Two viruses Avast! didn't detect

People. I’ve had two viruses in the last two days that Avast didn’t detect but other AV apps did.

Are these really viruses, or am I seeing something generic that other AV apps are classifying as viruses when they’re not?

Below are the reports I sent to virus@avast. If you want I can post the actual exe’s as well, if you want to download and scan them (the 2nd email has the link to the web site that hosts the virus, which tries to convince you it’s a Flash updater so that you download and install it).

Thanks for any help



Hi

Attached is a virus Avast! doesn’t detect. It arrived as a zip file in an email with Subject [RE] UPS Tracking Number 5988367489.

You need to unzip it (password = virus) and then rename it to have .exe at the end (Google doesn’t allow sending .exe in zip files).

See http://www.virustotal.com/analisis/52b78cba74517513f4d2946a0cbd4722 for how other virus checkers pick up this virus.

The results from your online scanner were:
UPS_INVOICE_187271.exe
clear
* VPS version: VPS 080723-0 23.07.2008
* Scaner version: 3.0.1
* Scanned files: 1
* Scanned directories: 0
* Archives count: 0
* Infected files:
* Errors: 0
* File count: 55.5 kB
* Scan time: 0s 5ms
* Scanned speed: 10.7 MB

The email headers on the mail it arrived in were:

Return-path: tymridsmmie@boldermarketing.com
Envelope-to: MYADDRESS-REMOVED
Delivery-date: Wed, 23 Jul 2008 08:05:34 -0500
Received: from [81.80.139.189] (port=30704)
by MYMAILSERVER-REMOVED with esmtp (Exim 4.69)
(envelope-from tymridsmmie@boldermarketing.com)
id 1KLe28-00062A-2w
for MYADDRESS-REMOVED; Wed, 23 Jul 2008 08:05:34 -0500
Received: from [81.80.139.189] by mailavas1.pacific.net.au; Wed, 23 Jul 2008 14:05:33 +0100
From: "United Parcel Service" tymridsmmie@boldermarketing.com
To:
Subject: [RE] UPS Tracking Number 5988367489
Date: Wed, 23 Jul 2008 14:05:33 +0100
Message-ID: 01c8eccd$2bf53480$bd8b5051@tymridsmmie
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000E_01C8ECCD.2BF53480"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal

*  What operating system are you using? (e.g. Windows 2000 Server...) = WinXP
* What version of avast! are you using? (e.g. 4.0.160 - you can find this information in the "About avast!..." dialog) = 4.8
* What version of VPS file are you using? (e.g. 0303-10, 04/15/2003 - you can find this information in "About avast!..." dialog) = 080723-0 23/07/2008
* What is your e-mail client? (e.g. Outlook, Outlook Express, IncrediMail...) = Thunderbird
* Do you use other security software? Which one? (e.g. Norton Antivirus...) = nope


Hi

Virus attached. Zip password is virus. It needs renaming to .exe.

It arrived in a spam email with a link to a web site that then popped up and tried to install it.

Virus Total (http://www.virustotal.com/analisis/1a3dfe338be88b758e0b8cbda17a6dda) detects it as:

Antivirus Version Last Update Result
AhnLab-V3 2008.7.26.0 2008.07.27 -
AntiVir 7.8.1.12 2008.07.26 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.07.27 -
Avast 4.8.1195.0 2008.07.26 -
AVG 8.0.0.130 2008.07.26 I-Worm/Nuwar.V
BitDefender 7.2 2008.07.27 -
CAT-QuickHeal 9.50 2008.07.25 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.07.27 -
DrWeb 4.44.0.09170 2008.07.27 -
eSafe 7.0.17.0 2008.07.24 Suspicious File
eTrust-Vet 31.6.5983 2008.07.26 Win32/Collet!generic
Ewido 4.0 2008.07.27 -
F-Prot 4.4.4.56 2008.07.26 -
F-Secure 7.60.13501.0 2008.07.27 Trojan-Downloader.Win32.Exchanger.hk
Fortinet 3.14.0.0 2008.07.26 W32/PolyZlob!tr.dldr
GData 2.0.7306.1023 2008.07.27 Trojan-Downloader.Win32.Exchanger.hk
Ikarus T3.1.1.34.0 2008.07.27 Trojan-Downloader.Win32.Exchanger.hk
Kaspersky 7.0.0.125 2008.07.27 Trojan-Downloader.Win32.Exchanger.hk
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.27 -
NOD32v2 3301 2008.07.27 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.27 -
PCTools 4.4.2.0 2008.07.27 -
Prevx1 V2 2008.07.27 Suspicious
Rising 20.54.61.00 2008.07.27 -
Sophos 4.31.0 2008.07.27 Mal/EncPk-DA
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.27 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.26 -
ViRobot 2008.7.26.1311 2008.07.26 -
VirusBuster 4.5.11.0 2008.07.26 Trojan.DL.Exchanger.BP
Webwasher-Gateway 6.6.2 2008.07.27 Trojan.Crypt.XPACK.Gen
Additional information
File size: 78848 bytes
MD5…: c81b29a3662b6083e3590939b6793bb8
SHA1…: d513275c276840cb528ce11dd228eae46a74b4b4
SHA256: 037d48a1fdcfc95ca4576d1cab3b8b1cced5e191aadd253e9a9154132237f32d
SHA512: 07d76ee77591c75079ad1edb9e8870652c533b108154e21658988f9e38c0401408167ba4297a2e145eb2853081fc87b288040130ace133d33cf403b125dc44a8
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4057ff
timedatestamp…: 0x482ea8c7 (Sat May 17 09:43:35 2008)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xdf88 0xc200 8.00 c022f73d70ca77ed6ef5ab8cb4684da1
.rdata 0xf000 0x3df8 0x2200 7.98 09b16ab667efc4bc7a01307960dceac7
.data 0x13000 0x6000 0x4000 4.86 f229a7bb130002438c84d2fe09f55f25

( 3 imports )

USER32.DLL: DrawIcon, DestroyCaret, FillRect, GetActiveWindow, GetMonitorInfoW, GetShellWindow
ADVAPI32.DLL: ReportEventW, RegFlushKey, DecryptFileW, ReadEventLogW, OpenThreadToken
WININET.DLL: FtpGetFileW, GopherFindFirstFileA, GopherOpenFileW, FreeUrlCacheSpaceA, HttpQueryInfoA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=B74B67E3006C2AD834CA01BBEDF6C600EC76F2DD
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=c81b29a3662b6083e3590939b6793bb8

The email was:

Return-path: <nedietna_1952@100anosdemusica.com.br>
Envelope-to: REMOVED@REMOVED.com
Delivery-date: Sun, 27 Jul 2008 07:14:30 -0500
Received: from [87.243.139.101] (port=3280)
    by REMOVED.com with esmtp (Exim 4.69)
    (envelope-from <nedietna_1952@100anosdemusica.com.br>)
    id 1KN58v-0005JB-Py
    for REMOVED@REMOVED.com; Sun, 27 Jul 2008 07:14:30 -0500
Message-ID: <13D82F07.C4871822@100anosdemusica.com.br>
Date: Sun, 27 Jul 2008 14:24:17 +0200
From: Fortin <nedietna_1952@100anosdemusica.com.br>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: REMOVED@REMOVED.com
Subject: Angry man shoots lawnmower
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Steve Jobs suffers a sudden heartache and is in critical condition <a href="http://kwhgs.ca/hotnews.html">http://kwhgs.ca/hotnews.html</a>

</html>
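As an added example (not from the original post), a short Python script that parses the VirusTotal engine list and the PEInfo section table quoted in the second report above: it counts how many engines flagged the file and picks out sections whose entropy is close to the 8 bits/byte maximum, which is a common sign of packed or encrypted code and fits the Crypt.XPACK / EncPk names several engines gave the sample. The engine list embedded below is a subset of the one quoted in the post.

```python
# Subset of the engine result lines from the second report, copied from the post.
VT_RESULTS = """\
AhnLab-V3 2008.7.26.0 2008.07.27 -
AntiVir 7.8.1.12 2008.07.26 TR/Crypt.XPACK.Gen
Avast 4.8.1195.0 2008.07.26 -
CAT-QuickHeal 9.50 2008.07.25 (Suspicious) - DNAScan
eSafe 7.0.17.0 2008.07.24 Suspicious File
Kaspersky 7.0.0.125 2008.07.27 Trojan-Downloader.Win32.Exchanger.hk
Sophos 4.31.0 2008.07.27 Mal/EncPk-DA
"""

# The three section rows from the PEInfo block of the same report.
PE_SECTIONS = """\
.text 0x1000 0xdf88 0xc200 8.00 c022f73d70ca77ed6ef5ab8cb4684da1
.rdata 0xf000 0x3df8 0x2200 7.98 09b16ab667efc4bc7a01307960dceac7
.data 0x13000 0x6000 0x4000 4.86 f229a7bb130002438c84d2fe09f55f25
"""

def parse_vt(text):
    """Map engine name -> verdict string, or None where the engine reported '-'."""
    verdicts = {}
    for line in text.splitlines():
        parts = line.split(None, 3)          # engine, version, last update, result
        if len(parts) == 4:
            verdict = parts[3].strip()
            verdicts[parts[0]] = None if verdict == "-" else verdict
    return verdicts

def detection_ratio(verdicts):
    """(number of engines that flagged the file, number of engines listed)."""
    return sum(1 for v in verdicts.values() if v), len(verdicts)

def parse_sections(text):
    """Parse 'name viradd virsiz rawdsiz ntrpy md5' rows into dicts."""
    rows = []
    for line in text.splitlines():
        name, _va, vsize, rawsize, entropy, _md5 = line.split()
        rows.append({"name": name, "vsize": int(vsize, 16),
                     "rawsize": int(rawsize, 16), "entropy": float(entropy)})
    return rows

def packed_sections(rows, threshold=7.0):
    """Sections whose entropy is near the 8 bits/byte maximum. Plain x86 code and
    read-only tables normally sit well below that, so .text at 8.00 points to a
    packer or crypter, consistent with the Crypt.XPACK / EncPk verdicts."""
    return [r["name"] for r in rows if r["entropy"] >= threshold]

if __name__ == "__main__":
    v = parse_vt(VT_RESULTS)
    print("flagged by %d of %d engines; Avast verdict: %s" % (detection_ratio(v) + (v["Avast"],)))
    print("high-entropy sections:", packed_sections(parse_sections(PE_SECTIONS)))
```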