New viruses - Are avast users protected?

www.heise.de reported new threats.

  1. rss3.css, a password stealer, was located during the last weeks on the servers of ASUS (the famous mainboard manufacturer) and installed itself hidden in the background while downloading patches from ASUS.

VirusTotal reported that most of the scanners could not detect this file, including avast. http://www.heise.de/newsticker/meldung/82637

Is Avast capable of detecting this file now?

  2. Yellow worm, or w32.sagevo (Symantec description), is a problem especially for Symantec users, but according to heise.de most of the other scanners don’t detect this either. http://www.heise.de/newsticker/meldung/82664

eEye has a description here: http://research.eeye.com/html/alerts/AL20061215.html

(The heise.de reports are in German, but some of the links there lead to English sites.)

Thanks for any info.

There will always be new viruses for which it takes time to get samples to analyse and create signatures, and this is not going to be any different. However, it is possible to limit the damage from any zero-day virus.

You might also consider proactive protection: in order to place files in the system folders and create registry entries, you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
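The effect of limited rights described in the post above, as an added example that is not part of the original thread: a PowerShell check of whether the current process holds administrator rights and whether it can actually write to a system folder and a machine-wide registry key. The function names, the System32 folder and the HKLM Run key are targets chosen here for illustration.

```powershell
# Added example (not from the thread): what can the current account modify?
# Function names and the two sample targets below are assumptions for illustration.

function Test-IsAdministrator {
    # True only when this process token has the Administrators group enabled.
    # Under UAC, a non-elevated session of an administrator account reports False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Create a uniquely named probe file; DeleteOnClose removes it immediately.
    $probe = Join-Path $Path ("probe_{0}.tmp" -f [guid]::NewGuid().ToString('N'))
    try {
        $stream = New-Object IO.FileStream($probe, [IO.FileMode]::CreateNew,
            [IO.FileAccess]::Write, [IO.FileShare]::None, 1,
            [IO.FileOptions]::DeleteOnClose)
        $stream.Dispose()
        return $true
    } catch {
        return $false   # access denied (or missing path): no write access
    }
}

function Test-HklmKeyWritable {
    param([Parameter(Mandatory=$true)][string]$SubKey)
    # Open the key with write access requested; nothing is written to it.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }   # key does not exist
        $key.Close()
        return $true
    } catch {
        return $false   # SecurityException / UnauthorizedAccessException
    }
}

$system32 = Join-Path $env:SystemRoot 'System32'
$runKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

[pscustomobject]@{
    User               = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    IsAdministrator    = Test-IsAdministrator
    CanWriteSystem32   = Test-DirectoryWritable -Path $system32
    CanWriteHklmRunKey = Test-HklmKeyWritable -SubKey $runKey
}
```

Run from a limited account, all three checks should report False; anything launched from that session, including undetected malware, is bound by the same result.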

Thanks for this info, DavidR.

It’s something that I didn’t know yet and I will definitely give that a try.

I know that there can’t be 100% protection, and everything that can be done to prevent the damage should be done.

The intention of my post was to give this specific virus info to the avast tech team in case they didn’t hear about this yet, so that they can incorporate the protection into the avast software.

Having such a threat on a site like ASUS was quite disturbing to me, so I thought I’d let you know.

The info in itself without a sample won’t allow for analysis and creating a signature unfortunately.

You should also consider multi-application/level protection.

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ewido, a.k.a. AVG Anti-Spyware, if using winXP, or a-Squared Free if using win98/ME.
  2. Ad-Aware SE Personal Edition
  3. Spybot Search and Destroy
  4. SpywareBlaster. Don’t install this until you are clean.

Hi blue-moon,

There are several lines of defense. Update your software; the yellow worm vulnerability was recently patched by Symantec. So update and patch regularly all that is on your computer. Download an online non-resident scan tool for the latest threats, e.g. stinger.exe, and run that. Have additional av protection with another range of signatures, like the non-resident ClamWin scanner. Scan your links online with DrWeb’s av hyperlink add-on for Firefox, Flock or IE, or put a stop to script running inside your browser, e.g. by having NoScript installed inside the Firefox or Flock browsers, for sites that you are unfamiliar with or that pose a malware threat.
For any malware to create havoc you have to run it or let it start up. MS is very helpful with that, think of ActiveX etc. inside the IE browser or macros in the well known office products. So for instance do not download Word documents from the internet or removable hardware.

polonus