Author Topic: avast as a subject of an email  (Read 3417 times)

sagitta

  • Guest
avast as a subject of an email
« on: December 02, 2008, 06:03:38 AM »
I'm just reporting a message received with an avast subject that is probably a virus. I didn't open it, just copied it into the notebook to report it on the forum. I think it is helpful for somebody else and the avast manager.

Elenir

See below

Return-Path: <teste@avast.com.br>
Received: from sinai6-1.uol.com.br (sinai6.srv.intranet [172.27.64.27])
    by samba13-a with LMTPA;
    Tue, 02 Dec 2008 01:27:55 -0200
Received: from localhost (localhost [127.0.0.1])
   by starfury14.uol.com.br (Postfix) with ESMTP id CB2D629E
   for <------>; Tue,  2 Dec 2008 01:27:55 -0200 (BRST)
Received: from linuxserver.midiaimpressa.com.br (revdns.midiaimpressa.com.br [67.205.89.71])
   by starfury14.uol.com.br (Postfix) with ESMTP id 40BC229F
   for <------->; Tue,  2 Dec 2008 01:27:55 -0200 (BRST)
Received: from 189-31-58-126.gnace704.dsl.brasiltelecom.net.br ([189.31.58.126] helo=avast.com.br)
   by linuxserver.midiaimpressa.com.br with esmtpa (Exim 4.69)
   (envelope-from <teste@avast.com.br>)
   id 1L7Kv6-0007Qp-9u
   for ---------; Mon, 01 Dec 2008 23:23:24 -0300
Message-ID: <20081202022321031.7GQcdhPx1X2whwmyyGmV@revdns.midiaimpressa.com.br>
From: "Avast te ajudando" <teste@avast.com.br>
To: "-------------" <----------->
Subject: Teste nosso anti virus
Date: Tue, 2 Dec 2008 00:23:21 -0200
MIME-Version: 1.0
Disposition-Notification-To: "Avast te ajudando" <teste@avast.com.br>
Content-Type: text/html;
   charset="iso-8859-1"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - linuxserver.midiaimpressa.com.br
X-AntiAbuse: Original Domain - uol.com.br
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - avast.com.br
X-SIG5: f238daf0eb4072dc76979e80d0778c0f
Content-Transfer-Encoding: quoted-printable
X-Antivirus: avast! (VPS 081201-0, 01/12/2008), Inbound message
X-Antivirus-Status: Clean


<a href=3D"http:  //w w w.osbrasilleiros.com.br/avast.exe">download</a>.=

Offline Lisandro

  • Avast team
Re: avast as a subject of an email
« Reply #1 on: December 02, 2008, 09:44:46 PM »
Shame on .br spreading spam :'(
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
Re: avast as a subject of an email
« Reply #2 on: December 02, 2008, 11:46:30 PM »
Tech, this isn't from any official avast or distributor; the From is easily faked, and if you check out the full info it comes with a link which they are trying to pass off as avast, either an update or download of avast.exe, no doubt to infect unwary recipients of the email. It is too small to be either at 42.5KB.

DrWeb link checker confirms sagitta's suspicion that the link is to an infected file, see image
wXw.osbrasilleiros.com.br/avast.exe

So you did well to avoid this as avast doesn't detect anything.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
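
The point about the From being easily faked can be checked against the Received chain in the headers posted at the top of the thread. The following is an added example, not part of any forum post; the helper names `hops`, `org` and `spoof_findings` are illustrative. It compares the name each sender announced with the host the receiving server actually saw, and checks whether any hop came from the From domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers taken from the message quoted in the first post ("for <...>" lines trimmed).
RAW = """Received: from localhost (localhost [127.0.0.1])
   by starfury14.uol.com.br (Postfix) with ESMTP id CB2D629E;
   Tue,  2 Dec 2008 01:27:55 -0200 (BRST)
Received: from linuxserver.midiaimpressa.com.br (revdns.midiaimpressa.com.br [67.205.89.71])
   by starfury14.uol.com.br (Postfix) with ESMTP id 40BC229F;
   Tue,  2 Dec 2008 01:27:55 -0200 (BRST)
Received: from 189-31-58-126.gnace704.dsl.brasiltelecom.net.br ([189.31.58.126] helo=avast.com.br)
   by linuxserver.midiaimpressa.com.br with esmtpa (Exim 4.69)
   (envelope-from <teste@avast.com.br>)
   id 1L7Kv6-0007Qp-9u; Mon, 01 Dec 2008 23:23:24 -0300
From: "Avast te ajudando" <teste@avast.com.br>

"""

HOP = re.compile(r"from (\S+) \((?:(\S+) )?\[([\d.]+)\](?: helo=(\S+))?\)")

def hops(raw):
    """Per Received header: the name the sender claimed vs. the host the receiver saw."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.match(" ".join(value.split()))
        if not m:
            continue
        first, rdns, ip, helo = m.groups()
        # Exim puts reverse DNS first and HELO in "helo="; Postfix puts HELO first.
        claimed, seen = (helo, first) if helo else (first, rdns or "unknown")
        out.append({"claimed": claimed.lower(), "seen": seen.lower(), "ip": ip})
    return out

def org(host):
    # Assumption: last three labels approximate the registrable domain for
    # .com.br/.net.br names; a real tool would use the Public Suffix List.
    return ".".join(host.split(".")[-3:])

def spoof_findings(raw):
    sender = parseaddr(message_from_string(raw)["From"])[1].rsplit("@", 1)[-1].lower()
    external = [h for h in hops(raw) if not h["ip"].startswith("127.")]
    found = [f'HELO {h["claimed"]} but connected from {h["seen"]} [{h["ip"]}]'
             for h in external if org(h["claimed"]) != org(h["seen"])]
    if not any(org(h["seen"]) == org(sender) for h in external):
        found.append(f"no relay hop originates from {sender}")
    return found

if __name__ == "__main__":
    print("\n".join(spoof_findings(RAW)))
```

Only the hops written by the recipient's own provider can be trusted; earlier Received lines can themselves be forged, so the output is a triage hint rather than proof.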

Offline DavidR

  • Avast Überevangelist
Re: avast as a subject of an email
« Reply #3 on: December 02, 2008, 11:58:53 PM »
Update:

Virustotal gives 21 of 36 scanners finding something they didn't like; mostly it looks like another banker variant, which seems very frequent in Brazil: http://www.virustotal.com/analisis/8d3a736de4f278e25485bc116087739d

I have submitted the sample to avast (real ;D)

Offline Lisandro

  • Avast team
Re: avast as a subject of an email
« Reply #4 on: December 03, 2008, 01:04:39 AM »
Virustotal gives 21 of 36 scanners finding something
Did you download the file and submit it? How? Does VirusTotal allow scanning of files on the web?

Offline DavidR

  • Avast Überevangelist
Re: avast as a subject of an email
« Reply #5 on: December 03, 2008, 02:10:14 AM »
Yes, I downloaded it as my b1971.gif image shows in my first reply.

So VirusTotal doesn't allow scanning of on-line files, though DrWeb link checker did confirm a trojan.downloader, also in my first post.

I added the file to the user files section of the chest after downloading and submitted to avast from there with the new submission. I then did a manual iAVS update so it kicked off the submission upload right after the update check.