Why can't Avast detect this virus? (paint.exe)

Hi!

I have a problem with this virus [Russian-language page]:
http://www.virustotal.com/ru/analisis/5209e0a7a7cc4fae87f411825192c4f74b509cdea2d61599b9b6c6b6a42fdb08-1271785885

I sent this file, named “Paint.exe”, two times (a month ago and one or two weeks ago), but Avast still does not detect this virus.

P.S. It is strange that the Avast heuristic doesn’t detect this file.

Sorry for my bad English.

Thx.

How did you send it to avast?

If by email to virus (at) avast (dot) com, was the sample zipped and password protected, with “Undetected Malware” in the email subject?

I have tried to draw attention to this topic.

Hi .NeXus,

It is cloaked malware and it is described here:
http://www.prevx.com/filenames/2126489705135194034-X1/PAINT.EXE.html
and related: http://www.prevx.com/filenames/X1209231862433248165-X1/IMAGES+.EXE.html
A hack like the Garena maphack cheat is the one leading to the paint.exe virus infection.
Number of reports: 41
Number of positive reports: 1
Positive report percentage: 3%
Entry time: 2009-10-07
File name: Paint.exe
File size: 92 KB (94209 bytes)
Md5: 176288f6f22a80c76329853f8535d45b
Loading point information
Execution type: REGISTRY
Registry section: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Entry: mspaint
Look for these in the start-up list: paint.exe / shnlog.exe should not be running there.

Brief description of process
paint.exe is a process associated with the malicious software Backdoor.Win32.Agent.ah. Backdoor.Win32.Agent.ah is a Trojan for the Windows platform. Troj/Agent-GG includes functionality to access the internet and communicate with a remote server via HTTP. Use antivirus software to protect your computer against virus attacks.
What to do with this process?
System process “paint.exe” is reported as a Virus and Trojan!
Your personal data stored in computer are in danger!
Kill or disable the process “paint.exe” and try to remove it from your computer.
After successful removal, try to scan your computer with an updated antivirus and antispyware application,
like MBAM and SAS.

polonus
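The Prevx listing quoted above gives the loading point (the “mspaint” value under HKLM\...\CurrentVersion\Run), the file names to look for (paint.exe / shnlog.exe) and the sample's MD5. The following PowerShell script is an added example, not code from the thread or from Prevx or Avast: it walks the usual Run/RunOnce keys, resolves each value to an image path, hashes the file and reports entries matching those indicators. The hash, the value name and the two file names come from the listing above; the set of registry keys checked and the rule that a paint.exe outside %SystemRoot% is suspect are my own assumptions (Windows' real Paint is %SystemRoot%\System32\mspaint.exe, not paint.exe). Run it from an elevated prompt so the HKLM keys are readable.

```powershell
# Added example (not from the thread): audit Run/RunOnce keys for the
# paint.exe loading point described in the Prevx entry quoted above.
# Indicators taken from the listing: value name "mspaint", file names
# paint.exe / shnlog.exe, MD5 176288f6f22a80c76329853f8535d45b.
# The key list and the "outside %SystemRoot%" rule are my assumptions.

$KnownBadMd5  = '176288F6F22A80C76329853F8535D45B'
$SuspectNames = @('paint.exe', 'shnlog.exe')
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePathFromCommand {
    param([string]$Command)
    # A Run value is a command line: either "C:\dir\x.exe" /args or C:\dir\x.exe /args.
    if ($Command -match '^\s*"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    if ($Command -match '^\s*(\S+)')     { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return $null
}

function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties PowerShell adds to the object.
            if ($p.Name -like 'PS*') { continue }
            $image = Get-ImagePathFromCommand -Command ([string]$p.Value)
            if (-not $image) { continue }
            $leaf = Split-Path -Leaf $image
            $md5  = $null
            if (Test-Path -LiteralPath $image) {
                $md5 = (Get-FileHash -LiteralPath $image -Algorithm MD5).Hash
            }

            $reasons = @()
            if ($SuspectNames -contains $leaf) { $reasons += "file name $leaf is on the Prevx list" }
            if ($p.Name -eq 'mspaint')         { $reasons += 'value name "mspaint" matches the Prevx loading point' }
            if ($md5 -eq $KnownBadMd5)         { $reasons += 'MD5 matches the sample from this thread' }
            if ($leaf -ieq 'paint.exe' -and $image -notlike "$env:SystemRoot\*") {
                $reasons += 'paint.exe outside %SystemRoot% (real Paint is System32\mspaint.exe)'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Image   = $image
                    MD5     = $md5
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: list every matching entry; an empty result means none of the
# indicators above were found in the checked keys.
Get-SuspiciousRunEntries | Format-List
```

The script only reports; it does not delete the value or the file, so the entry can be submitted to Avast (zipped and password protected, as DavidR describes above) before it is removed. A file that hashes to something else but still sits in a Run key under the name paint.exe is still reported, because the name and the value name are indicators on their own.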

Just wondering if this is different from the Windows program paint.exe? I imagine it is. If it is, will the program paint.exe be removed when the virus is removed?

Hello,
thank you for the notice; detection will be added. This sample runs the original mspaint, but additionally it puts itself into the registry key “Run” and waits for something.

Milos

Runs and waits for something, huh… sounds dangerous^^

Good thing it's added to the database^^

-AnimeLover^^

The second question: why does the heuristic not detect this virus? Other anti-virus software can detect the virus by using heuristics, and Avast failed this test.

Hi .NeXus,

Yes, that is strange because GData reports it as Trojan.Generic.3191429.
GData also uses avast heuristics and finds it. Avast as such missed it.
I have no explanation for this behavior of the avast scanner.
Did you send it to avast to add to their detection?

polonus

GData is finding it, but that signature name is from the Bitdefender scanner element of GData.

Heuristics are a somewhat strange beast to define, and much more so when you also have to consider their sensitivity: too high and you get FPs, too low and you miss some; the balance is the problem.

Also, given what Milos said, perhaps this could be sitting dormant until someone actually uses paint.exe, so it may not be scanned by the Code Emulation in the Heuristics part of the File System Shield.

I don’t know if code emulation is set in the Heuristics of the on-demand scans; it seems this is only in the Custom Scan options: Sensitivity, Heuristics, “Use code emulation”.

Hi DavidR,

Heuristics and behavioral scanning are becoming more and more vital, especially in the light of the arising new threat of so-called “one-liners” or “singletons”.

polonus

Yes they may well be becoming more important, but setting the right balance is also essential.

I have the heuristic on the max level: I want maximum detection rates at the cost of FPs. But I can’t say which viruses Avast can detect with the heuristic.

If you found a virus detected by the Avast heuristic only, please tell us about that.