Dangerous Alert with Win32:Banker-AJJ [Trj] (Serious Bug maybe?)

Hello guys!

I would like to alert you of a weird problem that avast had with Win32:Banker-AJJ [Trj]. This file is (or at least should be) already detected by Avast.

I was testing avast with the mentioned trojan.

Here are the facts in order:

1- I downloaded a file called makemsg.exe

2- Webshield didn't alert me about anything

3- The file was saved in my HD

4- Standard shield didn't alert me either

5- I uploaded the file to VirusTotal and Jotti. On both sites Avast detected the file as Win32:Banker-AJJ [Trj]

6- I made an on-demand scan of the file; avast detected it as Win32:Banker-AJJ [Trj] on my machine.

7- I decided to execute the trojan on my machine to check the behavior of Avast.

8- The file was executed, avast didn't alert me… Conclusion: the malware was activated and created 2 files named lsass32.exe, one in the system32 folder and one in the startup folder. Also, the registry was configured to auto-start both files at the next startup.

9- Kerio Firewall asked permission to connect to the internet, which I denied.

10- I restarted my computer to see the behavior of Avast. After the restart, the trojan was loaded, and avast didn't alert me, and suddenly it closed itself without any error; the process was ended…

11- I made an on-demand scan; avast found two instances of the mentioned trojan in memory, and asked for a boot-time scan, which I did. After the scan, it didn't alert me about any malware. But when Windows was running again, I could verify that both files were successfully removed from the system and both registry modifications were removed as well… In other words, the boot scan made a full clean of the malware on my system…

The question is, why did avast allow my system to get infected? If it had the signatures of this specific trojan, shouldn't it have prevented the infection of my system? Why didn't web shield and standard shield do anything?

Additional information:

→ Windows XP
→ Standard shield and web shield were active with the default settings (they detected the eicar test normally)
→ Avast was fully updated.
→ When I allowed the avast updater in Kerio Firewall for the first time, I got a blue screen of death. That had never happened on my system. The second time I allowed it without problems…

Thanks for your time,

Elminster

Are you sure it isn’t a false positive?

Does it detect all types of the download eicar test virus? (text, archive, etc.) www.eicar.org

Which is your sensitivity level? I mean, I think the default is High…

Is your avast updated, I mean, both program and virus database?
Those sites use the avast Linux version and, sometimes, the detection is not the same as the Windows version.

Bad things :-\ :cry:

Better than nothing… layered defense 8)

It’s scaring :o :-\ :cry:

This is not strange… sometimes the low level intercepting/blocking of Kerio could give you blue screens even to legit programs trying to connect. I won’t be scared by ‘this’ particular thing.

Are you sure it isn’t a false positive?

→ Yeah, I am sure! I have tons of malware samples, and this specific file is detected by at least 5 other AVs… Its behavior, and the content of the file, make me sure that it's malware.

Does it detect all types of the download eicar test virus? (text, archive, etc.)

→ Yeap, detected zip, zip (2x), text and .com

Which is your sensitivity level? I mean, I think the default is High…

→ I don't believe it was high, I believe it was medium. (I can't be sure, because I am back with AVG now after this weird fact… lol) I am almost sure that it was not high…

→ Good to know that the blue screen was not the fault of Avast… =-P

Thanks for your time,

Elminster

Are you sure you do not have a messed-up installation with two antiviruses in conflict?

Yeap, I am sure… [;)]

I never install 2 avs at the same time.

I uninstall one first, use ccleaner, dust buste, disk clean, etc… and after that I install the other AV…

I never had this kind of problem before with any other av… [:(]

Well… we need further help from the technical staff of Alwil :-\

Was there anything in avast logs? Maybe you did not check and now it’s uninstalled…
Any other security program that could interact with avast?

Nope… :-\

I have ewido installed on my system… But it's not active… I didn't even install the active protection… I just use it to do on-demand scans…

Besides that, I just have Kerio Firewall active on my system.

By the way, on my system the only two things that are normally active are the AV (in that case avast) and Kerio Firewall… No other stuff is auto-loaded…

Oh, about the logs… No error, no warning… nothing…

???

Rejzor explained it better (and correctly) here: http://forum.avast.com/index.php?topic=21446.msg179059#msg179059

Yeah, I realized that…

But I tested with VirusTotal too… Not just Jotti…

Also, the avast on-demand scan on my system detected it…

A lot of other AVs have detected it as well…

Do you still have the original file (makemsg.exe) and could you possibly send it to me?

Hello!

Sorry, I usually keep the malware samples with me… But this time, after this problem, I forgot to keep it and just deleted it from my machine without burning it to a CD… [:(]

The link where I downloaded it is not active anymore:

EDIT: link removed

Hello guys!

I finally got another sample of this same trojan…

I will email it to avast… I hope you guys can find out what happened…

Because it really scared me… [:(]

Thanks for your time,

Elminster

Hi Elminster,

You should not put links to live trojans here. The uneducated may be tempted to get themselves infected. The link has gone active again:
Dr.Web (R) daemon for Linux v4.33 (4.33.0.09211)
Copyright © Igor Daniloff, 1992-2005

Last update time: 2006-06-08,20:20:46

File size: 828.4K

msgmaker.exe packed by UPACK
In file >msgmaker.exe found virus Trojan.PWS.Banker.based

So here you have your verification; here is a description of how it works: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_HEARSE.A

polonus