Author Topic: Blood-418  (Read 9251 times)


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Blood-418
« on: May 23, 2004, 04:01:23 AM »
This virus is only detected by the following command:

"C:\Arquivos de programas\Avast\ashQuick.exe" "*MEMORY" "*MEMORY-SHORT" "*STARTUP"

It's not detected by the splash screen scan, nor by avast itself (even at High Sensitivity, scanning archives and so on...)

What the hell is this?  :(
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re:Blood-418
« Reply #1 on: May 23, 2004, 04:11:30 AM »
Screen shot  :P
The best things in life are free.

Offline SpeedyPC

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3398
  • Avast shall conquer the whole world
Re:Blood-418
« Reply #2 on: May 23, 2004, 08:25:57 AM »
I am getting very worried too and I am having the same problem, and this is my first time catching a virus on the HD; I have never had a virus in 4 years straight. SHIT!

When I run Avast 4 Home and do a full thorough scan with the archive file option ticked on, scanning both drives C and D, no virus is found.

Suddenly I went to Windows Explorer and did a manual quick scan, highlighting the C drive, and suddenly the quick scan picked up a Blood virus, the same problem as Technical.

Question: how come the manual quick scan from Windows Explorer has picked up a virus, and the Avast 4 Home Anti-Virus software running a full thorough scan didn't pick it up?

Otherwise I am smelling a bug under my very own nose using the latest version, please advise.

I have set all my protection settings to High using Avast 4 Home; instead, I don't have the Pro version for Script Blocking.
« Last Edit: May 23, 2004, 10:31:22 AM by SpeedyPC »
Gigabyte 670 LGA1200 Full ATX MB | Intel Core i9-13900 CPU/LGA 1700 | GeForce Nvidia RTX-4070/12GB | 32GB DDR4 | 2 x 1TB Samsung SSD | W11 Home 64bit | Avast Premium v23.11.6090 | Avast SecureLine VPN | Avast Secure Browser | Avast Driver Updater | Avast BreachGuard | Firefox 64bit | MalwareBytes Premium | Adguard Premium | CCleaner Portable | Macrium Reflect | 7-Zip

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9413
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Blood-418
« Reply #3 on: May 23, 2004, 09:22:09 AM »
Hm, I went to the Virus List page (you can find it on my page) and I got this result for Blood-418:
http://www.viruslist.com/eng/viruslist.html?id=316

I think this is the point on which the Alwil guys should help...
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re:Blood-418
« Reply #4 on: May 23, 2004, 04:28:58 PM »
Thanks RejZoR:

Blood.418
It is a non-memory-resident, not dangerous virus. The .COM files of the current directory get infected when the virus starts. The virus from time to time types: "File infected by BLOOD VIRUS version 1.20".

But in my case I have a 'memory block' infected... I cannot map which file is related to (infected by) it... Besides this, there is what SpeedyPC said  :'(
The best things in life are free.

whocares

  • Guest
Re:Blood-418
« Reply #5 on: May 23, 2004, 05:00:43 PM »
Hi,

I also get this with the above ashQuick options...

My guess is that this is a false alarm... maybe avast stumbles over its own sigs in memory?

But the Alwil team should comment on this or, better, rectify it ;)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re:Blood-418
« Reply #6 on: May 23, 2004, 05:29:56 PM »
> Hi,
>
> I also get this with the above ashQuick options...
>
> My guess is that this is a false alarm... maybe avast stumbles over its own sigs in memory?
>
> But the Alwil team should comment on this or, better, rectify it ;)

Thanks for posting whocares...
I read your thread (http://forum.avast.com/index.php?board=2;action=display;threadid=4679) but I cannot see a solution for the deactivation of avast  :'(
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11848
    • AVAST Software
Re:Blood-418
« Reply #7 on: May 24, 2004, 10:03:54 AM »
avast! certainly doesn't find its signatures in memory because the decrypted signatures are never present there (you can check what this process 552 is in Task Manager).
Anyway, it's probably just a false alarm. We'll try to do something about it.
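The design point igor is making, that a scanner which keeps its signatures encoded in memory cannot be tripped by another scanner reading its process, while one that holds them in the clear can, as an added toy example. This is not code from avast!, BitDefender or anyone in this thread; the two placeholder signatures, the XOR key and the "memory image" layout are all constructed for the illustration:

```python
# Toy illustration of in-memory signature handling (constructed example,
# not avast! or BitDefender code). Two scanners share one signature table.
# The naive one keeps the table in the clear, so a second scanner that reads
# its memory finds the patterns and raises a false alarm; the masked one keeps
# only XOR-masked copies and masks the *data* before comparing, so the plain
# pattern never exists in its memory, yet infected data is still detected.

from typing import Dict, List

# Constructed, harmless placeholder signatures (real engines use byte patterns
# taken from malware bodies; these are just recognisable strings).
SIGNATURES: Dict[str, bytes] = {
    "Toy-Virus-A": b"File infected by TOY VIRUS version 1.20",
    "Toy-Virus-B": b"TOYVIRUSB-MARKER",
}

MASK_KEY = 0x5A  # constructed per-build secret; any byte value works


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key (a bijection, so it is its own inverse)."""
    return bytes(b ^ key for b in data)


class NaiveScanner:
    """Stores signatures in the clear."""

    def __init__(self, sigs: Dict[str, bytes]) -> None:
        self.sigs = dict(sigs)

    def memory_image(self) -> bytes:
        # What another process reading this scanner's memory would see:
        # the signature table, in plaintext, padded by unrelated bytes.
        return b"\x00" * 16 + b"".join(self.sigs.values()) + b"\x00" * 16

    def scan(self, blob: bytes) -> List[str]:
        return sorted(name for name, pat in self.sigs.items() if pat in blob)


class MaskedScanner:
    """Stores only masked signatures and never materialises the plain pattern."""

    def __init__(self, sigs: Dict[str, bytes], key: int) -> None:
        self.key = key
        self.masked = {name: xor_bytes(pat, key) for name, pat in sigs.items()}

    def memory_image(self) -> bytes:
        return b"\x00" * 16 + b"".join(self.masked.values()) + b"\x00" * 16

    def scan(self, blob: bytes) -> List[str]:
        # Mask the data instead of unmasking the signature: because XOR with
        # a fixed key is position-preserving, `pat in blob` holds exactly when
        # `xor(pat) in xor(blob)`, so the plain pattern is never built.
        masked_blob = xor_bytes(blob, self.key)
        return sorted(name for name, mpat in self.masked.items() if mpat in masked_blob)


def cross_scan_report() -> Dict[str, List[str]]:
    """Scan each scanner's memory image with the other design, plus an infected file."""
    naive = NaiveScanner(SIGNATURES)
    masked = MaskedScanner(SIGNATURES, MASK_KEY)
    # Constructed "infected" file: the marker string of Toy-Virus-A inside junk.
    infected_file = b"\x90" * 8 + SIGNATURES["Toy-Virus-A"] + b"\x90" * 8
    return {
        # a scanner with masked signatures reads the naive scanner's memory:
        # false alarm on nothing but the other product's plaintext table
        "masked_scans_naive_memory": masked.scan(naive.memory_image()),
        # the naive scanner reads the masked scanner's memory: nothing matches
        "naive_scans_masked_memory": naive.scan(masked.memory_image()),
        # both designs still catch the real thing
        "masked_scans_infected_file": masked.scan(infected_file),
        "naive_scans_infected_file": naive.scan(infected_file),
    }


if __name__ == "__main__":
    for label, hits in cross_scan_report().items():
        print(f"{label}: {hits or 'clean'}")
```

The first report line is this thread's situation in miniature: a scanner whose own signatures are never plain in memory reads another product's memory and reports two "infections" that are just that product's signature table. A production engine would use something stronger than a one-byte XOR, but the property that matters is the same: the data is masked for comparison rather than the signature being unmasked, so no plaintext pattern ever sits in the scanner's address space for someone else's memory scan to find.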

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re:Blood-418
« Reply #8 on: May 24, 2004, 01:47:44 PM »
Igor, on second thought, the process is:
BDSS.EXE
PID 2024 (no longer 552)
C:\Program files\Common files\Softwin\BitDefender Scan Server\bdss.exe

So, it's BitDefender (backup scanner)  :-\
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11848
    • AVAST Software
Re:Blood-418
« Reply #9 on: May 24, 2004, 01:56:21 PM »
Oh... in that case, maybe avast! found BitDefender's virus signatures in memory?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re:Blood-418
« Reply #10 on: May 24, 2004, 02:00:22 PM »
> Oh... in that case, maybe avast! found BitDefender's virus signatures in memory?

Maybe, how can I be sure?
On-line scanning (trendmicro), on-demand and on-access scanning of avast do not detect it...  ::)
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re:Blood-418
« Reply #11 on: May 24, 2004, 02:04:29 PM »
Igor, does this help?

Process: BDSS.EXE Pid: 2024

Type   Name
Desktop   \Default
Directory   \Windows
Directory   \BaseNamedObjects
Directory   \KnownDlls
File   C:\WINDOWS\Temp\tmp00000802\tmp00000000
File   \Device\NamedPipe\net\NtControlPipe20
File   \Device\NamedPipe\svcctl
File   C:\WINDOWS\system32\
Key   HKLM
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0013
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0014
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0015
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0016
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0017
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0018
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0019
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0020
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0021
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0022
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0023
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0024
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0025
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0026
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0027
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0028
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0029
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0030
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0031
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0032
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0033
Mutant   \BaseNamedObjects\XCOMM_ANONYMOUS_COUNT
Mutant   \BaseNamedObjects\XCOMM_CONNECTION_MUTEX_00065536
Mutant   \BaseNamedObjects\AVXSS-CSEC
Mutant   \BaseNamedObjects\AVXSS-CSEC3
Mutant   \BaseNamedObjects\AVXSS-CSEC2
Mutant   \BaseNamedObjects\AVXSS-CSEC1
Mutant   \BaseNamedObjects\AVXSS-CSEC0
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0000
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0001
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0002
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0003
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0004
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0005
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0006
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0007
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0008
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0009
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0010
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0011
Mutant   \BaseNamedObjects\XCOMM_QUEUE_MUTEX_0012
Section   \BaseNamedObjects\AVXCommunicator
Semaphore \BaseNamedObjects\XCOMM_EMPTY_QUEUE_SEM_0012
...
Semaphore \BaseNamedObjects\XCOMM_EMPTY_QUEUE_SEM_0033
Semaphore \BaseNamedObjects\XCOMM_FULL_QUEUE_SEM_0033
Semaphore \BaseNamedObjects\AVXSS-GETSEM
Semaphore \BaseNamedObjects\AVXSS-PUTSEM
Semaphore \BaseNamedObjects\XCOMM_EMPTY_QUEUE_SEM_0000
...
Semaphore \BaseNamedObjects\XCOMM_FULL_QUEUE_SEM_0011
Thread   BDSS.EXE(2024): 444
Thread   BDSS.EXE(2024): 436
Thread   BDSS.EXE(2024): 456
Thread   BDSS.EXE(2024): 496
Thread   BDSS.EXE(2024): 2028
Thread   BDSS.EXE(2024): 152
WindowStation   \Windows\WindowStations\Service-0x0-3e7$
WindowStation   \Windows\WindowStations\Service-0x0-3e7$
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11848
    • AVAST Software
Re:Blood-418
« Reply #12 on: May 24, 2004, 02:06:05 PM »
I am afraid it doesn't.
We would simply have to know what is inside the memory block where avast! detects the virus.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67198
Re:Blood-418
« Reply #13 on: May 24, 2004, 02:08:09 PM »
Can you test it, installing BitDefender 7.0 Free?
Is there any way to search into the memory blocks and see what is there at that time?
The best things in life are free.