W97M.Thus macro virus and ALWIL Software support

Hi.

Last November, then again in December, I informed ALWIL Software support that avast! does not detect the “W97M.Thus” macro virus. Each time, per their request, I forwarded the infected file to them. However, each time I received no further response nor has the hole been patched.

So, why would ALWIL Software allow this hole in avast!'s coverage to exist? Are they too busy? Is it too difficult to fix? Is it simply a bug? Other?

I generally like avast!, but now I am concerned not only about the hole itself, but also about ALWIL Software support.

I’m curious how others view this situation. Am I expecting too much? Or is it time to find and recommend another antivirus solution?

Thanks.

avastman,

I am at a loss to explain why the Support team has not examined your query.

The virus activates its payload on December 13th, when it deletes most of the files from the root of “C:” drive and from all its subdirectories. Only files with system, read-only or hidden attribute set are left. After deletion the system cannot be restarted any more.

Maybe the Support team feels they have time. I would hope this is not the case or attitude that users of Avast expect.

The “Support” issue has popped up here in the forum on occasion and we have yet to resolve it satisfactorily. I can say that the Avast Team usually “jumps” on new threats and gets them into the next update.

In reviewing the VPS History going back to October of 2004, I did not see the W97M included. Maybe I missed it.

I can try and contact one of the other forum members who has more “inside” knowledge to see what he can find out.

Would you mind waiting a day or two for more info?

Contact me via IM if you don’t see a post from me here by then.

I’ll do my best to get an answer for you. :slight_smile:

What do you want me to say…
It’s a shame…
Karel, why don’t you even answer the user…
Vlk, Pavel, what’s going on with VPS update? :stuck_out_tongue:

Yes, we should get an answer to this. Alwil claims that Avast! catches 100% of ITW viruses, doesn’t it? Wouldn’t this virus be considered to be in the wild? If so, it should be added to the VPS as soon as possible.

Just for kicks, I uploaded the infected file to “Jotti’s Online Malware Scanner” at http://virusscan.jotti.org/ and was presented with the following results:


Status INFECTED/MALWARE

AntiVir               / W97M/Thus.AH
Avast                 / No viruses found
AVG Antivirus         / No viruses found
BitDefender           / W97M.Thus.EW
ClamAV                / W97M.Thus.gen-2
Dr.Web                / W97M.Thus
F-Prot Antivirus      / No viruses found
Fortinet              / No viruses found
Kaspersky Anti-Virus  / Virus.MSWord.Thus.aa
mks_vir               / No viruses found
NOD32                 / W97M/Thus.A
Norman Virus Control  / Thus.A
VBA32                 / W97M.Thus

By the way, thanks to all for your shared interest. I’m happy to see I’m not the only one with concern. :slight_smile:

Not all currently spreading malware (virus, worm, trojan-like, adware, spyware, etc.) is considered to be ITW by the WildList Organization’s methodology. avast! surely can detect much malware that is not ITW, but it does not detect it all. If malware is spreading very rarely or it brings no danger to avast!'s users, I think it is ignored.

Other interesting threat - http://forum.avast.com/index.php?topic=12403.msg104639#msg104639

But I, for one, don’t believe in the WildList Organization’s methodology. I think that if malware is spreading somewhere in the world (even if it spreads very rarely), an antivirus must detect it as soon as possible once the malware samples reach the virus lab!!!

We never know how many avast! users are saved from bad things as soon as malware is added to the VPS; it’s worth it even for a single user somewhere in the world.

