Author Topic: Hey, I think avast has missed a "Mydoom"??  (Read 11862 times)

0 Members and 1 Guest are viewing this topic.

writerguy

  • Guest
Hey, I think avast has missed a "Mydoom"??
« on: March 03, 2004, 07:26:19 PM »
Hi,

I'm new to avast and pretty new to the forums. I just downloaded email in PocoMail and I got one with the subject "Email account utilization warning" from the email address "noreply@mydomain.com" (The "mydomain.com" was actually my domain -- the one at which I actually have my email account.) It has the attachment named "TextFile.zip" on it, the attachment shows as being 12,720 bites in size.

It came in right past avast Pro, which I'm currently evaluating. I right-clicked and scanned the zip file in PocoMail's attachment directory. It never tripped an alarm then, either.

Am I being paranoid? There absolutely is no email address "noreply@mydomain.com" I own the domain and know exactly what email addresses I've created there.  >:(

What gives with avast? Why didn't it catch this?

Gary Speer

whocares

  • Guest
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #1 on: March 03, 2004, 07:30:39 PM »
Hi,

is your avast uptodate ? check..

what happens if you unzip the file(s) in the archive ?
what are their names and extensions ?
Does the Resident Shield or the mainscanner detect it then ?

is the RS active ?

scan it with other scanner like online scanners from KAV & Trend (See below)

if it really is a virus/worm and it is not detected by uptodate avast, please send it in a password-protected zip-archive to
virus (at) asw (dot) cz

include a system/problem description and the password in the mailtext
 ;)

writerguy

  • Guest
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #2 on: March 03, 2004, 07:41:20 PM »
Hi,

is your avast uptodate ? check..

what happens if you unzip the file(s) in the archive ?
what are their names and extensions ?
Does the Resident Shield or the mainscanner detect it then ?

is the RS active ?

scan it with other scanner like online scanners from KAV & Trend (See below)

if it really is a virus/worm and it is not detected by uptodate avast, please send it in a password-protected zip-archive to
virus (at) asw (dot) cz

include a system/problem description and the password in the mailtext
 ;)

1. My avast is indeed updated. Matter of fact, it just did 2 auto updates today and I've scanned and rescanned the file.

2. Do I really want to unzip it and look at the contents?? If it is a virus -- and it certainly shows the signs of being Mydoom -- won't that launch the virus?

3. How do I send it in a password-protected zip file? I'm not sure how to do that?

Thanks for your response and suggestions, but I really am hesitant to unzip it.

Anybody have other suggestions? Instructions for getting the thing to avast without having to unzip?

Gary Speer

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9410
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #3 on: March 03, 2004, 08:36:53 PM »
Hm,i have re-tested MyDoom-A worm and its detected with VPS 0403-0.

Check if your Mail scanning is configured properly.
« Last Edit: March 03, 2004, 08:37:34 PM by RejZoR »
Visit my webpage Angry Sheep Blog

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11819
    • AVAST Software
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #4 on: March 03, 2004, 08:41:35 PM »
Maybe I overlooked something - but what makes you think it's exactly Mydoom?

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9410
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #5 on: March 03, 2004, 09:00:06 PM »
MyDoom-A is 20,5 KB (21.019 bytes) in size (ZIP archive/Maximal Compression). I doubt that your "virus" is a MyDoom except if it has different size in each mail...
« Last Edit: March 03, 2004, 09:03:27 PM by RejZoR »
Visit my webpage Angry Sheep Blog

writerguy

  • Guest
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #6 on: March 03, 2004, 09:25:55 PM »
I'm perfectly willing to take suggestions on this thing.

I thought of Mydoom because 1) it's an "error message" type subject line, and, 2) the attachment is named "textfile.zip," which is one associated with Mydoom.

It certainly might be something else? What makes me totally suspicious that it's not legitimate and might be some sort of virus/worm is that it comes from a non-existant address on my own domain besides all of the above stuff.

Gary Speer

Summoner Yuna

  • Guest
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #7 on: March 03, 2004, 09:49:23 PM »
did you ever scan the file with an online scanner as whocares suggested?   IF it is MyDoom and Avast Missed it an online scanner will find it.

Offline .: Mac :.

