avast! webshield did not stop "Trojan.Ransom"

I almost got infected with ‘Trojan.Ransom’. According to the link below, it is a pretty nasty one that encrypts “Doc, DB, XLS, jpg and txt” files so they won’t load. Then the Trojan tries to hold you ransom by asking for $100 to break the encryption.

I ran a quick and FULL scan with avast and it didn’t detect anything. This Trojan has been out for quite some time. Why wasn’t avast able to catch this? Thankfully Malwarebytes detected it and quarantined it.

Description of “Trojan.Ransom” per Panda description here:
http://www.pandasecurity.com/homeusers/security-info/214317/Ransom.K

Background…
My wife was looking at a website for her quilting hobby and tried to download a pattern. I can’t find exactly which site she was at, and honestly I’m afraid I might find MORE than I want to since avast doesn’t detect it. All of a sudden my wife calls me, “Honey, there’s a pop-up that says we have 8 Trojans on our computer!”. I came in the room and saw that it wasn’t an avast warning, but a web-page. I suspected it was a rogue AV being offered and clicked cancel. Then a pop-up said, “You’ve chosen to run so-and-so exe file”. I knew right away that whatever mouse click I did, the file would probably run. So I locked the internet access (ZoneAlarm firewall), then cleanly shut down the computer and rebooted.

I ran quick and full scan with avast - nothing detected.

Ran a quick scan with Malwarebytes - found ‘Trojan.Ransom’ (file ‘7KbAfdav.exe.part’ located in the \local settings\temp directory). The date and time stamp was the time my wife called me into the room.

I still have that file… but it’s quarantined in Malwarebytes area so don’t know how to get it to avast without ‘restoring’ the file.

Suggestions on how to submit this to avast? Never had any luck using the ftp site upload.

Thanks.

I guess there’s no way to submit this file to avast if it’s quarantined in Malwarebytes?

Your signature says you are using an outdated version of Avast. Perhaps that is why you have difficulty uploading to Avast. Why don’t you update Avast to the current version, 5.0.677?

What I would do regarding the malware issue is to make sure your Avast definitions are current, run an Avast FULL scan, then a boot-time scan (32-bit only). If anything shows up, keep it in the Virus Chest and you can upload from there to Avast.

Then update MBAM and run another scan. If you come out clean, then you should be fine, but do NOT delete the quarantined item in MBAM.

Thanks SafeSurf for replying,

My definitions for avast AND Malwarebytes are both up to date. I ran a quick scan and a full scan with avast and neither avast scan was able to detect it. Avast should be able to detect this as it’s been out for a while… unless this is a recent variant. If this is a recent variant, my question is how to submit the quarantined file (that’s quarantined by Malwarebytes) to avast for analysis. Maybe this can’t be done — don’t know. Since the file was located in the local settings\temp directory, I don’t see where it is necessary to run a boot-time scan.

I know I don’t have the latest avast program, but I’m waiting till they fix the ‘hover over icon’ issue – which is coming out soon. The definitions for 5.0.594 are still updating.

Thanks again.

I would run a boot scan, just in case that trojan came with friends or invited some over to play. It will probably be clean, but you never know.

If Avast! does not detect it, you can extract it from the MBAM chest to a folder you can find again. Then zip and password-protect the file, attach it to an email and send the file to virus[at]avast[dot]com. Make the password something simple like “trojan”, and include the password you used in the email body.
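One way to stage a restored quarantine file for vendor submission without leaving a runnable .exe lying around, as an added Python example that is not from this thread or from Avast or Malwarebytes: the copy gets a neutral .bin name, a manifest records its SHA-256 and size, and both go into a plain ZIP that can be checked before sending. Python's standard zipfile writer cannot encrypt, so the password protection the reply asks for is applied afterwards with an archiver such as 7-Zip; the file name and bytes in demo() are constructed placeholders.

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

# Suffixes Windows or a browser may launch or resume; stripping them means a
# stray double-click on the staged copy does nothing. (.part is a partial download.)
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".part"}

def neutralized_name(sample_path):
    """'7KbAfdav.exe.part' -> '7KbAfdav.bin': drop executable suffixes, append .bin."""
    name = Path(sample_path).name
    while Path(name).suffix.lower() in EXECUTABLE_SUFFIXES:
        name = Path(name).stem
    return name + ".bin"

def sha256_of(path):
    """Stream the file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def package_sample(sample_path, out_dir, note=""):
    """Store the sample (uncompressed) plus a manifest.json in a ZIP; return (zip_path, manifest)."""
    sample_path, out_dir = Path(sample_path), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(sample_path)
    manifest = {"original_name": sample_path.name, "stored_as": neutralized_name(sample_path),
                "sha256": digest, "size_bytes": sample_path.stat().st_size, "note": note}
    zip_path = out_dir / f"sample-{digest[:16]}.zip"
    with zipfile.ZipFile(zip_path, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.write(sample_path, arcname=manifest["stored_as"])
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return zip_path, manifest

def verify_package(zip_path):
    """Re-read the archive and confirm the stored bytes still match the manifest hash."""
    with zipfile.ZipFile(zip_path) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        data = zf.read(manifest["stored_as"])
    return hashlib.sha256(data).hexdigest() == manifest["sha256"]

def demo():
    """Constructed placeholder file (not malware) run through the packaging steps."""
    work = Path(tempfile.mkdtemp())
    fake = work / "7KbAfdav.exe.part"
    fake.write_bytes(b"MZ placeholder bytes, constructed for demonstration only")
    zip_path, manifest = package_sample(fake, work / "out", note="restored from MBAM quarantine")
    return zip_path, manifest, verify_package(zip_path)

if __name__ == "__main__":
    print(demo())
```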

Thanks,

I’ll run a boot time scan just to be sure. But Malwarebytes - which found this infection - didn’t find anything else when I ran it again after rebooting.

There’s only one choice for getting a file out of the quarantine area of Malwarebytes and that is ‘restore file’. So it would go back in my ‘local settings\temp’ subdir. Will that be safe since avast can’t detect it? You can see my concern. The file name has two extenders… 7KbAfdav.exe.part. Not sure, but I suspect since I stopped the load of another file that my wife was trying to download, maybe that second file was going to change the extender? Don’t know.

Thanks again.

Sure, anytime you do this there is a certain amount of risk. Extracting it might start the whole thing over again, might not. Someone more knowledgeable would have to answer that one. But if anything bad happens or you have any lingering doubts of it all being gone from your system, there is always essexboy and his assorted malware meat-grinders. :wink:

I carefully restored the file from Malwarebytes, zipped it, protected it with a password (trojan) and attached it to an email to avast. I included a link to this discussion thread. I then deleted the file. Ran Malwarebytes again to be sure there was nothing lurking anywhere. All was clean. The boot-time scan was also clean.

Thanks for the help. Hopefully avast will be able to add this to the virus definitions.

Keep your definitions up to date on both Avast and MBAM and see how your machine behaves over the next few days. If anything starts acting strange, let us know right away and I will give you another diagnostic tool to run for malware detection. Thank you.

I will. Thanks.