Author Topic: why doesnt avast catch this?  (Read 8133 times)


snark

  • Guest
why doesnt avast catch this?
« on: March 03, 2004, 11:52:04 PM »
Hello everyone.

My virus definition is up to date. I received an email with this subject

"Notify about using the e-mail account"

and this body (see below).

The email has an attachment with a zip file and inside the zip is an exe file. Of course I deleted it. But first I saved the zip file and scanned it manually.  I am concerned that AVAST does not catch anything in it. It is clearly a virus. A little searching makes me think it is "W32.Beagle.J@mm" ... see this link...

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html

So why doesn't Avast catch it? Should I report this somewhere?

Thanks!

====================
"Dear user of  "Lycos"  mailing system,

Your e-mail account  has  been temporary disabled because  of unauthorized  access.

Pay  attention  on  attached file.

For security purposes the attached  file is password protected. Password is "83252".
====================

silicon

  • Guest
Re:why doesnt avast catch this?
« Reply #1 on: March 03, 2004, 11:57:20 PM »
I had the same thing, here's what I got from Karel from Alwil:

The mail was originated by one of the latest versions of the Beagle
worm, the F version or later (Beagle-J in this case). Those versions are
able to send password-protected (= encrypted) zip files. The password for
virus decryption is in the mail text. Of course, no virus detection is
possible in the encrypted files.
   After decryption (= unzipping with the proper password supplied) the
virus is in executable form and Avast can detect it and prevent
infection of the computer, but Avast cannot spot the virus in the mail
(because of encryption).


--
Regards,

Karel Divis
Virus analyst
Alwil software

snark

  • Guest
Re:why doesnt avast catch this?
« Reply #2 on: March 04, 2004, 12:01:18 AM »
Wow, that's what I call a quick response. That makes sense actually. I tried to extract the file from WinZip to see, but the password in the email does not work! LOL I will assume that Avast would have caught it then.

Thanks!

silicon

  • Guest
Re:why doesnt avast catch this?
« Reply #3 on: March 04, 2004, 12:03:43 AM »
No problem, glad to have helped.

gaptastic

  • Guest
Re:why doesnt avast catch this?
« Reply #4 on: March 04, 2004, 06:49:29 PM »
We use Avast as the Virus scanner in our mail server (Merak).

One of our customers sent us an email which turned out to be a W32.Beagle.J@mm virus email.

The thing is - the attachment had been removed - but by Norton AntiVirus on the customers own PC.

So, it must be possible to scan inside password protected ZIP files! When will Avast be able to do this?

Offline RejZoR

Re:why doesnt avast catch this?
« Reply #5 on: March 04, 2004, 07:02:07 PM »
Maybe with CRC validation? Or by some pattern which is known only for this virus inside the ZIP archive. Someone notified me today that avast! caught a virus inside an encrypted ZIP archive...

Offline igor

  • Avast team
Re:why doesnt avast catch this?
« Reply #6 on: March 04, 2004, 07:44:27 PM »
The file inside the archive is different each time - it has random data appended. So, it's not possible to detect it either by CRC, or even by size.
avast! will include the detection of those password-protected ZIPs; it may cause some false alarms, however.

whocares

  • Guest
Re:why doesnt avast catch this?
« Reply #7 on: March 04, 2004, 10:49:35 PM »
Hi Igor,

Kaspersky and AVPE claim to be able to detect those encrypted ZIPs?

Isn't it possible, at least for the avast mail scanner, to read the password from the mail text?

I guess brute force would significantly slow down the scanner even if the pwd is just 5 numbers   ;D ;D ;)

EDIT:

Ok, I just saw here:
http://forum.avast.com/index.php?board=2;action=display;threadid=3076;start=15
that this will hopefully be solved soon

Offline Vlk

  • Avast CEO
If at first you don't succeed, then skydiving's not for you.

Offline igor

  • Avast team
Re:why doesnt avast catch this?
« Reply #9 on: March 04, 2004, 10:53:37 PM »
Yes, claim  ;D
According to what I have seen, Kaspersky simply detects password-protected ZIPs containing executable files (well, it's a little more specific than that, but not much). If you create your own password-protected ZIP that matches the criteria, it will be detected as well. No content scanning occurs (yet).
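
An added example, in Python, not code from the thread or from Alwil, that puts the three points above on a constructed stand-in attachment: an encrypted entry cannot be matched by signature, CRC or size (the stand-in carries a random tail, as igor describes for this Beagle variant in Reply #6), a scanner can still flag a password-protected ZIP whose entry has an executable name without looking inside (the archive-level heuristic igor attributes to Kaspersky, false alarms included), and a mail scanner can pull the password out of the message text and decrypt the entry so the real detection engine gets plaintext (whocares' suggestion in Reply #7). Python's zipfile only decrypts PKWARE ZipCrypto, so the block reimplements the encryption side and writes the archive by hand. The mail text is taken from the first post (whitespace normalised); the sample body, the file name "Message.exe", the extension list and the eleven fixed header bytes are assumptions made for the example.

```python
import io
import os
import random
import re
import struct
import zipfile
import zlib

# Minimal PKWARE "ZipCrypto" encrypter. Python's zipfile can *decrypt* this
# scheme but not write it, so the sample attachment is built by hand below.

def _crc32_byte(crc, byte):
    # One raw CRC-32 table step; zlib pre/post-inverts, so undo that around the call.
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def _update_keys(keys, byte):
    k0, k1, k2 = keys
    k0 = _crc32_byte(k0, byte)
    k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
    k2 = _crc32_byte(k2, k1 >> 24)
    return k0, k1, k2

def zipcrypto_encrypt(plain, pwd, check_byte, prefix=b"\x00" * 11):
    """Encrypt the 12-byte header plus the data with the password-derived keys.
    The header is 11 (nominally random; fixed here) bytes plus one check byte,
    so a reader can reject a wrong password early, with only 8 bits of certainty."""
    keys = (0x12345678, 0x23456789, 0x34567890)
    for p in pwd:
        keys = _update_keys(keys, p)
    out = bytearray()
    for c in prefix + bytes([check_byte]) + plain:
        k = keys[2] | 2
        out.append(c ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        keys = _update_keys(keys, c)  # keystream advances on the plaintext byte
    return bytes(out)

def build_encrypted_zip(name, plain, pwd):
    """One STORED entry with general-purpose flag bit 0 (encrypted) set."""
    crc = zlib.crc32(plain)
    data = zipcrypto_encrypt(plain, pwd, (crc >> 24) & 0xFF)
    fname = name.encode("ascii")
    flags, dostime, dosdate = 0x0001, 0, 0x21  # encrypted; 1980-01-01 00:00
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, dostime, dosdate,
                        crc, len(data), len(plain), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          dostime, dosdate, crc, len(data), len(plain),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(data), 0)
    return local + data + central + eocd

def fake_worm_body(seed):
    """Constructed stand-in for the attachment (not real malware): an MZ-looking
    prefix plus a random-length random tail, so size and CRC differ per copy."""
    rng = random.Random(seed)
    tail = bytes(rng.getrandbits(8) for _ in range(rng.randrange(16, 64)))
    return b"MZ" + b"\x90" * 62 + b"CONSTRUCTED SAMPLE, NOT AN EXECUTABLE" + tail

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}  # assumed list

def encrypted_executables(zip_bytes):
    """Archive-level heuristic: encrypted entries whose names look executable.
    No content is inspected, so a legitimately encrypted .exe is flagged too."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if i.flag_bits & 0x1
                and os.path.splitext(i.filename)[1].lower() in EXEC_EXTENSIONS]

# Mail text from the thread; the worm ships the password in the body.
MAIL_BODY = ('Your e-mail account has been temporary disabled because of '
             'unauthorized access. Pay attention on attached file. For security '
             'purposes the attached file is password protected. Password is "83252".')

PASSWORD_RE = re.compile(r'[Pp]assword\s+(?:is\s+)?["\']?([A-Za-z0-9]{1,16})')

def password_candidates(body):
    # Loose on purpose: "password protected" also yields "protected"; every
    # candidate is tried, and a wrong one fails the check byte or the CRC.
    return PASSWORD_RE.findall(body)

def scan_with_mail_password(zip_bytes, body):
    """Return {entry: plaintext} for encrypted entries a body-derived password opens."""
    recovered = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:
                continue
            for cand in password_candidates(body):
                try:
                    recovered[info.filename] = zf.read(info.filename, pwd=cand.encode())
                    break
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # wrong password: bad check byte, or (1 in 256) bad CRC
    return recovered

def demo(seed=1):
    zip_bytes = build_encrypted_zip("Message.exe", fake_worm_body(seed), b"83252")
    return zip_bytes, encrypted_executables(zip_bytes), scan_with_mail_password(zip_bytes, MAIL_BODY)
```

Two different seeds give two archives with different sizes and CRCs, so nothing short of decrypting the entry lets a scanner recognise the body; `encrypted_executables` still flags both because it keys on the name and the encryption flag alone, which is exactly why that heuristic also hits harmless encrypted executables. `scan_with_mail_password` tries the tokens from the mail text, and Python's own decrypter accepts the archive, which is the check that the hand-rolled encryption is correct.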

whocares

  • Guest
Re:why doesnt avast catch this?
« Reply #10 on: March 04, 2004, 11:06:04 PM »
Hey,

Two Alwil experts at once!

That's lightning quick, although I guess you're pretty busy at present with the worm war ;)

Offline RejZoR

Re:why doesnt avast catch this?
« Reply #11 on: March 04, 2004, 11:09:58 PM »
Grrr, guess I'll have to use 7-Zip's 256-bit AES encryption for virus transport now :-\ Or RAR with encrypted filenames :P

Offline Vlk

  • Avast CEO
Re:why doesnt avast catch this?
« Reply #12 on: March 04, 2004, 11:40:31 PM »
Sure, and also start sending WinRAR together with the worm so that the lamers on the other end can open and run it... :P