Author Topic: Antivirus 2009 Variant?  (Read 5708 times)


Offline havildar

  • Full Member
  • ***
  • Posts: 125
Antivirus 2009 Variant?
« on: October 04, 2008, 11:56:29 PM »
Just a heads-up, really, and a request to know if Avast! is aware of something called the
A9installer which seems to have some connection with Antivirus 2009?

There seems to be some confirmation on these sites:

http://www.virustotal.com/analisis/0cb18fdb5331eea0e56b70e8c352b942

http://malwaredatabase.net/blog/index.php/2008/10/01/antivirus-2009-3-domains-added-8-files-added-0of36/
Windows XP Sp3 Home desktop, Windows 10 Pro laptop, Avast 17.8.2318 Free , Malwarebytes Anti-malware (free), SpywareBlaster. SuperAntispyware, WOT. Firefox Quantum.

Offline Soure73

  • Full Member
  • ***
  • Posts: 137
Re: Antivirus 2009 Variant?
« Reply #1 on: October 05, 2008, 12:36:31 AM »
It seems that Avast doesn't detect this; if you have a sample, send it to the Alwil team!
HP Compaq with Amd AthlonII x2 2.7Ghz,4 Gig ram 1066 Mhz DDR3,ATI Radeon HD 3000(onboard),Windows 10 Home 64bit

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Antivirus 2009 Variant?
« Reply #2 on: October 05, 2008, 12:55:32 AM »
The signatures are a couple of days out of date on VT, but you should still send the sample to avast.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

avast does detect some of these variants as win32.fraudo and also possibly as win32.trojan-gen.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

timcan

  • Guest
Re: Antivirus 2009 Variant?
« Reply #3 on: October 05, 2008, 01:25:11 AM »
Avast web scanner does not detect this. Sorry, didn't get a sample of the file to send. My hips program running in locked mode won't let me download it.  ;)  I can't believe people click on this crap.

Offline havildar

  • Full Member
  • ***
  • Posts: 125
Re: Antivirus 2009 Variant?
« Reply #4 on: October 05, 2008, 12:27:55 PM »
Thanks for your replies.

I am unable to send a sample to Avast! since my system is not infected with it. The information came from a friend (not an Avast! user despite my best efforts), who uses MySpace and clicked on a link to an outfit called *privateonlinescanner*, which I've never heard of before but perhaps someone else has?

Best regards.
Windows XP Sp3 Home desktop, Windows 10 Pro laptop, Avast 17.8.2318 Free , Malwarebytes Anti-malware (free), SpywareBlaster. SuperAntispyware, WOT. Firefox Quantum.

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Antivirus 2009 Variant?
« Reply #5 on: October 05, 2008, 02:36:25 PM »
the virustotal scan is from february 2008, that's quite old... i believe this file is detected already as Win32:Fraudo, but wasn't rescanned.. we can match the hash against our internal set of samples..

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Antivirus 2009 Variant?
« Reply #6 on: October 05, 2008, 03:24:07 PM »
The scan isn't from February but this month; unfortunately, they are using the US Date notation of Month/Day/Year in the Header information.

Quote
File A9installer_880221.exe received on 10.02.2008 15:09:58 (CET)

If you look at the scanner info, as in the date of the signature files this is reported in the Day/Month/Year notation.

Quote
AhnLab-V3    2008.10.2.0    2008.10.02    -
AntiVir    7.8.1.34    2008.10.02    -
Authentium    5.1.0.4    2008.10.02    -
Avast    4.8.1248.0    2008.10.02    -
AVG    8.0.0.161    2008.10.02    -
BitDefender    7.2    2008.10.02    -
CAT-QuickHeal    9.50    2008.10.01    -
ClamAV    0.93.1    2008.10.02    -
DrWeb    4.44.0.09170    2008.10.02    -
eSafe    7.0.17.0    2008.10.01    -
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
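
The cross-check described in Reply #6, written out as an added example that is not part of the original thread: read the ambiguous header date both ways and keep only the reading that the engines' signature dates allow. It assumes the third column of the quoted scanner rows is year.month.day; the function names and the `max_age_days` threshold are hypothetical.

```python
from datetime import datetime

# Constructed sample input: lines copied from the report quoted in the post above.
HEADER = "File A9installer_880221.exe received on 10.02.2008 15:09:58 (CET)"
ENGINE_ROWS = """\
AhnLab-V3    2008.10.2.0    2008.10.02    -
Avast    4.8.1248.0    2008.10.02    -
CAT-QuickHeal    9.50    2008.10.01    -
eSafe    7.0.17.0    2008.10.01    -
"""

def header_candidates(header):
    """Return every valid calendar reading of the ambiguous header date."""
    raw = header.split("received on ")[1].split()[0]
    readings = {}
    for label, fmt in (("month.day.year", "%m.%d.%Y"),
                       ("day.month.year", "%d.%m.%Y")):
        try:
            readings[label] = datetime.strptime(raw, fmt).date()
        except ValueError:
            pass  # e.g. 25.02.2008 cannot be month.day.year
    return readings

def signature_dates(rows):
    """Third column of each engine row, assumed to be year.month.day."""
    dates = []
    for line in rows.splitlines():
        cols = line.split()
        if len(cols) >= 3:
            dates.append(datetime.strptime(cols[2], "%Y.%m.%d").date())
    return dates

def consistent_readings(header, rows, max_age_days=30):
    """Keep readings where no signature set is newer than the scan and
    the newest signature set is at most max_age_days older than it."""
    newest = max(signature_dates(rows))
    keep = {}
    for label, scan_day in header_candidates(header).items():
        age = (scan_day - newest).days
        if 0 <= age <= max_age_days:
            keep[label] = scan_day
    return keep

if __name__ == "__main__":
    for label, day in consistent_readings(HEADER, ENGINE_ROWS).items():
        print(label, day.isoformat())
```

If both readings survive the check, the header date stays ambiguous and another anchor is needed, such as when the file was first reported.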

Offline havildar

  • Full Member
  • ***
  • Posts: 125
Re: Antivirus 2009 Variant?
« Reply #7 on: October 05, 2008, 06:01:32 PM »
Maxx, David,

Thanks for your responses.

This month/day/year notation is certainly the cause of some confusion. It does seem to be an odd way to write the date but perhaps that's just because I'm not used to it.

I can confirm, though, that this A9installer thing I referred to earlier dates from Thursday or Friday of last week when the incident happened; an ill-advised click on a pop-up I'm told, which resulted in the fake anti-virus being installed.

Since Avast was not installed on the machine at the time the question of whether or not it would have stopped the malware did not arise.

Needless to say, it is now.
Windows XP Sp3 Home desktop, Windows 10 Pro laptop, Avast 17.8.2318 Free , Malwarebytes Anti-malware (free), SpywareBlaster. SuperAntispyware, WOT. Firefox Quantum.

Spiritsongs

  • Guest
Re: Antivirus 2009 Variant?
« Reply #8 on: October 05, 2008, 09:43:05 PM »
 :)  Hi all :

 The most complete Info about this "Rogue" program I know is at

 www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009 .