I was running some tests on Avast today again. So I purposely downloaded a few trojan-droppers on my test machine to infect it. Avast did reasonably well, missing a few things. However, one of the main things it missed was the actual dropper itself. While picking up the trojans it dropped at the time, it missed the vehicle, leaving the vehicle on the computer, and in RAM to keep dropping.
However, when I went to send a sample of the dropper to Avast, the email plugin Heuristics picked it up and blocked it.
I did notice a weird, apparently debugger-related message when I tried to manually scan the file; it said “UnnamedStream_1” and failed to recognize the dropper within. Attached is the screenshot.
Comments? Anything going wrong here? I know exactly how to remove this trojan dropper, so removal isn’t an issue. I just want Avast to be able to find protocols like this, and deal with them, because right now it’s not!
It’s the e-mail heuristic - it didn’t flag the file as infected, just as suspicious; I’d say it’s simply because it has an .exe extension; check your heuristic settings for the e-mail provider to make sure.
UnnamedStream_1 comes from the NTFS Stream archiver module - it’s an NTFS stream extracted from the file. Don’t ask me how it got there… I noticed it occasionally in files saved from Outlook Express attachments. When I traced the code, the Windows API really returned information about an additional stream (it disappeared on reboot, however).
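An added example, not from the thread or from Avast, for checking the point made above: on NTFS every file has an unnamed `:$DATA` stream, and extra named streams (alternate data streams) can be attached to it by mail clients, browsers and other programs. The PowerShell below lists all streams on a file and reports the named ones separately, so you can see for yourself whether a saved attachment is carrying an extra stream. The sample path is a placeholder; the script assumes the file sits on a local NTFS volume.

```powershell
# Added example (not from the original thread): enumerate NTFS streams on a file
# and report any alternate (named) streams besides the default unnamed data stream.
# Assumes a local NTFS volume; the path below is a placeholder to replace.
param(
    [string]$Path = 'C:\Samples\saved-attachment.exe'   # placeholder path
)

# The FileSystem provider exposes streams through the -Stream parameter;
# '*' returns the unnamed ':$DATA' stream plus every named stream.
$streams = Get-Item -LiteralPath $Path -Stream *

'Streams on {0}:' -f $Path
foreach ($s in $streams) {
    '{0,-40} {1,10} bytes' -f $s.Stream, $s.Length
}

# Named streams are the ones a scanner may unpack and treat as separate objects.
$alternate = $streams | Where-Object { $_.Stream -ne ':$DATA' }
if ($alternate) {
    'Alternate data streams found:'
    $alternate | ForEach-Object { '  {0}' -f $_.Stream }
    # Zone.Identifier is the common benign one (mark-of-the-web written when a
    # file is downloaded or saved from mail); anything else is worth a closer look.
} else {
    'No alternate data streams present.'
}
```

To read the content of a particular stream once you know its name, `Get-Content -LiteralPath $Path -Stream <name>` works the same way; `Remove-Item -Stream <name>` removes it, which is what you would do after confirming the stream is only download metadata.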
As an antivirus “expert” you should know that if you want to transport such objects you need to put them in a container (usually a ZIP archive with password “virus”, or an even stronger archive like 7-zip), so mail servers don’t interfere with the sample while it’s being sent over multiple machines.