[Solved] Win32.Bagle not detected by avast

[Lisandro]

Complete scanning processed in VirusTotal at 06/26/2007 15:45:18 (CET).

[ file data ]
* size: 277087
* md5.: 9eacc56b2dfa90584a3c06b4dac63fa6
* sha1: 075f3984e9353ae72882aeeece9856da6d2cf778

[ scan result ]
AhnLab-V3 2007.6.21.1/20070626 found nothing
AntiVir 7.4.0.34/20070626 found nothing
Authentium 4.93.8/20070625 found nothing
Avast 4.7.997.0/20070625 found nothing
AVG 7.5.0.476/20070626 found [Downloader.Generic4.YRB]
BitDefender 7.2/20070626 found [Win32.Bagle.SRN@mm]
CAT-QuickHeal 9.00/20070625 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070626 found [Worm.Bagle-77]
DrWeb 4.33/20070626 found [Win32.HLLM.Beagle]
eSafe 7.0.15.0/20070625 found [suspicious Trojan/Worm]
eTrust-Vet 30.8.3743/20070626 found [Win32/Glieder.FP]
Ewido 4.0/20070626 found nothing
F-Prot 4.3.2.48/20070625 found nothing
F-Secure 6.70.13030.0/20070626 found [Trojan-Downloader.Win32.Bagle.ch]
FileAdvisor 1/20070626 found nothing
Fortinet 2.91.0.0/20070626 found [W32/Bancban.CH!tr.dldr]
Ikarus T3.1.1.8/20070626 found [Win32.Bagle.SRN]
Kaspersky 4.0.2.24/20070626 found [Trojan-Downloader.Win32.Bagle.ch]
McAfee 5060/20070625 found nothing
Microsoft 1.2701/20070626 found nothing
NOD32v2 2355/20070626 found [Win32/Bagle.IS]
Norman 5.80.02/20070625 found [W32/Mitglied.AEC]
Panda 9.0.0.4/20070626 found [Trj/Mitglieder.OI]
Sophos 4.19.0/20070624 found [Troj/Bancban-QH]
Sunbelt 2.2.907.0/20070626 found [VIPRE.Suspicious]
Symantec 10/20070626 found nothing
TheHacker 6.1.6.137/20070626 found nothing
VBA32 3.12.0.2/20070625 found nothing
VirusBuster 4.3.23:9/20070625 found nothing
Webwasher-Gateway 6.0.1/20070626 found [Win32.Malware.gen (suspicious)]

Since yesterday it was submitted to avast.
It was submitted one month ago by Chest yet.
Still not detected. It's unbelievable 

[DavidR]

Is that the rootkit variant ?

Previously encountered here http://forum.avast.com/index.php?topic=26554.0, which is considerably older than one month.

[Lisandro]

Maybe the same kind of infection. Maybe a kind of rootkit. But it's unbelievable that avast still does not detect it...

[DavidR]

There really needs to be a push on the new submission method, or a higher priority to those submitted via the chest. It may even be useful to have a whitelist to filter that even further, with the email of those making regular submissions.

Perhaps if the virus analysis lab/team should monitor the viruses and worms forum when they have a spare 30 seconds between checking the 4000 + emails received per day as virus at avast dot com.

Though even with the proposed sample submission method unless there is some form of automation, they would still have the 4000+ emails and and using the new method. Either way without automation would still be manpower intensive and have to deal with roughly the same total of daily submissions

However here I am speculating about the proposed new submission method, if only Alwil would give us a small hint of how it will be done, but better still some sort of time frame. Unless this submission method is somehow going to be incorporated into avast version 5

[sasin44]

david i think they should assigne  one of the avast! Evangelist a job of prioritising all the malware which people report thru this forum..since people come to this forum and ask u guys help when they have a real problem..
and since it comes from a avast! Evangelist they can pe 100% sure its not junk..
further more the avast! Evangelist can and a comment to it from all the initial analysis u do here
so u  Evangelist's can send in a very quickly spreading malware
and u can also make sure
rootkits get first priority
backdoors,downloaders and other important stuff get the next priority
adware,tools,cracks etc get the least

i am sure u people can work it out since this is not the first case where a malware has gone undetected for months ..
 and i am sure by including all the malware that comes to this forum in the data base they can atleast eliminate 500 of the 4000+ mails by positive detection.

[DavidR]

The Evangelists are volunteers, avast users, just like yourself so can't be assigned anything. They don't have access to any samples and with 4000+ samples received a day 1 wouldn't make much of a dent in that.

