Avast! Home not picking up 

system · 2007-01-20T12:43:34.000Z

Hello Folks - I need some advice.

I received one of the infected emails as described at The BBC New website.

Avast! Home allowed me to save the attached exe (after warning me about a suspicious attachment) and a manual virus scan deems it to be clean. An on-line scan from the Avast site also deems it to be clean. If I attempt to attach it to a Yahoo mail it informs me that the exe contains the Trojan.Packed.8 virus.

I sent two copies of the infected email (one with the attachment zipped and the other unzipped) to virus@avast.com over 24 hours ago. Avast! Home build 4.7.942 and VPS database 704-0 still do not detect it; neither does the on-line scan I undertook just now (20/01/07 at 12.30)

AVG 7.5 also traps the virus, referring to it as Downloader.Tibs

I am somewhat surprised at the lacklustre response to this threat. Am I doing something wrong, or is Avast well behind the opposition on this one?

Lisandro · 2007-01-20T13:14:53.000Z

jingarfield post:1:

I am somewhat surprised at the lacklustre response to this threat. Am I doing something wrong, or is Avast well behind the opposition on this one?

The time frame of updating for virus submition could vary a lot depending if the virus is on-the-wild, available virus analysts resources, etc.
Of course, we all want it as fast as possible. Oh, another tip, Alwil team does not answer submitted emails. The priority is the database update.

system · 2007-01-20T14:17:05.000Z

The priority is the database update

I quite agree. However, at this point the database update has not occurred, whilst it seems that your major opposition has been able to achieve such an update.

Trend also detects the virus, referring to it as troj_small.edw

As an aside, an automated response to emails sent to virus@avast.com might be useful; that way people would know that their emails containing a potentially nasty payload had not been stopped en route.

DavidR · 2007-01-20T14:29:48.000Z

You say you sent one zipped and the other not, but you don’t mention password protecting the zipped file, so there is every likelihood that neither got to avast.com, just as your Yahoo mail experience shows. Email servers on route are likely to have anti-virus scans which can open zipped files to scan, applying a password stops that.

You could also add it to the avast chest, User Files section (File, Add) and send it from there, it will be sent encrypted, submissions sent from the chest are detected upon receipt and filtered from those coming in in the way you sent yours. This should help as over 4000 email are received at the virus@avast.com address.

system · 2007-01-20T14:58:06.000Z

David, thanks for the response.

No, I did not password protect the zip file - I will do so in future.

Thanks for the tip about adding the file to the vault and sending that way - now done!

However, all this makes it sound as though I am on the cutting edge of a virus outbreak. The fact that the BBC has had time to cover it suggests that I am in the second wave at least. In this instance it does seem as though Avast! is somewhat behind the level of performance of other AV suppliers.

DavidR · 2007-01-20T16:00:41.000Z

If this is the storm warning issue 230 killed in Europe, etc. there are always going to be this type of social engineering attempt to get people to open emails and attachments or click links, etc. So the usual common sense approach applies don’t open unsolicited emails, attachments or click links on the same unsolicited email.

Whilst there doesn’t seem to be a direct identification by avast don’t forget that even without it avast did alert you to the suspicious attachment. Before avast can do anything it first has to obtain a sample and there is no cross anti-virus company co-operation in the sharing samples.

system · 2007-01-21T09:30:34.000Z

I received another suspicious file this morning. This executable was deemed clean by Avast! and also clean by the Yahoo Mail and Trend Housecall AV scanners.

Using my new-found knowledge I have submitted this file to Avast via the Chest.

Perversely, I am happier having had this result as it suggests that perhaps Avast! are not as far off the mark as my experience the other day suggested.

Lisandro · 2007-01-21T12:14:54.000Z

jingarfield post:7:

This executable was deemed clean by Avast!
Using my new-found knowledge I have submitted this file to Avast via the Chest.

