false negative: directx.trojan

I was infected by the same virus this guy was:

http://www.computing.net/security/wwwboard/forum/19251.html

The name of the virus is directx.trojan. The current version of Avast does not detect it!!! I was able to remove it using Prevx.

Is there any way I can report this virus to Avast so that it is included in the program’s database and detectable in future versions?

Prevx found the virus in DIRECTX.EXE at the system32 folder. I noticed I was infected when Zone Alarm detected a file named IEXPLORE.EXE trying to act as a server. I denied, but after that my MSN messenger wouldn’t connect. Firefox was working fine, but Internet Explorer wasn’t opening any websites. I checked the list of processes in the Task Manager and noticed IEXPLORE.EXE was running even though the browser was closed. So I terminated the process and now both MSN and MSIE would work fine. However, next time I restarted Windows, the whole same thing happened again. I searched my computer for IEXPLORE.EXE and found it in a strange folder, other than the one in which the real browser is. I deleted it, but that didn’t fix the problem, and next time I restarted the file was back in a different folder with a similar name, causing the same problems. So I googled and found out that Prevx could remove this virus, so I installed it and it worked.

In case you don’t want to click on the link above, I’m copying his messages here. Notice that he had the exact same problems I had:

Name: Franball
Date: August 17, 2006 at 02:41:03 Pacific
Subject: Help! iexplore.exe all over!
OS: Windows XP
CPU/Ram: Athlon XP
Manufacturer/Model: AMD
Comment:

Hi... This is what happens from the beginning. I turn on the computer. When Zone Alarm finishes loading at startup, it tells me that IEXPLORE.EXE is trying to act as a server on the internet. Of course the real iexplore.exe from c:\program files is not running. This one comes from "c:\windows\$MSI31Uninstall_KB893803v2$", just to name one, since every time I erase the file, another one comes out from a folder with a similar name. Then, after finding out that no antivirus/antispyware detects it, I go to regedit and start deleting the entries, but when I restart the computer, the registry entries are back, and IEXPLORE.EXE is trying to gain access to internet and act as a server again! ... PLEASE PLEASE HELP ME IT'S DRIVING ME CRAAZY! THANX

Name: Franball
Date: August 17, 2006 at 11:52:42 Pacific
Subject: Help! iexplore.exe all over!
Reply:

Thank you so much for trying to help me out murr but I've finally killed it. Apparently it was the trojan.directx malware that kept creating those explorer.exe files. I used PREVX since no other antivirus/antispyware detected it. Thanx again!

Can you send the samples to virus@avast.com ?
You can zip and password the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks :wink:

What is “Chest” and “Alwil” and how do I send it to them?

I just zipped/passworded the file, I’ll send it to avast as you suggested.

The avast chest is a quarantine where infected or suspect files can’t do any harm. If you detect a virus, etc. one of the options is to send it to the chest (best option) ‘first do no harm’ don’t delete, send virus to the chest and investigate.

Files you believe are viruses or suspect but that are not detected by avast can be manually added to the Chest, User Files section, by opening the avast Chest, User Files section, then File, Add (see image).

Alwil is the company that makes avast and from the Chest you can send suspect/undetected files to Alwil Software, also in the image.

I emailed the virus (password protected) to virus@avast.com as you suggested, but it seems like avast is still unable to detect it. It’s been over 6 weeks now!

This virus keeps coming back. Can anyone please help?

Only Alwil team could help… it’s a shame and a pity this detection has not been updated yet
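
The symptom both reports share, an IEXPLORE.EXE process running from a folder other than the real browser's, can be checked for mechanically even when no signature exists yet. The following is an added example, not part of the thread and not avast or Prevx code; the function name, the watch list and the sample process list are assumptions constructed for illustration, and only the `$MSI31Uninstall_KB893803v2$` path comes from the post above.

```python
import ntpath  # Windows path rules, usable on any OS

# Watch list: image name -> directories it is expected to run from (lower-case).
# These are the standard Internet Explorer locations; extend for other binaries.
EXPECTED_DIRS = {
    "iexplore.exe": {
        r"c:\program files\internet explorer",
        r"c:\program files (x86)\internet explorer",
    },
}


def find_masquerading(processes, expected=EXPECTED_DIRS):
    """Return (pid, path) for every process whose image name is on the watch
    list but whose executable sits outside the expected directories."""
    hits = []
    for pid, path in processes:
        # Collapse '..' segments and ignore case, as Windows itself does,
        # so a path cannot pass the check by merely starting with a good prefix.
        norm = ntpath.normpath(path).lower()
        directory, name = ntpath.split(norm)
        allowed = expected.get(name)
        if allowed is not None and directory not in allowed:
            hits.append((pid, path))
    return hits


# Constructed sample of (pid, image path) pairs, e.g. exported from a process
# listing. PIDs are invented; the second path is the one quoted in the thread.
SAMPLE = [
    (1204, r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"),
    (1876, r"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\IEXPLORE.EXE"),
    (2040, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (2112, r"C:\Program Files\Internet Explorer\..\..\WINDOWS\Temp\iexplore.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE):
        print(f"suspicious: pid {pid} runs {path}")
```

Because the check keys on location rather than file content, it keeps flagging the process when the file reappears in a differently named folder after a reboot, as described in the first post.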