Avast can't find W32/Sdbot.worm.gen.ai transmitting through MSN messenger

My friend’s MSN messenger got infected by W32/Sdbot.worm.gen.ai, as called by McAfee (or Backdoor.Win32.IRCBot.yc by Kaspersky), but Avast can’t find it.

I’ve downloaded the malware and submitted it to virustotal and indeed, Avast can’t find it. Here’s the link (but I’m not sure if the result is stored in virustotal for a long time):
http://www.virustotal.com/vt/en/resultadof?2262a11552806b4d9b772a475aeace11

I’m going to send this malware to Avast anyway.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body and "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest and send it from there (right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from the chest.
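The submission format described above, as an added example that is not part of the forum post or of avast's own tooling: it packages a sample as a password-protected zip, computes the md5 (the value the VirusTotal result URL is keyed on) and sha256 to go in the mail body next to the password, and round-trips the archive with the standard library. Python's zipfile module can read but not write ZipCrypto-protected archives, so the archive is assembled by hand. The sample bytes, file name and password "infected" are constructed for the demonstration.

```python
import hashlib
import io
import os
import struct
import zipfile
import zlib

# Standard reflected CRC-32 table; ZipCrypto's key schedule uses it directly.
_CRCTABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTABLE.append(_c)


class ZipCrypto:
    """Traditional PKWARE stream cipher (APPNOTE 6.1). Cryptographically weak:
    its only job here is to keep mail gateway scanners from reading or
    stripping the attachment, not to keep the sample confidential."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        k = self.k
        k[0] = _CRCTABLE[(k[0] ^ c) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRCTABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = self.k[2] | 2
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)  # the key schedule advances on the plaintext byte
        return bytes(out)


def hashes(data: bytes) -> dict:
    """md5 (VirusTotal result URLs of the time are keyed on it) and sha256."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def make_encrypted_zip(name: str, data: bytes, password: bytes) -> bytes:
    """Return a zip with one stored (uncompressed), ZipCrypto-protected entry."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte,
    # which readers use to check the password before decrypting the data.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCrypto(password).encrypt(header + data)
    fname = name.encode("ascii")
    dos_time, dos_date = 0, (28 << 9) | (1 << 5) | 1   # fixed 2008-01-01 00:00
    flags, method = 0x0001, 0                          # bit 0 = encrypted; stored
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method,
                        dos_time, dos_date, crc, len(body), len(data),
                        len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags,
                          method, dos_time, dos_date, crc, len(body), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(body)
    end = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1,
                      len(central), cd_offset, 0)
    return local + body + central + end


def verify_submission(blob: bytes, name: str, password: bytes) -> bytes:
    """Round-trip check with the standard library's ZipCrypto reader."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)


# Constructed stand-in sample; not the worm discussed in the thread.
SAMPLE_NAME = "sample.exe"
SAMPLE_DATA = b"MZ" + bytes(range(256)) * 4
PASSWORD = b"infected"


def build_submission() -> tuple:
    """Archive plus the mail body (password and hashes) for a 'undetected malware' report."""
    blob = make_encrypted_zip(SAMPLE_NAME, SAMPLE_DATA, PASSWORD)
    h = hashes(SAMPLE_DATA)
    body = ("Undetected sample attached as sample.zip (archive password: %s)\n"
            "md5: %s\nsha256: %s\n" % (PASSWORD.decode(), h["md5"], h["sha256"]))
    return blob, body


if __name__ == "__main__":
    archive, mail_body = build_submission()
    assert verify_submission(archive, SAMPLE_NAME, PASSWORD) == SAMPLE_DATA
    print(mail_body)
```

Sending the archive from a real mail client is the only step left; the subject line convention ("undetected malware") and the password-in-body convention are the vendor's, so the body text is what goes into the mail unchanged.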

Yesterday I saw your post in
http://forum.avast.com/index.php?topic=26502.0
and I tried to send it through the Avast Virus Chest, but it didn't work! Avast kept saying there was something wrong, but I couldn't find the reason. My SMTP settings are all correct. I even tried using a wrong password and could see that the error message was different. I also tried several SMTP servers: Yahoo's, my ISP's, etc. The same problem! So I gave up and sent it to virus@avast.com using Thunderbird.

Notice the image: it shows the default setting 'Protocol to use' as MAPI. Did you change this to SMTP?
If you did, this may be the problem; if I do that, it fails.

Yes, of course. I changed MAPI to SMTP and then supplied the SMTP parameters, because using MAPI would imply using Outlook (or Outlook Express), which I don't use. I'm supposed to change MAPI to SMTP, am I not?

No, leave the default setting as it is, set to MAPI. I use OE6 too and have no problem with the MAPI setting, but I get errors if I change the default to SMTP. This compiles the email and an encrypted attachment and places it in your Outbox awaiting you sending it.

The Program Settings, SMTP should have your default SMTP details.

You didn't understand what I said. I don't use Outlook Express or Outlook. And I would never use such vulnerable and virus-attracting software.

Then you can't send the sample, as avast doesn't have an email client; it sets up the email and attachment ready for you to send using your email client.

The only other way to submit a sample if you don’t use an email client is by FTP. You can use the ftp server to upload big files. Upload them to ftp://ftp.avast.com/incoming

I've been using OE for years and I have never had a problem with it. There are many ways to harden any email client: keep it up to date, install security updates and, as I do, use DropMyRights so you aren't running it with administrator privileges. This limits what any potential virus can do, assuming it gets through your other defences.

Your email address is what attracts the virus, not your email client; the sender of the virus neither knows nor cares what email client you use.

Whilst most infection is email borne, for the most part you have to open and execute the attachment in an unsolicited email, or click on a link in an unsolicited email to arrive at a malicious site. The email client does none of that; a user exercising reasonable care can avoid these types of attack if their other protection doesn't detect it. If you are concerned with vulnerabilities in email, browsers can make that pale into insignificance.

I said I had sent the virus using Thunderbird. I'd suggest you use this email client rather than Outlook Express. They are both free, but Thunderbird is not only free, it's secure!

But we’re diverting from the main point of this thread! It’s about the W32/Sdbot.worm.gen.ai worm.

After a little search on the Net, I realised that this worm and its variants are really old. They first appeared in 2003 or 2004. How come Avast still can't detect their presence?!

There is absolutely no way I will use Thunderbird in its present incarnation. I have too much invested in my current email folders, etc., and Thunderbird doesn't allow me to work as I wish. I have tried several times to see if things have changed, but it cocks up the import of my folders and, worst of all, I don't want the folders in its default location. It allows you to change the default location but promptly leaves all the imported folders behind. Thanks but no thanks. It has nothing to do with security; it is about being able to work with it, and I'm more than capable of making OE secure.

There are 4087 variants of sdbot on the avast virus database and as an avast user like yourself I don’t know why this variant (old or not) isn’t detected.

Hmm, I suppose you've never heard of or come across viruses like "I love you" or "Melissa", viruses against which, no matter how hard you've worked to make your OE (or Outlook) secure, your effort is useless. You must be a young and inexperienced user who hasn't had such a bad experience with OE. Lucky for you :)

But he seems to be catching on rather quickly. ;D

Not only have I heard of them, I have also never caught them. So my efforts would seem to be far from useless.

You show your own level of experience ;D by making judgements without knowing anything about who you judge or the steps that I take to secure OE and my system, or by choosing to ignore them. I tire of this "yours must be rubbish because I don't use it" tit for tat. I guess I must be getting old ;D so I will call it a day on this futile exchange.

Hi horinius,

I can fully understand your reserve where MS software is concerned. It is called "Once bitten, twice shy!". If you come from using an OS like Win 98 SE or Win ME, like me, I know fully what you are talking about. I lost one complete OS because a person once sent me the wrong mail through Outlook, and I had to do a complete reinstall, because 20-30% of my system files were eradicated, yes. Had to start all over: driver installation, etc. etc., the works from A to Z.
That was the time I joined this forum. Now I have learned the way to make even an old OS secure by installing the right protective programs (AV, AT, ID, FW). These old experiences are also the reason that I use my own hardened version of the Flock browser over IE7 from a separate USB stick, only run script when I cannot do without it, and started to make my own component files to be able to handle events better and more smoothly, without all the memory leakages, and try other tweaks, because I also experience that everything on the Internet seems to be "broken". Well, I leave it there for now, because there are other scary aspects, but this is not the place, and apparently you know what I am hinting at. Have a gorgeous & malware-free day, and keep spreading your personal opinions. We all learn from those.

polonus