Avast! Home not picking up

[jingarfield]

Hello Folks - I need some advice.

I received one of the infected emails as described at The BBC New  website.

Avast! Home allowed me to save the attached exe (after warning me about a suspicious attachment) and a manual virus scan deems it to be clean. An on-line scan from the Avast site also deems it to be clean. If I attempt to attach it to a Yahoo mail it informs me that the exe contains the Trojan.Packed.8 virus.

I sent two copies of the infected email (one with the attachment zipped and the other unzipped) to virus@avast.com over 24 hours ago. Avast! Home build 4.7.942 and VPS database 704-0 still do not detect it; neither does the on-line scan I undertook just now (20/01/07 at 12.30)

AVG 7.5 also traps the virus, referring to it as Downloader.Tibs

I am somewhat surprised at the lacklustre response to this threat. Am I doing something wrong, or is Avast well behind the opposition on this one?

[Lisandro]

I am somewhat surprised at the lacklustre response to this threat. Am I doing something wrong, or is Avast well behind the opposition on this one?

The time frame of updating for virus submition could vary a lot depending if the virus is on-the-wild, available virus analysts resources, etc.
Of course, we all want it as fast as possible. Oh, another tip, Alwil team does not answer submitted emails. The priority is the database update.

[jingarfield]

The priority is the database update

I quite agree. However, at this point the database update has not occurred, whilst it seems that your major opposition has been able to achieve such an update.

Trend also detects the virus, referring to it as troj_small.edw

As an aside, an automated response to emails sent to virus@avast.com might be useful; that way people would know that their emails containing a potentially nasty payload had not been stopped en route.

[DavidR]

You say you sent one zipped and the other not, but you don't mention password protecting the zipped file, so there is every likelihood that neither got to avast.com, just as your Yahoo mail experience shows. Email servers on route are likely to have anti-virus scans which can open zipped files to scan, applying a password stops that.

You could also add it to the avast chest, User Files section (File, Add) and send it from there, it will be sent encrypted, submissions sent from the chest are detected upon receipt and filtered from those coming in in the way you sent yours. This should help as over 4000 email are received at the virus@avast.com address.

[jingarfield]

David, thanks for the response.

No, I did not password protect the zip file - I will do so in future.

Thanks for the tip about adding the file to the vault and sending that way - now done!

However, all this makes it sound as though I am on the cutting edge of a virus outbreak. The fact that the BBC has had time to cover it suggests that I am in the second wave at least. In this instance it does seem as though Avast! is somewhat behind the level of performance of other AV suppliers.

[DavidR]

If this is the storm warning issue 230 killed in Europe, etc. there are always going to be this type of social engineering attempt to get people to open emails and attachments or click links, etc. So the usual common sense approach applies don't open unsolicited emails, attachments or click links on the same unsolicited email.

Whilst there doesn't seem to be a direct identification by avast don't forget that even without it avast did alert you to the suspicious attachment. Before avast can do anything it first has to obtain a sample and there is no cross anti-virus company co-operation in the sharing samples.

[jingarfield]

I received another suspicious file this morning. This executable was deemed clean by Avast! and also clean by the Yahoo Mail and Trend Housecall AV scanners.

Using my new-found knowledge I have submitted this file to Avast via the Chest.

Perversely, I am happier having had this result as it suggests that perhaps Avast! are not as far off the mark as my experience the other day suggested.

[Lisandro]

This executable was deemed clean by Avast!
Using my new-found knowledge I have submitted this file to Avast via the Chest.

Am I correct to think that you've sent the file to Chest manually as avast did not detect it?
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result.

[jingarfield]

Hello Tech,

Thanks for taking the time and trouble to reply - I am learning a lot through this process 

Result from Jotti:
Scan taken on 21 Jan 2007 13:17:06 (GMT) 
AntiVir  Found TR/Small.DBY.G 
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found Downloader.Tibs 
BitDefender  Found Trojan.Spambot.EE 
ClamAV  Found Trojan.Downloader-656 
Dr.Web  Found Trojan.Spambot 
F-Prot Antivirus  Found W32/Downloader.AYES 
F-Secure Anti-Virus  Found Trojan-Downloader.Win32.Agent.bet 
Fortinet  Found nothing
Kaspersky Anti-Virus  Found Trojan-Downloader.Win32.Agent.bet 
NOD32  Found Win32/Fuclip.B 
Norman Virus Control  Found nothing
VirusBuster  Found Trojan.DL.Tibs.Gen!Pac16 
VBA32  Found nothing


It is a nasty!

[Lisandro]

Thanks for taking the time and trouble to reply - I am learning a lot through this process 

No. We thank you because you're helping to improve avast detection.

It is a nasty!

Almost sure...
I hope Alwil take a look here soon...

[DavidR]

I find that VirusTotal is better as it uses the Windows version of avast and has currently 29 different AVs. Jotti uses the Linux version which has less supported packers I believe and Jotti has fewer AV scanners.

[jingarfield]

Email response from VirusTotal:
* name: Read News.exe
* size: 31395
* md5.: 562d6dad245497e6c95d1bb33e4bedda
* sha1: 9c034ab17d66dfb346cc0c261b031161ec52ef19

[ scan result ]
 AntiVir   7.3.0.26/20070121   found [TR/Small.DBY.G]
Authentium   4.93.8/20070120   found [W32/Downloader.AYES]
Avast   4.7.936.0/20070118   found nothing
AVG   386/20070121   found [Downloader.Tibs]
BitDefender   7.2/20070121   found [Trojan.Spambot.EE]
CAT-QuickHeal   9.00/20070120   found nothing
ClamAV   devel-20060426/20070121   found [Trojan.Downloader-656]
DrWeb   4.33/20070121   found [Trojan.Spambot]
eSafe   7.0.14.0/20070121   found [Win32.Agent.bet]
eTrust-InoculateIT   23.73.118/20070120   found nothing
eTrust-Vet   30.3.3336/20070119   found nothing
Ewido   4.0/20070121   found nothing
F-Prot   3.16f/20070121   found [security risk named W32/Downloader.AYES]
F-Prot4   4.2.1.29/20070121   found [W32/Downloader.AYES]
Fortinet   2.82.0.0/20070121   found nothing
Ikarus   T3.1.0.27/20070109   found nothing
Kaspersky   4.0.2.24/20070121   found [Trojan-Downloader.Win32.Agent.bet]
McAfee   4943/20070119   found nothing
Microsoft   1.1904/20070121   found nothing
NOD32v2   1994/20070121   found [Win32/Fuclip.B]
Norman   5.80.02/20070120   found nothing
Panda   9.0.0.4/20070121   found nothing
Prevx1   V2/20070121   found [Win32.Email-Worm.Gen]
Sophos   4.13.0/20070120   found nothing
Sunbelt   2.2.907.0/20070112   found nothing
TheHacker   6.0.3.152/20070121   found [Trojan/Downloader.Generic]
UNA   1.83/20070119   found nothing
VBA32   3.11.2/20070120   found nothing
VirusBuster   4.3.19:9/20070121   found [Trojan.DL.Tibs.Gen!Pac16]

As DavidR suggests, it does seem as though VirusTotal checks more sources.

Edited to add for Tech;

Yes, I manually added the suspect file to the vault after it was passed clean by Avast! and then emailed it from there.

[jingarfield]

Both files now flagged as infected by VPS 704-1

[DavidR]

Thanks for the feedback, looks like the sending from the chest gets quicker attention

[Lisandro]

Thanks avast team