Backdoor Trojan not detected by Avast!

I am a big fan of Avast! It’s been very efficient ever since I first used it, but recently it failed me.
I noticed my Firewall (Comodo) logging suspicious behavior:
Explorer.exe was constantly trying to connect to the Internet, with an attempt every second. The external port Explorer.exe was trying to connect to was incremented with every attempt. When I first noticed it, the external port was 1346, which incremented after every attempt. The IP remained constant: 38.97.225.166.
Why would Explorer.exe constantly be trying to connect to 38.97.225.166? I thought. It could only be malicious.
I further noticed that every time I plugged a USB drive into my PC (Windows XP SP2), a new autorun.inf was created, together with a hidden folder called “Driver”. This “Driver” folder contained a “Files” folder which resembled the Recycle Bin. This folder was empty, yet when I viewed its properties, it listed 2 files. I promptly deleted the autorun.inf and Driver folder, which were promptly recreated 2 seconds later. I scanned the USB drive, to no avail.
I did a complete boot-time scan of my PC, which came up clear. Avast! could find no threat.
I got Kaspersky Internet Security 2009. Needless to say I had to uninstall Avast! when I installed Kaspersky. When I scanned the USB drive with KIS it found a Trojan known as Backdoor.Win32.VB.iqo.
On Threatexpert.com it is described as:
A malicious backdoor Trojan that runs in the background and allows remote access to the compromised system:
http://www.threatexpert.com/report.aspx?md5=2adcaf95e8bda37bbb92e8e5f43e99bd
A malicious Trojan horse or bot that may represent security risk for the compromised system and/or its network environment:
http://www.threatexpert.com/report.aspx?md5=bcbd8ec75e1f60cf73415c4dbf8af1d6

McAfee also has some info:
http://vil.nai.com/vil/content/v_156344.htm

Why did Avast! not detect this Trojan?
I am writing this post just to inform those who can do something about this, so that Avast! users can be safe.

Kaspersky Report (not exhaustive):
C Drive:

  • 2009/06/01 03:27:48 PM Detected: Backdoor.Win32.VB.iqo File C:\driver\files\dt.exe
  • 2009/06/01 03:28:01 PM Deleted: Backdoor.Win32.VB.iqo File HKLM\Software\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX5-314CCA322142}\{67KLN5J0-4OPM-01WE-AAX5-314CCA322142}
  • 2009/06/01 03:28:21 PM Deleted: Backdoor.Win32.VB.iqo File C:\driver\files\dt.exe
  • 2009/06/01 05:17:15 PM Detected: Backdoor.Win32.VB.iqo File C:\System Volume Information\_restore{7A9E6E3C-536F-4108-AA0D-0A202ECEBB41}\RP134\A0157323.exe

USB Drive:

  • 2009/06/03 08:02:13 PM Deleted: Backdoor.Win32.VB.iqo File F:\Driver\Files\DT.exe
  • 2009/06/03 08:02:13 PM Deleted: Backdoor.Win32.VB.iqo File F:\Driver\Files\DT.exe
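
An added example, not code from the original post and not an Avast or Kaspersky tool: a Python script that checks a drive root for the pattern described in the opening post, an autorun.inf whose open=, shellexecute= or shell\...\command= keys point at a binary, together with the Driver\Files\DT.exe drop that the Kaspersky report names. The autorun.inf contents, the placeholder DT.exe and the sample tree are constructed stand-ins; the real file's keys are not given in the thread, so the parser handles the general .inf shape rather than one known layout.

```python
"""Triage a drive root for the autorun.inf + hidden 'Driver\\Files\\DT.exe' pattern.

Added example, not from the original post, Avast or Kaspersky. The autorun.inf
text and directory tree built below are constructed stand-ins (assumptions)."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path
from typing import Optional

LAUNCH_KEYS = ("open", "shellexecute")                  # keys that start a program
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # e.g. shell\open\command
KNOWN_DROP = "Driver/Files/DT.exe"  # path the Kaspersky report above flagged on the stick


def parse_autorun(text: str) -> dict[str, dict[str, str]]:
    """Return {section: {key: value}} for .inf-style text, sections/keys lower-cased.
    Strips ';' comments and blank lines; tolerates keys containing backslashes."""
    sections: dict[str, dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def first_token(command: str) -> str:
    """Program part of a command line: a quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def launch_targets(sections: dict[str, dict[str, str]]) -> list[str]:
    """Programs the [autorun] section would run, without their arguments."""
    targets = set()
    for key, value in sections.get("autorun", {}).items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            program = first_token(value)
            if program:
                targets.add(program)
    return sorted(targets)


def resolve_ci(root: Path, rel: str) -> Optional[Path]:
    """Resolve a Windows-style relative path case-insensitively (FAT/NTFS semantics)."""
    current = root
    for part in rel.replace("\\", "/").split("/"):
        if not part:
            continue
        match = next((c for c in current.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        current = match
    return current


def is_hidden(path: Path) -> Optional[bool]:
    """FILE_ATTRIBUTE_HIDDEN check via the Win32 API; None when not on Windows."""
    if os.name != "nt":
        return None
    import ctypes
    attrs = ctypes.windll.kernel32.GetFileAttributesW(str(path))
    return attrs != -1 and bool(attrs & 0x2)


def triage_drive(root: Path) -> dict:
    """Report autorun launch targets and whether referenced or known drop files exist."""
    findings = {"autorun_present": False, "launch_targets": [], "payloads_found": [], "hidden": {}}
    inf = root / "autorun.inf"
    if inf.is_file():
        findings["autorun_present"] = True
        findings["launch_targets"] = launch_targets(parse_autorun(inf.read_text(errors="replace")))
    for rel in findings["launch_targets"] + [KNOWN_DROP]:
        hit = resolve_ci(root, rel)
        if hit is not None and hit.is_file():
            posix = hit.relative_to(root).as_posix()
            findings["payloads_found"].append(posix)
            findings["hidden"][posix] = is_hidden(hit)
    findings["payloads_found"] = sorted(set(findings["payloads_found"]))
    return findings


def build_sample_drive() -> Path:
    """Constructed stand-in for the infected stick; DT.exe here is a harmless placeholder."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "open=Driver\\Files\\DT.exe\n"
        'shell\\open\\Command="Driver\\Files\\DT.exe" /quiet\n'
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
        "; the real file's keys are unknown; these are assumed\n")
    payload_dir = root / "Driver" / "Files"
    payload_dir.mkdir(parents=True)
    (payload_dir / "DT.exe").write_bytes(b"MZ" + b"\0" * 62)
    return root


if __name__ == "__main__":
    print(triage_drive(build_sample_drive()))
```

Point it at the real drive with `triage_drive(Path("F:\\"))`; the known drop path is checked even when autorun.inf has already been deleted, since the post reports it being recreated within seconds.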

No one program is going to catch 100% of all malware, which is why protection in depth is advisable, and your firewall is part of that to block unauthorised outbound connections. I block all connections for explorer.exe even though you can technically type a URL in the Windows Explorer address bar.

Send the sample to virus@avast.com, zipped and password-protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

If you haven’t already got this software (freeware), download, install, update and periodically run them.
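
The beaconing pattern from the opening post, which the reply above says an outbound firewall rule is there to block, as an added example (not from the original thread and not Comodo's own tooling): detection logic run over constructed firewall log lines. The line layout, the local addresses and ports and the "Blocked"/"Allowed" wording in the sample are assumptions; the process name, the destination IP and the once-a-second cadence with a changing port follow the post. The check keys on process plus destination IP, so a port that changes on every attempt does not split the series.

```python
"""Find a process beaconing to one IP at a fixed interval in firewall log lines.

Added example, not from the original thread or Comodo. The log format below is a
constructed assumption; adapt LINE_RE to your firewall's export."""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: date time AM/PM  process  action  proto  src_ip:src_port  dst_ip:dst_port
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>\S+)\s+(?P<action>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)$")


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or None when it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %I:%M:%S %p")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_beacons(lines, min_hits: int = 10, max_jitter: float = 0.5) -> list[dict]:
    """Group by (process, destination IP); flag groups with at least min_hits
    connections whose gaps all sit within max_jitter seconds of the median gap.
    Destination and source ports are deliberately ignored for grouping."""
    by_key: dict[tuple, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_key[(rec["proc"].lower(), rec["dst"])].append(rec)
    beacons = []
    for (proc, dst), recs in by_key.items():
        if len(recs) < min_hits:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0 or max(abs(g - period) for g in gaps) > max_jitter:
            continue  # bursty or irregular traffic is not a clean beacon
        beacons.append({
            "process": proc, "dst_ip": dst, "hits": len(recs), "period_s": period,
            "dst_ports": sorted({r["dport"] for r in recs}),
            "first": times[0], "last": times[-1],
        })
    return beacons


def sample_log() -> list[str]:
    """Constructed excerpt modelled on the post: explorer.exe reaching 38.97.225.166
    once a second, the remote port incrementing from 1346, plus benign noise."""
    fmt = "%Y/%m/%d %I:%M:%S %p"
    start = datetime(2009, 6, 1, 15, 27, 48)
    lines = [
        f"{(start + timedelta(seconds=i)).strftime(fmt)} explorer.exe Blocked TCP "
        f"192.168.1.10:{3001 + i} 38.97.225.166:{1346 + i}"
        for i in range(12)
    ]
    noise = [("firefox.exe", "72.14.207.99", 443, 7), ("firefox.exe", "208.80.152.2", 443, 30),
             ("svchost.exe", "192.168.1.1", 53, 95)]  # assumed benign destinations
    for proc, dst, dport, offset in noise:
        ts = (start + timedelta(seconds=offset)).strftime(fmt)
        lines.append(f"{ts} {proc} Allowed TCP 192.168.1.10:{2000 + offset} {dst}:{dport}")
    lines.append("-- end of export --")  # non-matching line, skipped by the parser
    return lines


if __name__ == "__main__":
    for b in find_beacons(sample_log()):
        print(f"{b['process']} -> {b['dst_ip']}: {b['hits']} hits every {b['period_s']:.1f}s, "
              f"remote ports {b['dst_ports'][0]}..{b['dst_ports'][-1]}")
```

Feed it a real export with `find_beacons(open("fw.log").readlines())`; lower `min_hits` for short captures, and raise `max_jitter` if the firewall only logs to the nearest second and the timer drifts.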

Nobody likes lack of detection… but as David said, no software is perfect.
Thanks for helping improve avast detection.

Maybe you could run a full computer online scan:
BitDefender
ESET NOD32
F-Secure

For detection-only, not cleaning:
Kaspersky
Trendmicro housecall

Always send samples of such malware to Alwil! so they can tear them apart in the lab and add detection if it’s missing!

As everybody says, nobody and nothing is perfect; unfortunately that includes AVs as well^^ :)

Better send that sample to avast! to prevent future attacks^^ ;D

-AnimeLover^^

-= A layer of protection will help catch what the first, second, or so, layer missed…

(1) On-Access Antivirus [e.g. avast!]
(2) Firewall
(3) Anti-spyware/anti-malware [e.g. malwarebytes antimalware; SuperAntiSpyware]
(4) Other On-demand scanners & Utilities [e.g. Hijack This]
(5) You are also part of the protection layer since you are the one who controls the computer…

-= God bless…

You forgot one:

Security monitor such as WinPatrol:
http://www.winpatrol.com

I’ll call a layer of detection… only the first 2 are resident… (at least, free versions of them).

-= ehehe… ;D

-= Is my grammar wrong… Sorry for bad english… Layer of detection… ;D