Good day all!

CAUTION!! POSSIBLE INFECTION ATTACHED!!!

A suspicius email arrived this morning with an attachment. I viewed the source on the email and saw it had attachment “fotos.zip”. Saved the zip file to desktop and scanned it with Avast. Avast found it to be clean.

So in the interest of testing, I copied the file to two other machine to scan. One other has AVG, and the last is running Sophos. AVG and Sophos BOTH see this zip file to be infected with
"Results of Complete Test, date and time 8/31/2004 14:24:58 :
Testing C:\Documents and Settings\Administrator\Desktop serial 5064-E5BA C:\Documents and Settings\Administrator\DESKTOP\INFECTED.ZIP:\foto\foto.htm Virus found JS/IllWill

Test finished, duration 00:00:00.8 s
21 objects tested, 1 found infected

This is a 3 week old virus…why is Avast not reporting it? My Avast version/update info follows:
ver 4.1home(4.1.418), with def file from today (8-31-04)(0436-0)

I can point Avast RIGHT AT THE FILE, and it reports clean.

I have attached file for inspection.

Any thoughts???

Thanks!

Please send the file in a password protected zip file to virus@avast.com
Mention in the mail what you told us here (link to this thread may be usefull) and don’t forget to mention the password ofcourse. I’m sure they will investigate it and if release a update of the vps if needed asap.

If you like, please run a online scan HERE and tell us the result(s)

Thank you for letting us know this. Information like this really can help make Avast only better. [Is that possible :D]

Is Alwil working with virusscan.jotti.dhs.org into getting samples and new detections?

That scan yielded these results on zip file in question…zip file extracts into foto.html and foto1.exe.
AntiVir
TR/Bagle.AK.HTML, TR/Bagle.AL (2.48 seconds taken)
BitDefender
JS.Dword.dropper, Trojan.Dropper.Small.KU (5.76 seconds taken)
ClamAV
Trojan.JS.RunMe (11.33 seconds taken)
Dr.Web
Exploit.CodeBase, Win32.HLLM.Beagle.9728 (11.92 seconds taken)
F-Prot Antivirus
HTML/ObjData@exp, dropper for W32/Mitglieder.AA (1.70 seconds taken)
F-Secure Anti-Virus
HTML/ObjData@exp, Exploit.CodeBaseExec, W32/Bagle.AK@mm, TrojanDropper.Win32.Small.kv (7.47 seconds taken)
Kaspersky Anti-Virus
Exploit.CodeBaseExec, TrojanDropper.Win32.Small.kv (6.85 seconds taken)
Norman Virus Control
JS/IllWill.A, W32/Bagle.AK (1.26 seconds taken

All engines found infection. Avast still says this file is clean. Have set max everthing in scan parameters.

Here is text from log file on Avast scan (thorough scan with archives) (I have extracted the infected file to a folder and then scanned the folder)

• avast! Report
• This file is generated automatically
• Task ‘Simple user interface’ used
• Started on Tuesday, August 31, 2004 11:16:45 PM
• VPS: 0436-0, 08/31/2004

Infected files: 0
Total files: 2
Total folders: 1
Total size: 13.6 k

• Task stopped: Tuesday, August 31, 2004 11:16:45 PM
• Run-time was 0 second(s)

Hi,

I think the file you received is a new one. It was spammed on the 31st August. I guess Avasgt have not updated there VPS yet but I am sure they will in the next few hours.

Just check ourt http://www.f-secure.com/v-descs/bagle_ak.shtml

for more info.

Please also make sure you post the file to virus@avast.com (just in case they have not received it yet)

Cheers
Jlo

The update is already out…

I’ve been sent this twice, the 1st time it contained foto1.exe & the 2nd time calc.exe. Fsecure & Symantec are not reporting the calc.exe file

Yes, the CALC.EXE is another variant. It is detected by avast! with today’s update.

BTW: Another two variants were discovered several minutes ago, so please expect another update soon .

Pavel

If you mean 0436-2, it came in while I was reading this. Nice timing.

Hi Avast!

Thanks for the quick updates again!

Best wishes

Jlo

MikeBCda

If you mean 0436-2, it came in while I was reading this. Nice timing.