Author Topic: Possible bug - issue - with scanning?  (Read 3843 times)


Kobra

  • Guest
Possible bug - issue - with scanning?
« on: June 16, 2004, 11:24:39 PM »
I was running some tests on Avast today again. So I purposely downloaded a few trojan-droppers on my test machine to infect it.  Avast did reasonably well, missing a few things.  However, one of the main things it missed was the actual dropper itself. While picking up the trojans it dropped at the time, it missed the vehicle, leaving the vehicle on the computer, and in RAM to keep dropping.

However, when I went to send a sample of the dropper to Avast, the email plugin Heuristics picked it up and blocked it.

I did notice a weird, apparently debugger-related message when I tried to manually scan the file; it said "UnnamedStream_1" and failed to recognize the dropper within.  Attached is the screenshot.



Comments? Anything going wrong here?   I know exactly how to remove this trojan dropper, so removal isn't an issue. I just want Avast to be able to find protocols like this, and deal with them, because right now it's not!

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:Possible bug - issue - with scanning?
« Reply #1 on: June 17, 2004, 12:16:19 AM »
It's the e-mail heuristic - it didn't flag the file as infected, just as suspicious; I'd say it's simply because it has an .exe extension; check your heuristic settings for the e-mail provider to make sure.

UnnamedStream_1 comes from the NTFS Stream archiver module - it's an NTFS stream extracted from the file. Don't ask me how it got there... I noticed it occasionally in files saved from Outlook Express attachments. When I traced the code, the Windows API really returned information about an additional stream (it disappeared on reboot, however).
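The "extra stream" igor describes is an NTFS alternate data stream (ADS). A scanner that extracts streams will see entries beyond the primary `:$DATA` stream, and the same mechanism is why a file can carry content that a plain directory listing never shows. The following PowerShell script is an added example, not code from the thread or from Avast: it walks a folder, lists every file that carries a named stream other than `:$DATA`, and prints the contents of small text streams so an investigator can see what was stored alongside the file. It assumes Windows with an NTFS volume and PowerShell 3.0 or later (the `-Stream` parameter); the default folder and the 512-byte display threshold are assumptions.

```powershell
# Added example (not from the thread or from Avast): enumerate NTFS alternate
# data streams under a folder and report files carrying more than ':$DATA'.
# Requires Windows, an NTFS volume, and PowerShell 3.0+ for the -Stream parameter.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"   # assumed starting folder
)

function Get-AlternateStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every stream of the file; ':$DATA' is the
            # primary (visible) content, anything else is an alternate stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

$findings = Get-AlternateStreams -Root $Path
if ($findings) {
    $findings | Format-Table -AutoSize

    # Small streams are usually text (e.g. the Zone.Identifier stream that the
    # Windows Attachment Manager writes); show them so the analyst can judge.
    # Larger streams are left alone rather than dumped to the console.
    foreach ($f in $findings | Where-Object { $_.Length -lt 512 }) {
        "--- $($f.File):$($f.Stream) ---"
        Get-Content -LiteralPath $f.File -Stream $f.Stream -ErrorAction SilentlyContinue
    }
} else {
    "No alternate data streams found under $Path"
}
```

Run it as `.\Find-Ads.ps1 -Path C:\Quarantine` (the file name is an assumption). A stream that holds executable content rather than a short text tag is worth pulling out with `Get-Content -Stream <name> -Encoding Byte` and scanning on its own, since that is exactly the object a scanner's stream extractor presents under a name like UnnamedStream_1.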

Kobra

  • Guest
Re:Possible bug - issue - with scanning?
« Reply #2 on: June 17, 2004, 12:29:38 AM »
Ahh, an ADS.. Ok, shoulda known..

As for that Trojan Launcher, I'll send it in via email; it's quite malicious, and enjoys downloading trojans to your box.  ;D

I sent in a further 22 samples yesterday, hopefully you guys got them.  Confirmed them to be malicious samples with KAV, RAV and DrWeb sweeps on them.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Possible bug - issue - with scanning?
« Reply #3 on: June 17, 2004, 08:45:00 AM »
As an antivirus "expert" you should know that if you want to transport such objects you need to put them in a container (usually a ZIP archive with password "virus", or an even stronger archive like 7-zip), so mail servers don't interfere with the sample while it's being sent over multiple machines.
Visit my webpage Angry Sheep Blog

Kobra

  • Guest
Re:Possible bug - issue - with scanning?
« Reply #4 on: June 17, 2004, 06:16:22 PM »
As an antivirus "expert" you should know that if you want to transport such objects you need to put them in a container (usually a ZIP archive with password "virus", or an even stronger archive like 7-zip), so mail servers don't interfere with the sample while it's being sent over multiple machines.

Duh, you don't think I know that? LOL  I've sent out about 1200 samples in the last month, to various investigators and av companies.

Obviously in this case, I was too lazy to zip it, which was fine really; it tested Avast's outbound scanning to make sure it was working right.  :P

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Possible bug - issue - with scanning?
« Reply #5 on: June 17, 2004, 07:01:10 PM »
Yeah yeah excuses :P
Visit my webpage Angry Sheep Blog