I’m new to avast and pretty new to the forums. I just downloaded email in PocoMail and I got one with the subject “Email account utilization warning” from the email address “noreply@mydomain.com” (the “mydomain.com” was actually my domain – the one at which I actually have my email account). It has an attachment named “TextFile.zip” on it; the attachment shows as being 12,720 bytes in size.
It came in right past avast Pro, which I’m currently evaluating. I right-clicked and scanned the zip file in PocoMail’s attachment directory. It never tripped an alarm then, either.
Am I being paranoid? There absolutely is no email address “noreply@mydomain.com”. I own the domain and know exactly what email addresses I’ve created there. >:(
What happens if you unzip the file(s) in the archive?
What are their names and extensions?
Does the Resident Shield or the main scanner detect it then?
Is the RS active?
Scan it with other scanners, like the online scanners from KAV & Trend (see below).
If it really is a virus/worm and it is not detected by up-to-date avast, please send it in a password-protected zip archive to
virus (at) asw (dot) cz
Include a system/problem description and the password in the mail text.
My avast is indeed updated. Matter of fact, it just did 2 auto updates today and I’ve scanned and rescanned the file.
Do I really want to unzip it and look at the contents?? If it is a virus – and it certainly shows the signs of being Mydoom – won’t that launch the virus?
How do I send it in a password-protected zip file? I’m not sure how to do that.
Thanks for your response and suggestions, but I really am hesitant to unzip it.
Anybody have other suggestions? Instructions for getting the thing to avast without having to unzip?
MyDoom-A is 20.5 KB (21,019 bytes) in size (ZIP archive/maximal compression). I doubt that your “virus” is a MyDoom, unless it has a different size in each mail…
I’m perfectly willing to take suggestions on this thing.
I thought of Mydoom because 1) it’s an “error message” type subject line, and, 2) the attachment is named “textfile.zip,” which is one associated with Mydoom.
It certainly might be something else. What makes me totally suspicious that it’s not legitimate and might be some sort of virus/worm is that it comes from a non-existent address on my own domain, besides all of the above stuff.
Sure. I’ll send it to the address in your post. It’s titled “suspect-virus.zip” protected by the password “virus” as you suggested. It’ll be coming from news@gsezines.com
I’d appreciate it if you could look at it. My hope is that it’s just some sort of nutty hoax and not a virus at all.
BTW – I’m going to send it to avast. And I’m also going to try that online virus scan.
Duh. How dumb was that? I just resent it and this time I remembered to send the file.
BTW – I explained this in my email this time, but for anyone else following this thread: I did the online scan at microtrend and it immediately identified the “textfile.zip” in question as the Bagle.gen-I worm. Haven’t looked that up anywhere to see what it is.
Why would avast have missed that? While I was at it, I uninstalled the evaluation avast 4.1 Pro I was running and installed AVG Pro 7. I tried that and it TOO missed the worm.
Grrrrrr. I really DON’T want to go back to NAV. It’s so invasive of my whole computer – and NAV missed 6 variants of a different worm last week when I was running it.
Is your avast! well configured?
I mean: sensitivity, standard shield extensions…
The Internet Mail provider scans each file to see whether it is an archive file with a ‘changed’ extension. Your file has the .zip extension, so it should be caught by avast! under normal conditions and good configuration…
Yeah, I had avast configured to high sensitivity in all categories. As I said earlier in this thread, I know it was scanning email because it was inserting the messages at the end of emails.
In fact, I checked email with it one last time before uninstalling avast and it DID catch a virus that time – don’t recall which one it was.
So I’m very concerned that it will catch some viruses and not others? If I want that kind of problem, I already have that dreaded NAV I can reinstall.
Can you wait until tomorrow and ‘talk’ with Igor and/or Vlk?
I’m sure they can handle this… Anyway, today we have 2 VPS updates and maybe this thing was corrected right now…
I got one of those latest Bagle ones yesterday morning (the new variation with the password-protected zip attached, with of course the password included in the main message). My ISP’s VirusGuard caught it and quarantined it before avast even got to see it.
Since, because of the discussions about it here over the last couple of days, I already knew it was infected, I was tempted to “deliver as is” just out of curiosity to see at what point avast would catch it. But I played it extra-safe and just deleted it while still “out there”, without downloading.
We’ll be releasing a solution for this during tomorrow.
It’s a specific fix to the Beagle worm – to do this generally is impossible as ZIP passwords of reasonable length are generally immune to attacks, and to extract the password from the rest of the mail cannot be done generally (imagine e.g. the GIFs that are used to protect some web registration forms to prevent automatic filling by webbots).
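As an added example (not code from this thread, from avast or from any other product mentioned here), the following Python script shows two things the thread talks about: the first reply’s suggestion of looking at what is inside the archive without actually extracting it (identify a ZIP by its signature rather than its extension, then list entry names, extensions and whether they are password protected from the central directory alone), and the last post’s “specific fix” idea for the Bagle variant, i.e. harvesting password candidates from the mail text and trying them against the encrypted entry, which works only when the password really is written in plain text in the body. The sample archive, the inner file name “readme.exe”, the password “49315” and the mail body are all constructed for the example; the standard library can read ZipCrypto archives but not write them, so the script builds one by hand.

```python
import re
import struct
import zipfile
import zlib
from io import BytesIO

ZIP_MAGIC = b"PK\x03\x04"   # local-file-header signature
FLAG_ENCRYPTED = 0x0001     # general-purpose bit 0: traditional ZipCrypto


def looks_like_zip(data: bytes) -> bool:
    """Spot a ZIP by its signature, so a renamed '.txt' or '.dat' does not slip past."""
    return data[:4] == ZIP_MAGIC


def inspect_zip(data: bytes):
    """List (name, extension, encrypted?) for every entry without extracting anything."""
    with zipfile.ZipFile(BytesIO(data)) as zf:
        return [(i.filename,
                 i.filename.rsplit(".", 1)[-1].lower() if "." in i.filename else "",
                 bool(i.flag_bits & FLAG_ENCRYPTED))
                for i in zf.infolist()]


# 'password is 12345' / 'Password: 12345' -> '12345'; the plain-token fallback in
# candidate_passwords() catches a password that is merely mentioned somewhere.
PASSWORD_HINT = re.compile(
    r"password[^A-Za-z0-9]*(?:is)?[^A-Za-z0-9]*([A-Za-z0-9]{3,16})", re.IGNORECASE)


def candidate_passwords(body: str):
    cands = PASSWORD_HINT.findall(body) + re.findall(r"[A-Za-z0-9]{3,16}", body)
    return list(dict.fromkeys(cands))   # de-duplicate, keep priority order


def recover_password(data: bytes, body: str):
    """Try every candidate from the mail text against the first encrypted entry.
    Returns the working password, or None if no token from the body opens it."""
    with zipfile.ZipFile(BytesIO(data)) as zf:
        target = next((i for i in zf.infolist() if i.flag_bits & FLAG_ENCRYPTED), None)
        if target is None:
            return None
        for cand in candidate_passwords(body):
            try:
                zf.read(target, pwd=cand.encode("ascii"))  # raises on a wrong password
                return cand
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# --- constructed sample archive (hand-built ZipCrypto, stored entry) -------------

def _crc_step(crc: int, byte: int) -> int:
    # one raw CRC-32 table step, without zlib's pre/post inversion
    return (~zlib.crc32(bytes([byte]), (~crc) & 0xFFFFFFFF)) & 0xFFFFFFFF


def _zipcrypto_encrypt(plain: bytes, pwd: bytes, crc: int) -> bytes:
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c):
        keys[0] = _crc_step(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_step(keys[2], keys[1] >> 24)

    def encrypt(c):
        k = keys[2] | 2
        out = c ^ (((k * (k ^ 1)) >> 8) & 0xFF)
        update(c)   # keystream advances on the plaintext byte
        return out

    for c in pwd:
        update(c)
    # 12-byte header: 11 filler bytes (random in real archives, fixed here for
    # determinism) plus the CRC high byte that readers use as the password check
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
    return bytes(encrypt(c) for c in header + plain)


def build_encrypted_zip(name: str, plain: bytes, pwd: bytes) -> bytes:
    """One stored entry + central directory + end record, with flag bit 0 set."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    enc, fname = _zipcrypto_encrypt(plain, pwd, crc), name.encode("ascii")
    dos_time, dos_date = 0, ((2004 - 1980) << 9) | (3 << 5) | 1
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, FLAG_ENCRYPTED, 0,
                        dos_time, dos_date, crc, len(enc), len(plain), len(fname), 0)
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, FLAG_ENCRYPTED, 0,
                          dos_time, dos_date, crc, len(enc), len(plain),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(fname) + len(enc), 0)
    return local + fname + enc + central + eocd


SAMPLE_PASSWORD = "49315"   # constructed
ATTACHMENT = build_encrypted_zip("readme.exe", b"constructed sample payload, not a program",
                                 SAMPLE_PASSWORD.encode("ascii"))
# constructed mail body, modelled on the thread's description of the Bagle mails
MAIL_BODY = ("Email account utilization warning\n"
             "For security reasons attached file is password protected.\n"
             "The password is 49315\n")

if __name__ == "__main__":
    print(looks_like_zip(ATTACHMENT), inspect_zip(ATTACHMENT))
    print(recover_password(ATTACHMENT, MAIL_BODY))
```

The inspection part never extracts or runs anything, so it is safe to apply to a suspect attachment. The password-harvesting part illustrates why the fix described above has to be specific: it only succeeds when the body contains the password as an ordinary token, and a password delivered as an image, or one not mentioned in the mail at all, leaves the archive closed.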