detect the virus - and it did).

To me, it seems more likely that the Swen worm was active before (it could have been started before avast) - and the warning was given by avast! at the moment it was trying to spread (execute another instance of itself, maybe?)

That wouldn't explain how Swen could have got to the computer in the first place, of course...  ???

techie101

  • Guest
Re:Virus got into system past avast! :-/
« Reply #32 on: December 22, 2003, 10:17:05 PM »
Lars,

This might help clarify things a bit. The worm activates when a victim launches the infected file (double-clicking on the file attachment) or when a victim machine's email application is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Internet worms Klez and Tanatos). Once run, Swen installs itself in the system and begins its propagation routine. You can download the patch released in March 2001 for the IFrame vulnerability: Microsoft Security Bulletin MS01-20.

The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of the code text are almost identical to that of another Internet worm called I-Worm.Gibe, although the programming language used is different.

From your posts, the Swen was activated and started propagating almost immediately, even as Avast sounded the alarm. The "delete" worked; however, if you study the characteristics of Swen, you will realize that it spreads quickly, mutates, and can disable some AVs or "hide" itself from the AV by changing the format coding.

I also noticed that you said you do not use the Avast mail scanner?
Is this correct?  Why don't you use it?  It is one of the best protection features of Avast.

techie

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Virus got into system past avast! :-/
« Reply #33 on: December 22, 2003, 11:43:33 PM »
1) I use Agent as my mail client. It doesn't do any preview or in any other way open attached files until they are saved to disk. So when someone chose to open the attachment it was saved to WINDOWS\TEMP, and that triggered avast! (as it should). After an attachment is saved the mail program will try to execute it. But we shouldn't have gotten this far, should we? As avast! was triggered when the file was saved. And even if it got saved it should trigger avast! when it was opened again too (I scan on both "write" and "open"). So to start it had to get past TWO times (if the file was not allowed to be saved AND opened even after avast! showed the warning).

2) The "Delete" option DID NOT work. It just gave an error message (because by then the file had been executed and was locked). But how could it be executed WHILE avast! was showing the virus warning and no one clicked anything?

3) Mail scanner might be nice, but it will only stop mail coming through a configured POP3/SMTP client. My girlfriend uses web-mail. And then this would have happened anyway if she clicked an executable attachment (it would first be saved in "Temporary Internet Files" and then run from there). And if the same had occurred then it would not have been stopped.

I'm not trying to be unfriendly towards avast! I'd just like to figure out how the virus could start when the file was BOTH saved to disk AND THEN opened from disk (to be executed). avast! should have stopped both those operations, right?

The only explanation I have is that the saving and opening for execution continued in the background while avast! was waiting for us to choose an action in the virus warning box. And that scares me: every file I/O should be stopped then.
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

techie101

  • Guest
Re:Virus got into system past avast! :-/
« Reply #34 on: December 23, 2003, 12:12:47 AM »
Lars,
Quote
So when someone chose to open the attachement it was saved to WINDOWS\TEMP, and that triggered avast! (as it should).
And also the Swen32 virus!

Yes, I can yield to your view. However, just keep in mind that the Swen32 is a nasty little thing that CAN activate even when not opened by the user. This is fact! All it needs is to be downloaded and saved. Avast did detect it; however, when you deleted the virus (and it is only conjecture on my part) the Swen had already started to spread and mutate. Avast stopped the original exe-coded virus but some of the little buggers got out. You said Avast alerted you when the virus was saved. That is correct. It would not alert you again because Avast will not let you execute an infected file. You stated that you got the "locked file" message.
I know you want to go round and round with this, but I have had Avast for some time now and it has stopped viri on many occasions without any computer damage or corruption. Sometimes a file will not "delete" for different reasons: passworded, active, locked, in the Restore directory and others. But until you can figure out HOW to delete the virus, Avast will not let it do damage.

Also, you are correct about webmail. Unfortunately, Avast cannot scan an email client not configured by POP3 and SMTP.

I wish I could offer a better explanation, but maybe there really isn't any!  

Thank you for your input,
techie

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Virus got into system past avast! :-/
« Reply #35 on: December 23, 2003, 12:22:08 AM »
I think the "Created/modified files scan" works a little different than you expect. As I already explained somewhere, the scan is performed after the file is written (can't be reasonably done better) and it's probably non-blocking (not completely sure about this one - Vlk may have some more info). I.e. the virus warning is rather informative-only in this case.

The other ones (scanning on open/execute) do deny the access to the file, however, so the file should never be executed, if infected.

As I said... I'll check it later, but I believe the original scenario went a little different than it appeared.

techie: Having unfixed Outlook is bad (though it wasn't the case here), but I think the executed attachment should be caught anyway, and not allowed to be started.
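To make igor's distinction between the two on-access hooks concrete, here is a toy Python model added to this thread (it is not avast! code; the signature, the temp path and the "scan on open" extension list are constructed assumptions). A post-write scan can only warn, because the bytes are already on disk, while a pre-open scan runs before the open/execute completes and can deny it:

```python
import os
import hashlib

# Constructed stand-in for a signature database: SHA-256 of a known-bad body.
BAD_SIGNATURES = {hashlib.sha256(b"constructed-worm-body").hexdigest()}

# Assumed "scan on open" extension set; the product's real default list is not on the page.
SCAN_ON_OPEN_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat"}


class OnAccessScanner:
    """Two hooks: a post-write scan that can only warn, and a pre-open scan that can deny."""

    def __init__(self):
        self.alerts = []          # everything the user would see in a warning box

    def is_infected(self, data: bytes) -> bool:
        return hashlib.sha256(data).hexdigest() in BAD_SIGNATURES

    def after_write(self, path: str, data: bytes) -> None:
        # The write has already hit the disk, so the result is informative only.
        if self.is_infected(data):
            self.alerts.append(f"WARNING (post-write): infected file written: {path}")

    def before_open(self, path: str, data: bytes) -> bool:
        # Runs before the open/execute completes; False means access is denied.
        ext = os.path.splitext(path)[1].lower()
        if ext in SCAN_ON_OPEN_EXTENSIONS and self.is_infected(data):
            self.alerts.append(f"DENIED (pre-open): infected file blocked: {path}")
            return False
        return True


def mail_client_opens_attachment(scanner: OnAccessScanner, path: str, data: bytes) -> bool:
    """Model of the mail client: save the attachment to disk, then try to execute it.

    Returns True if the execute step was allowed to proceed.
    """
    disk = {path: data}                           # the saved temp file
    scanner.after_write(path, data)               # step 1: save -> warning only
    return scanner.before_open(path, disk[path])  # step 2: execute -> blocking check


def demo():
    """Constructed run: an infected .exe is saved and then executed from WINDOWS\\TEMP."""
    s = OnAccessScanner()
    allowed = mail_client_opens_attachment(s, r"C:\WINDOWS\TEMP\attach.exe", b"constructed-worm-body")
    return allowed, s.alerts
```

The model also shows why the extension list on the open hook matters: a file whose extension is outside that set only gets the post-write warning and is not stopped at execute time.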

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Virus got into system past avast! :-/
« Reply #36 on: December 23, 2003, 12:28:38 AM »
>Yes, I can yield to your view. However, just keep in mind that the Swen32 is a nasty little thing that CAN activate even when not opened by the user. This is fact!

How? The code is NOT executed when a file is saved. And we are not talking Outlook Express here either. When I save an attachment from Forte Agent, the code is written from the mail database (where it cannot be executed) and written to a file (that is not executed yet). Where should the virus code have been executed (I'm a bit curious, this is really interesting)? Do you mean it executed while coming through the POP3 port already, and if yes, how, and how do you protect against that (even a mail scanner would be too late to catch that, but this seems a bit far-fetched)?

I have received viruses by mail before, and saved them (to test, only save, not save & execute) without any trouble (stopped by McAfee). And this includes several worms as well. So I'm not convinced. If I still had the mail I would have tried to save it once more (only "save", no "open") to see. Well, they keep coming from time to time so :-)

I would very much like to contribute to making avast! even better by finding out what really happened here, so if there is anything I could test or do to reveal more detail, say so.

Anyway, avast! did a good job cleaning up the virus though.
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Culpeper

  • Guest
Re:Virus got into system past avast! :-/
« Reply #37 on: December 23, 2003, 06:22:57 AM »
Quote
It is indeed easy to make a mistake and press "the wrong button" when alerted for a possible virus. Everybody gets scared by a message like that.

It's also possible that AVAST did detect it, but let it run anyway... also, I doubt that. This must be investigated by the vendors of Avast.

These 2 reasons for the possible worm infection Lars-Erik got give more strength again to the thingy I always say: layered defence!

It's correct that Avast shouldn't let viruses & worms run (especially well-known worms) but I don't believe this ever happened in the past.

If you had had the freeware Abtrusion Protector nothing would have happened (if you by mistake pressed the wrong button):

http://www.abtrusion.com/

or:

http://maxcomputing.narod.ru/ssme.html

or some commercial anti-trojan with memory/process scan (resident guard).

Waldo

Is there anything like the freeware Abtrusion Protector that is for Win98 also? The Abtrusion website states it is for Win NT, XP and 2000.

whocares

  • Guest
Re:Virus got into system past avast! :-/
« Reply #38 on: March 01, 2004, 12:47:48 PM »
Quote
BTW: I'd like a new check-box in Advanced. Under "Scan files on open" I'd like the "Default extension set" here as well (so that all common file types can be scanned on open too; it's not obvious what files are scanned on open today).

Second the motion...!!
(Although in the board there are numerous postings as to the default list, which you could just copy and paste in the "scan on open" fields) ;)