I have come across a file that appears to have some kind of virus; it has similar properties to viruses reported in several posts on this forum.
It seems to do the following.
1: Removes the safe mode registry entries for Windows.
2: Removes the *.exe files of various virus scanners, preventing them from functioning.
3: Affects explorer.exe and IExplore.exe, causing them to run incredibly slowly.
I remotely maintain a few PCs for friends and noticed the avast service wasn't running on one. When I checked into it I found the file that started this virus. I am not sure where it came from originally, although due to its location on the infected machine I suspect a P2P program called eMule.
I have confirmed on a test machine that this file is a source of this infection. I do not know what name this virus has, as the only solution I have found is to re-image the infected machine. I didn't notice any damage to other *.exe files or any other traces of problems, only what's listed above.
If the avast team would like a copy of this file please let me know.
I tried submitting it via the avast program but I received the following in my mailbox.
Your message did not reach some or all of the intended recipients.
Subject: avast!
Sent: 28/10/2007 22:41
The following recipient(s) could not be reached:
'virus@avast.com' on 28/10/2007 22:41
None of your e-mail accounts could send to this recipient.
I will keep the file around for a few days to await a response.
Thanks.
PS: I also tried the Trend Micro HouseCall online scanner, Norton AntiVirus, PC-cillin, and AVG; none of these detected this virus. I also tried several of the programs suggested on this forum, i.e. BlackLight etc.; the problems persisted. I have resolved the issues I have with this by re-imaging, and just wish to inform the community and supply an example file so this can be checked and added to the Avast antivirus.
Thinking better, maybe you could upload to Alwil FTP server as a second way to transfer files. Upload them to ftp://ftp.avast.com/incoming (please, note that you won’t have READ access to the ftp server, just write - so you won’t even be able to see what you’ve just uploaded).
This is a better option than having to upload or scan at multiple sites.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the quarantine/chest; you will need to move it out.
What domain are you using to send your email? Some might block avast.com, as some block inbound email from avast.com (registration emails).
I have just sent a sample to avast via the chest and that looks like it got through.