rss3.css, a password stealer, was located during the last few weeks on the servers of ASUS (the famous mainboard manufacturer) and installed itself, hidden in the background, while patches were being downloaded from ASUS.
The Yellow worm, or w32.sagevo (Symantec's description), is a problem especially for Symantec users, but according to heise.de most of the other scanners don't detect it either. http://www.heise.de/newsticker/meldung/82664
There will always be new viruses for which it takes time to get samples to analyse and to create signatures, and this one is not going to be any different. However, it is possible to limit the damage from any zero-day virus.
You might also consider proactive protection: in order to place files in the system folders and create registry entries, you need permission. Prevention is much better, and theoretically easier, than cure.
Whilst browsing or collecting email, etc., if you get infected, then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus.
Check out the link to DropMyRights (in my signature below): Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator accounts: WinNT, Win2k, WinXP.
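As an added example (not from the original thread, and not DropMyRights' own code): the effect the post describes, starting a browser or mail client with a non-administrator token while logged on as administrator, can also be had with the runas /trustlevel switch that ships with WinXP and later. It uses the same SAFER levels that DropMyRights calls through the API. The script name and the program path are assumptions; adjust them for your machine.

```powershell
# Start-Restricted.ps1  (added example; name and default path are assumptions)
# Launches a program with the SAFER "Basic User" token so that, even when the
# logged-on user is an administrator, the child process (and any malware it
# happens to run) has no administrator rights.
# Requires Windows XP or later with runas.exe present.

param(
    # Placeholder; point this at your browser or mail client.
    [string]$Program = 'C:\Program Files\Internet Explorer\iexplore.exe'
)

function Test-IsAdmin {
    # True when the current token carries the Administrators group (enabled).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdmin)) {
    # Already a limited user: nothing to drop, start the program as-is.
    Write-Host "Not running as administrator; starting $Program normally."
    Start-Process -FilePath $Program
    exit
}

# 0x20000 is the SAFER "Basic User" level: Administrators and Power Users are
# marked deny-only in the new token and the admin privileges are removed, so the
# child cannot write to %SystemRoot%\system32 or HKLM.
# 'runas /showtrustlevels' lists the levels available on this machine.
Write-Host "Running as administrator; launching $Program with a Basic User token."
Start-Process -FilePath 'runas.exe' -ArgumentList "/trustlevel:0x20000 `"$Program`""
```

To confirm the token really is restricted, start cmd.exe the same way and try to create a file under %SystemRoot%\system32: it should be refused with "Access is denied". On later Windows versions with UAC, running day-to-day as a standard user and elevating only on demand achieves the same separation without this script.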
It's something that I didn't know about yet, and I will definitely give it a try.
I know that there can't be 100% protection, and everything that can be done to prevent the damage should be done.
The intention of my post was to give this specific virus info to the avast tech team in case they hadn't heard about it yet, so that they can incorporate the protection into the avast software.
Having such a threat on a site like ASUS was quite disturbing to me, so I thought I'd let you know.
There are several lines of defense. Update your software; the Yellow worm vulnerability was recently patched by Symantec. So update and patch regularly everything that is on your computer. Download an online non-resident scan tool for the latest threats, e.g. stinger.exe, and run that. Have additional AV protection with another range of signatures, like the non-resident ClamWin scanner. Scan your links online with DrWeb's AV hyperlink add-on for Firefox, Flock or IE, or put a stop to scripts running inside your browser, e.g. by having NoScript installed inside the Firefox or Flock browsers, for sites that you are unfamiliar with or that pose a malware threat.
For any malware to wreak havoc you have to run it or let it start up. MS is very helpful with that; think of ActiveX etc. inside the IE browser, or macros in the well-known Office products. So, for instance, do not download Word documents from the internet or from removable hardware.