Undetected virus, is it new?

Hi Guys,

Recently, I mistakenly double clicked on a .scr file (I thought it was a video… duh…)

Fully up to date Avast did not react when I downloaded it or opened it.
When I clicked it, nothing happened… I soon realised my mistake & unplugged my network cable, then rebooted… and started all kind of malware / virus scans (sideloaded via USB)

2 days later, I received a registered letter from my ISP informing me that my PC was infected with a worm / trojan and that I have 48 hours to react or they will disconnect me.
The timestamp on the letter where they started to detect suspicious activity was exactly the same time I clicked on the .scr.

I know this because I have the timestamp in the logs of adwcleaner which I ran right after I rebooted.

So… basically, I have a 700mb .scr file which no malware or antivirus software seems to recognise… but which is 99% certain to be infected with something.

Since then, I have done a clean re-install of windows… because I didn’t trust the PC any more!

But, I really want Avast to detect this so I can scan the other PCs on my home network (I want to find out if it managed to spread).

I just created a ticket with Avast, but I wanted to know if there is something else I could / should do?

Any advice?

Thanks
Will

Could have been a PUP and detection for that is by default disabled in avast (for legal reasons).

I just created a ticket with Avast, but I wanted to know if there is something else I could / should do?
Do you still have the scr file?

Upload and test it at www.virustotal.com and post link to scan result here

That won’t work.
Maximum file size: 128MB
According to the OP the file is 700Mb (which should already make all alarms start)

Would be really large screensaver :wink:

What size if zipped?

alternative submit to avast ftp >> https://www.avast.com/faq.php?article=AVKB160

Hmm… I enabled PUP in avast settings and re-scanned the file.
Still “no threat found”

Ahh… update:
As the file was 700mb, I could not use any of the online scanners.
However, I just zipped the file and it shrank to under 1mb…
Now I am getting some positive matches on virustotal:
AVG Luhe.Fiha.A
Baidu Archive.Bomb
DrWeb Trojan.PWS.Multi.911
ESET-NOD32 a variant of MSIL/Injector.CVJ
Ikarus Trojan-Spy.MSIL
Invincea worm.msil.mofin.a
Sophos Troj/dnCreek-A
VBA32 suspected of ZIP.MailBomb

But still 50 AV companies are finding nothing.
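The jump from a 700 MB .scr to a sub-1 MB zip is the tell in this thread: the file has been padded to push it past upload limits like VirusTotal's 128 MB. As an added example (not from the thread or from Avast), the script below triages a file offline with the two signals that padding leaves behind, a compression ratio near zero and one byte value dominating the file, and reports the SHA-256 so the result can be matched against a VT report. The thresholds and the constructed sample (random header plus zero padding) are assumptions for illustration.

```python
import hashlib
import zlib
import os
from collections import Counter

# Assumed thresholds: compressed/raw size below this, or one byte value
# covering more than this fraction of the file, suggests deliberate padding.
COMPRESSION_RATIO_THRESHOLD = 0.01
DOMINANT_BYTE_THRESHOLD = 0.90


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by raw size, using deflate as a zip would."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def dominant_byte_fraction(data: bytes) -> float:
    """Fraction of the file taken up by its single most common byte value."""
    if not data:
        return 0.0
    _value, count = Counter(data).most_common(1)[0]
    return count / len(data)


def triage(data: bytes) -> dict:
    """Summarise the padding signals for one file and flag it if either trips."""
    ratio = compression_ratio(data)
    dominant = dominant_byte_fraction(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "raw_size": len(data),
        "compression_ratio": ratio,
        "dominant_byte_fraction": dominant,
        "suspect_padding": (ratio < COMPRESSION_RATIO_THRESHOLD
                            or dominant > DOMINANT_BYTE_THRESHOLD),
    }


def build_sample(payload_size: int = 4096, pad_size: int = 2 * 1024 * 1024) -> bytes:
    """Constructed sample: a small random 'payload' followed by zero padding."""
    return os.urandom(payload_size) + b"\x00" * pad_size


if __name__ == "__main__":
    # Run against a real file with: triage(open(path, "rb").read())
    for key, val in triage(build_sample()).items():
        print(f"{key}: {val}")
```

A genuine screensaver of several hundred megabytes would compress far less dramatically; a flagged file is worth zipping and submitting exactly as the OP did.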

As said, post the link to the scan result; lots of vital info is missed in a copy-paste.

Sorry, I missed the “post link” part… tbh your posts came in while I was posting my reply so we seem to be working in parallel :slight_smile:

https://www.virustotal.com/en/file/06c3c252403aaad3d31e5d517f66d864aa764698c75e5817d5b79b8025850592/analysis/1481230304/

The link part was in my first post :wink:

anyway not important, now we have MD5 and more info so avast can fetch it from VT

I will notify someone

McAfee doesn’t detect it when scanned with VT, but sure does recognize this trojan.
https://home.mcafee.com/virusinfo/virusprofile.aspx?key=8987303#none

if it helps, my ticket with avast is #624098

@ will.jones
This is certainly a strange one. Call me suspicious (OK, I am). I would have been equally suspicious of the correspondence from your ISP (if it truly was); I just wonder why they went down the route of snail mail. That sort of thing also smacks of some sort of scam.

2 days later, I received a registered letter from my ISP informing me that my PC was infected with a worm / trojan and that I have 48 hours to react or they will disconnect me. The timestamp on the letter where they started to detect suspicious activity was exactly the same time I clicked on the .scr.

Though, given the fact VT confirms the file to be malicious would tend to support the ISP letter, though that is damn strange it came by snail mail.

Hmm… I see what you mean, but I kind of went in the other direction… snail mail means serious… if they had sent an email I would have possibly ignored it.
TBH, kudos to my ISP (Cablecom Switzerland) for reacting quickly.
My PC was infected on the 5th Dec at 22:30, they sent a mail on the 6th, which I got on the 7th.
That is very good for a big corporation.

In any case I had already killed the virus on the 5th (I hope), but if they do this to all PCs on their network they could really make a difference.

I also received a notification from them saying the activity has stopped now, so the case is closed on my ISP’s side.

Now I just want confirmation that all my home network PCs are clean.

Yes, there are lots of scams like this (so I’m always on the lookout for them), people telephoning you purporting to be Microsoft or some such support to tell you you are infected. Or the email route to try and get you to visit a site to get cleaned up etc.

I had never come across an ISP actually sending you a letter. Most of the scams are normally email based.

I had never come across an ISP actually sending you a letter.
I know of one here that does, and will notify you of suspicious activity.

This is what Avira say

=============================================================

Filename Result
File.scr MALWARE

The file ‘File.scr’ has been determined to be ‘MALWARE’. Our analysts named the threat TR/Dropper.Gen. The term “TR/” denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.45.58.