For example, I sent the sample of Win32:Crawop [Wrm] last December (if I remember correctly), and this worm was added to VPS 0511-0 on 15/3/2005. Is that too long? Even if this worm can be considered Zoo, you can now get infected by this worm on P2P, so we don’t know how many users (especially users of AVs that still don’t detect this worm) have been infected. :frowning:

No, that would be stupidest move I’ve ever heard in my whole life… abandoning one of the greatest antivirus programs just because it doesn’t recognize something yet is equal to nonsense. You think you will find some other antivirus that catches all viruses and other nasties in the world ? Wrong. You will search whole of your life, and you won’t find such a product. Migrating from one to another, and then to third, and fourth, and so on, and so on… will just bring you additional headaches. When you fill your system registry with all those different antivirus engine leftovers, especially if you don’t know how to properly uninstall some of them, all you’ll get is additional troubles…

So… no. Switching to another product just because of this is not quite clever. Of course, you are free to decide whatever makes you happy, but telling that forum support is not good, is something that can not pass unnoticeable. These forums have their weaknesses as every other forum on the internet, but also, these forums are well known by its friendly atmosphere, helpful people, and not so usual for other forums of this kind, by its love, friendship and understanding…

Alwil guys work hard, they have a lot of stuff to deal with, so please… have a little patience, I’m sure someone will answer this question soon. They have so many requests, I feel free to say, literally thousands… do you think just few Alwil guys can please every single soul in the World as soon as they requested something ? No… so, please give them some time.

They gave us one of the best freeware antiviruses in the world, in my eyes it is the best ! They give you 24/7 free technical support by phone, e-mail and through these forums. No one can say, avast! support is lousy. I, first won’t let that happen !

Yes, they made mistake, they didn’t consider that macro-virus as a threat quick enough, but I’m sure they will do everything possible to correct that. They always do. So, I don’t see what’s all this yelling about…

Everybody makes mistakes, no one is perfect… some people make huge mistakes, some make minor mistakes. The good thing is, mistakes can be corrected.

Cheers !

“that would be stupidest move I've ever heard in my whole life”
“telling that forum support is not good, is something that can not pass unnoticeable”
“have a little patience”
“No one can say, avast! support is lousy. I, first won't let that happen !”
“I don't see what's all this yelling about...”

OK…

Sash@,

I’m not quite sure where you’re coming from. Did you actually read my posts? You seem rather full of hyperbole and to be the only one yelling. Perhaps it would be best for me to ignore you altogether, but here I go. :wink:

I did not say anything at all about these forums, and I did not say ALWIL support was lousy.

As for patience, it has been 4 1/2 months since I informed ALWIL of the hole, and I’ve yet to get any response, not even an acknowledgement that they are working the issue.

Please forgive me, however, if I seem a bit concerned. This virus had the potential to wreak havoc on my system, and it was through only luck that I found it before it could. My only agenda is to find the “best” antivirus solution, and although “best” is largely a matter of context and opinion, this situation certainly makes me question whether or not avast! is even a contender.

Hi avastman,

I agree this should have been fixed/added some time ago. I too had to wait a while for 3 samples I sent to be added to the avast VPS database (2 virus/worms and 1 trojan horse), but they are added now, so it’s all good.

Also, I know that avast doesn’t reply to emails; this is something they choose to do, and they have their own reasons for this, but they will occasionally reply to a malware sample if they deem it necessary. (Remember that they receive a lot of samples.)

Also, what email address did you send these samples to? Was it virus@avast.com, and was the sample in a passworded Zipped/Rar archive?

–lee

You just came into these forums and you started to complain, not me. I wasn’t yelling, I just explained nicely what I think. Show me where do you see “yelling” in my reply. Do you see number of my posts ? It’s NOT about quantity, but I’m telling that to show you that I’m hanging in here pretty long time… also, it says how many posts I contributed with helping or at least trying to help others… that doesn’t mean anything to you, right ?

People like to cry… they don’t see thousands of good things that avast! brings to users, but when it comes to one small problem, they are here to yell. If you reread my first reply, you will see that I didn’t “attack” you or anyone specific, all I said, is, patience people.

I tried to speak nicely in my first reply, but I’m just sick of people crying whenever something small goes wrong. And that pathetic thumb down inside your topic name… ok, let’s kill everyone just because they didn’t add something you reported… as I said, people tend to make mistakes, so let them correct those mistakes.

