Why doesn't Avast catch this?

Hello everyone.

My virus definition is up to date. I received an email with this subject

“Notify about using the e-mail account”

and this body (see below).

The email has an attachment with a zip file and inside the zip is an exe file. Of course I deleted it. But first I saved the zip file and scanned it manually. I am concerned that AVAST does not catch anything in it. It is clearly a virus. A little searching makes me think it is “W32.Beagle.J@mm” … see this link…

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html

So why doesn’t Avast catch it? Should I report this somewhere?

Thanks!

====================
"Dear user of “Lycos” mailing system,

Your e-mail account has been temporary disabled because of unauthorized access.

Pay attention on attached file.

For security purposes the attached file is password protected. Password is “83252”.

I had the same thing; here's what I got from Karel from Alwil:

The mail originated from one of the latest versions of the Beagle worm, the F version or later (Beagle-J in this case). Those versions are able to send password-protected (= encrypted) zip files. The password for virus decryption is in the mail text. Of course, no virus detection is possible in the encrypted files.
After decryption (= unzipping with the proper password supplied) the virus is in executable form and Avast can detect it and prevent infection of the computer, but Avast cannot spot the virus in the mail (because of encryption).


Regards,

Karel Divis
Virus analyst
Alwil software

Wow, that's what I call a quick response. That makes sense, actually. I tried to extract the file with WinZip to see, but the password in the email does not work! LOL. I will assume that Avast would have caught it then.

Thanks!

No problem, glad to have helped.

We use Avast as the Virus scanner in our mail server (Merak).

One of our customers sent us an email which turned out to be a W32.Beagle.J@mm virus email.

The thing is - the attachment had been removed - but by Norton AntiVirus on the customer's own PC.

So, it must be possible to scan inside password protected ZIP files! When will Avast be able to do this?

Maybe with CRC validation? Or by some pattern known only for this virus inside the ZIP archive. Someone notified me today that avast! caught a virus inside an encrypted ZIP archive…

The file inside the archive is different each time - it has random data appended. So, it's not possible to detect it either by CRC, or even by size.
avast! will include the detection of those password-protected ZIPs; it may cause some false alarms, however.

Hi Igor,

Kaspersky and AVPE claim to be able to detect those encrypted Zips?

Isn't it possible, at least for the avast mail scanner, to read the password from the mail text?

I guess brute force would significantly slow down the scanner even if the pwd is just 5 numbers ;D ;D :wink:

EDIT:

OK, I just saw here:
http://forum.avast.com/index.php?board=2;action=display;threadid=3076;start=15
that this will hopefully be solved soon

http://forum.avast.com/index.php?board=2;action=display;threadid=3076;start=msg22098#msg22098

Yes, claim ;D
According to what I have seen, Kaspersky simply detects password-protected ZIPs containing executable files (well, it’s a little more specific than that, but not much). If you create your own password-protected ZIP that matches the criteria, it will be detected as well. No content scanning occurs (yet).
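Igor's two points above (the per-copy random tail defeats CRC and size matching, and the Kaspersky-style approach works from archive metadata alone) can be seen in a few lines of code. The following is an added example, not code from Avast, Alwil or Kaspersky: it constructs small ZIP archives in memory with the "encrypted" flag set in their headers (the payload is a fake MZ stub, not a real worm, and is not actually encrypted, since only the header flag matters here), then reads the central directory the way a mail scanner could without knowing the password. The extension list and the `Notice.exe` name are assumptions for the example.

```python
import io
import struct
import zipfile
import zlib

# Extensions the heuristic treats as executable content (an assumption for this example).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_zip(entries, encrypted=False):
    """Build a minimal stored (uncompressed) ZIP archive in memory.

    entries is a list of (name, data) pairs. With encrypted=True the
    general-purpose flag bit 0 is set, which is how a real archive marks a
    member as password protected. The payload bytes are NOT actually
    encrypted here; the scanner below reads only header metadata, so the
    flag is all it needs. Constructed test data, not a real worm archive.
    """
    buf = io.BytesIO()
    central = []
    flags = 0x0001 if encrypted else 0x0000
    for name, data in entries:
        name_b = name.encode("cp437")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = buf.tell()
        # Local file header: sig, version needed, flags, method, mod time,
        # mod date, crc32, compressed size, uncompressed size, name len, extra len
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                              crc, len(data), len(data), len(name_b), 0))
        buf.write(name_b)
        buf.write(data)
        central.append((name_b, crc, len(data), offset))
    cd_start = buf.tell()
    for name_b, crc, size, offset in central:
        # Central directory header: same flags, plus the local header offset at the end
        buf.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                              0, 0, 0, crc, size, size, len(name_b),
                              0, 0, 0, 0, 0, offset))
        buf.write(name_b)
    cd_size = buf.tell() - cd_start
    # End of central directory record
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                          len(central), cd_size, cd_start, 0))
    return buf.getvalue()


def member_fingerprints(archive_bytes):
    """Map each member name to (crc32, size) as recorded in the central directory.
    These are what a CRC- or size-based signature would have to match."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {i.filename: (i.CRC, i.file_size) for i in zf.infolist()}


def flag_encrypted_executables(archive_bytes):
    """Names of members that are both password protected and carry an
    executable extension. Only the central directory is read, so no password
    is needed; unencrypted executables are left to the normal content scanner.
    A user's own password-protected zip of an .exe is flagged too, which is
    the false-alarm cost mentioned in the thread."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            if encrypted and info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                hits.append(info.filename)
    return hits


# Constructed samples: a fake PE stub (MZ magic plus filler) with a different
# junk tail in each archive, mimicking the per-copy variation the thread describes.
FAKE_PE = b"MZ" + b"\x90" * 60
SAMPLE_A = build_zip([("Notice.exe", FAKE_PE + b"\x17\x2a\x00\xf3")], encrypted=True)
SAMPLE_B = build_zip([("Notice.exe", FAKE_PE + b"\xbe\x01\x44\x9d\x5c\x5c")], encrypted=True)
BENIGN_ENCRYPTED = build_zip([("report.txt", b"quarterly numbers")], encrypted=True)
PLAIN_EXE = build_zip([("setup.exe", FAKE_PE)], encrypted=False)

if __name__ == "__main__":
    for label, sample in [("A", SAMPLE_A), ("B", SAMPLE_B)]:
        print(label, member_fingerprints(sample), flag_encrypted_executables(sample))
    print("benign", flag_encrypted_executables(BENIGN_ENCRYPTED))
    print("plain exe", flag_encrypted_executables(PLAIN_EXE))
```

Running it shows the two "Beagle-like" archives carry different CRCs and sizes for the same member name, so neither value works as a signature, while the metadata check flags both of them and leaves the encrypted text file and the unencrypted executable alone.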

Hey,

two Alwil experts at once

that’s lightning quick, although I guess you’re pretty busy at present with the worm war

:wink:

Grrr, guess I'll have to use 7-Zip's 256-bit AES encryption for virus transport now :-\ Or RAR with encrypted filenames :stuck_out_tongue:

Sure, and also start sending WinRAR together with the worm so that the lammas on the other end can open and run it… :stuck_out_tongue: