A worm (Worm.Sifiliz) and a Trojan (Wsgame) ignored by avast

Trojan.PWS.Wsgame
Worm.Sifiliz (DRWEB classification)

Opening my flash drive with Total Commander I found a read-only system file mvxm.cmd and similiarly attributed autorun.inf . These files weren’t shown in Windows explorer, regardless of the setting to see hidden-system files. I’ve already come across trojans that write such files to root directories, so I immediately performed a checkup. Avast didn’t find anything. And then I checked root dirs of all local drives to discover the same situation there. Clearly malware activity- so I downloaded Drweb CUREIT (Drweb.ru) scanner and used it. Cureit found Trojan.PWS.Wsgame, and additionaly a Worm.Sifiliz in a html file on my harddrive. Sad that avast ignores the trojan (which thanks God is for stealing passwords for online games, which I dont play), and the worm (which as I found has appeared in 2007, see http://www.antivirus.ru/VirAnaliz71024.html if you can read Russian), some antiviruses have improved, here are the results of VIRUSTOTAL.COM scan:

Antivirus Version Last Update Result
AhnLab-V3 2008.4.15.1 2008.04.15 -
AntiVir 7.6.0.85 2008.04.15 -
Authentium 4.93.8 2008.04.14 -
Avast 4.8.1169.0 2008.04.15 -
AVG 7.5.0.516 2008.04.15 Downloader.Agent
BitDefender 7.2 2008.04.15 -
CAT-QuickHeal 9.50 2008.04.14 -
ClamAV 0.92.1 2008.04.15 -
DrWeb 4.44.0.09170 2008.04.15 Worm.Sifiliz
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5700 2008.04.15 -
Ewido 4.0 2008.04.15 -
F-Prot 4.4.2.54 2008.04.15 -
F-Secure 6.70.13260.0 2008.04.15 Trojan-Downloader.JS.Remora.w
FileAdvisor 1 2008.04.15 -
Fortinet 3.14.0.0 2008.04.15 -
Ikarus T3.1.1.26.0 2008.04.15 -
Kaspersky 7.0.0.125 2008.04.15 Trojan-Downloader.JS.Remora.w
McAfee 5274 2008.04.15 Exploit-IFrame
Microsoft 1.3408 2008.04.14 -
NOD32v2 3029 2008.04.15 -
Norman 5.80.02 2008.04.15 -
Panda 9.0.0.4 2008.04.14 -
Prevx1 V2 2008.04.15 -
Rising 20.40.11.00 2008.04.15 -
Sophos 4.28.0 2008.04.15 -
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.15 -
TheHacker 6.2.92.278 2008.04.15 -
VBA32 3.12.6.4 2008.04.14 -
VirusBuster 4.3.26:9 2008.04.15 -
Webwasher-Gateway 6.6.2 2008.04.15 JavaScript.CodeUnfolding.gen!High (suspicious)

So now six antiviruses recognise it instead of 2, in a half-year’s time, but avast isn’t among them. Alas.

AVAST version: 4.8, WIN XP SP2 and further updates.

I placed the malware RAR-packed here if anyone wants to check them:
http://dfsite.narod.ru/siloxane_rubbers.rar
http://dfsite.narod.ru/virus.rar
Password for both archives - virus

avast! detects mvxm.cmd with a generic definition.

The Sifiliz worm is described by McAfee as an IFrame exploit.

McAfee 5274 2008.04.15 Exploit-IFrame

Previously WebShield has detected exploits on web pages where avast! on VirusTotal detects nothing. I wonder if WebShield would detect the exploit when trying to view the HTML page via the web? I feel an experiment coming on…

Unfortunately, WebShield doesn’t warn about the HTML page when viewed: one for the avast! team to add.

LinkScanner sees it as an ActiveX exploit: