Trojan Dropper/Downloader not detected by Avast

Yet one more trojan undetected by Avast. What is happening to Avast?

FEDEXInvoiceEE967113OP.zip came as an attachment in an obviously spoofed email from FedEx, and Avast did not alert. I use TBird, and this came in on a non-SSL account. The nature of the email made me suspicious, and a second-opinion on-board scanner, Clamwin AV, confirmed a positive detection for Trojan.GenericAD.

VT reports a 26/42 positive result:
http://www.virustotal.com/file-scan/report.html?id=d9d2f1c4fd4817029afcfb6592f32ae41e47a4f20b0e17a95682c381b854288b-1282826445

Sample will be submitted to Avast shortly for inclusion in their db.

PS Just submitted to SAS.

Avast has now been updated to include this trojan.

VT result is currently 33/41, including Avast.
http://www.virustotal.com/file-scan/report.html?id=d9d2f1c4fd4817029afcfb6592f32ae41e47a4f20b0e17a95682c381b854288b-1282926650

Must be a new variant; they change almost daily.

Yes, most likely. A Google search for the file name only reveals this topic.

Yes, that’s why most of them are detected on the Win32:Malware-gen signature.

Well, it looks like my malware spammer friend has been busy again.

FEDEXDocEE041488OP.zip, MD5 2F8D3CAF1EA25BA1AC4F6383A190F6DD, VT 18/43:
http://www.virustotal.com/file-scan/report.html?id=47b1c245a9e2b1b2ab6d5d31902f697e7962ef881959779e41cd5e0bd03db796-1283265090

I will send to Avast, SAS, and ClamAV shortly. Comodo AV already detects this as MalCrypt.Indus!. :)

Today’s Avast update detects this as Win32:Hottrend-B.

29/43:
http://www.virustotal.com/file-scan/report.html?id=47b1c245a9e2b1b2ab6d5d31902f697e7962ef881959779e41cd5e0bd03db796-1283333025

Hi Jahn,

This has also happened in my country: a lot of phishing mail contains attached files posing as FedEx documents, and users who download the file will be infected.

And this malware sample has been sent to virus@avast.com.

cheers,

Hi Yanto, it would appear this individual/group is spreading new and undetected variants of older malware. In both of these cases the VT scan had much lower results the first time I ran it. Then, as vendors added definitions for the new variants, the positive detections increased.

I’ve added the sender to Thunderbird’s Junk filter, but that’s not helping as the sender is spoofing his address. This is a pain. :(