Changelog 07.06.2010.zip (Malware not detected?)

[Saffron_Blaze]

I received an obvious attempt at infecting our computer. Typical email with a short note offering a file we never requested from someone we don't know. The attached zip file had the file name given in the subject heading. I am curious as to how the file even made it to our inbox. Avast is scanning incoming emails so why did it not detect the virus/worm in the email attachment?

[DavidR]

Well I don't know if avast scans .zip attachments by default as they are inert until the user saves the attachment to disk, extracts the files and tries to run an executable. At the point of extraction and certainly before they are executed the File System Shield would scan the contents.

So if you save the attachment to your hard disk (no risk) and then right click on the .zip file and have avast scan it, does it detect it then ?

[Asyn]

Maybe it's a new threat..!!?
You can send it to avast: virus(at)avast.com
asyn

[DavidR]

Before getting carried away, lets see if it has even been scanned by avast.

[Asyn]

Before getting carried away, lets see if it has even been scanned by avast.

All right, David..!
Let's wait for a reply first.
asyn

[Maxx_original]

we've seen this nasty already.. it was an e-mail worm coded in Visual Basic and packed with PECompact using a double extension (.doc.exe).. all known variants were detected afaik... if this is a new variant, we would appreciate to have an sample.. btw: v5 should detect it in your mailbox heuristically

[Saffron_Blaze]

I saved the file and then did a scan of it. Avast did detect the malware at this point as Win32:Malware-gen. I am still not certain why avast isn't scanning these attachments as they come in. It certainly ups the risk level in that I have to rely on every user of the computer to be fairly knowledgeable about malware.

[YoKenny]

Maybe if you posted your operating system and Service Pack level and email client it would help. 

[Saffron_Blaze]

Vista SP2, Outlook 2003.

When I open Outlook the Avast MS Office plugin splash shows on start up.
Mail shield is running and both inbound and outbound messages are selected for scanning.
Attachment scan is also checked off.
Heuristics is set to normal.

[Asyn]

When I open Outlook the Avast MS Office plugin splash shows on start up.
Mail shield is running and both inbound and outbound messages are selected for scanning.
Attachment scan is also checked off.
Heuristics is set to normal.

So did you send the sample to avast yet..??
If not, please do so..!!
Thanks..!
asyn

[Saffron_Blaze]

Oddly enough when I sent it to Avast the scanner detected the malware and blocked it.

[Saffron_Blaze]

Oddly enough when I sent it to Avast the scanner detected the malware and blocked it.


Note in the original email it reports the email as clean.

From: Nettie Beatty [mailto:henpeckedbg26@rollover.com]
Sent: June-08-10 8:10 PM
To: [deleted]
Subject: Changelog 07.06.2010

 

Hello,
as promised,
Nettie




--------------------------------------------------------------------------------

avast! Antivirus: Inbound message clean.

Virus Database (VPS): 08/06/2010
Tested on: 08/06/2010 7:40:40 PM
avast! - copyright (c) 1988-2010 ALWIL Software.

[Asyn]

Oddly enough when I sent it to Avast the scanner detected the malware and blocked it.

That's not so odd, but if avast already dedects it, there's no need to send it..!!
asyn

[Saffron_Blaze]

I think you are missing the point. Avast is NOT detecting these virus laden attachments when the email comes inbound to my mailbox. If it were the attachment would have been blocked. I suppose the virus variant might not have been in the database when it was sent but is now? Just looking to understand.

[Asyn]

I think you are missing the point. Avast is NOT detecting these virus laden attachments when the email comes inbound to my mailbox. If it were the attachment would have been blocked. I suppose the virus variant might not have been in the database when it was sent but is now? Just looking to understand.

Well, the point is avast dedects it now..!
There are thousands of new threats every! day, so we (users) have to participate..!!
And that's what you did, so thank you for that...!!
asyn