  • Avast √úberevangelist
  • Ultra Poster
  • *****
  • Posts: 5093
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #8 on: March 03, 2004, 09:51:33 PM »
I agree with Lady Yuna. If avast missed it (avast is not perfect no AV program is) an online scanner should be used http://housecall.trendmicro.com
"People who are really serious about software should make their own hardware." - Alan Kay

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9410
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #9 on: March 03, 2004, 09:56:11 PM »
Can you send me that peace of code? Add it into ZIP archive and lock it with password: virus
than send it to rejzor@email.si

I wanna take a closer look on that one.

Thx

PS: you should send it to avast! too,so analysts can check it.
Visit my webpage Angry Sheep Blog

writerguy

  • Guest
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #10 on: March 03, 2004, 10:31:05 PM »
Can you send me that peace of code? Add it into ZIP archive and lock it with password: virus
than send it to rejzor@email.si

I wanna take a closer look on that one.

Thx

PS: you should send it to avast! too,so analysts can check it.

Sure. I'll send it to the address in your post. It's titled "suspect-virus.zip" protected by the password "virus" as you suggested. It'll be coming from news@gsezines.com

I'd appreciate it if you could look at it. My hope is that it's just some sort of nutty hoax and not a virus at all.

BTW -- I'm going to send it to avast. And I'm also going to try that online virus scan.

Thanks to you all!

Gary Speer

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9410
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #11 on: March 03, 2004, 11:10:13 PM »
You probably forgot to attach that file,because i got only text and no attachement ;)
Visit my webpage Angry Sheep Blog

writerguy

  • Guest
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #12 on: March 04, 2004, 02:31:24 AM »
You probably forgot to attach that file,because i got only text and no attachement ;)

 ::) Duh. How dumb was that? I just resent it and this time I remembered to send the file.

BTW -- I explained this in my email this time, but for anyone else following this thread: I did the online scan at microtrend and it immediately identified the "textfile.zip" in question as the Bagle.gen-I worm. Haven't looked that up anywhere to see what it is.

Why would avast have missed that? While I was at it, I uninstalled the evaluation avast 4.1 Pro I was running and installed AVG Pro 7. I tried that and it TOO missed the worm.

Grrrrrr. I really DON'T want to go back to NAV. It's so invasive of my whole computer -- and NAV missed 6 variants of a different worm last week when I was running it.

Gary Speer

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67211
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #13 on: March 04, 2004, 02:51:15 AM »
Grrrrrr. I really DON'T want to go back to NAV. It's so invasive of my whole computer -- and NAV missed 6 variants of a different worm last week when I was running it.
Gary Speer

Please, don't do it with yourself  ;D

Why would avast have missed that? While I was at it, I uninstalled the evaluation avast 4.1 Pro I was running and installed AVG Pro 7. I tried that and it TOO missed the worm.

Is it your avast! well-configurated?
I mean: sensitivity, standard shield extensions...
The Internet Mail provider scans each file to see if it is not an archive file with 'changed' extension. Your file has the .zip extension, it should be caught by avast! at normal conditions and good configuration...  ::)

The best things in life are free.

writerguy

  • Guest
Re:Hey, I think avast has missed a "Mydoom"??
« Reply #14 on: March 04, 2004, 03:06:17 AM »
Grrrrrr. I really DON'T want to go back to NAV. It's so invasive of my whole computer -- and NAV missed 6 variants of a different worm last week when I was running it.
Gary Speer

Please, don't do it with yourself  ;D

Why would avast have missed that? While I was at it, I uninstalled the evaluation avast 4.1 Pro I was running and installed AVG Pro 7. I tried that and it TOO missed the worm.

Is it your avast! well-configurated?
I mean: sensitivity, standard shield extensions...
The Internet Mail provider scans each file to see if it is not an archive file with 'changed' extension. Your file has the .zip extension, it should be caught by avast! at normal conditions and good configuration...  ::)



Yeah, I had avast configured to high sensitivity in all categories. As I said earlier in this thread, I know it was scanning email because it was insterting the messages in the end of emails.

In fact, I checked email with it one last time before uninstalling avast and it DID catch a virus that time -- don't recall which one it was.

So I'm very concerned that it will catch some viruses and not others? If I want that kind of problem, I already have that dreaded NAV I can reinstall.

*Sigh*

Gary Speer