Asking me where I came from… I don’t know what do you have if I tell you that… Have I asked you anything regarding that matter ? No. So, leave it aside and let’s calm down…

Hi lee16,

2004-11-20 I sent to an individual support person, per ALWIL request

2004-12-14 I sent to virus@asw.cz, per ALWIL request

both times file was zipped and passworded ‘virus’

Firstly Everyone please calm down! I get so tired of saying that.

Let’s leave the personal “comments” out of this. There is no need to start the arguing nonsense.

Secondly, the W97M.Thus was actually discovered as an ITW virus back in 1999 I believe but has blossomed into so many variants that it is treated in most cases as a pure virus.

Thirdly, since the user notified Avast of the virus back in November of 2004, enough time has passed and it should have been included in one of the VPS updates. I have not found it, but may have missed it.
Since Avast Support has not spoken openly on this, and the user is in limbo, I personally feel that the issue needs to be settled.

Yes, the Avast team is very busy for being a small company, but support is all part of it. Isn’t it?

The Senior Members of the forum and many other users are very good at helping with problems in general, but we have no way of manipulating the software to include new viri or fix bugs.

It is not too much to ask. I have joined the forum back in 2003 and still get complaints about the support system.

What more can I say !

I would like to add a few more comments to clarify my post:

  1. Avast! antivirus software is awesome and I recommend it to everyone I know
  2. Support from Alwil is the best!
  3. Alwil staff is probably extremely busy

However, I still feel that this virus should have been added to the VPS by now. Perhaps it was just an oversight because they’ve been working so hard on 4.6.

Me too…
Anyway, I don’t think this is a reason to blame or fight, or ask why we have this or another opinion.
Changing the antivirus, like Sasha said, won’t solve this at all… Will the user have the support he/she can find here?
Could it be better? For sure… I just can’t complain about a free service, as plain as this…

We do detect all known variants of Thus, it’s one of the oldest macro viruses.

Not adding the sample spoken about is clearly just my mistake, I’ll try to do something with that this week.

The problem is that the particular sample we’re talking about has passed thru the Mac version of Office and although the Win Office has no problems in reading the (different again) format, most antiviruses do (AFAIK). So such a sample needs a completely different approach while creating the detection sample. I admit it’s not of your business, you just want avast! to catch it, I’m just explaining why it has missed it for such a long time.

kubecj, thank you!

Yes, this makes sense. My wife is a school teacher, Macs are used throughout her school, and this particular sample was from her school.

This brings up an important point which I had not considered before, which is that viruses which “pass thru” a Mac may not be detected by an AV, yet still pose a threat when opened on a Win machine.

Based on my limited research, most AVs do detect the virus in this sample. (In addition to my earlier post from Jotti’s, both NAV and TrendMicro [HotMail] detect the virus.)

As far as avast!'s scanning engine is concerned, is each such “pass thru” virus effectively a unique virus? Or can the engine be made to automatically recognize the “pass thru” version of each virus it already knows?

This question is particularly hard to answer, regarding the low availability of Macs here. (Better said - non-existence, I don’t know anybody who has a Mac or works with it, except for some DTP folks).

kubecj,

Thanks for the response! Your explanation makes a lot of sense.

John

I downloaded the latest prog & sig updates today, and now avast! detects the virus in my sample.

THANK YOU! THANK YOU! THANK YOU!

kubecj, now that you had a chance to look at this more closely, could you further explain how avast! handles macro viruses which pass thru a mac? In particular, was this a one-off solution for the W97M.Thus virus, or was a more general solution implemented? I’m wondering if I am protected with avast! from other “pass thru” viruses, as it seems likely (given my wife’s use of macs) to happen again.

Thanks again.

Kind Regards,

I admit this is a partial solution - but it should catch all Thus viruses passing thru the mac version of Office.

But since macroviruses are almost no problem today, and also the number of Mac samples was always much, much lower than Win samples, I’d consider it a minimum risk.