EXEs being changed

Hello,
I downloaded a file: “CD Utils” and scanned it with Avast (home edition, recently updated). It showed no problems. When I ran the “run” exe I immediately got a balloon saying Avast was disabled and I had no virus protection. I tried running Avast and got a message saying, “ashAvast.exe is not a valid Win32 application.” I took a look at the file and saw that the ‘modified’ date was just now. In fact, watching it, I saw that it was being modified every few seconds!
So I tried a couple of other scanners I have with the same results. It’s even happening to Hijack This.
So I tried rebooting in safe mode; Nope. My PC keeps rebooting until I choose Normal Mode. Also, when I boot up an explorer window comes up showing my documents and settings. I looked in msconfig and saw nothing unusual in the startup. I know because I had been looking at the startup entries recently.
So . . . does anyone know anything about this? Am I doomed to format my C:?

Ken

show the file on virustotal plz

Pardon my noobness but what is virustotal? Also, I deleted the file (scared of it). I could try to find it again.

www.virustotal.com

  1. It uses the Windows version of the AVs so avast has more unpackers for windows and that is the version most are using.
  2. There are 27 different scanning engines greater than the others.
  3. It also has an email submission option for periods when they are busy and you get a reply.
  4. It can queue the submission and you can carry on browsing and you will eventually (not too long) get your result displayed.

Ok, I did that. There were lots of results. Now, will it be possible to get rid of the virus(es)?

I’m afraid it isn’t particularly good news - your system is infected, probably by a variant of Beagle that tries to disable anti-virus programs; the error you mentioned appears to be one of the signs of that.

I tried running Avast and got a message saying, "ashAvast.exe is not a valid Win32 application."

I took a look at the file and saw that the ‘modified’ date was just now. In fact, watching it, I saw that it was being modified every few seconds!

So because of this modification it may indicate that it has got past the self-defence module and this is another pointer to a variant of beagle.

As you are finding it is disabling other security applications also.

Commonly this is hidden by a rootkit, so you can try these tools.

Then try, DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in safe mode.

DrWeb also do a Live CD if you are unable to get into your system see, http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

  • How to restore Safe Boot.
    The malware may have deleted the SafeBoot registry keys.
    Here are some options to restore them:

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Also see http://forum.avast.com/index.php?topic=26554.msg216924#msg216924

What was the URL of the VirusTotal results page?
That information helps us to help you.
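Two of the symptoms described above (an .exe that Windows suddenly calls "not a valid Win32 application", and a modified date that keeps ticking forward) can be checked without any AV engine. The script below is an added example, not something from this thread or from Alwil: it verifies that a file still starts with a DOS header whose e_lfanew field points at the PE signature, and compares two snapshots of last-modified times to list which executables were rewritten in between. File names such as ashAvast.exe in the demo section are constructed placeholders written into a temporary directory, not the real binaries.

```python
# Added example (not from this thread): check whether security-tool executables
# still have a sane PE header and whether they keep changing on disk. The
# directory and file names used below are constructed for the demo.
import os
import struct
import tempfile
import time

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_LEN = 64


def pe_header_status(data: bytes) -> str:
    """Return 'ok' if the bytes start with a DOS header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature; otherwise a short reason.
    Windows reports 'not a valid Win32 application' when this check fails."""
    if len(data) < DOS_HEADER_LEN:
        return "too short for a DOS header"
    if data[:2] != MZ_MAGIC:
        return "missing MZ magic"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] != PE_SIGNATURE:
        return "missing PE signature"
    return "ok"


def check_executable(path: str) -> str:
    """Read a file from disk and classify its header."""
    with open(path, "rb") as fh:
        return pe_header_status(fh.read())


def snapshot_mtimes(paths) -> dict:
    """Record the last-modified time (nanoseconds) of each path that exists."""
    return {p: os.stat(p).st_mtime_ns for p in paths if os.path.exists(p)}


def changed_between(before: dict, after: dict) -> list:
    """Paths whose mtime differs between two snapshots, or that only appear in the second."""
    return sorted(p for p in after if before.get(p) != after[p])


def build_minimal_pe_stub() -> bytes:
    """A constructed, non-executable byte string with a valid-looking header:
    64-byte DOS header, e_lfanew = 64, then the PE signature and padding."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_LEN)
    return bytes(dos) + PE_SIGNATURE + b"\0" * 20


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "ashAvast.exe")  # constructed name, not the real binary
        bad = os.path.join(tmp, "scanner.exe")    # constructed name
        with open(good, "wb") as fh:
            fh.write(build_minimal_pe_stub())
        with open(bad, "wb") as fh:
            fh.write(b"this is not a PE file at all")
        for p in (good, bad):
            print(os.path.basename(p), "->", check_executable(p))

        # Take two snapshots around a simulated rewrite of one file.
        before = snapshot_mtimes([good, bad])
        time.sleep(0.05)
        with open(good, "ab") as fh:
            fh.write(b"\0")
        after = snapshot_mtimes([good, bad])
        print("changed since last look:", [os.path.basename(p) for p in changed_between(before, after)])
```

On a real system you would point `snapshot_mtimes` at the installed AV and anti-rootkit executables and run it twice a few seconds apart; a file that fails `pe_header_status` or shows up in `changed_between` on every pass is the same evidence Ken saw in the file's properties dialog, just collected in one place.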

http://www.virustotal.com/analisis/ba68d890d53b8f31fdc840841f057ba6

Thanks for your efforts!
Ken

I forgot to mention - System Restore does not work either.

I tried Panda Root Kit. It is also affected: " . . not a valid Win32 application."

it’s Beagle…

Ok, how do I get rid of it?

Read the instructions, download and burn (maybe from another computer), finally use one of these rescue CDs:

  1. Avira
  2. Kaspersky
  3. BitDefender
  4. F-Secure
  5. Dr. Web

Oh, if that fails, try full computer on-line scanning:
Kaspersky
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender

That is just one of the tools, keep trying in the hope one gets through, you should also send this to avast.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

I’m wondering here, how come Self-Defense didn’t help here? I know it can still be bypassed like any other thing out there but this easy?
Or maybe he turned off Self-Defense…

There is one beagle variant that I know of that can get past most AVs including avast’s self-defence. Hopefully they will get the sample to analyse and combat the element that is effectively disabling avast.

Some Beagle variants just make self defense a joke… it’s sad, but it’s true.

First of all, I didn’t turn Self Defense or anything else off.

Ok. Here are the results of my efforts thus far.

Online scanners:

Kaspersky - Scans but does not repair anything.

ESET - Found the virus but only in the file I downloaded, “CD Utils.rar”.
It deleted that file but did nothing for the system which is still infected.

Bit Defender - I cannot get to their online scanner. It shows an EULA with an “Accept” button but clicking that does nothing. I am awaiting a response to my email to their support service. They acknowledged the email and said I will be contacted within 48 hours.

Trendmicro house call - Another app that scans only; no repairs.

F-Secure - Will not load and run. Says I don’t have some authority needed. (I am the administrator of this PC)

Bootable CDs:

Dr. Web - Boots but doesn’t do anything. Am I missing something here?

Bit Defender - Boots and goes through its installation process until it gets to “Trying to update Bit Defender Scanner . . .” then hangs for a bit before rebooting itself to normal Windows.

F-Secure - This one ran successfully. It took a few hours and it did find a couple of viruses hidden in some things I don’t ever use (got them in case I ever needed, glad I didn’t). But it did not detect the Beagle or Bagle virus.

I have not yet tried the other bootable CDs but will be doing so as you read this. I also will get another copy of the CD Utils file and send it to Avast in a password protected RAR. I’m not sure how I would put it in the Chest without the use of Avast.

If there is ANYTHING anyone can think of for me to try I am able and willing. I would REALLY rather not format my C: and have to reinstall 111 gig of applications that I need daily. I really appreciate your efforts and whatever further assistance you might have for me.

Thank you,
Ken

sepulchre, you did a huge job trying to clean…
I wish the avast team would take a look at this dangerous virus that, for years, has been the weakness of the avast installation, destroying it.
The best would be trying to improve avast detection of this particular variant of Beagle.
Do you have any known file that is infected with it?