Win 32: Vitro virus -- why didn't Avast catch it?

[starrigger]

I am now going through the prolonged process of reinstalling Windows and all the software, and doing the updates, on my laptop.  Reason?  The Vitro virus, which ran through my system like wildfire. 

Here's my question: Why didn't Avast catch the virus and stop it when it first appeared? 

I was running fully updated Avast Professional, on Win XP SP3 with all the security updates, and the latest version of Firefox.  (I believe--but am not certain--that it came in from a website.  My daughter was looking for a TV program online, and she visited some sites that apparently do not fall under the heading of safe surfing.) 

Anyway, Avast identified the infection once it was present, and tried to rid my system of it, but the barn was already burning by then.  I ultimately used a boot CD with Linux and BitDefender to clean out the drive.  But Windows and my software were gone. 

So I'm wondering--why didn't the active protection stop the virus?  I'm not looking to assign blame, I'm trying to figure out whether I should keep using Avast or switch to another antivirus program.  I'd rather not go through this again.  Maybe nothing would have caught it.  But could someone enlighten me as to how these things slip by a much-touted system of protection? 

And while I'm asking--why doesn't Avast offer a boot CD for emergencies like this?  (Yes, I know there's a pricey one for sysadmins, but other antivirus companies offer free rescue CD downloads, and I could find nothing like that for Avast.  Yet it's Avast that I paid my money to.)

Thanks.

[starrigger]

Oh--just one more data point.  When I first got the virus warning, I fired up Malwarebytes Antimalware and started it on a scan.  (Because on my other computer, it did a bangup job on a recent malware infestation.)  As MBAM was running I kept getting virus popup warnings from Avast--I guess as MBAM checked files, that somehow triggered a response that Avast noticed. 

I don't know if it was a mistake to run MBAM first, then Avast, or if that even matters. 

[Tarq57]

I don't know the mechanics of why this wasn't detected, except in very general terms.
Vitro is a polymorphic virus. This means it mutates frequently (and I believe, in a non-predictable manner). What this means is that a scanner checking for a particular footprint probably will not detect the new variant- which may be several generations removed from the detection algorithm - until it's installed and running.

Prevention is better than cure, of course; once it's running this particular one is considered pretty much near impossible to successfully remove.

Here is a bit more information, from Pondus (one of the forums' malware researchers) about some of the things it does.
I don't know if there is a successful cleanup routine or program that is recommended. I've read about a few users who have it, and most appear to have had to re-format. I can't say if the users of other AV's have the same sort of issues with this one, but I wouldn't be at all surprised. The type of behaviour the virus demonstrates looks like it would be able to overwhelm most cleaners. And if it overwhelms a highly regarded trojan killer like MBAM, you have to ask yourself: what hope is there?

All I can suggest is using the Noscript add-on with Firefox, keeping software up to date (especially flash players, and Java) and if prompted by a website to install the latest flash player to watch a movie, when you know you already have the latest player installed, leave that site never to return. (Ditto if a site offers you a codec to enable your embedded media player to work, or wants you to install a plugin for its own player. Some will be legit. No movie is worth it, to me, to do this, without a bit more research, at least. And probably not even then, unless it's a popular, well known, and highly regarded player.)

What else? Use a hosts file. (I use the MVPS hosts file, and Hostsman to manage it. See Here.)
SpywareBlaster does a similar sort of job in a different way.
(The similar job is that of blocking known bad sites from connecting/loading.)

These need updating from time to time, and will not block unknown bad sites. The noscript option in Firefox is one of the best preventers, requiring anything you don't whitelist approval to be run. (Then you just need to let your daughter know not to allow all scripts that want to run on a page, for the sake of convenience.
Consider giving her a limited user account to use, and password protect your own user profile.

[BRANDONN2008]

Hello. What are the symptoms of a computer infected with Vitro, assuming you don't have an AV that detects it.

[Tarq57]

Dunno, never had it  or seen it.
But the reports I've seen (try searching the forum) indicate that executables fail to open, including Windows system files as they are called upon, control panel and other features (like system restore, regedit, ability to boot into safe mode) are disabled, malware cleanup programs fail to install/run, and as the infection spreads, many if not most of the files on the machine become corrupted and unable to be used, including pictures and .mp3s in some cases.
The more attempts that are made to clean it, seems that the more files it infects. An infected file then does not do what it is supposed to.

I think you would know if you had something like this.

[BRANDONN2008]

Oh, I was thinking my last computer might have had it but it froze after a few minutes of being on, virus scanners would freeze mid-scan, and it had to be completely rebooted. If I waited long enough, it would sometimes unfreeze and any scan I was running would jump to the end like it had been scanning the whole time and it would say it found nothing which was bs. I would also try to run other programs after that and they said the exe didn't exist or something.