Author Topic: Virus not detected  (Read 24152 times)


Ninjagranny

  • Guest
Virus not detected
« on: February 01, 2004, 04:05:05 PM »

Firstly

I received a suspicious e-mail
checked it, saved it - no problems
scanned it with avast - no problems
opened the entire mail in flat ASCII and looked at it ...
SURE it's a virus
scanned it with
NAV, AVG, PANDA, TRUST, McAfee and about 7 other online scanners
All negative....

I'm still sure it's a virus
Scanned it with
Kaspersky
Infected I-Worm-Swen variant.

Hmmm ..
Reasons I was suspicious

Message body

**********
Hi.
Message from america.com



Undeliverable mail to kjmlsfshf@america.com


Message follows:
**********

so it looks wrong

Checked header info

--cpthpherex
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD></HEAD>
<BODY>
<iframe src=3D"cid:ttsirtvkuxzdeu" height=3D0 width=3D0></iframe>
<BR><BR>Hi.

<BR>Message from america.com
<BR><BR><BR><BR>Undeliverable mail to <B>kjmlsfshf@america.com</B>
<BR><BR><BR>Message follows:<BR><BR><BR><BR>
</BODY></HTML>

--cpthpherex
Content-Type: audio/x-wav; name="fedkv.com"
Content-Transfer-Encoding: base64
Content-Id: <ttsirtvkuxzdeu>


Followed by the hex code

Copied out the hex and saved it
(still nothing from any of them)
except Kaspersky again.

Trust me, the hex IS a variant of Swen that attempts to autorun on MS mail systems
Have sent it to avast for them to inspect

Secondly
I have avast (which I am truly happy with)
I have it on maximum settings and the POP scanner on.

The incoming POP scanner says it scans messages but doesn't ever find a virus -- the viruses are caught only if I try to launch/save them by the standard shield.
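As an added example (not from the post, and not avast's or Kaspersky's logic), a small Python check for the structure quoted above: a zero-size iframe whose src is a cid: reference to an inline part declared as audio/x-wav but named with an executable extension. The message below is constructed to mirror the quoted MIME headers; the attachment body is placeholder bytes, not the original payload.

```python
import email, os, re
from email import policy

# Constructed message modelled on the one quoted in the post. The attachment
# body is a placeholder ("PLACEHOLDER" in base64), not the original payload.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="cpthpherex"

--cpthpherex
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3D"cid:ttsirtvkuxzdeu" height=3D0 width=3D0></iframe></BODY></HTML>

--cpthpherex
Content-Type: audio/x-wav; name="fedkv.com"
Content-Transfer-Encoding: base64
Content-Id: <ttsirtvkuxzdeu>

UExBQ0VIT0xERVI=
--cpthpherex--
"""

# Extensions Windows runs directly; a "media" part carrying one is a red flag.
EXECUTABLE_EXT = {".com", ".exe", ".pif", ".scr", ".bat", ".vbs"}
IFRAME = re.compile(r'<iframe[^>]*\bsrc="cid:([^"]+)"[^>]*>', re.I)

def find_cid_iframes(raw: bytes):
    """Every <iframe src="cid:..."> in the HTML parts, with what the cid resolves to."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    by_cid = {p["Content-Id"].strip("<>"): p for p in msg.walk() if p["Content-Id"]}
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for m in IFRAME.finditer(part.get_content()):  # quoted-printable already decoded
            target = by_cid.get(m.group(1))
            name = (target.get_filename() if target else None) or ""
            findings.append({
                "cid": m.group(1),
                "hidden": bool(re.search(r"\b(height|width)=0\b", m.group(0), re.I)),
                "declared_type": target.get_content_type() if target else None,
                "filename": name,
                "executable_name": os.path.splitext(name)[1].lower() in EXECUTABLE_EXT,
            })
    return findings

def is_suspicious(raw: bytes) -> bool:
    """True when a hidden iframe resolves to an inline part named like an executable."""
    return any(f["hidden"] and f["executable_name"] for f in find_cid_iframes(raw))
```

The check keys on the structural mismatch (declared media type versus executable filename behind a hidden iframe), so it does not depend on a signature for this particular Swen variant.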

whocares

  • Guest
Re:Virus not detected
« Reply #1 on: February 01, 2004, 04:14:35 PM »

Quote
Secondly
I have avast (which I am truly happy with)
I have it on maximum settings and the POP scanner on.

The incoming POP scanner says it scans messages but doesn't ever find a virus -- the viruses are caught only if I try to launch/save them by the standard shield.


Hi,

What Win do you have?
Did you recheck your e-mail settings/avast config?
Did you try running the mail protection wizard again?

Is the Mail Scanner module shown as active/running?
What mail program do you use? How are the options set there?

Did you try sending yourself the eicar.com test file? (from www.eicar.com) .. what happens then? ;)
« Last Edit: February 01, 2004, 04:15:58 PM by whocares »

Ninjagranny

  • Guest
Re:Virus not detected
« Reply #2 on: February 01, 2004, 04:30:15 PM »
What Win do you have?

Win2k Pro

Did you recheck your e-mail settings/avast config?

Yes

Did you try running the mail protection wizard again?

No, it doesn't work properly for Mozilla 1.6; did it manually

Is the Mail Scanner module shown as active/running?

Yes

What mail program do you use? How are the options set there?

Mozilla 1.6 - set as per instructions

Did you try sending yourself the eicar.com test file? (from www.eicar.com) .. what happens then?

Yes - it catches it when I send it - catches it if I try to launch it but ignores it when it is sent to me.

That is point 2 of my mail covered :) - but I hope I can get it fixed.
Point 1 is a real problem - sent the file to all the AV vendors it failed on and I have decompiled the file and I'm 99% sure it's a Swen variant - doesn't affect anyone using standard mail clients - only if they use Outlook / Exchange

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Virus not detected
« Reply #3 on: February 01, 2004, 06:21:07 PM »
Kaspersky detected this but none of the others did? Hmm, strange.
Kaspersky's unknown virus detection module must have found it.
How are you sure it is a Swen variant??? ???
"People who are really serious about software should make their own hardware." - Alan Kay

Ninjagranny

  • Guest
Re:Virus not detected
« Reply #4 on: February 01, 2004, 09:24:51 PM »
It's in C and I decompiled it.

Kaspersky is very rarely wrong - not knocking avast - I'm personally singing its praises all over the net now that I've found out about it last :)

Any idea about the other problem? It happens with every virus I get and has done ever since I got avast.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Virus not detected
« Reply #5 on: February 01, 2004, 10:43:29 PM »
Quote
I have it on maximum settings and the POP scanner on.

The incoming POP scanner says it scans messages but doesn't ever find a virus -- the viruses are caught only if I try to launch/save them by the standard shield.


What mail client do you use?
Have you completed the Mail Protection Wizard? (Start menu -> avast antivirus group)

Vlk
 
If at first you don't succeed, then skydiving's not for you.

Ninjagranny

  • Guest
Re:Virus not detected
« Reply #6 on: February 01, 2004, 10:59:02 PM »

Replied to this earlier :)

What mail client do you use?

Mozilla 1.6

Have you completed the Mail Protection Wizard? (Start menu -> avast antivirus group)

It doesn't work on Mozilla 1.6 so I configured it manually as per the instructions (i.e. these are the changes etc. etc.).
Mail scanner is running.
I watch it - the little icon flashes and I see the file names, and it puts its footer on all outgoing messages and detects viruses on them ... I watch it receive messages, the box comes up, and if you watch the scanner it says the right file names but ... doesn't actually seem to do anything apart from that ... no footer, no virus detection - it has the file name as the last scanned but every virus gets through -- they are ALL caught by the standard shield if attempted to be launched or saved ... Extremely impressed with the standard scanner .. it caught 7 MyDooms that went / arrived 2.00am GMT on day 1 ... (POP scanner missed them though) and it's stopping the general Swens (apart from the one I mentioned above) brilliantly .... the standard scanner can't be faulted!!

Vlk


Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Virus not detected
« Reply #7 on: February 01, 2004, 11:03:13 PM »
So the last scanned file of the Internet Mail provider does show the infected e-mail, but the virus is not detected? :o That's VERY strange...

Are you sure you have the INCOMING server set to 127.0.0.1 and it's coming through avast? (i.e. the last scanned file doesn't refer to an outbound message)?

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.

Ninjagranny

  • Guest
Re:Virus not detected
« Reply #8 on: February 02, 2004, 01:16:12 AM »
I think I may have found the problem - and it's my fault - not quite sure how to fix it yet.

I have SpamPal running and I tried at first to get avast to run with it using the help/config options and I may have hurt my ini file (I changed the default POP server to 9110) - but as I couldn't get my mail to send or receive I used the config setup in SpamPal to change its listening ports as the config is easier and they have a rather good explanation on how to get SpamPal working with avast
http://www.spampal.org/usermanual/antivirus/avast/avast.htm

- I had assumed that logging etc. was disabled in the home version so have just been using firewall and SpamPal logs to try to find the error - but I'm thinking now that it's what I did to the ini file, maybe that's causing a problem?

Can I get another one or do I have to just reinstall? Reinstall won't hurt as the autoconfig for Mozilla didn't pick up any of my accounts anyway, but I think that's due to the new structure of prefs.js that has been implemented in 1.6

Ninjagranny

  • Guest
Re:Virus not detected
« Reply #9 on: February 02, 2004, 01:40:14 PM »

Okay - I now have avast to the state where it says
"won't be able to protect incoming mail POP error code 10049" - can you point me in the right direction to resolve??

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Virus not detected
« Reply #10 on: February 02, 2004, 02:22:43 PM »
It's because it's trying to listen on a port that's already in use (most likely by Spamhilator).

You need to reconfigure either avast or Spamhilator to use other port numbers.

It has already been discussed a number of times here, see e.g. http://www.avast.com/forum/index.php?board=2;action=display;threadid=2351
If at first you don't succeed, then skydiving's not for you.

Ninjagranny

  • Guest
Re:Virus not detected
« Reply #11 on: February 02, 2004, 09:18:03 PM »
Checked that -

Here is the report

ashmaisv.exe:1076   TCP   127.0.0.1:25   0.0.0.0:0   LISTENING   
ashmaisv.exe:1076   TCP   127.0.0.1:110   0.0.0.0:0   LISTENING   
ashmaisv.exe:1076   TCP   127.0.0.1:143   0.0.0.0:0   LISTENING   
BTSTAC~1.EXE:1376   UDP   0.0.0.0:1029   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1030   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1031   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1032   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1033   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1034   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1035   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1036   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1037   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1038   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1039   *:*      
BTTray.exe:1132   UDP   0.0.0.0:1040   *:*      
mozilla.exe:788   TCP   0.0.0.0:1309   0.0.0.0:0   LISTENING   
mozilla.exe:788   TCP   0.0.0.0:1343   0.0.0.0:0   LISTENING   
mozilla.exe:788   TCP   0.0.0.0:1477   0.0.0.0:0   LISTENING   
mozilla.exe:788   TCP   127.0.0.1:1308   0.0.0.0:0   LISTENING   
mozilla.exe:788   TCP   127.0.0.1:1308   127.0.0.1:1309   ESTABLISHED   
mozilla.exe:788   TCP   127.0.0.1:1309   127.0.0.1:1308   ESTABLISHED   
mozilla.exe:788   TCP   192.168.2.2:1343   194.168.222.8:119   ESTABLISHED   
mozilla.exe:788   TCP   192.168.2.2:1477   204.1.226.226:119   ESTABLISHED   
mozilla.exe:788   TCP   0.0.0.0:1627   0.0.0.0:0   LISTENING   
mozilla.exe:788   TCP   127.0.0.1:1627   127.0.0.1:8080   ESTABLISHED   
MSTask.exe:652   TCP   0.0.0.0:1025   0.0.0.0:0   LISTENING   
persfw.exe:624   TCP   0.0.0.0:44334   0.0.0.0:0   LISTENING   
persfw.exe:624   UDP   0.0.0.0:44334   *:*      
Proxomitron.exe:1180   TCP   127.0.0.1:8080   0.0.0.0:0   LISTENING   
Proxomitron.exe:1180   TCP   127.0.0.1:8080   127.0.0.1:1625   TIME_WAIT   
Proxomitron.exe:1180   TCP   127.0.0.1:8080   127.0.0.1:1616   TIME_WAIT   
Proxomitron.exe:1180   TCP   127.0.0.1:8080   127.0.0.1:1614   TIME_WAIT   
Proxomitron.exe:1180   TCP   127.0.0.1:8080   127.0.0.1:1543   TIME_WAIT   
Proxomitron.exe:1180   TCP   127.0.0.1:8080   127.0.0.1:1623   TIME_WAIT   
Proxomitron.exe:1180   TCP   127.0.0.1:8080   127.0.0.1:1621   TIME_WAIT   
Proxomitron.exe:1180   TCP   0.0.0.0:1628   0.0.0.0:0   LISTENING   
Proxomitron.exe:1180   TCP   127.0.0.1:8080   127.0.0.1:1627   ESTABLISHED   
Proxomitron.exe:1180   TCP   192.168.2.2:1628   62.252.0.4:80   ESTABLISHED   
rsvp.exe:1700   TCP   127.0.0.1:1608   0.0.0.0:0   LISTENING   
rsvp.exe:1700   TCP   127.0.0.1:1608   127.0.0.1:1609   ESTABLISHED   
rsvp.exe:1700   TCP   127.0.0.1:1608   127.0.0.1:1610   ESTABLISHED   
spampal.exe:1172   TCP   127.0.0.1:9025   0.0.0.0:0   LISTENING   
spampal.exe:1172   TCP   127.0.0.1:9110   0.0.0.0:0   LISTENING   
spampal.exe:1172   TCP   127.0.0.1:9143   0.0.0.0:0   LISTENING   
svchost.exe:364   TCP   0.0.0.0:135   0.0.0.0:0   LISTENING   
System:8   TCP   0.0.0.0:445   0.0.0.0:0   LISTENING   
System:8   TCP   0.0.0.0:1027   0.0.0.0:0   LISTENING   
System:8   TCP   192.168.2.2:139   0.0.0.0:0   LISTENING   
System:8   UDP   0.0.0.0:445   *:*      
System:8   UDP   192.168.2.2:137   *:*      
System:8   UDP   192.168.2.2:138   *:*      
WinMgmt.exe:716   TCP   127.0.0.1:1609   0.0.0.0:0   LISTENING   
WinMgmt.exe:716   TCP   127.0.0.1:1609   127.0.0.1:1608   ESTABLISHED   
WinMgmt.exe:716   TCP   127.0.0.1:1610   0.0.0.0:0   LISTENING   
WinMgmt.exe:716   TCP   127.0.0.1:1610   127.0.0.1:1608   ESTABLISHED   

Clearly SpamPal is on the right ports and avast seems to be too.
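As an added example (not from the thread or from avast), a Python check that reads a listener report in the format posted above and answers the two questions the exchange turns on: does any other process hold a port avast's ashmaisv.exe wants, and which process actually answers on the POP port the mail client is pointed at. The report below copies a few lines from the post and adds one constructed line (otherproc.exe on 127.0.0.1:110) so the conflict path is exercised.

```python
import re
from collections import defaultdict

# Lines copied from the report in the post, plus one constructed line
# (otherproc.exe on 127.0.0.1:110) so that the conflict case is exercised.
REPORT = """\
ashmaisv.exe:1076   TCP   127.0.0.1:25   0.0.0.0:0   LISTENING
ashmaisv.exe:1076   TCP   127.0.0.1:110   0.0.0.0:0   LISTENING
ashmaisv.exe:1076   TCP   127.0.0.1:143   0.0.0.0:0   LISTENING
mozilla.exe:788   TCP   127.0.0.1:1627   127.0.0.1:8080   ESTABLISHED
spampal.exe:1172   TCP   127.0.0.1:9025   0.0.0.0:0   LISTENING
spampal.exe:1172   TCP   127.0.0.1:9110   0.0.0.0:0   LISTENING
spampal.exe:1172   TCP   127.0.0.1:9143   0.0.0.0:0   LISTENING
System:8   UDP   192.168.2.2:137   *:*
otherproc.exe:999   TCP   127.0.0.1:110   0.0.0.0:0   LISTENING
"""

# process:pid  PROTO  local_addr:port  remote  [STATE]  (UDP rows carry no state)
LINE = re.compile(r"^(\S+):(\d+)\s+(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?$")

def parse_listeners(report):
    """Map (proto, addr, port) -> set of process names bound to that socket."""
    listeners = defaultdict(set)
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        proc, _pid, proto, addr, port, _remote, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            listeners[(proto, addr, int(port))].add(proc)
    return listeners

def port_conflicts(report):
    """Distinct process pairs bound to the same port; 0.0.0.0 covers every address."""
    entries = [(k, p) for k, procs in parse_listeners(report).items() for p in procs]
    found = set()
    for (proto_a, addr_a, port_a), proc_a in entries:
        for (proto_b, addr_b, port_b), proc_b in entries:
            if proc_a >= proc_b or proto_a != proto_b or port_a != port_b:
                continue
            if addr_a == addr_b or "0.0.0.0" in (addr_a, addr_b):
                found.add((proto_a, port_a, proc_a, proc_b))
    return sorted(found)

def who_serves(report, port, addr="127.0.0.1"):
    """Which processes answer on addr:port, e.g. the POP port the mail client points at."""
    return sorted(parse_listeners(report).get(("TCP", addr, port), set()))
```

On the unmodified report from the post, port_conflicts() returns an empty list, which is the same conclusion the poster reached by eye.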

Ninjagranny

  • Guest
Re:Virus not detected
« Reply #12 on: February 03, 2004, 08:02:16 AM »
bump

Offline vojtech

  • Avast team
  • Advanced Poster
  • *
  • Posts: 939
    • ALWIL Software
Re:Virus not detected
« Reply #13 on: February 03, 2004, 10:28:41 AM »
Look into the headers of an incoming message; are these lines there?
X-Antivirus: avast! (VPS 26.6.2003), Inbound message
X-Antivirus-Status: Clean

How did you set the username in Mozilla mail account ?

Ninjagranny

  • Guest
Re:Virus not detected
« Reply #14 on: February 03, 2004, 12:27:29 PM »
Not in incoming it doesn't.
Header on incoming:
7bit
X-Bayesian-Result: Spam (100)
X-Bayesian-Words: 7bit 99 about 99 against 99 attached 99 available 99 clicking 99 delivered 99 description 99 enterprise 99 free 99 help 99 impact 99 install 99 latest 99 linux 99
X-RegEx-Score: 35.9
X-RegEx: [35.9] UNSUB_PAGE URL of page called "unsubscribe"
X-SpamPal: PASS


On outgoing:
X-Mozilla-Status: 0001
X-Mozilla-Status2: 06000000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.5) Gecko/20031007 Netscape/7.1
X-Accept-Language: en-gb, en, en-us
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 29/01/2004), Outbound message
X-Antivirus-Status: Clean
X-Bayesian-Result: Spam (100)
X-Bayesian-Words: 7bit 99 alwil 99 antivirus 99 avast 99 avast! 99 clean 99 copyright 99 dominic 99 dominicmd 99 en-gb 99 en-us 99 excalibur 99 fairfax 99 mime-version 99 mta03-svc 99
X-RegEx-Score: 63.5
X-RegEx: [109.6] FROM_AND_RECEIVED_DO_NOT_MATCH FQDN in From and Received header do not match
X-RegEx: [-49.8] USER_AGENT_MOZILLA_UA User-Agent header indicates a non-spam MUA (Mozilla)
X-RegEx: [0.0] X_ACCEPT_LANG Has a X-Accept-Language header
X-RegEx: [3.7] TO_HAS_SPACES To: address contains spaces
X-SpamPal: PASS A-WLIST EMAIL
X-Wlist-Pattern:

working fine

In Mozilla:
Server name: localhost
Port: 9110
Username: localhost#username@popservername

It just keeps coming up with "password incorrect".

Have also tried it with
port 110
to see if bypassing SpamPal works.

Same result.