I am a big fan of Avast! It's been very efficient ever since I first used it, but recently it failed me.
I noticed my Firewall (Comodo) logging suspicious behavior:
Explorer.exe was constantly trying to connect to the Internet, with an attempt every second. The external port Explorer.exe was trying to connect to was incremented with every attempt. When I first noticed it, the external port was 1346, which incremented after every attempt. The IP remained constant: 38.97.225.166.
Why would Explorer.exe constantly be trying to connect to 38.97.225.166? I thought. It could only be malicious.
I further noticed that every time I plugged a USB drive into my PC (Windows XP SP2), a new autorun.inf was created, together with a hidden folder called "Driver". This "Driver" folder contained a "Files" folder which resembled the Recycle Bin. This folder was empty, yet when I viewed its properties, it listed 2 files. I promptly deleted the autorun.inf and Driver folder, which was promptly recreated 2 seconds later. I scanned the USB drive, to no avail.
I did a complete boot-time scan of my PC, which came up clear. Avast! could find no threat.
I got Kaspersky Internet Security 2009. Needless to say I had to uninstall Avast! when I installed Kaspersky. When I scanned the USB drive with KIS it found a Trojan known as Backdoor.Win32.VB.iqo.
On Threatexpert.com it is described as:
A malicious backdoor Trojan that runs in the background and allows remote access to the compromised system:
http://www.threatexpert.com/report.aspx?md5=2adcaf95e8bda37bbb92e8e5f43e99bd
A malicious Trojan horse or bot that may represent a security risk for the compromised system and/or its network environment:
http://www.threatexpert.com/report.aspx?md5=bcbd8ec75e1f60cf73415c4dbf8af1d6
McAfee also has some info:
http://vil.nai.com/vil/content/v_156344.htm
Why did Avast! not detect this Trojan?
I am writing this post just to inform those who can do something about this, so that Avast! users can be safe.
Kaspersky Report (Not exhaustive):
C Drive:
- 2009/06/01 03:27:48 PM Detected: Backdoor.Win32.VB.iqo File C:\driver\files\dt.exe
- 2009/06/01 03:28:01 PM Deleted: Backdoor.Win32.VB.iqo File HKLM\Software\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX5-314CCA322142}\{67KLN5J0-4OPM-01WE-AAX5-314CCA322142}
- 2009/06/01 03:28:21 PM Deleted: Backdoor.Win32.VB.iqo File C:\driver\files\dt.exe
- 2009/06/01 05:17:15 PM Detected: Backdoor.Win32.VB.iqo File C:\System Volume Information\_restore{7A9E6E3C-536F-4108-AA0D-0A202ECEBB41}\RP134\A0157323.exe
USB Drive:
- 2009/06/03 08:02:13 PM Deleted: Backdoor.Win32.VB.iqo File F:\Driver\Files\DT.exe
- 2009/06/03 08:02:13 PM Deleted: Backdoor.Win32.VB.iqo File F:\Driver\Files\DT.exe
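Added example, not part of the original post: a small Python check for the removable-drive indicators the post describes, an autorun.inf at the drive root and a hidden Driver\Files folder holding an executable. It builds a harmless replica of that layout in a temporary directory to run against; the default drive letter F:\ and the list of executable extensions are assumptions.

```python
"""Look for the USB indicators from the post: autorun.inf at the root plus a
(hidden) Driver\\Files folder containing an executable. Added example; the
drive letter and extension list are assumptions, the sample tree is constructed."""
import configparser
import os
import stat
import sys
import tempfile

SUSPECT_DIR = ("Driver", "Files")                   # folder names from the post
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".vbs"}   # assumed executable types


def is_hidden(path):
    """True when the hidden attribute is set (Windows only; False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def parse_autorun(path):
    """Return the launch keys of an autorun.inf; option names are lower-cased."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cfg.read(path, encoding="latin-1")
    except configparser.Error as exc:        # malformed file is itself worth reporting
        return {"parse_error": str(exc)}
    return {k: cfg.get(s, k) for s in cfg.sections()
            for k in ("open", "shellexecute") if cfg.has_option(s, k)}


def scan_drive(root):
    """Return (indicator, detail) findings for one drive root."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        findings.append(("autorun.inf", parse_autorun(autorun)))
    files_dir = os.path.join(root, *SUSPECT_DIR)
    if os.path.isdir(files_dir):
        execs = sorted(f for f in os.listdir(files_dir)
                       if os.path.splitext(f)[1].lower() in EXEC_EXT)
        hidden = is_hidden(os.path.join(root, SUSPECT_DIR[0]))
        findings.append(("driver_files", {"hidden": hidden, "executables": execs}))
    return findings


def build_sample(root):
    """Constructed replica of the layout from the post: empty placeholder, no payload."""
    files_dir = os.path.join(root, *SUSPECT_DIR)
    os.makedirs(files_dir, exist_ok=True)
    open(os.path.join(files_dir, "DT.exe"), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=Driver\\Files\\DT.exe\nshellexecute=Driver\\Files\\DT.exe\n")


def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_drive(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "F:\\"   # assumed drive letter
    for kind, detail in (scan_drive(target) if os.path.isdir(target) else demo()):
        print(kind, detail)
```

Run it with a drive root as the first argument to check a real stick; with no argument it scans the constructed sample instead.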