We have no more input with Alwil than you have and we can't prioritise work as we don't know what else is going on only the limited traffic on the forums.

The Moderators are members of the Alwil team (and have alternative positions in Alwil) and that is how you can differentiate who works for avast and who doesn't.

[sasin44]

this i dint know 

gee i thought u people were actually a part of the awil team..
i thought all u guys were analyists, so u mean u some here in u free time to help out people ??
davidr judging by ur regular replys i thought u and tech were paid to do the job ..
i must say u guys are doing a very good job 
keep it up u guys  [clap] [clap] [clap]
no wonder avast forums are one the best

[Lisandro]

gee i thought u people were actually a part of the awil team.

No we're not.

so u mean u some here in u free time to help out people ??

Yes, we love help

davidr judging by ur regular replys i thought u and tech were paid to do the job

Well it will cost some bucks to Alwil... no we don't receive a penny.
I myself have received a Pro license of avast. It's not that few... but it does not that much...

[sasin44]

coooooooooooooool

u guys are top notch.....
i hope to join u guys after i learn more right now i only know  C,C++,some VB,and my skills are very intermediatory .i sure i hope i am of some help in this forum

so can i know wat u guys learned i mean in terms of academics ?
 and can i know the meaning of avast! Überevangelist and evangelist ...
and i dont know how but i have noticed some on made me  a junior member 

[mauserme]

There should be some method of communication between the evangelists and the malware analysts to let them know a sample of filename x.mal was requested.  This way it could be found quickly and given some priority without needing to assign anyone the task of monitoring the forum for submissions.

Ideally the analyst could communicate back some information about the malware to help the cleaning process, but one step at a time ...

In all honesty, the current method of adding files to the chest and sending them to Alwil is an interuption to the cleaning process that I often avoid.  I just don't see much use in doing it.  If there was a more productive method I would add these steps more often.


EDIT:

so can i know wat u guys learned i mean in terms of academics ?
 and can i know the meaning of avast! Überevangelist and evangelist ...
and i dont know how but i have noticed some on made me  a junior member 

You can learn anything you set your mind to.

There are some malware schools on the internet where you can learn alot.  Essexboy as graduated Geeks2Go and Snowhite is currently taking those classes.  I'm strongly considering it - just need to find the time.

The various titles (Jr. Member, Sr. member, etc) just reflect your number of posts in the forum - no big deal (well, "Uberevangelist" recognizes and unusually dedication to helping others  ).

[DavidR]

coooooooooooooool

u guys are top notch.....
i hope to join u guys after i learn more right now i only know  C,C++,some VB,and my skills are very intermediatory .i sure i hope i am of some help in this forum

so can i know wat u guys learned i mean in terms of academics ?
 and can i know the meaning of avast! Überevangelist and evangelist ...
and i dont know how but i have noticed some on made me  a junior member 

Thanks 

There is no need to wait, you have been contributing to the forums already helping others 

By regularly being in the forums you will gain more in depth knowledge of how avast works and you will find that many things are the same problem or slight variations on it. For that you don't have to be a programmer, though those that do program generally have good grasp of analysing a problem and finding a logical answer to that question/problem.

We all started somewhere zero posts and a first time avast user and gained information by participating in the forums. Many though had a general computer knowledge prior to avast which is helpful for the non-avast related issues that crop up.

Soon you will be a Senior member at 100 posts and no doubt not long after that Evangelist.

@ mauserme
I wish there was a means of communicating with the Alwil team by the evangelists, even if Alwil were to set a level or select some that may communicate directly on forum related issues in the Viruses and Worms forum. It could certainly put an end to the very lengthy delays of some of the submissions seen in this forum, which after all the public face of avast.

If only there was a way of communicating this outside of the forums, which with the best will in the world the Alwil team can't monitor every post.

[Lisandro]

Not detected yet :'(

[sasin44]

geeks2go ? is it good i'll look into it....
so online malware schools u say..so any pre qualifications to join it ?
well its above time i did something useful with my net ..sick of downloading crap which u dont need ??
so any of u guys still students i am still a student...

[mauserme]

so online malware schools u say..so any pre qualifications to join it ?

a desire to learn ...  a desire to help  ...  a willingness to put in some hard work

I think that's about it, but then I haven't done it yet.

so any of u guys still students i am still a student...

yeah - but sort of an old one now.  a different school with different lessons these days.


Oh and, BTW, anyone with almost 17,000 posts is no slouch in the dedication department either 

[DavidR]

I probably have a little more free time to contribute