Trojan.VB-5075 not being detected by avast4workstation-1.3.0

Hi!

I'm using avast4workstation-1.3.0 on Linux. I mount my Windows drives in Linux and run an avast scan on them. I was quite happy with the results until recently. When I plugged in my USB disk, a new file called Hot Game.exe got created on it. When I scanned it with avast4workstation-1.3.0, it reported no viruses, but when I scanned it with Clam AntiVirus (clamav-0.94.2), it immediately detected it as Trojan.VB-5075. I thought that it might be a new strain that would be recognized by Avast shortly, but this was over ten days ago and, despite regular updates, Avast to date doesn't recognize the virus. I'm a big fan of Avast and hate viruses! Should users submit samples of viruses that don't get detected by Avast or something? Is there any way we as users can contribute to making Avast better?

Send the suspect file to VirusTotal; it could be a false alarm from ClamAV. Post the results: http://www.virustotal.com/

The report from Virustotal.com is posted below:

File Hot_Game.exe received on 2009.07.02 13:20:17 (UTC)
Antivirus	Version	Last Update	Result
a-squared	4.5.0.18	2009.07.02	Trojan.Win32.Agent!IK
AhnLab-V3	5.0.0.2	2009.07.02	Win-Trojan/Xema.variant
AntiVir	7.9.0.204	2009.07.02	TR/VB.61440
Antiy-AVL	2.0.3.1	2009.07.02	Trojan/Win32.VB.gen
Authentium	5.1.2.4	2009.07.01	W32/Trojan2.AYWB
Avast	4.8.1335.0	2009.07.01	-
AVG	8.5.0.386	2009.07.02	VB.CYG
BitDefender	7.2	2009.07.02	Trojan.Generic.126314
CAT-QuickHeal	10.00	2009.07.02	Trojan.VB.cre
ClamAV	0.94.1	2009.07.02	Trojan.VB-5075
Comodo	1538	2009.07.02	TrojWare.Win32.Trojan.VB.~ABD
DrWeb	5.0.0.12182	2009.07.02	-
eSafe	7.0.17.0	2009.06.29	-
eTrust-Vet	31.6.6593	2009.07.02	Win32/Axmap.A
F-Prot	4.4.4.56	2009.07.01	W32/Trojan2.AYWB
F-Secure	8.0.14470.0	2009.07.02	Trojan.Win32.VB.cre
Fortinet	3.117.0.0	2009.07.02	-
GData	19	2009.07.02	Trojan.Generic.126314
Ikarus	T3.1.1.64.0	2009.07.02	Trojan.Win32.Agent
Jiangmin	11.0.706	2009.07.02	Trojan/VB.dsl
K7AntiVirus	7.10.768	2009.06.19	Trojan.Win32.VB.cre
Kaspersky	7.0.0.125	2009.07.02	Trojan.Win32.VB.cre
McAfee	5663	2009.07.01	Generic VB.b
McAfee+Artemis	5663	2009.07.01	Generic VB.b
McAfee-GW-Edition	6.8.5	2009.07.02	Trojan.VB.61440
Microsoft	1.4803	2009.07.02	Trojan:Win32/Vorus.AK
NOD32	4209	2009.07.02	probably a variant of Win32/VB
Norman	6.01.09	2009.07.02	W32/VBWorm.ROZ
nProtect	2009.1.8.0	2009.07.02	Trojan/W32.Agent.61440.AU
Panda	10.0.0.14	2009.07.02	Suspicious file
PCTools	4.4.2.0	2009.07.02	-
Prevx	3.0	2009.07.02	High Risk Cloaked Malware
Rising	21.36.34.00	2009.07.02	Worm.Win32.VB.zal
Sophos	4.43.0	2009.07.02	Mal/VB-F
Sunbelt	3.2.1858.2	2009.07.01	-
Symantec	1.4.4.12	2009.07.02	Trojan Horse
TheHacker	6.3.4.3.359	2009.07.02	-
TrendMicro	8.950.0.1094	2009.07.02	TROJ_VB.CD
VBA32	3.12.10.7	2009.07.02	Trojan.Win32.VB.cre
ViRobot	2009.7.2.1816	2009.07.02	Trojan.Win32.VB.61440
VirusBuster	4.6.5.0	2009.07.01	Trojan.VB.FYDA
Additional information
File size: 61440 bytes
MD5   : 2a57ebc8c24b5a0bea94f2402574e605
SHA1  : d3a5c0c3f8521a9a6be0c81452d0b17126f1bc49
SHA256: e217f1b2fa6238f733d181e574c4646dd4ff465159aa55e197268ed6113cdb89
PEInfo: PE Structure information
 
 ( base data )
 entrypointaddress.: 0x1700
 timedatestamp.....: 0x470FD9D2 (Fri Oct 12 22:32:18 2007)
 machinetype.......: 0x14C (Intel I386)
 
 ( 3 sections )
 name viradd virsiz rawdsiz ntrpy md5
 .text 0x1000 0x6E58 0x7000 5.74 cf3986811b104619859d7e23ce1c19e7
.data 0x8000 0xC60 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x9000 0x14000 0x6000 3.32 1eeacb6f65d7b67a554b5128ab95d552
 
 ( 1 imports )
 
> msvbvm60.dll: __vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, __vbaLineInputVar, -, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaLsetFixstr, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, -, -, __vbaExitProc, -, __vbaOnError, __vbaObjSet, __vbaStrLike, -, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaStrFixstr, _CIsin, __vbaChkstk, -, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaFixstrConstruct, __vbaRecUniToAnsi, EVENT_SINK_Release, -, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, -, -, -, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaVarCat, __vbaI2Var, -, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, -, _adj_fdivr_m32, _adj_fdiv_r, -, __vbaVarSetVar, __vbaI4Var, -, __vbaVarAdd, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI2, -, -, _CIatan, __vbaStrMove, __vbaStrVarCopy, -, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr, -
 
 ( 0 exports )

TrID  : File type identification
Win32 Executable Microsoft Visual Basic 6 (86.2%)
Win32 Executable Generic (5.8%)
Win32 Dynamic Link Library (generic) (5.1%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
ssdeep: 768:9eMAqXM7tJWqJlyYzatA4F0duCxS8RTCN2BNtW4wnebSdV:95BYt84zIA4F0hbzbo
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=5A0F8F3600CC0C4BF012005337233C0002867BA5
PEiD  : -
RDS   : NSRL Reference Data Set
-

Wow, that's definitely one missed by Avast. You can send them a sample, zipped, to virus@avast.com. Thank you for that.
Did you infect the PC? Or is it just on the USB device?

I use PC Tools Firewall and avast! Antivirus and both of them miss this trojan. :-\

You should start a fresh thread of your own. What Trojan has Avast missed?

No, I think the entire machine has a full-blown infection. I'm going to run it through a fine-toothed comb, for sure, with ClamAV and AntiVir, which I just downloaded and installed. Is there any other way to send them the virus sample? My mail server scans even archive files and will trash it in all probability.

I think you can only submit by email or from the Chest.

I would not have installed another AV; I would have used their rescue disc, along with MBAM and SAS.

http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

http://filehippo.com/download_malwarebytes_anti_malware/

http://filehippo.com/download_superantispyware/

If you got this off a flash drive, I would use AutorunEater to search for bad autorun files.

http://download.cnet.com/Autorun-Eater/3000-2239_4-10752777.html
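The autorun angle above is worth checking by hand as well: a file that "got created" on a USB disk by itself is the classic sign of an autorun worm that writes an `autorun.inf` alongside its executable so Windows launches it on insert. The script below is an added example, not the AutorunEater tool linked above and not anything from the thread's posters; the `autorun.inf` it inspects is constructed for illustration (the thread never shows the real file, only that Hot Game.exe appeared on the disk). Point it at the mount point of the stick from Linux and it reports which `[autorun]` keys would launch a program, what that program is, and whether the target actually sits in the volume root.

```python
"""Inspect a removable volume's autorun.inf for the launch entries autorun
worms rely on. Added example: not the AutorunEater tool linked in the thread,
and SAMPLE_AUTORUN below is a constructed file, not the one from the poster's
USB disk."""
import os
import sys

# Keys that made Windows run something from a USB stick while AutoRun was still
# honoured for removable media (disabled for USB by a 2011 Windows update).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command", "shell\\autoplay\\command")
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll")

# Constructed sample in the style of 2009-era autorun worms.
SAMPLE_AUTORUN = r"""[autorun]
open=Hot Game.exe
shellexecute=Hot Game.exe
shell\open\command=Hot Game.exe
shell\open\default=1
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""


def parse_autorun(text: str) -> dict:
    """[autorun] section as {lowercased key: value}. Hand-parsed on purpose:
    worms pad the file with junk lines that configparser would reject."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def target_file(command: str) -> str:
    """Program a launch value points at: a quoted path, or tokens up to the
    first one ending in an executable extension (handles unquoted spaces)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXTS):
            return " ".join(tokens[:i + 1])
    return tokens[0] if tokens else ""


def assess_autorun(text: str, present: set) -> list:
    """Findings for one autorun.inf. `present` is the set of lowercased names
    in the volume root, so this can run without the volume mounted."""
    entries = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key not in entries:
            continue
        target = target_file(entries[key])
        findings.append({
            "kind": "launch", "key": key, "target": target,
            "present": os.path.basename(target.replace("\\", "/")).lower() in present,
        })
    action = entries.get("action", "").lower()
    if "open folder" in action or "view files" in action:
        # Mimics Explorer's own AutoPlay wording so the user picks the worm's entry.
        findings.append({"kind": "decoy_action", "key": "action",
                         "target": entries["action"], "present": False})
    return findings


def assess_volume(root: str) -> list:
    """Read autorun.inf from a mounted volume root (e.g. /media/usb) and assess it."""
    names = {n.lower() for n in os.listdir(root)}
    if "autorun.inf" not in names:
        return []
    path = os.path.join(root, next(n for n in os.listdir(root) if n.lower() == "autorun.inf"))
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return assess_autorun(fh.read(), names)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = assess_volume(sys.argv[1])
    else:
        results = assess_autorun(SAMPLE_AUTORUN, {"autorun.inf", "hot game.exe"})
    for f in results:
        print(f"{f['kind']:<12} {f['key']}={f['target']!r} present={f['present']}")
```

Run it as `python3 autorun_check.py /media/usb` from the Linux side, where the stick is mounted read-only and nothing on it can execute; with no argument it walks the constructed sample. Every `launch` finding whose target is present on the stick is a file to hash and scan, and a `decoy_action` finding means the `action=` text was chosen to look like Explorer's own "Open folder to view files" entry.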

Hey Micky! I did mean Avast!!! Why would I want to send it to AntiVir?! I wanted to know how else I could send the infected file to the guys at Avast, as my mail server will have the attachment for lunch! Maybe I should use Gmail or something like that, but I'm sure they scan your attachments thoroughly too?

Sorry, I realised that ;D The sun's going to my head; we're not used to it here.

Well, since I was installing it on Linux, I didn't see any problems. Avast, though, was installed in Windows itself. After finding the virus-like behaviour in Windows, I booted into Linux (dual-boot machine) and scanned it using Clam on Linux. I have now installed F-Prot and AntiVir on Linux as well, just to get a little bit anal when it comes to hunting for viruses! :wink:

Micky, I did mail the file to virus@avast.com from Gmail. Though the file was gzipped, Gmail said it would not allow an .exe, so I renamed it to .blah and sent it across. By the way, F-Prot is currently scanning my Windows partitions and I came across another virus ignored by Avast. I ran it through VirusTotal again and it said it had already been checked in the past. I'm going to have a nervous breakdown if more viruses unseen by Avast pop up! :frowning: The results are below:

File fakedel.exe received on 2009.02.26 19:07:27 (UTC)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.02.26 Joke.Win32.FakeDelete!IK
AntiVir 7.9.0.93 2009.02.26 JOKE/DelWindows
Authentium 5.1.0.4 2009.02.26 W32/Hupigon.HEG
Avast 4.8.1335.0 2009.02.25 -
AVG 8.0.0.237 2009.02.26 -
BitDefender 7.2 2009.02.26 Application.Joke.Fakedel.A
CAT-QuickHeal 10.00 2009.02.26 -
ClamAV 0.94.1 2009.02.26 Joke.DelWindows.A
Comodo 986 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.26 Joke.WinDel
eSafe 7.0.17.0 2009.02.26 Suspicious File
eTrust-Vet 31.6.6375 2009.02.26 -
F-Prot 4.4.4.56 2009.02.26 W32/Hupigon.HEG
F-Secure 8.0.14470.0 2009.02.26 -
Fortinet 3.117.0.0 2009.02.26 Joke/Fakedel
GData 19 2009.02.26 Application.Joke.Fakedel.A
Ikarus T3.1.1.45.0 2009.02.26 Joke.Win32.FakeDelete
K7AntiVirus 7.10.648 2009.02.26 -
Kaspersky 7.0.0.125 2009.02.26 -
McAfee 5537 2009.02.26 potentially unwanted program Joke-FakeDel
McAfee+Artemis 5537 2009.02.26 potentially unwanted program Joke-FakeDel
Microsoft 1.4306 2009.02.26 Joke:Win32/FakeDelete
NOD32 3893 2009.02.26 probably a variant of Win32/Hupigon
Norman 6.00.06 2009.02.26 GrayBird.HWQ
nProtect 2009.1.8.0 2009.02.26 -
Panda 10.0.0.10 2009.02.26 Joke/Fakedel.A
PCTools 4.4.2.0 2009.02.26 Backdoor.Hupigon.CDDG
Prevx1 V2 2009.02.26 Medium Risk Malware
Rising 21.18.32.00 2009.02.26 -
SecureWeb-Gateway 6.0.0 2009.02.26 Joke.DelWindows
Sophos 4.39.0 2009.02.26 Joke Delete
Sunbelt 3.2.1858.2 2009.02.25 Trojan-Dropper.DelWindows.A
Symantec 10 2009.02.26 Backdoor.Graybird
TheHacker 6.3.2.5.265 2009.02.25 -
TrendMicro 8.700.0.1004 2009.02.26 -
VBA32 3.12.10.0 2009.02.26 -
ViRobot 2009.2.26.1625 2009.02.26 -
VirusBuster 4.5.11.0 2009.02.26 Backdoor.Hupigon.CDDG
Additional information
File size: 141312 bytes
MD5   : 2edf16a6e60f469d80f7a4a727ecfc84
SHA1  : bbca32df725b02488d4ab92cf9cf6a333dc8281c
SHA256: bd0adc9a502064de070a1df1ecbb4158e41c101afc451aba339e3d82cb292756
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2C97
timedatestamp.....: 0x33CCCD55 (Wed Jul 16 15:32:05 1997)
machinetype.......: 0x14C (Intel I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x397E 0x3A00 6.32 14981ff00f715b4a029db820c6c0320e
.rdata 0x5000 0x93 0x200 1.82 b8a1d35f2839a820a1cc4fcec23bdeb4
.data 0x6000 0x14F5 0xC00 6.63 be1ff45607a9903bdf488698ed6c58c7
.idata 0x8000 0x868 0xA00 4.57 07f838824e87dc7d9eb95d01d83b4969
.rsrc 0x9000 0x504 0x600 3.11 ae2f69aa92dbc0b37b47923f376a027f
.reloc 0xA000 0x76C 0x800 5.98 8b37d9be627e11b3c87d414194283818
winzip 0xB000 0x1D000 0x1C400 8.00 ce9a307ba763308e9652bdedf16bdd05

( 3 imports )

> gdi32.dll: SetBkColor, SetTextAlign, GetTextExtentPoint32A, GetBkColor, SetTextColor, DeleteObject, ExtTextOutA, CreateDCA, GetDeviceCaps, CreateFontIndirectA, DeleteDC, SelectObject
> kernel32.dll: CreateDirectoryA, _lwrite, RtlUnwind, SetFileTime, GetModuleHandleA, SetErrorMode, GetCommandLineA, GetTempPathA, GetModuleFileNameA, GetVersion, GetWindowsDirectoryA, LocalFree, GlobalUnlock, LocalAlloc, GlobalFree, GlobalAlloc, GlobalHandle, GetProfileStringA, lstrcmpiA, GlobalLock, _llseek, _lclose, WinExec, lstrlenA, _lread, _lopen, FindClose, FindFirstFileA, SetCurrentDirectoryA, _lcreat, lstrcpyA, lstrcatA, LocalFileTimeToFileTime, DosDateTimeToFileTime
> user32.dll: DefWindowProcA, GetClientRect, GetSystemMetrics, BeginPaint, GetSysColor, SetWindowWord, SetRect, EndPaint, RegisterClassA, UpdateWindow, GetWindowWord, LoadCursorA, OemToCharA, OemToCharBuffA, EnableWindow, SetWindowTextA, SendMessageA, ShowWindow, PostMessageA, GetLastActivePopup, KillTimer, SetTimer, GetWindowRect, DialogBoxIndirectParamA, SetCursor, SetWindowPos, GetDlgItemTextA, EndDialog, GetKeyState, PeekMessageA, TranslateMessage, DispatchMessageA, GetParent, SetDlgItemTextA, SendDlgItemMessageA, GetDlgItem, InvalidateRect, wsprintfA, MessageBoxA

( 0 exports )

TrID  : File type identification
Winzip Win32 self-extracting archive (generic) (53.3%)
Win32 Executable Generic (19.7%)
Win32 Dynamic Link Library (generic) (17.5%)
Generic Win/DOS Executable (4.6%)
DOS Executable Generic (4.6%)
ssdeep: 3072:DzQt5Vbfm4xP/LNcyoj7VTyIzXZ6llUjqneMav55dlO3jJp0fZiSGuYQ:8/bu4xP/DWT/6laOnsqzJerFY
Prevx Info: http://info.prevx.com/aboutprogramtext.asp?PX5=83E53D670032BEC5D6EF01EAA2FBA50031E7590C
PEiD  : WinZip (32-bit) 6.x
packers (Kaspersky): ASPack
packers (F-Prot): ZIP
CWSandbox: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=2edf16a6e60f469d80f7a4a727ecfc84
packers (Authentium): ZIP
RDS   : NSRL Reference Data Set
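Both VirusTotal reports in this thread (the Hot_Game.exe one and the fakedel.exe one above) carry the same "Additional information" block: MD5/SHA1/SHA256, then a PEInfo table with entry point, build timestamp, machine type and per-section size, entropy and MD5. Before mailing a sample anywhere it is worth reproducing that block locally, to confirm the file on your disk is the same one the report describes (the SHA-256 settles that) and to see for yourself which sections look packed (the `winzip` section at entropy 8.00 in the second report is a good illustration). The script below is an added example, not code from VirusTotal, Avast or the thread's posters; the two SHA-256 values it knows about are copied from the reports above, and the PE it builds for its offline run is a constructed minimal image, not a real sample.

```python
"""Sample triage: file hashes plus the PE facts VirusTotal's PEInfo lists.

Added example for this thread, not code from Avast, ClamAV or VirusTotal.
Run it on a local copy of a suspect file to check it is the sample the posted
reports describe (by SHA-256) and to read section entropy yourself.
"""
import datetime
import hashlib
import math
import struct
import sys

# SHA-256 values copied from the two VirusTotal reports in this thread.
KNOWN_SHA256 = {
    "e217f1b2fa6238f733d181e574c4646dd4ff465159aa55e197268ed6113cdb89":
        "Hot_Game.exe (ClamAV: Trojan.VB-5075)",
    "bd0adc9a502064de070a1df1ecbb4158e41c101afc451aba339e3d82cb292756":
        "fakedel.exe (ClamAV: Joke.DelWindows.A)",
}
MACHINE_NAMES = {0x14C: "Intel I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def file_hashes(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def identify_known(data: bytes):
    """Name from the thread's reports if the SHA-256 matches, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for packed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Entry point, build timestamp, machine type and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                        # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint, same offset for PE32/PE32+
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i                      # 40-byte IMAGE_SECTION_HEADER entries
        name, virsiz, viradd, rawsiz, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        raw = data[rawptr:rawptr + rawsiz]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "viradd": viradd, "virsiz": virsiz, "rawdsiz": rawsiz,
                         "entropy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    built = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {"entrypoint": entry, "timestamp": timestamp,
            "built_utc": built.strftime("%Y-%m-%d %H:%M:%S"),
            "machine": machine, "machine_name": MACHINE_NAMES.get(machine, "unknown"),
            "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real sample) so the script runs offline:
    one .text section holding bytes 0x00..0x0F, whose entropy is exactly 4.0."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x470FD9D2, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1700)                # AddressOfEntryPoint
    text = bytes(range(16))
    raw_ptr = 64 + 4 + 20 + 224 + 40                       # section data follows the single section header
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect + text


def report(data: bytes) -> str:
    """Text in the same shape as the VirusTotal 'Additional information' block."""
    lines = [f"{k.upper():7}: {v}" for k, v in file_hashes(data).items()]
    lines.append(f"Known  : {identify_known(data) or 'no match against the thread reports'}")
    pe = parse_pe(data)
    lines.append(f"entrypoint: 0x{pe['entrypoint']:X}  built: {pe['built_utc']} UTC  "
                 f"machine: 0x{pe['machine']:X} ({pe['machine_name']})")
    lines.append("name viradd virsiz rawdsiz ntrpy md5")
    for s in pe["sections"]:
        lines.append(f"{s['name']} 0x{s['viradd']:X} 0x{s['virsiz']:X} 0x{s['rawdsiz']:X} "
                     f"{s['entropy']:.2f} {s['md5']}")
    return "\n".join(lines)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(report(blob))
```

Usage: `python3 pe_triage.py "/mnt/usb/Hot Game.exe"`; without an argument it runs on the constructed image. The build timestamp is printed in UTC, so it can differ from a report that rendered it in local time; the entry point, machine type and section table should agree exactly with the report if the file is the same, and a section whose entropy sits near 8.00 (like `winzip` in the fakedel.exe report) is compressed or packed data that a signature scanner cannot see into without unpacking.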

I think Avast! will add it to their database if you guys send it to the Chest and click "Send to ALWIL Software".

Mr.Agent