Just got an email directing me to a site pretending to be an e-greeting card site. I checked it out, and they have some program that they are claiming is the newest Flash player (it isn’t). They are using Javascript to attempt to get the user to install it. I downloaded the program and scanned it, but Avast did not recognize it as a virus or a worm, although I highly suspect that it is a phishing program. Domain is hosted at a non-reverse-DNS’d address, newly registered; can’t figure out who the host is.
The site address and the program are located at: edited out
The executable is: edited out
What do you think? Is this something Avast should have in its virus definitions?
I know it’s not what it purports to be though. It is not Flash, they are spoofing another website, it follows the behavior patterns of someone trying to install a trojan. I know it’s not getting picked up by AV programs, which is exactly why it concerns me. If it is a new virus and/or trojan, and neither my nor your AV is detecting it, then the spread threat would be fairly high, wouldn’t it?
OK, zipped it up in a password-protected file and sent the details to them. I asked for confirmation as to whether or not it was actually a virus or trojan. Do you know if they tend to reply to reports like that?
Our e-mail content detector has just been triggered by a message you sent:
To: virus@avast.com
Subject: Avast not recognizing this
Date: Wed Aug 9 12:42:35 2006
One or more of the attachments (install_flash_player.zip, install_flash_player.exe) are on
the list of unacceptable attachments for this site and will not have
been delivered.
Hm… any ideas?
-Michael
Edit - OK, renamed the .exe to .ex_ and used WinRAR instead of WinZip; seems to have worked.
Good find, possibly a new variety of the Hanlo generic trojan downloader, with haxdoor characteristics as well. These new varieties are hardened against the detection of the big AV scanners; that is why McAfee and Symantec did not alert.
But anyway, good that you have sent it to avast; they can bite their teeth at this new one, and protect us all from it.
If you have the Netcraft toolbar or the Trustwatch add-on, report this page as fraud/phishing to them, so surfers are aptly warned not to go there. Better safe than sorry.
For the future, you could also add the suspect files to the virus chest. Open the virus chest, User Files, then click File, Add, navigate to the files and add them to the User Files section of the chest. Once in the chest you can right-click on the file and select email to Alwil Software; this way you don’t have to zip and password-protect the files, avast looks after this.
The ISP/Service/Site is kidding itself if it thinks restricting extensions is a security measure when it is so easily circumvented as to make the measure worthless.
Actually, I don’t have either. PM’ing you the URL in case you have them; I hope you don’t mind.
Thank you, I did not know that, and yes, you are right. I hate it when hosts do that. It would be different if it were from an actual scan, but to base it on extensions is silly.
Do the tech teams read these boards? If that filtering is common practice then they should modify how the “report to Avast” functionality works in order to use a different extension…
Yes, the Alwil team do monitor and participate in these forums. Filtering on extension alone isn’t common and is stupid; if just changing the extension gets around the restriction, and it isn’t backed up by a scan, it is an absolute waste of everyone’s time.
Strange that MS didn’t include .doc or .xls as potentially dangerous if they are going to say .tmp is; they are hardly going to restrict every MS Office file type, so the double standard is amazing.
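The point made in the posts above (a filter that only looks at the attachment’s name is defeated by renaming .exe to .ex_) shown as an added example that is not part of this thread: a small Python check that compares an extension-only filter with a content check looking for the DOS “MZ” magic every Windows executable starts with, run over the members of a zip. The archive, its member names and the fake PE stub inside are all constructed here; none of it is the sample from the thread.

```python
import io
import zipfile

# Extensions a typical mail-gateway filter blocks by name (illustrative list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}


def build_sample_zip() -> bytes:
    """Constructed sample: a zip whose executable member was renamed to .ex_.

    The member is a fake PE stub (DOS 'MZ' magic plus padding), not a program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install_flash_player.ex_", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


def extension_filter(name: str) -> bool:
    """The weak check: flags a member only if its name ends in a blocked extension."""
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)


def looks_like_pe(data: bytes) -> bool:
    """Content check: Windows executables (PE files) begin with the DOS 'MZ' magic."""
    return data[:2] == b"MZ"


def scan_zip(blob: bytes) -> dict:
    """For each member, report whether the name filter and the content check flag it."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            results[info.filename] = {
                "extension_filter": extension_filter(info.filename),
                "content_check": looks_like_pe(data),
            }
    return results


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()).items():
        print(name, verdict)
```

A password-protected archive like the one sent in the thread cannot be opened this way without the password, which is why a gateway that cannot scan the contents has to quarantine or hand off the attachment rather than trust the file name.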
Microsoft Outlook Express, Microsoft Windows Messenger, Microsoft MSN Messenger, and Microsoft Internet Explorer use the Attachment Manager to handle e-mail attachments and Internet downloads.
So this is probably coming from Outlook Express, and you can disable this restriction: Tools, Options, Security, untick Do not allow attachments ......... which is enabled by default; see image.
With this unticked hopefully you shouldn’t suffer from any restriction.
Today I got a mail from the Netcraft toolbar that they received the notification, and they would look into the matter and take appropriate action on whatever they find there. So you can be assured the matter will be tackled, and surfers will be secure.