A new worm that AVAST doesn't/can't kill.

The name is a1g.exe or Atak.b.
I found it on my computer but AVAST can find it; I removed it myself but still don't know if it's over or not.
I attach it as a txt file, but it needs to be renamed to a1g.exe.
I hope AVAST can take a look at this worm.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.
Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.

I uploaded this file to VirusTotal and only one detected it by signature and one classed it as suspicious out of 32 different scanners.

The file name a1g.exe could be designed to look like the alg.exe in the windows\system32 folder.

What detected it, or were you just suspicious?
Where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Hi glm,

Atak.b has been around quite some time now (2003), so it might well be that it is no longer in the Avast cocktail, because there is not a single AV product that protects against the full range of malware (that is why I also use additional non-resident scanning with other AV scanners, e.g. Dr.Web, ClamWin etc.).
Here is some additional information on this particular malware, which might also be interesting for our other forum members: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39655

polonus

Hi, guys.
I know it's not a new worm and I found lots of info about it on Google; that's the reason I question why avast can't kill or find it. I scanned all of my disks. BTW, I'm using the Home edition.

I detected it with my NetLimiter (it can view all the traffic through my PC). I found a1g.exe trying to connect to an IP, and I didn't know what a1g was, so I googled it and then I knew it's a worm. I think it's more like a trojan; I don't know whether it sent any of my passwords to that IP or not, cuz I didn't use a sniffer when I found it.

I found a1g.exe at C:\windows\system32\; it pretends to be a system protected file and is hidden.
I deleted it and removed all the related keys in the registry. So far, I don't see it again.
Anyway, thanks for your help.

As you can see avast isn't alone in not detecting this, with only 2 out of 30 AVs detecting it on VirusTotal and one of those detecting it only as suspicious. So I believe this may be a new variant of an old virus. This is why I suggested sending the sample to avast so that it can be analysed and the VPS updated.

It is a common tactic to place files in the system folders to confuse people into not deleting them. You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Welcome to the forums.
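The two points raised in this thread, a file name chosen to imitate a legitimate Windows binary (a1g.exe next to alg.exe) and an unknown file hidden in a system folder, can be turned into a simple triage check. The following script is an added example and is not code from anyone in this thread or from Avast; it compares a directory listing against a baseline of known system file names, normalising common look-alike characters (1 for l, 0 for o, and so on) and allowing one edit of difference, and additionally notes files carrying hidden+system attributes that are not in the baseline. The directory listing, the baseline and the homoglyph table are all constructed for the example; on a real machine you would feed it the output of a recursive listing of the system folder instead.

```python
from typing import Dict, List, Optional, Set

# Constructed, deliberately small baseline of legitimate System32 binaries.
KNOWN_SYSTEM_FILES: Set[str] = {
    "alg.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
}

# Constructed table of characters commonly swapped for look-alikes in names.
HOMOGLYPHS = str.maketrans({"1": "l", "|": "l", "i": "l", "0": "o", "5": "s", "3": "e"})

# Constructed directory listing: name plus the hidden/system attribute bits.
SAMPLE_LISTING: List[Dict] = [
    {"name": "alg.exe",     "hidden": False, "system": False},
    {"name": "a1g.exe",     "hidden": True,  "system": True},   # the file from this thread
    {"name": "svch0st.exe", "hidden": False, "system": False},  # constructed look-alike
    {"name": "lsass.exe",   "hidden": False, "system": False},
    {"name": "notepad.exe", "hidden": False, "system": False},  # unknown but unremarkable
]


def normalize(name: str) -> str:
    """Lower-case the name and fold look-alike characters onto their targets."""
    return name.lower().translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, baseline: Set[str]) -> Optional[str]:
    """Return the baseline name this file imitates, or None if it is either
    a genuine baseline file or not close to any of them."""
    lower = name.lower()
    if lower in baseline:
        return None  # exact, legitimate name
    folded = normalize(lower)
    for legit in baseline:
        if normalize(legit) == folded:
            return legit  # differs only by homoglyph substitution (a1g vs alg)
    stem = lower.rsplit(".", 1)[0]
    for legit in baseline:
        if edit_distance(stem, legit.rsplit(".", 1)[0]) == 1:
            return legit  # one character off (typo-squatted name)
    return None


def triage(listing: List[Dict], baseline: Set[str]) -> List[Dict]:
    """Flag entries that imitate a known name or hide an unknown file with
    hidden+system attributes. Each finding lists every reason that fired."""
    findings = []
    for entry in listing:
        reasons = []
        target = lookalike_of(entry["name"], baseline)
        if target:
            reasons.append(f"name imitates {target}")
        if entry["hidden"] and entry["system"] and entry["name"].lower() not in baseline:
            reasons.append("hidden+system attributes on a file not in the baseline")
        if reasons:
            findings.append({"name": entry["name"], "imitates": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING, KNOWN_SYSTEM_FILES):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

A flagged name is a lead for submitting the sample, as suggested above, not proof of infection; a genuine-looking name that is not in the baseline (notepad.exe here) is deliberately left alone, because an incomplete baseline would otherwise drown the lookalike hits in noise.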