Recently, I mistakenly double-clicked on a .scr file (I thought it was a video… duh…)
Fully up to date Avast did not react when I downloaded it or opened it.
When I clicked it, nothing happened… I soon realised my mistake, unplugged my network cable, then rebooted… and started all kinds of malware / virus scans (sideloaded via USB).
2 days later, I received a registered letter from my ISP informing me that my PC was infected with a worm / trojan and that I have 48 hours to react or they will disconnect me.
The timestamp in the letter for when they started to detect suspicious activity was exactly the same time I clicked on the .scr.
I know this because I have the timestamp in the logs of adwcleaner which I ran right after I rebooted.
So… basically, I have a 700 MB .scr file which no malware or antivirus software seems to recognise… but which is 99% certain to be infected with something.
Since then, I have done a clean re-install of windows… because I didn’t trust the PC any more!
But, I really want Avast to detect this so I can scan the other PCs on my home network (I want to find out if it managed to spread).
I just created a ticket with Avast, but I wanted to know if there is something else I could / should do?
Hmm… I enabled PUP in avast settings and re-scanned the file.
Still “no threat found”
Ahh… update:
As the file was 700 MB, I could not use any of the online scanners.
However, I just zipped the file and it shrank to under 1 MB…
Now I am getting some positive matches on virustotal:
AVG Luhe.Fiha.A
Baidu Archive.Bomb
DrWeb Trojan.PWS.Multi.911
ESET-NOD32 a variant of MSIL/Injector.CVJ
Ikarus Trojan-Spy.MSIL
Invincea worm.msil.mofin.a
Sophos Troj/dnCreek-A
VBA32 suspected of ZIP.MailBomb
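A 700 MB file that zips down to under 1 MB means almost all of it is filler, which is exactly what the Archive.Bomb / MailBomb names above are pointing at: the sample has been inflated past the size limit of most scanners. The script below is an added example (not from this thread, and not a tool any of the named vendors ship) that measures how compressible a file is, finds the run of padding at its end, and hashes the file with the padding stripped so a normal-sized core can be submitted or compared. It runs on a constructed sample (a fake "MZ" stub, 4 KB of random bytes, 1 MB of zeros) standing in for the real .scr; the thresholds in `looks_inflated` are assumptions, not published cut-offs.

```python
import hashlib
import math
import random
import sys
import zlib
from collections import Counter


def compression_ratio(data: bytes, level: int = 6) -> float:
    """Compressed size / original size. Near 0 means the bulk is repetitive filler."""
    if not data:
        return 1.0
    return len(zlib.compress(data, level)) / len(data)


def trailing_run(data: bytes) -> tuple[int, int]:
    """(byte value, length) of the run of identical bytes that ends the file."""
    if not data:
        return (0, 0)
    last = data[-1]
    core = data.rstrip(bytes([last]))
    return (last, len(data) - len(core))


def chunk_entropies(data: bytes, chunk_size: int = 4096) -> list[float]:
    """Shannon entropy (bits per byte) of each fixed-size chunk."""
    out = []
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        n = len(chunk)
        out.append(-sum(c / n * math.log2(c / n) for c in Counter(chunk).values()))
    return out


def analyse(data: bytes, low_entropy_threshold: float = 1.0) -> dict:
    """Summarise whether the file looks size-inflated and hash it with the padding removed."""
    ents = chunk_entropies(data)
    low_fraction = sum(1 for e in ents if e < low_entropy_threshold) / max(len(ents), 1)
    pad_byte, pad_len = trailing_run(data)
    core = data[:len(data) - pad_len]
    ratio = compression_ratio(data)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "compression_ratio": ratio,
        "low_entropy_chunk_fraction": low_fraction,
        "trailing_pad_byte": pad_byte,
        "trailing_pad_bytes": pad_len,
        "core_size": len(core),
        "core_sha256": hashlib.sha256(core).hexdigest(),
        # Assumed heuristic: compresses >20x and more than half the file is one trailing byte.
        "looks_inflated": ratio < 0.05 and pad_len > len(data) // 2,
    }


def build_sample() -> bytes:
    """Constructed stand-in for the padded .scr: fake DOS stub + random payload + 1 MB of zeros."""
    rng = random.Random(20121205)
    header = b"MZ" + bytes(62)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    padding = b"\x00" * (1024 * 1024)
    return header + payload + padding


if __name__ == "__main__":
    # Usage: python inflated_check.py <file>   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in analyse(blob).items():
        print(f"{key}: {value}")
```

The trailing-run check only catches padding appended as one repeated byte, which is the common case for files that compress this well; padding made of a short repeating pattern would still show up in the compression ratio and the low-entropy chunk count, just not in `trailing_pad_bytes`. The stripped core is what you actually want to upload, since its hash will not change if the sample is re-padded to a different size.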
@will.jones
This is certainly a strange one. Call me suspicious (OK I am). I would have been equally suspicious of the correspondence from your ISP (if it truly was) I just wonder why they went down the route of snail mail. That sort of thing also smacks of some sort of scam.
2 days later, I received a registered letter from my ISP informing me that my PC was infected with a worm / trojan and that I have 48 hours to react or they will disconnect me.
The timestamp in the letter for when they started to detect suspicious activity was exactly the same time I clicked on the .scr.
Though, the fact that VT confirms the file to be malicious would tend to support the ISP letter, although it is damn strange that it came by snail mail.
Hmm… I see what you mean, but I kind of went in the other direction… snail mail means serious… if they had sent an email I would have possibly ignored it.
TBH, kudos to my ISP (Cablecom Switzerland) for reacting quickly.
My PC was infected on the 5th Dec at 22:30, they sent a mail on the 6th, which I got on the 7th.
That is very good for a big corporation.
In any case I had already killed the virus on the 5th (I hope), but if they do this to all PCs on their network they could really make a difference.
I also received a notification from them saying the activity has stopped now, so the case is closed on my ISP’s side.
Now I just want confirmation that all my home network PCs are clean.
Yes, there are lots of scams like this (so I’m always on the lookout for them): people telephoning you purporting to be Microsoft or some such support to tell you that you are infected, or the email route to try and get you to visit a site to get cleaned up, etc.
I had never come across an ISP actually sending you a letter. Most of the scams are normally email based.
The file ‘File.scr’ has been determined to be ‘MALWARE’. Our analysts named the threat TR/Dropper.Gen. The term “TR/” denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.45.58.