Am I correct to think that you’ve sent the file to Chest manually as avast did not detect it?
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result.

system · 2007-01-21T13:22:10.000Z

Hello Tech,

Thanks for taking the time and trouble to reply - I am learning a lot through this process

Result from Jotti:
Scan taken on 21 Jan 2007 13:17:06 (GMT) AntiVir Found TR/Small.DBY.G ArcaVir Found nothing Avast Found nothing AVG Antivirus Found Downloader.Tibs BitDefender Found Trojan.Spambot.EE ClamAV Found Trojan.Downloader-656 Dr.Web Found Trojan.Spambot F-Prot Antivirus Found W32/Downloader.AYES F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.bet Fortinet Found nothing Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.bet NOD32 Found Win32/Fuclip.B Norman Virus Control Found nothing VirusBuster Found Trojan.DL.Tibs.Gen!Pac16 VBA32 Found nothing

It is a nasty!

Lisandro · 2007-01-21T13:31:06.000Z

jingarfield post:9:

Thanks for taking the time and trouble to reply - I am learning a lot through this process

No. We thank you because you’re helping to improve avast detection.

jingarfield post:9:

It is a nasty!

Almost sure…
I hope Alwil take a look here soon…

DavidR · 2007-01-21T13:55:32.000Z

I find that VirusTotal is better as it uses the Windows version of avast and has currently 29 different AVs. Jotti uses the Linux version which has less supported packers I believe and Jotti has fewer AV scanners.

system · 2007-01-21T14:30:19.000Z

Email response from VirusTotal:
`* name: Read News.exe

size: 31395
md5.: 562d6dad245497e6c95d1bb33e4bedda
sha1: 9c034ab17d66dfb346cc0c261b031161ec52ef19

[ scan result ]
AntiVir 7.3.0.26/20070121 found [TR/Small.DBY.G]
Authentium 4.93.8/20070120 found [W32/Downloader.AYES]
Avast 4.7.936.0/20070118 found nothing
AVG 386/20070121 found [Downloader.Tibs]
BitDefender 7.2/20070121 found [Trojan.Spambot.EE]
CAT-QuickHeal 9.00/20070120 found nothing
ClamAV devel-20060426/20070121 found [Trojan.Downloader-656]
DrWeb 4.33/20070121 found [Trojan.Spambot]
eSafe 7.0.14.0/20070121 found [Win32.Agent.bet]
eTrust-InoculateIT 23.73.118/20070120 found nothing
eTrust-Vet 30.3.3336/20070119 found nothing
Ewido 4.0/20070121 found nothing
F-Prot 3.16f/20070121 found [security risk named W32/Downloader.AYES]
F-Prot4 4.2.1.29/20070121 found [W32/Downloader.AYES]
Fortinet 2.82.0.0/20070121 found nothing
Ikarus T3.1.0.27/20070109 found nothing
Kaspersky 4.0.2.24/20070121 found [Trojan-Downloader.Win32.Agent.bet]
McAfee 4943/20070119 found nothing
Microsoft 1.1904/20070121 found nothing
NOD32v2 1994/20070121 found [Win32/Fuclip.B]
Norman 5.80.02/20070120 found nothing
Panda 9.0.0.4/20070121 found nothing
Prevx1 V2/20070121 found [Win32.Email-Worm.Gen]
Sophos 4.13.0/20070120 found nothing
Sunbelt 2.2.907.0/20070112 found nothing
TheHacker 6.0.3.152/20070121 found [Trojan/Downloader.Generic]
UNA 1.83/20070119 found nothing
VBA32 3.11.2/20070120 found nothing
VirusBuster 4.3.19:9/20070121 found [Trojan.DL.Tibs.Gen!Pac16]`

As DavidR suggests, it does seem as though VirusTotal checks more sources.

Edited to add for Tech;

Yes, I manually added the suspect file to the vault after it was passed clean by Avast! and then emailed it from there.

system · 2007-01-22T14:25:02.000Z

Both files now flagged as infected by VPS 704-1

DavidR · 2007-01-22T14:37:57.000Z

Thanks for the feedback, looks like the sending from the chest gets quicker attention ;D

Lisandro · 2007-01-22T16:22:20.000Z

Thanks avast team 8)

system · 2007-01-22T16:29:34.000Z

Yes Indeed

I don’t think that I have received a virus that was unknown to Avast! before; I have found this a most informative experience.

Announcements