Hello All!
I think I need help here. This worm has been found by Avast in my Opera browser cache directory. I have put the infected file into the virus chest immediately.
Am I safe now, or is there something else I need to do?
Thanks in advance, Rostik.
How was it detected, regular on-access scan or on-demand scan?
You didn’t mention the suspect file name, which can help?
Firstly I would wonder why the web shield didn’t detect it ‘before’ it got into your Opera cache, unless this is a result of an update of that signature now catching a variant in the Feebs family signature.
If this is the case, perhaps you should periodically clear your browser cache.
Secondly, I would confirm it is a good detection using VirusTotal and Jotti; you have to move the suspect file out of the chest to do this.
It was a web shield message, and after that an on-access scanner.
The file name is “opr02JIP.htm”
Thank you for your suggestion. I’ll do that.
If I were you, I’d scan with avast at boot time, plus with antitrojans (a-squared and AVGas).
I wonder how this can happen. I experienced something similar several months ago.
http://forum.avast.com/index.php?topic=18914.msg178729#msg178729
Yes, very strange that the web shield detects this and aborting the connection is the only option, so it shouldn’t arrive in your cache. The file name looks like some Opera-generated file name, as in ‘opr’, unless it does some sort of pre-fetch behind the scenes.
I doubt that anything has been generated, otherwise avast would likely be jumping all over that too, but a boot-time scan and the other scans Tech mentioned are a wise precaution.
I would, however, want to confirm the detection was good, as I have already mentioned.
OK, the possibly infected file is now in the queue on VirusTotal; I’ll be back soon with the result of it.
As I promised, I’m back with the results. It seems to be a false positive, as only Avast detected it:
Complete scanning result of "opr02JIP.htm", received in VirusTotal at 03.24.2007, 17:21:40 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.3.24.1 03.24.2007 no virus found
AntiVir 7.3.1.44 03.23.2007 no virus found
Authentium 4.93.8 03.24.2007 no virus found
Avast 4.7.936.0 03.23.2007 JS:Feebs family
AVG 7.5.0.447 03.23.2007 no virus found
BitDefender 7.2 03.24.2007 no virus found
CAT-QuickHeal 9.00 03.23.2007 no virus found
ClamAV devel-20070312 03.24.2007 no virus found
DrWeb 4.33 03.24.2007 no virus found
eSafe 7.0.14.0 03.22.2007 no virus found
eTrust-Vet 30.6.3506 03.23.2007 no virus found
Ewido 4.0 03.24.2007 no virus found
FileAdvisor 1 03.24.2007 no virus found
Fortinet 2.85.0.0 03.24.2007 no virus found
F-Prot 4.3.1.45 03.23.2007 no virus found
F-Secure 6.70.13030.0 03.24.2007 no virus found
Ikarus T3.1.1.3 03.24.2007 no virus found
Kaspersky 4.0.2.24 03.24.2007 no virus found
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.24.2007 no virus found
NOD32v2 2142 03.24.2007 no virus found
Norman 5.80.02 03.23.2007 no virus found
Panda 9.0.0.4 03.24.2007 no virus found
Prevx1 V2 03.24.2007 no virus found
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.24.2007 no virus found
Symantec 10 03.24.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.24.2007 no virus found
VirusBuster 4.3.7:9 03.24.2007 no virus found
Webwasher-Gateway 6.0.1 03.24.2007 no virus found
Additional Information
File size: 14485 bytes
MD5: f8079f25cd824ccd871763c9f7ccac29
SHA1: d2dd0510ef0d04d65d54b1696505b886204515f5
So now I have another question: what do I do now?
Hi Rostik:
Have you read through the other Feebs family thread at http://forum.avast.com/index.php?topic=27169.0 ?
Since this is primarily a "worm" and not a "virus", it would be best to get a "2nd Opinion" from programs that SPECIALIZE in these, such as AVG Antispyware from www.ewido.net and the FREE version of SUPERantispyware from www.superantispyware.com; have you done that?
I had my suspicions with the file name and the fact that it was detected by what I think is a generic signature (JS:Feebs family); when you try to catch multiple viruses with the same signature, there is a possibility it might get it wrong.
I would now submit this sample to avast as a false positive, using this topic (URL) as a reference. This should help to adjust this signature so there is less likelihood of this happening in the future. Other than this there is nothing else you need to do, as it relates to a temporary file (cache) and you have cleared that out.
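The thread’s reasoning above (one engine out of thirty flagging a cached file suggests a generic signature misfiring) can be turned into a small triage script. This is an added example, not code from the thread or from Avast or VirusTotal; the report text it parses is a constructed excerpt modelled on the flattened result list quoted earlier, and the row layout it assumes is engine, version, update date, result.

```python
import re
from collections import namedtuple

# Constructed excerpt in the same layout as the VirusTotal report quoted in the
# thread: "<engine> <version> <MM.DD.YYYY> <result>" rows run together on one line.
SAMPLE_REPORT = (
    "AhnLab-V3 2007.3.24.1 03.24.2007 no virus found "
    "Avast 4.7.936.0 03.23.2007 JS:Feebs family "
    "BitDefender 7.2 03.24.2007 no virus found "
    "ClamAV devel-20070312 03.24.2007 no virus found "
    "Kaspersky 4.0.2.24 03.24.2007 no virus found"
)

Row = namedtuple("Row", "engine version update result")

# A row ends where the next "<engine> <version> <date>" triple begins, or at the
# end of the text; the lazy result group stops at that lookahead.
ROW_RE = re.compile(
    r"(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.*?)"
    r"(?=\s+\S+\s+\S+\s+\d{2}\.\d{2}\.\d{4}\s|$)",
    re.S,
)


def parse_report(text):
    """Split a flattened multi-engine report into one Row per engine."""
    return [Row(m.group(1), m.group(2), m.group(3), m.group(4).strip())
            for m in ROW_RE.finditer(text)]


def detections(rows):
    """Rows whose result is anything other than the 'no virus found' marker."""
    return [r for r in rows if r.result.lower() != "no virus found"]


def assess(rows, min_engines=3):
    """Triage hint only: a lone hit among many engines is a false-positive
    candidate worth submitting to the vendor, as the thread did; it is not
    proof the file is harmless (a brand-new variant looks the same)."""
    hits = detections(rows)
    if not hits:
        return "clean"
    if len(hits) == 1 and len(rows) >= min_engines:
        return "likely false positive: only %s (%s)" % (hits[0].engine, hits[0].result)
    return "detected by %d of %d engines" % (len(hits), len(rows))
```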
@ Spiritsongs
You will notice that Ewido is in the VirusTotal (VT) list of scanners (not sure if this is valid since the AVG takeover though), 30 at the last count, but there are also other scanners, like DrWeb and Sunbelt and others, that also do a reasonable job detecting anti-spyware. This is why I prefer sending people to VT rather than Jotti.
It does in fact sound like it may have been prefetched. I haven’t used Opera for a long time, so I don’t know if it uses prefetching by default, but the symptoms sound similar to a problem that cropped up when I used the prefetching option in Fasterfox. The thread describing this is here:
@DavidR:
Thank you again for your help and assistance 8) , I’ve sent the email to Avast as you mentioned before.
@Tech and @Spiritsongs: I have scanned my PC with AVG AS in addition to online scanning on "VirusTotal" and it was found to be clean.
@OrangeCrate What do you mean by “prefetched” files?
I meant to add in my post above, that I would be interested in what a scanner would show that specializes in worms, but failed to do so. The scan with AVG AS confirms that it is a false positive. Second opinions are good…
Prefetching means that the browser loads and caches all of the links on the page you are browsing, anticipating that you’ll be following them. If you’re on a broadband connection, it just uses idle bandwidth, and it works.
If you’re on dial-up, it actually slows down your browser. After my experience with Fasterfox prefetching a Trojan into cache from a Google search, I no longer use the extension on my Windows partition.
Like I said earlier, I don’t remember whether Opera uses prefetching behind the scenes to give it a speed increase.
Glad you solved the puzzle.
No, Opera doesn’t use the prefetch method.
Thank you for your explanation and participation.
You’re welcome. Besides what has been correctly said by OC, pre-fetch can speed browsing and slow it if you haven’t got the bandwidth. But even if pre-fetching were enabled, I would have thought it would still use the http port and be scanned by the web shield. However, as you say, Opera doesn’t use pre-fetch, so it is a bit of a mystery how it got onto the system.
Well, yes it’s weird to me too :o, but anyway my PC is clear now, thanks again. 8)