ashDisp.exe infected.. :)

Hi ya all, howdy... ;D
Hi DavidR, Tech,
I am still enjoying my vacation: roaming, movies, etc. 8)
Anyway, I still have one more week left, but I think this needs your utmost attention... :)
OK, here is a virus that I have that is exclusively made for avast...
AND THIS THING INFECTS JUST BY VISITING A HOST SITE...
READ THIS WHOLE THING PROPERLY BECAUSE THIS IS AN ATTACK ON avast USERS
I was googling for something when Comodo Firewall warned that a program svicpa.exe from C:\windows\temp was trying to connect to the net... I blocked it.
Then another file 14q…exe in C:.…\system32.exe tried to modify IE in memory; I blocked it also.
Then it all started... all my browser windows closed automatically...
When I clicked on IE, ashDisp.exe tried to do something which Comodo warned about... but I allowed it, and then
the malware stopped me from visiting avast.com AND virustotal.com and, as suspected, all other related sites.

I closed IE and opened Mozilla Firefox... this time Comodo warned me and I blocked it, but alas,
that damned malware... I could not open any site...
I later got a warning that a process RTHDCPL.exe... [Realtek audio high definition something that comes with my motherboard CD] was doing the same :(

I ended both of them and tried IE... with no use.
I figured that there is a rootkit
and scanned with
1) Panda Anti-Rootkit... no use
2) AVG Anti-Rootkit... no use
3) F-Secure BlackLight... now this thing hung my system, I had to restart, and when I did

I got the following warning from avast :)
I scanned again with BlackLight and it caused a hang-up again, but the results were negative.
Now I killed RTHDCPL.exe and everything is back to normal... for now.
I can't find the exe in system32 now, but I managed to save the svcipa.exe and I sent it to VirusTotal... and it seems that it is malware...
So waiting for further advice guys... this thing was made to attack avast users :( :(

Antivirus Version Last Update Result
AhnLab-V3 2007.8.18.0 2007.08.18 Win-Trojan/Agent.26176
AntiVir 7.4.1.62 2007.08.19 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2007.08.17 -
Avast 4.7.1029.0 2007.08.17 -
AVG 7.5.0.484 2007.08.19 BackDoor.Agent.LKL
BitDefender 7.2 2007.08.19 GenPack:Trojan.Patched.Constructor.A
CAT-QuickHeal 9.00 2007.08.18 Backdoor.Agent.ark
ClamAV 0.91 2007.08.19 -
DrWeb 4.33 2007.08.19 Trojan.DownLoader.29692
eSafe 7.0.15.0 2007.08.16 Win32.Agent.ark
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.19 -
FileAdvisor 1 2007.08.19 -
Fortinet 2.91.0.0 2007.08.19 W32/Agent.ARK!tr.bdr
F-Prot 4.3.2.48 2007.08.17 -
F-Secure 6.70.13030.0 2007.08.17 Backdoor.Win32.Agent.ark
Ikarus T3.1.1.12 2007.08.19 Backdoor.Win32.Agent.ark
Kaspersky 4.0.2.24 2007.08.19 Backdoor.Win32.Agent.ark
McAfee 5100 2007.08.17 Generic BackDoor.m
Microsoft 1.2803 2007.08.19 -
NOD32v2 2469 2007.08.18 a variant of Win32/Agent.ARK
Norman 5.80.02 2007.08.17 W32/Agent.BYKE
Panda 9.0.0.4 2007.08.19 W32/ZLFake.A.drp
Prevx1 V2 2007.08.19 Trojan.Lozyt
Rising 19.36.60.00 2007.08.19 Trojan.DL.Win32.Agent.xry
Sophos 4.20.0 2007.08.12 Mal/HckPk-A
Sunbelt 2.2.907.0 2007.08.18 -
Symantec 10 2007.08.19 Trojan Horse
TheHacker 6.1.8.170 2007.08.17 -
VBA32 3.12.2.2 2007.08.17 Backdoor.Win32.Agent.ark
VirusBuster 4.3.26:9 2007.08.19 -
Webwasher-Gateway 6.0.1 2007.08.19 Trojan.Crypt.ULPM.Gen
Additional information
File size: 26176 bytes
MD5: b5a5dd46ac3e8fd9d485411f3ff462cd
SHA1: 8046d84f2d72d5188de89bd3762a812c8cd85eb6
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=FD62D28740F27F2166FC007712AC6C00DE4D7FD6

Are you saying that when you submit ashdisp.exe to VirusTotal it's reported as being infected? ???
If it is the original avast file, it's pretty clean for sure...

I just submitted mine and it’s clean. So something is amiss here.

The original file size is 108160 bytes. What is yours?

No guys, I uploaded
svcipa.exe... not ashdisp.exe... my bad.
Now that you guys mentioned it, I'll upload ashdisp.exe.

DAMN, it is infected man... ???
File ashDisp.exe received on 08.19.2007 17:37:53 (CET)

Result: 15/32 (46.88%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.18.0 2007.08.18 Win32/Duel.B
AntiVir 7.4.1.62 2007.08.19 -
Authentium 4.93.8 2007.08.17 -
Avast 4.7.1029.0 2007.08.17 -
AVG 7.5.0.484 2007.08.19 Win32/PEPatch
BitDefender 7.2 2007.08.19 Win32.Cuter.A
CAT-QuickHeal 9.00 2007.08.18 W32.Luder.C
ClamAV 0.91 2007.08.19 W32.Cuter
DrWeb 4.33 2007.08.19 Trojan.Inject.351
eSafe 7.0.15.0 2007.08.16 -
eTrust-Vet 31.1.5069 2007.08.18 -
Ewido 4.0 2007.08.19 -
FileAdvisor 1 2007.08.19 -
Fortinet 2.91.0.0 2007.08.19 -
F-Prot 4.3.2.48 2007.08.17 -
F-Secure 6.70.13030.0 2007.08.17 Trojan.Win32.Patched.af
Ikarus T3.1.1.12 2007.08.19 -
Kaspersky 4.0.2.24 2007.08.19 Trojan.Win32.Patched.af
McAfee 5100 2007.08.17 W32/Resourcer
Microsoft 1.2803 2007.08.19 -
NOD32v2 2469 2007.08.18 Win32/Agent.AB
Norman 5.80.02 2007.08.17 -
Panda 9.0.0.4 2007.08.19 W32/ZlFake.A
Prevx1 V2 2007.08.19 -
Rising 19.36.60.00 2007.08.19 Virus.Win32.Agent.b
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.18 VIPRE.Suspicious
Symantec 10 2007.08.19 -
TheHacker 6.1.8.170 2007.08.17 -
VBA32 3.12.2.2 2007.08.17 -
VirusBuster 4.3.26:9 2007.08.19 Trojan.Patched.S
Webwasher-Gateway 6.0.1 2007.08.19 Virus.Win32.FileInfector.gen (suspicious)
Additional information
File size: 83584 bytes
MD5: ff3298b4283fb6e7dbd796bbcb4158ab
SHA1: b39ed1025e648c3fe237aaa7b12e855f60908a24
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

ashDisp.exe IS infected :(

If you haven't already done so, send the samples to avast for svcipa.exe, 14q…exe and ashDisp.exe.
Send the sample to virus@avast.com zipped and password protected, with the password in the email body and "false positive/undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, Email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

I suggest that you rename ashdisp.exe to ashdisp.old and try an avast repair to see if that will replace the missing file.

Looking at the file size, I'd say it's been replaced. It seems to have targeted avast, as you mentioned in your first post.

Edited to add:

It would be interesting to see if the file is replaced/reinfected again after the repair, if there is still something hidden there.

Yes, that would be helpful, especially if you have put the other two files in the avast chest and deleted the files in the original location. It would indicate that there is something else going on.
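An added example (not code from any poster in this thread) of the file-size and hash comparison suggested above: it fingerprints a local ashDisp.exe and compares it with the clean size quoted in the reply (108160 bytes) and with the sizes, MD5s and SHA1s from the two VirusTotal reports posted. The avast install path is an assumed avast 4 default, and the files the demo hashes are constructed dummies, not real samples. A full hash match is definitive; a size match on its own is only a hint, since different avast builds ship different sizes.

```python
import hashlib
import os
import tempfile

# Clean ashDisp.exe size quoted in the reply above (avast 4.7 build).
CLEAN_ASHDISP_SIZE = 108160

# Values from the two VirusTotal reports in this thread: md5 -> (label, size, sha1).
KNOWN_BAD = {
    "ff3298b4283fb6e7dbd796bbcb4158ab": (
        "ashDisp.exe (patched)", 83584,
        "b39ed1025e648c3fe237aaa7b12e855f60908a24"),
    "b5a5dd46ac3e8fd9d485411f3ff462cd": (
        "svcipa.exe (dropper)", 26176,
        "8046d84f2d72d5188de89bd3762a812c8cd85eb6"),
}

# Assumed default install path for avast 4; adjust to your own installation.
DEFAULT_ASHDISP = r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe"


def fingerprint(path):
    """Return (size, md5, sha1) of a file, hashing it in 64 KiB chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return size, md5.hexdigest(), sha1.hexdigest()


def classify(size, md5, sha1, expected_size=CLEAN_ASHDISP_SIZE):
    """Verdict for one file:
    'known-bad:<label>' -> size, MD5 and SHA1 all match a sample from the thread
    'size-mismatch'     -> not a known sample, but not the expected clean size either
    'size-ok'           -> size matches; a hint only, not proof the file is clean
    """
    hit = KNOWN_BAD.get(md5)
    if hit is not None and hit[1] == size and hit[2] == sha1:
        return "known-bad:" + hit[0]
    if size != expected_size:
        return "size-mismatch"
    return "size-ok"


def check_file(path, expected_size=CLEAN_ASHDISP_SIZE):
    """Fingerprint a file on disk and classify it."""
    return classify(*fingerprint(path), expected_size=expected_size)


def demo():
    """Run the check on two constructed stand-ins (not real samples): one file
    of the clean size and one of the infected size, both filled with zeros."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        for name, size in (("looks-clean.exe", CLEAN_ASHDISP_SIZE),
                           ("wrong-size.exe", 83584)):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"\x00" * size)
            verdicts[name] = check_file(p)
    return verdicts


if __name__ == "__main__":
    print(demo())
    if os.path.exists(DEFAULT_ASHDISP):
        print(DEFAULT_ASHDISP, "->", check_file(DEFAULT_ASHDISP))
```

Run it on the real file before renaming it to ashdisp.old and again after the repair; if the post-repair file comes back "known-bad" the infection is reapplying itself from somewhere else on the system.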

Guys, could you please direct me on how to repair avast :)
I can't find the option anywhere :(


Follow this...

My Computer > Control Panel > Add or Remove Programs > scroll down and click on avast! antivirus > click on the Change/Remove button > scroll down to Repair and click to select > click on Next > follow the instructions

You must be online for this to work.


Hi guys, really sorry... my comp was totally screwed... got infected by rootkits... trojans...
They would not let me access the net, so... well, I sent it to avast for analysis :)
And I had to install a fresh copy of XP on my system... and well, I sent all the other samples I could salvage to avast :)

This is quite scary, that the virus has targeted avast and replaced its files :o. Is there some way this can be covered in an update to make avast immune against it?

It is nothing new that malware targets anti-virus and firewalls, and not just avast.

The key is to try and prevent rootkits/malware getting established; for most of this to happen they usually need to place files in system folders and create registry entries.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better, and theoretically easier, than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

  • Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP. Check Bob's setup instructions and, importantly, the dropmyrights.msi file needed, as MS have now cleared the original link.
    http://mysharedfiles.no-ip.org/dropmyrights
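As an added example (my own, not DavidR's and not part of DropMyRights) of the point in the last post, here is a small probe that tries to create a file in the locations this thread's malware wrote to and reports whether the account you browse with could do the same. The Windows Temp and system32 paths come from the thread; the avast program folder is an assumed avast 4 default path. Run it once from your normal desktop and once from a shell launched through DropMyRights: the protected folders should flip from writable to blocked, while %WINDIR%\Temp stays writable either way, which is exactly why droppers such as svcipa.exe land there.

```python
import os
import tempfile
import uuid

# Locations named in this thread: the dropper ran from %WINDIR%\Temp, a second
# file sat under system32, and ashDisp.exe lives in the avast program folder
# (assumed avast 4 default path; adjust to your own installation).
WINDIR = os.environ.get("WINDIR", r"C:\Windows")
PROTECTED = [
    os.path.join(WINDIR, "system32"),
    r"C:\Program Files\Alwil Software\Avast4",
]
DROP_ZONES = [os.path.join(WINDIR, "Temp")]


def can_create_file(directory):
    """Try to create and then remove a uniquely named file in `directory`.
    Returns True only if the create succeeded; a missing directory or a
    permission error both count as 'not writable from this account'."""
    if not os.path.isdir(directory):
        return False
    probe = os.path.join(directory, "write-probe-" + uuid.uuid4().hex)
    try:
        with open(probe, "xb") as f:
            f.write(b"probe")
    except OSError:
        return False
    try:
        os.remove(probe)
    except OSError:
        pass  # a leftover 5-byte probe file is harmless
    return True


def audit(protected=PROTECTED, drop_zones=DROP_ZONES):
    """Probe every location and return (verdict, per-path results).
    'admin-like' means the account running your browser could also overwrite
    files where this thread's malware put them; 'limited' means every
    protected folder refused the write, which is what DropMyRights gives you."""
    results = {p: can_create_file(p) for p in list(protected) + list(drop_zones)}
    verdict = "admin-like" if any(results[p] for p in protected) else "limited"
    return verdict, results


def scratch_dir():
    """A directory that should always accept writes (the user's temp dir);
    used to sanity-check the probe itself."""
    return tempfile.gettempdir()


if __name__ == "__main__":
    verdict, results = audit()
    for path, ok in results.items():
        print(("writable " if ok else "blocked  ") + path)
    print("verdict:", verdict)
```

The probe only tests file creation; it does not touch the registry, so a "limited" verdict here says nothing about HKLM write access, which DropMyRights also restricts.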