Author Topic: Why Avast can't detect this virus? (paint.exe)

.NeXus.

  • Guest
Why Avast can't detect this virus? (paint.exe)
« on: April 20, 2010, 07:58:37 PM »
Hi!

I have some problem with this virus [ru lang]:
http://www.virustotal.com/ru/analisis/5209e0a7a7cc4fae87f411825192c4f74b509cdea2d61599b9b6c6b6a42fdb08-1271785885

I sent this file, named "Paint.exe", two times (a month ago and one or two weeks ago), but Avast still does not detect this virus.

P.S. It is strange that Avast's heuristics don't detect this file.

Sorry for my bad English.

Thx.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #1 on: April 20, 2010, 08:44:39 PM »
How did you send it to avast?

If by email to virus (at) avast (dot) com, was the sample zipped and password protected, with "Undetected Malware" in the email subject?

I have tried to draw attention to this topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #2 on: April 20, 2010, 08:57:18 PM »
Hi .NeXus,

It is cloaked malware and it is being described here:
http://www.prevx.com/filenames/2126489705135194034-X1/PAINT.EXE.html
and related: http://www.prevx.com/filenames/X1209231862433248165-X1/IMAGES+.EXE.html
A hack like the Garena maphack cheat is the one leading to the paint.exe virus infection.
Number of reports: 41
Number of positive reports: 1
Positive report percentage: 3%
Entry time: 2009-10-07
File name: Paint.exe
File size: 92 KB (94209 bytes)
Md5: 176288f6f22a80c76329853f8535d45b
Loading point information
Execution type: REGISTRY
Registry section: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Entry: mspaint
Look for these in the start-up list: paint.exe / shnlog.exe should not be running there.

Brief description of process
paint.exe is a process associated with the malicious software Backdoor.Win32.Agent.ah. Backdoor.Win32.Agent.ah is a Trojan for the Windows platform. Troj/Agent-GG includes functionality to access the internet and communicate with a remote server via HTTP. Use antivirus software to protect the computer against virus attacks.
What to do with this process?
System process "paint.exe" is reported as a Virus and Trojan!
Your personal data stored in the computer are in danger!
Kill or disable the process "paint.exe" and try to remove it from your computer.
After successful removal, try to scan your computer with an updated antivirus and antispyware application,
like MBAM and SAS.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

windward

  • Guest
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #3 on: April 21, 2010, 02:45:33 AM »
Just wondering if this is different from the Windows program paint.exe? I imagine it is. If it is, will the program paint.exe be removed when the virus is removed?


Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #4 on: April 21, 2010, 08:07:11 AM »
Hello,
thank you for the notice; detection will be added. This sample runs the original mspaint, but additionally it puts itself into the registry key "Run" and waits for something.

Milos
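The persistence mechanism described above (a value named "mspaint" under the HKLM Run key pointing at paint.exe, with shnlog.exe as a related indicator, and the MD5 quoted from the Prevx report) can be checked without touching the live registry by parsing a `reg export` of the Run key. The script below is an added example, not code from this thread, from Prevx or from Avast. It embeds a constructed .reg export as sample input; the "trusted directory" prefixes and the hypothetical paths in the sample are assumptions, and it generalises the thread's two filenames into a small triage routine that also flags any autorun whose executable lives outside the usual system or program directories.

```python
"""Offline triage of Run-key autoruns for the indicators named in the thread.

Added example (not from the thread, Prevx or Avast). Input is the text that
`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`
writes; a constructed sample is embedded below so the script runs anywhere.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators quoted in the thread (Prevx report posted by polonus).
SUSPECT_VALUE_NAMES = {"mspaint"}
SUSPECT_FILENAMES = {"paint.exe", "shnlog.exe"}
KNOWN_MD5 = "176288f6f22a80c76329853f8535d45b"  # MD5 quoted in the thread

# Assumption: legitimately installed autoruns normally start under these roots.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample of a .reg export; the paths are hypothetical, not captured.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"mspaint"="C:\\Users\\Public\\paint.exe"
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"shn"="C:\\Users\\Alice\\AppData\\Roaming\\shnlog.exe"
'''

# One REG_SZ line of a .reg file: "name"="data" (data still escaped).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text):
    """Return {value_name: command_line} for the string values in a .reg export."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg files escape backslashes and double quotes inside string data.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            values[m.group("name")] = data
    return values


def executable_path(command_line):
    """Extract the executable from a Run command line (quoted or first token)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_run_values(values):
    """Return [(value_name, exe_path, [reasons])] for entries worth a closer look."""
    findings = []
    for name, cmd in values.items():
        path = executable_path(cmd)
        low = path.lower()
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("value name matches thread indicator")
        if PureWindowsPath(low).name in SUSPECT_FILENAMES:
            reasons.append("filename matches thread indicator")
        if not low.startswith(TRUSTED_DIR_PREFIXES):
            reasons.append("executable outside trusted directories")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def md5_hex(data):
    """MD5 of a byte string, for comparison with the hash quoted in the thread."""
    return hashlib.md5(data).hexdigest()


def file_matches_known_sample(file_path, expected=KNOWN_MD5):
    """True if the file on disk has the MD5 the Prevx report lists for Paint.exe."""
    with open(file_path, "rb") as f:
        return md5_hex(f.read()) == expected


if __name__ == "__main__":
    for name, path, reasons in triage_run_values(parse_run_values(SAMPLE_REG_EXPORT)):
        print(f"{name!r} -> {path}: {'; '.join(reasons)}")
```

On a real host, replace `SAMPLE_REG_EXPORT` with the contents of the exported file (and repeat for the HKCU Run key and the RunOnce keys, which the same parser handles). The MD5 comparison only identifies this exact build of the sample; a recompiled or repacked variant will have a different hash, which is why the name and location checks are the more durable part of the triage.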

cinchez

  • Guest
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #5 on: April 21, 2010, 11:08:58 AM »
Quote from: Milos on April 21, 2010, 08:07:11 AM
Hello,
thank you for the notice; detection will be added. This sample runs the original mspaint, but additionally it puts itself into the registry key "Run" and waits for something.

Milos
Run and wait for something, huh.. sounds dangerous^^

Good thing it's added in the database^^

-AnimeLover^^

.NeXus.

  • Guest
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #6 on: April 21, 2010, 06:52:37 PM »
The second question: why do the heuristics not detect this virus? Other anti-virus software can detect the virus by using heuristics, and Avast failed this test.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #7 on: April 21, 2010, 08:17:08 PM »
Hi .NeXus,

Yes, that is strange because GData reports it as Trojan.Generic.3191429.
GData also uses avast heuristics and finds it. Avast as such missed it.
I have no explanation for this behavior of the avast scanner.
Did you send it to avast to add to their detection?

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #8 on: April 21, 2010, 08:33:12 PM »
GData is finding it but that signature name is from the Bitdefender scanner element of GData.

Heuristics are a somewhat strange beast to define, and much less so when you also have to consider their sensitivity: too high and you get FPs, too low and you miss some; the balance is the problem.

Also, given what Milos said, perhaps this could be sitting dormant until someone actually uses paint.exe, so it may not be scanned by the Code Emulation in the Heuristics part of the File System Shield.

I don't know if code emulation is set in the Heuristics of the on-demand scans; it seems this is only in the Custom Scan options, Sensitivity, Heuristics, Use code emulation.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #9 on: April 21, 2010, 08:37:16 PM »
Hi DavidR,

Heuristics and behavioral scanning are becoming more and more vital, especially in the light of the arising new threat of so-called "one-liners or singletons".

polonus
« Last Edit: April 21, 2010, 08:38:58 PM by polonus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #10 on: April 21, 2010, 08:43:21 PM »
Yes, they may well be becoming more important, but setting the right balance is also essential.

.NeXus.

  • Guest
Re: Why Avast can't detect this virus? (paint.exe)
« Reply #11 on: April 22, 2010, 05:55:26 PM »
I have heuristics on the max level: I want maximum detection rates at the cost of FPs. But I can't say which viruses Avast can detect with heuristics.

If you found a virus detected by the Avast heuristics only, plz tell us about that.