Virus not detected

Firstly

I received a suspicious e-mail,
checked it, saved it, no problems.
Scanned it with avast: no problems.
Opened the entire mail in flat ASCII and looked at it…
SURE it's a virus.
Scanned it with
NAV, AVG, Panda, Trust, McAfee and about 7 other online scanners.
All negative…

I'm still sure it's a virus.
Scanned it with
Kaspersky:
Infected I-Worm-Swen variant.

Hmmm …
Reasons I was suspicious

Message body


Hi.
Message from america.com

Undeliverable mail to kjmlsfshf@america.com

Message follows:


so it looks wrong

Checked header info

--cpthpherex
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

Hi.

Message from america.com

Undeliverable mail to kjmlsfshf@america.com

Message follows:

--cpthpherex
Content-Type: audio/x-wav; name="fedkv.com"
Content-Transfer-Encoding: base64
Content-Id:

Followed by the hex code

Copied out the hex and saved it
(still nothing from any of them )
except kaspersky again .

Trust me, the hex IS a variant of Swen that attempts to autorun on MS mail systems.
Have sent it to avast for them to inspect.

Secondly
I have avast (which I am truly happy with).
I have it on maximum settings and the POP scanner on.

The incoming POP scanner says it scans messages but doesn't ever find a virus; the viruses are caught only by the Standard Shield if I try to launch/save them.
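An added check for the pattern the post describes, as example code that is not part of this thread or of any of the scanners named in it. The sample message below is constructed from the quoted headers (the boundary and the audio/x-wav part named fedkv.com); its base64 body is a made-up "MZ" stub, not the real attachment. The check flags a part whose declared content type (audio/x-wav) does not match the executable extension in its name= parameter, and whose decoded payload starts with the DOS/PE "MZ" magic. That mismatched-header trick is the one Swen relied on to get unpatched Outlook/Outlook Express clients to run the attachment automatically (MS01-020), which is why the poster notes it only bites Outlook/Exchange users.

```python
import base64
import os
from email import message_from_bytes, policy

# Constructed sample, modelled on the headers quoted in the post: a text/html
# body part followed by an "audio" part whose name= carries a .com extension.
# The payload is a fabricated DOS/PE "MZ" stub, NOT the worm.
FAKE_PAYLOAD = b"MZ" + b"\x90\x00" * 30
SAMPLE = (
    b"From: postmaster@america.com\r\n"
    b"To: someone@example.invalid\r\n"
    b"Subject: Undeliverable mail\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"cpthpherex\"\r\n"
    b"\r\n"
    b"--cpthpherex\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"Hi.<br>Message from america.com<br>"
    b"Undeliverable mail to kjmlsfshf@america.com<br>Message follows:\r\n"
    b"--cpthpherex\r\n"
    b"Content-Type: audio/x-wav; name=\"fedkv.com\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Id: <fedkv>\r\n"
    b"\r\n"
    + base64.b64encode(FAKE_PAYLOAD) + b"\r\n"
    b"--cpthpherex--\r\n"
)

# Extensions Windows will execute on open; a "sound" or "image" part should
# never carry one of these.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}


def suspicious_attachments(raw):
    """Return one finding per MIME part whose headers and bytes disagree."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the Content-Type name= parameter,
        # which is where Swen-style messages put the executable name.
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXEC_EXTENSIONS and not ctype.startswith("application/"):
            reasons.append(f"executable extension {ext} declared as {ctype}")
        if payload[:2] == b"MZ":
            reasons.append("payload starts with MZ (DOS/PE executable header)")
        if reasons:
            findings.append({"name": name, "content_type": ctype, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_attachments(SAMPLE):
        print(f["name"], f["content_type"], "->", "; ".join(f["reasons"]))
```

The structural mismatch alone is grounds to quarantine the message, whether or not any signature matches; that is the gap between the poster's eye and the ten scanners that returned clean.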

Hi,

What Windows do you have?
Have you rechecked your e-mail settings/avast config?
Did you try running the Mail Protection Wizard again?

Is the Mail Scanner module shown as active/running?
What mail program do you use? How are the options set there?

Did you try sending yourself the eicar.com test file (from www.eicar.com)? What happens then? :wink:

What Windows do you have?

Win2k Pro

Have you rechecked your e-mail settings/avast config?

Yes

Did you try running the Mail Protection Wizard again?

No, it doesn't work properly for Mozilla 1.6; did it manually.

Is the Mail Scanner module shown as active/running?

Yes

What mail program do you use? How are the options set there?

Mozilla 1.6, set as per instructions.

Did you try sending yourself the eicar.com test file (from www.eicar.com)? What happens then?

Yes; it catches it when I send it, catches it if I try to launch it, but ignores it when it is sent to me.

That is point 2 of my mail covered :slight_smile: but I hope I can get it fixed.
Point 1 is a real problem; sent the file to all the AV vendors it failed on, and I have decompiled the file and I'm 99% sure it's a Swen variant. It doesn't affect anyone using standard mail clients, only if they use Outlook/Exchange.

Kaspersky detected this but none of the others did? Hmm, strange.
Kaspersky's unknown virus detection module must have found it.
How are you sure it is a Swen variant???

It's in C and I decompiled it.

Kaspersky is very rarely wrong; not knocking avast, I'm personally singing its praises all over the net now that I've found out about it at last :slight_smile:

Any idea about the other problem? It happens with every virus I get and has done ever since I got avast.

I have it on maximum settings and the POP scanner on.

The incoming POP scanner says it scans messages but doesn't ever find a virus; the viruses are caught only by the Standard Shield if I try to launch/save them.

What mail client do you use?
Have you completed the Mail Protection Wizard? (Start menu → avast antivirus group)

Vlk

Replied to this earlier :slight_smile:

What mail client do you use?

Mozilla 1.6

Have you completed the Mail Protection Wizard? (Start menu → avast antivirus group)

It doesn't work on Mozilla 1.6 so I configured it manually as per the instructions (i.e. these are the changes etc. etc.).
Mail scanner is running.
I watch it: the little icon flashes and I see the file names, and it puts its footer on all outgoing messages and detects viruses on them… I watch it receive messages, the box comes up, and if you watch the scanner it says the right file names but… doesn't actually seem to do anything apart from that… no footer, no virus detection. It has the file name as the last scanned but every virus gets through; they are ALL caught by the Standard Shield if attempted to be launched or saved… Extremely impressed with the standard scanner… it caught 7 MyDooms that were sent/arrived at 2.00am GMT on day 1… (POP scanner missed them though) and it's stopping the general Swens (apart from the one I mentioned above) brilliantly… the standard scanner can't be faulted!!

Vlk

So the last scanned file of the Internet Mail provider does show the infected e-mail, but the virus is not detected? :o That’s VERY strange…

Are you sure you have the INCOMING server set to 127.0.0.1 and it’s coming through avast? (i.e. the last scanned file doesn’t refer to an outbound message)?

Thanks
Vlk

I think I may have found the problem, and it's my fault; not quite sure how to fix it yet.

I have SpamPal running and I tried at first to get avast to run with it using the help/config options, and I may have hurt my ini file (I changed the default POP server to 9110). But as I couldn't get my mail to send or receive, I used the config setup in SpamPal to change its listening ports, as the config is easier and they have a rather good explanation on how to get SpamPal working with avast:
http://www.spampal.org/usermanual/antivirus/avast/avast.htm

  • I had assumed that logging etc. was disabled in the Home version, so I have just been using firewall and SpamPal logs to try to find the error, but I'm thinking now that what I did to the ini file is maybe causing a problem?

Can I get another one or do I have to just reinstall? Reinstall won't hurt, as the autoconfig for Mozilla didn't pick up any of my accounts anyway, but I think that's due to the new structure of prefs.js that has been implemented in 1.6.

Okay, I now have avast to the state where it says
"won't be able to protect incoming mail, POP error code 10049". Can you point me in the right direction to resolve??

It's because it's trying to listen on a port that's already in use (most likely by Spamhilator).

You need to reconfigure either avast or Spamhilator to use other port numbers.

It has already been discussed a number of times here, see e.g. http://www.avast.com/forum/index.php?board=2;action=display;threadid=2351

Checked that.

Here is the report

ashmaisv.exe:1076 TCP 127.0.0.1:25 0.0.0.0:0 LISTENING
ashmaisv.exe:1076 TCP 127.0.0.1:110 0.0.0.0:0 LISTENING
ashmaisv.exe:1076 TCP 127.0.0.1:143 0.0.0.0:0 LISTENING
BTSTAC~1.EXE:1376 UDP 0.0.0.0:1029 :
BTTray.exe:1132 UDP 0.0.0.0:1030 :
BTTray.exe:1132 UDP 0.0.0.0:1031 :
BTTray.exe:1132 UDP 0.0.0.0:1032 :
BTTray.exe:1132 UDP 0.0.0.0:1033 :
BTTray.exe:1132 UDP 0.0.0.0:1034 :
BTTray.exe:1132 UDP 0.0.0.0:1035 :
BTTray.exe:1132 UDP 0.0.0.0:1036 :
BTTray.exe:1132 UDP 0.0.0.0:1037 :
BTTray.exe:1132 UDP 0.0.0.0:1038 :
BTTray.exe:1132 UDP 0.0.0.0:1039 :
BTTray.exe:1132 UDP 0.0.0.0:1040 :
mozilla.exe:788 TCP 0.0.0.0:1309 0.0.0.0:0 LISTENING
mozilla.exe:788 TCP 0.0.0.0:1343 0.0.0.0:0 LISTENING
mozilla.exe:788 TCP 0.0.0.0:1477 0.0.0.0:0 LISTENING
mozilla.exe:788 TCP 127.0.0.1:1308 0.0.0.0:0 LISTENING
mozilla.exe:788 TCP 127.0.0.1:1308 127.0.0.1:1309 ESTABLISHED
mozilla.exe:788 TCP 127.0.0.1:1309 127.0.0.1:1308 ESTABLISHED
mozilla.exe:788 TCP 192.168.2.2:1343 194.168.222.8:119 ESTABLISHED
mozilla.exe:788 TCP 192.168.2.2:1477 204.1.226.226:119 ESTABLISHED
mozilla.exe:788 TCP 0.0.0.0:1627 0.0.0.0:0 LISTENING
mozilla.exe:788 TCP 127.0.0.1:1627 127.0.0.1:8080 ESTABLISHED
MSTask.exe:652 TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
persfw.exe:624 TCP 0.0.0.0:44334 0.0.0.0:0 LISTENING
persfw.exe:624 UDP 0.0.0.0:44334 :
Proxomitron.exe:1180 TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING
Proxomitron.exe:1180 TCP 127.0.0.1:8080 127.0.0.1:1625 TIME_WAIT
Proxomitron.exe:1180 TCP 127.0.0.1:8080 127.0.0.1:1616 TIME_WAIT
Proxomitron.exe:1180 TCP 127.0.0.1:8080 127.0.0.1:1614 TIME_WAIT
Proxomitron.exe:1180 TCP 127.0.0.1:8080 127.0.0.1:1543 TIME_WAIT
Proxomitron.exe:1180 TCP 127.0.0.1:8080 127.0.0.1:1623 TIME_WAIT
Proxomitron.exe:1180 TCP 127.0.0.1:8080 127.0.0.1:1621 TIME_WAIT
Proxomitron.exe:1180 TCP 0.0.0.0:1628 0.0.0.0:0 LISTENING
Proxomitron.exe:1180 TCP 127.0.0.1:8080 127.0.0.1:1627 ESTABLISHED
Proxomitron.exe:1180 TCP 192.168.2.2:1628 62.252.0.4:80 ESTABLISHED
rsvp.exe:1700 TCP 127.0.0.1:1608 0.0.0.0:0 LISTENING
rsvp.exe:1700 TCP 127.0.0.1:1608 127.0.0.1:1609 ESTABLISHED
rsvp.exe:1700 TCP 127.0.0.1:1608 127.0.0.1:1610 ESTABLISHED
spampal.exe:1172 TCP 127.0.0.1:9025 0.0.0.0:0 LISTENING
spampal.exe:1172 TCP 127.0.0.1:9110 0.0.0.0:0 LISTENING
spampal.exe:1172 TCP 127.0.0.1:9143 0.0.0.0:0 LISTENING
svchost.exe:364 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
System:8 TCP 192.168.2.2:139 0.0.0.0:0 LISTENING
System:8 UDP 0.0.0.0:445 :
System:8 UDP 192.168.2.2:137 :
System:8 UDP 192.168.2.2:138 :
WinMgmt.exe:716 TCP 127.0.0.1:1609 0.0.0.0:0 LISTENING
WinMgmt.exe:716 TCP 127.0.0.1:1609 127.0.0.1:1608 ESTABLISHED
WinMgmt.exe:716 TCP 127.0.0.1:1610 0.0.0.0:0 LISTENING
WinMgmt.exe:716 TCP 127.0.0.1:1610 127.0.0.1:1608 ESTABLISHED

Clearly SpamPal is on the right ports and avast seems to be too.
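As an added example (not from the thread, and not avast's or SpamPal's code), here is the check a practitioner would run over a listing like the one above rather than eyeballing it: parse the `process:pid PROTO local remote STATE` lines, then confirm that each port in the expected proxy chain is held by the expected process and is bound to loopback only. The first listing is a constructed subset of the one pasted above; the second is a constructed conflict in which SpamPal has taken port 110 and avast's listener on 110 is gone, the "port already in use" situation the earlier reply describes.

```python
from collections import defaultdict

# Constructed subset of the port listing pasted above, in the same
# "process:pid PROTO local remote STATE" format; not a live capture.
LISTING = """\
ashmaisv.exe:1076 TCP 127.0.0.1:25 0.0.0.0:0 LISTENING
ashmaisv.exe:1076 TCP 127.0.0.1:110 0.0.0.0:0 LISTENING
ashmaisv.exe:1076 TCP 127.0.0.1:143 0.0.0.0:0 LISTENING
BTTray.exe:1132 UDP 0.0.0.0:1030 :
mozilla.exe:788 TCP 127.0.0.1:1627 127.0.0.1:8080 ESTABLISHED
Proxomitron.exe:1180 TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING
spampal.exe:1172 TCP 127.0.0.1:9025 0.0.0.0:0 LISTENING
spampal.exe:1172 TCP 127.0.0.1:9110 0.0.0.0:0 LISTENING
spampal.exe:1172 TCP 127.0.0.1:9143 0.0.0.0:0 LISTENING
System:8 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
"""

# Constructed conflict: SpamPal has grabbed 110 and avast's 110 listener is gone.
CONFLICT = "\n".join(
    line for line in LISTING.splitlines() if ":110 " not in line
).replace("127.0.0.1:9110", "127.0.0.1:110")

# Who should hold which loopback port, per the thread: avast's ashmaisv.exe
# on 25/110/143, SpamPal on 9025/9110/9143.
EXPECTED = {
    "ashmaisv.exe": (25, 110, 143),
    "spampal.exe": (9025, 9110, 9143),
}


def listeners(listing):
    """Map each TCP LISTENING port to [(process, pid, bind address), ...]."""
    table = defaultdict(list)
    for line in listing.splitlines():
        fields = line.split()
        # UDP rows have no state column; skip anything that is not a TCP listener.
        if len(fields) < 5 or fields[1] != "TCP" or fields[4] != "LISTENING":
            continue
        proc, pid = fields[0].rsplit(":", 1)
        addr, port = fields[2].rsplit(":", 1)
        table[int(port)].append((proc, int(pid), addr))
    return dict(table)


def check_chain(listing, expected=EXPECTED):
    """Return a list of problems; an empty list means the chain looks right."""
    table = listeners(listing)
    problems = []
    for proc, ports in expected.items():
        for port in ports:
            holders = table.get(port, [])
            names = [h[0].lower() for h in holders]
            if not holders:
                problems.append(f"port {port}: nothing listening (expected {proc})")
            elif proc.lower() not in names:
                problems.append(f"port {port}: held by {', '.join(names)}, expected {proc}")
            # A mail proxy that binds 0.0.0.0 is reachable from the LAN; insist on loopback.
            for h_proc, h_pid, addr in holders:
                if addr != "127.0.0.1":
                    problems.append(
                        f"port {port}: {h_proc} (pid {h_pid}) bound to {addr}, should be loopback only"
                    )
    return problems


if __name__ == "__main__":
    for label, listing in (("thread listing", LISTING), ("conflict", CONFLICT)):
        print(label, "->", check_chain(listing) or "OK")
```

The loopback test is the part worth keeping even once the port clash is sorted: a mail proxy bound to 0.0.0.0 turns a local scanner into an open relay for anything on the LAN.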

bump

Look into the headers of an incoming message; are there these lines?
X-Antivirus: avast! (VPS 26.6.2003), Inbound message
X-Antivirus-Status: Clean

How did you set the username in Mozilla mail account ?

Not in incoming it doesn't.
Header on incoming:
7bit
X-Bayesian-Result:
Spam (100)
X-Bayesian-Words:
7bit 99 about 99 against 99 attached 99 available 99 clicking 99 delivered 99 description 99 enterprise 99 free 99 help 99 impact 99 install 99 latest 99 linux 99
X-RegEx-Score:
35.9
X-RegEx:
[35.9] UNSUB_PAGE URL of page called “unsubscribe”
X-SpamPal:
PASS

On outgoing:
X-Mozilla-Status:
0001
X-Mozilla-Status2:
06000000
User-Agent:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.5) Gecko/20031007 Netscape/7.1
X-Accept-Language:
en-gb, en, en-us
MIME-Version:
1.0
Content-Type:
text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding:
7bit
X-Antivirus:
avast! (VPS 29/01/2004), Outbound message
X-Antivirus-Status:
Clean
X-Bayesian-Result:
Spam (100)
X-Bayesian-Words:
7bit 99 alwil 99 antivirus 99 avast 99 avast! 99 clean 99 copyright 99 dominic 99 dominicmd 99 en-gb 99 en-us 99 excalibur 99 fairfax 99 mime-version 99 mta03-svc 99
X-RegEx-Score:
63.5
X-RegEx:
[109.6] FROM_AND_RECEIVED_DO_NOT_MATCH FQDN in From and Received header do not match
X-RegEx:
[-49.8] USER_AGENT_MOZILLA_UA User-Agent header indicates a non-spam MUA (Mozilla)
X-RegEx:
[0.0] X_ACCEPT_LANG Has a X-Accept-Language header
X-RegEx:
[3.7] TO_HAS_SPACES To: address contains spaces
X-SpamPal:
PASS A-WLIST EMAIL
X-Wlist-Pattern:

Working fine.

In Mozilla:
Server name: localhost
Port: 9110
Username: localhost#username@popservername

It just keeps on coming up with "password incorrect".

Have also tried it with port 110 to see if bypassing SpamPal works.

Same result

If avast uses port 110 and SpamPal uses port 9110, mozilla account should be set to
Server name: localhost
Port: 9110
Username: username#popservername@localhost
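An added model of why the username order matters, as example code that is neither avast's nor SpamPal's. It assumes, from the account format in the reply above, that SpamPal splits `user@server` on the last "@" and avast's mail scanner splits `user#server` on the first "#", each proxy then connecting onward with the inner part; the loopback ports are the ones from the listing earlier in the thread, and the default onward port of 110 is an assumption. Tracing the login hop by hop shows the correct form passing through SpamPal, then avast, then the real server, while the earlier form `localhost#username@popservername` makes SpamPal connect straight to the real POP server with a mangled username. That produces the "password incorrect" error, and it also means avast never sees the session, which matches the missing X-Antivirus header on incoming mail.

```python
# Assumed conventions (not vendor code): SpamPal = "inner@server[:port]",
# avast mail scanner = "inner#server[:port]". Each proxy strips its own layer.
DEFAULT_POP_PORT = 110


def _host_port(server):
    host, _, port = server.partition(":")
    return host, int(port) if port else DEFAULT_POP_PORT


def split_spampal(user):
    """SpamPal convention (assumed): split on the LAST '@'."""
    inner, sep, server = user.rpartition("@")
    if not sep:
        raise ValueError("SpamPal expects user@server")
    host, port = _host_port(server)
    return inner, host, port


def split_avast(user):
    """avast! mail scanner convention (assumed): split on the FIRST '#'."""
    inner, sep, server = user.partition("#")
    if not sep:
        raise ValueError("avast expects user#server")
    host, port = _host_port(server)
    return inner, host, port


# Local listeners, as in the thread: SpamPal on 9110, avast on 110.
PROXIES = {
    ("localhost", 9110): ("spampal", split_spampal),
    ("localhost", 110): ("avast", split_avast),
}


def trace_login(server, port, user):
    """Follow the client's login hop by hop; returns [(who, username it sees), ...]."""
    hops = []
    while (server, port) in PROXIES:
        name, split = PROXIES[(server, port)]
        hops.append((name, user))
        user, server, port = split(user)
    hops.append((f"{server}:{port}", user))   # the real POP server
    return hops


def scanned_by_avast(hops):
    return any(name == "avast" for name, _ in hops)


if __name__ == "__main__":
    for user in ("username#popservername@localhost", "localhost#username@popservername"):
        hops = trace_login("localhost", 9110, user)
        print(user, "->", hops, "| scanned:", scanned_by_avast(hops))
```

The general rule the trace makes visible: the proxy the client talks to parses first, so its delimiter must be the outermost one in the username, and every inner layer belongs to the proxy further down the chain.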

THANK YOU

THANK YOU

THANK YOU

;D ;D ;D

It all %"$&"%&^ works now… I have a superb antivirus and a superb spam trasher and I'm a very happy bunny.

what kind of dance LOL