Warning for Trojan: Win32/Meredrop/Trojan-Dropper, no detection by Avast

I just received an email containing this trojan, which Avast does not alert on. Fortunately, I was using a system with Comodo AV at the time, which did alert for Heuristics:Suspicious. Other onboard scanners a-squared and ClamWin confirmed a positive detection.

24/42 http://www.virustotal.com/analisis/83dcd619a1f8f103a4b2234dc90329c947b80225ee7ce411c00da1f2695e0ab6-1279204609

Sample sent to Avast for inclusion.

How are you managing to use avast and CAV at the same time?
It does seem infected. Strange that it was missed…

Hello Tech.

I am not, I have Avast 5 free on 4 systems, and CAV (CIS 3.14.x) on 2 systems (one, a network commercial server). I added CAV to the second system when Avast shields stopped running for the third time, and couldn’t be revived without a fresh Avast install. I determined Avast does not alert on the trojan from the VirusTotal and onlinescan.avast.com results I received.

According to Prevx, this (ORIGINAL_LETTER.EXE) is a new malware first seen by them on July 14, 2010.

The current VT result is 34/42, including Avast.

Thank you, Avast!

Did you try to troubleshoot that?
Did you ask for help in other thread?

Yes, to both. :(


I’m a new avast user and a new forum member.
I scanned a downloaded file before opening it with my new avast and it told me it was CLEAN… but as a new user I also checked it with Emsisoft AntiMalware and surprise!!
I made some other tests and every time avast fails to detect Meredrop, unlike Emsisoft!
I’m sending the image of the situation!

Thank you

Lentisco_01

I'm a new avast user and a new forum member. I scanned a downloaded file before opening it with my new avast and it told me it was CLEAN... but as a new user I also checked it with Emsisoft AntiMalware and surprise!!

This Emsisoft thing is known to have false positives. Upload the file to virustotal.com to make sure it's not an FP rather than a misdetection by avast.

Hi Altarir,

Trojan-Downloader:W32/Bredolab is a family of trojan-downloaders that are known to download and install rogue antivirus programs - also known as rogueware - onto the infected computer.

The installed rogueware generates misleading or downright false alerts, notification messages and/or scanning reports to pressure the user into “purchasing” or “activating” the rogueware in order to disinfect or remove the supposed threats. Even if the user does so however, the program may not function as intended.

Activity

During installation, Bredolab variants create the following registry entry so that the trojan-downloader runs every time Windows starts:

• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "RunGrpConv" = "1"

It also creates the following mutex so that only one instance of the downloader will be running on the system:

SYSTEM_4D2EF3A

Currently, all the variants analyzed were found to download files from Russian websites such as those listed below:

http://mud[…].ru
http://davidbred[…].ru

The files downloaded from those websites are encrypted and will be decrypted by the trojan-downloader before being executed on the infected machine.

Residing on the web here: http://support.clean-mx.de/clean-mx/md5.php?Sunbelt=Trojan.Win32.Bredolab.mt+(v)
avast should detect this as Win32-malware.gen, also re: http://www.securityweek.com/fake-av-fake-support

polonus
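As an added illustration (not part of polonus's post or of F-Secure's write-up), the two host-side indicators quoted above, the Winlogon "RunGrpConv" = "1" value and the SYSTEM_4D2EF3A mutex, can be checked offline against a registry export and a handle listing. The script below is example code written for this thread; the .reg text and the mutex names in it are constructed sample data, and the minimal .reg parser only handles plain "name"="data" string values, which is all this check needs.

```python
"""Offline check for the Bredolab persistence indicators quoted in the post above.

Added example for this thread, not the forum's or F-Secure's own tooling.
SAMPLE_REG_EXPORT and SAMPLE_MUTEXES are constructed sample data."""
import re
from typing import Dict, List

# Indicators as quoted in the post (F-Secure's Bredolab description).
BREDOLAB_WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
BREDOLAB_VALUE_NAME = "RunGrpConv"
BREDOLAB_VALUE_DATA = "1"
BREDOLAB_MUTEX = "SYSTEM_4D2EF3A"

# Constructed .reg-style export, in the format `reg export` writes on a Windows host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"RunGrpConv"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\demo\\AppData\\Local\\updater.exe"
"""

# Constructed mutex names, as a handle-enumeration tool might list them.
SAMPLE_MUTEXES = [
    r"\Sessions\1\BaseNamedObjects\SYSTEM_4D2EF3A",
    r"\BaseNamedObjects\ShimCacheMutex",
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key_path_lowercased: {value_name: data}}.

    Only REG_SZ values written as "name"="data" are handled; binary/DWORD
    lines are ignored, which is sufficient for the Winlogon check here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_bredolab_indicators(reg_text: str, mutex_names: List[str]) -> List[str]:
    """Return a human-readable finding for each indicator present in the inputs."""
    findings: List[str] = []
    values = parse_reg_export(reg_text).get(BREDOLAB_WINLOGON_KEY.lower(), {})
    # Value names are case-insensitive as well, so compare lower-cased.
    for name, data in values.items():
        if name.lower() == BREDOLAB_VALUE_NAME.lower() and data == BREDOLAB_VALUE_DATA:
            findings.append(f'registry: {BREDOLAB_WINLOGON_KEY} "{name}"="{data}"')
    for mutex in mutex_names:
        # Compare only the object name, ignoring the session/namespace prefix.
        if mutex.rsplit("\\", 1)[-1] == BREDOLAB_MUTEX:
            findings.append(f"mutex: {mutex}")
    return findings


if __name__ == "__main__":
    for finding in find_bredolab_indicators(SAMPLE_REG_EXPORT, SAMPLE_MUTEXES):
        print("[!]", finding)
```

On a real host you would feed it the output of `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and a mutex listing from a handle-enumeration tool; a hit on either indicator is a reason to submit the sample, as the original poster did, rather than proof of infection on its own.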