Important message for Vlk, Igor and the Avast team!

Dear Avast Team,

I have sent you a file infected with a virus which disables and destroys Avast 5.0.507. The name of the file is ‘wyskq6lt.exe’ (I unsuccessfully renamed it to wyskq6lt.333.exe).

It completely destroyed Avast 5.0.507 and MBAM 1.45 on my friend’s computer. I became suspicious when I inserted a USB stick into my computer from his and, whilst holding left shift down, noticed an ‘autorun’ file which pointed to wyskq6lt.exe.

This is really worrying and I am writing this message in the hope that Avast will be able to detect this virus in the future and help other users. That is, I hope they will not suffer the same fate as my friend. He was left with no other choice but to format his computer and reinstall everything. He lost a lot of valuable data.

  • If you could kindly confirm Avast’s receipt of the sample I sent that would be great.

  • In addition, if you could kindly advise how I will know that wyskq6lt.exe in my chest has now been identified that would be much appreciated.

  • Finally, if you could please briefly let me know whether wyskq6lt.exe is safe in the Avast chest, I would be very grateful.

Thank you and I hope that I have helped other Avast users. This is a particularly nasty virus and it would be terrible to see other people have to go through the agony which my friend had to go through.

Thank you and I look forward to your response.

Best regards,

Avastfan1

PS: I am bricking it that my system is infected and have started a separate thread here http://forum.avast.com/index.php?topic=58584.0;topicseen

wow deadly virus

Absolutely! Hence the reason for this post.

Hope it will help other Avast users!

Thanks Avastfan,
I have notified our virus lab team. They shall look into this shortly. Have you sent the file to virus (at) avast (dot) com ?

Hello,
can you please post the VirusTotal report here, so we can see the SHA checksums and find it in our database?

Milos
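The checksum the lab asks for can be produced without opening or running the file. The sketch below is an added example, not part of the original thread or any Avast tool: it reads a drive's autorun.inf, lists the programs it would launch, and hashes each one as plain data. The autorun.inf contents and the placeholder file bytes are constructed; the thread only states that the autorun file pointed to wyskq6lt.exe.

```python
import hashlib
import os
import tempfile

# Constructed sample: the thread only says the autorun file pointed to wyskq6lt.exe.
SAMPLE_INF = "[autorun]\n; constructed sample\nopen=wyskq6lt.exe\nshell\\open\\command=wyskq6lt.exe /x\n"

def autorun_targets(inf_text):
    """Return the programs named by launch keys (open, shellexecute, shell\\*\\command)."""
    targets = []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key not in ("open", "shellexecute") and not (
                key.startswith("shell\\") and key.endswith("\\command")):
            continue
        program = value[1:].split('"', 1)[0] if value.startswith('"') else (value.split() or [""])[0]
        if program and program not in targets:
            targets.append(program)
    return targets

def sha256_file(path, chunk=65536):
    """Hash a file by reading it as data; nothing is executed."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def report(drive_root):
    """Map each autorun target under drive_root to its SHA-256 (None if missing)."""
    with open(os.path.join(drive_root, "autorun.inf"), errors="replace") as handle:
        targets = autorun_targets(handle.read())
    result = {}
    for rel in targets:
        path = os.path.join(drive_root, *rel.split("\\"))
        result[rel] = sha256_file(path) if os.path.isfile(path) else None
    return result

def demo():
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as handle:
            handle.write(SAMPLE_INF)
        with open(os.path.join(root, "wyskq6lt.exe"), "wb") as handle:
            handle.write(b"constructed placeholder, not the real sample")
        return report(root)
```

Calling `report("E:\\")` on a mounted stick returns the hashes to paste into a forum reply or search for in a scan report.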

Hi Kurt and Milos,

Thank you for the prompt replies. When Avast finally recognised the file as Win32:Malware-gen, I selected the ‘submit file to Avast’ option and pressed ok. So I assume that the file has been submitted as I pressed the ‘update program’ button yesterday.

Can you please confirm receipt of the file? (wyskq6lt.exe)

I stupidly didn’t print or save the virustotal report. However, I can confirm that around 20 of the other virus scanners listed on the page flagged it as a specific virus or a suspicious file. Unfortunately, neither Avast nor MBAM was one of them!

If you were happy to guide me (a novice!) safely through the extraction process and how to send it to you or rename it to .333 or whatever, so that my system wasn’t compromised, I would of course be more than happy to work with the Avast team. In addition, I would like to help other Avast users not become infected by this nasty virus.

Thanks and look forward to hearing from you!

Avastfan1

Hello,
we received 54 “false positive” submissions of the file from location “C:\wyskq6lt.exe”, but this is detected as “Win32:Rootkit-gen [Rtk]”, not “Win32:Malware-gen”. And some “malware” submissions, but I don’t know how to identify the submission which is yours.

Milos

Hi Milos,

Thank you for the reply. I am running Avast 5.0.507 with Virus def: 100416-0 and Avast has identified the file ‘wyskq6lt.exe’ in the chest as ‘Win32:Malware-gen’.

Perhaps the file I sent is different? The location I sent it from was E:\ not C:. Could you possibly check your submissions for E:\wyskq6lt.exe ?

Thank you!

Avastfan1

Hello,
there are 4 submissions from “[Chest] E:\wyskq6lt.exe” but none of them are from avast! 5.0.507, all are from 5.0.462.

Milos

Hi Milos,

I don’t understand that then. I sent it yesterday. In addition, I just re-sent it from C:\suspect as I was trying to extract it to that directory, rename it and zip it up. However, Avast detected it and I made double sure that the option ‘Sent to Avast’ was checked before I pressed ok.

Perhaps you have received it now?

Regards,

Avastfan1

Hi,
in the dialog you can only choose “type” (potential malware/false positive), the checkbox “I know what I am doing”, and some optional fields.

Milos

Hi Milos,

I have done as you instructed.

I just realised that the file I sent was renamed to ‘wyskq6lt.333.exe’. I must have unsuccessfully tried to rename it to .333.

Please confirm receipt of this file by Avast.

Kind regards,

Avastfan1

Hi Avastfan1

as I am not a member of the avast team I can largely say what I want, without compromising the good name of avast
and firstly I want to say that I mean no disrespect towards yourself or your friend

Now for antivirus to run at optimal performance, computer itself must run at good performance level

let’s say Java program is not updated and is not fault of user ???

  • I need fix PC wit Java could not update as required elevation as runonce task to install updates - special case
  • elevation means that install must be run by overall administrator, which is hidden on Normal Mode desktop
  • user has no comprehension of this issue, and first time for me too - I do this fixup tomorrow so still new to me

let’s say PC still runs SP2, lets say Adobe reader is well out of date, let’s say Flash Player is broken, and so on ???

These kind of things makes very hard on antivirus to perform at optimal level and prevent infection on computer ???

  • regardless, avast does perform commendably even within these imperfect, ‘broken’ environments :slight_smile:

And on top of that no antivirus is 100%, and bear in mind also that malcreants are infinitely deceiving ???

So it is not always the case that the antivirus is at fault - though this is not to defend avast under any possible argument

regards

Mark :slight_smile:

Hi Mkis,

Thank you for your reply. No disrespect or offence taken at all. Quite the contrary actually. I agree with your response: prevention is always better than cure. An anti-virus programme will never detect malware and viruses with a 100% success rate.

Moreover, I do not believe the fault lies with Avast at all. Rather, I think the fault lies in my stupidity of not disabling the Autorun feature on my computer. Thank Christ I held down the left shift key out of habit.

I hope to God that this has spared my computer from infection! I am currently working with some of the Avast Forum experts to ensure my PC is free from infection.

I am a happy Avast user and in my five plus years of using the programme, I have never seen anything which would make me want to change.

Avast is a fine piece of software and, more importantly, the people behind the software and the user community make it my first choice.

To sum up, I hope that by submitting the file that Avast are able to specifically identify it and prevent further infections from the arseholes who make/write/program these nasty things.

Avastfan1

:slight_smile:

And that piece of malware destroys MBAM too??

Hi JoeBlack,

It did. Although my friend was running the latest versions of MBAM and Avast, this nasty piece of work completely nuked his computer.

That is why I have gone to so much effort in trying to provide Avast and MBAM with a sample. My friend was devastated due to the loss of valuable data. Moreover, the blood, sweat and tears involved in reformatting and reconstructing his computer…

That agony I would like to spare other Avast and MBAM users. Hopefully Avast will now be able to specifically identify this virus and kill it.

I would again like to stress, as per my previous post, that the blame lies with my friend and me. Avast does a brilliant job and is my number one choice for anti-virus software. Our stupidity cannot be made up for.

Best regards,

Avastfan1

Hi Alwil Avast Team,

Could somebody please confirm receipt of the file I sent wyskq6lt.333.exe?

Were you able to analyse, classify and create a specific identification signature for this nasty piece of work?

Kind regards,

Avastfan1

Oh yes, rest assured that avast team will be aware that this horrible beastie is in circulation.

Well done Avastfan1, and I’m sure they will appreciate your concern - is a horrid piece of work

Hi Avastfan1

Thank you for your quick response. I am just wondering, could Comodo with D+ stop this, if it gets past Avast and MBAM, or whatever AV?
I’d like to think that it could do it. It’s a HIPS after all.

Sorry for your friend’s computer :cry: