Author Topic: js-pdfka-TW [Expl] - Strange behavior in avast! mail scanner  (Read 3662 times)

0 Members and 1 Guest are viewing this topic.

Offline kraken

  • Newbie
  • *
  • Posts: 6
js-pdfka-TW [Expl] - Strange behavior in avast! mail scanner
« on: January 28, 2010, 01:30:50 AM »
Hi, I think I may have ran into a new variant or avast may not have completely stopped an infection.
I am using Avast 5 free with Vista 64 hp. I was using Vuze today when I received two pop-ups from Avast while browsing for files in Vuze. In the virus chest it shows that it blocked js-pdfka-TW [Expl] twice at the time when the pop-ups occurred. At the time Avast also notified me of a connection for techsavvy.com.  Great that it detected and stopped it but I think it may have missed part of it or another infection. It put a connection to techsavvy.com into the SSL account settings for the mail protection shield INSIDE AVAST!!! So avast thought that it was detecting a mail connection for some reason.

I do not use any mail account with techsavvy.com. I verified the IP whois info in question and it does indeed show that it is a techsavvy.com IP.

I deleted the mysterious techsavvy.com POP account in the mail shield for avast, it then came back a few minutes later leaving me to believe something was active in memory. I deleted the techsavvy account from the mail shield again and rebooted. It has not come back since so I think avast stopped most of the infection but some still was allowed through and was in memory. So it may be a new variant.
Techsavvy.com appears to be a tech consulting company in Canada. I'm in the USA so that is another red flag. The mail accounts I use are not related in any way to techsavvy.com.
After rebooting the problem APPEARS to have gone away. I have blocked their IP range for safety reasons.
I'm assuming this is some kind of email worm or similar if it's trying to setup an email connection in avast.

« Last Edit: January 28, 2010, 01:36:59 AM by kraken »