YM W32/VBTroj.CEUU not detected by avast

Using
Avast Pro 5
Program Version : 5.0.462
Virus definitions version: 100325-0

http://www.virustotal.com/analisis/e5adb1eb8873162fc6922be05e37fe9a80131f4d6eae4df29497a1f291a823fd-1269522035

Symptom:

Every time the infected PC turned on yahoo messengers, it will start sending message to all her ym friends
one of this message:

CAUTION THE LINK BELOW IS A VIRUS, DO NOT DOWNLOAD AND EXECUTE

Have you ever seen me drunk before? Someone snapped a pic last night at the party. hxxp://www2.hostingpics4free.com:88/uploads/zij248afd/DSV-PartyPicture028.JPG.zip

  • I just found this pic of you last night, and I think you might want to save it, looks amazing. srv034.imageshares.info:88/cache/user2940/DVS-Picture009.JPEG.zip
  • Would you care if I tagged you in this picture? Or would you get upset at me? srv057.imageshares.info:88/DisplayPics/user3052/DVT-NewPhoto009.JPG.zip
  • This picture is creepy and disturbing! You have to check it out. hxxp://srv034.imageshares.info:88/cache/user2940/DVS-Picture009.JPEG.zip
  • I was at the mail, and you will never guess who i saw! hxxp://srv057.imageshares.info:88/DisplayPics/user3052/DVT-NewPhoto009.JPG.zip
  • I found the perfect wallpaper. You’ll love it, what do you think? hxxp://viewmorepics.facebookgallery.info:88/ImageView&profileID=1390/DVS-MyPhoto14.JPEG.zip
  • Have you seen my new glasses? I just found out I had to get new ones. Do they look ok?? hxxp://viewmorepics.facebookgallery.info:88/ImageView&profileID=1390/DVS-MyPhoto14.JPEG.zip
  • Why do I even bother taking pictures when they turn out to be like this. Don’t show it to anyone please. hxxp://img284.dlimageshack.info:88/img284/43930/MVC-NewPhoto12.JPG.zip
  • I finished editing this picture last night for my facebook profile… How do you like it? hxxp://img425.dlimageshack.info:88/~ProfileView/user4729/DVS-NewPhoto13.JPG.zip
  • The pics from my new digital camera keep coming out strange. Can’t you tell it doesn’t look right in this one? hxxp://c2ac-b.myspace-pics.info:88/images03/4986051/DVT-Picture004.JPG.ZIP
  • If you decide to open this picture you have to promise not to show it to anyone. ok? hxxp://c2ac-b.myspace-pics.info:88/images03/4986051/DVT-Picture004.JPG.zip

CAUTION THE LINK ABOVE IS A VIRUS, DO NOT DOWNLOAD AND EXECUTE

Infected PC will do :

  • Attempting to connect / contacts to a remote server / IRC (Internet Relay Chat) with a variety of IP.
  • Attempting to connect to several websites and try to synchronize the time.
  • Attempting to connect to some websites Mail Exchanger (MX). Including Microsoft.com, Yahoo.com, Google.com and Mail.Ru (service provider free e-mail the largest in Russia)
  • Attempting to connect to some websites using a variety of ports.
  • Synchronize to remote server / IRC server and communicate.
  • Downloading a file virus and a list of messages to be sent via the chat application. One link can get up to 50 different messages sentences.
  • ends a message to all existing contact address at the chat application.
  • Trying to access the network and spreading the virus. In this case even try to get through IPC $.

Its been spreading through Yahoo messenger since january 2010, though it not confirmed yet that it can spread through Skype, GTalk (Google Talk), Windows Live Messenger and MRA (Mail.Ru Agent).

Please make the links unclickable by replacing http:// with hXXp://.

To begin with please follow the steps posted by Essexboy here

Though there is still some room for doubt on the detections on VT as some are heuristic detections and it is somewhat strange to get alerts on .txt files (the one in the VT link). Though a file name and its extension don’t have to be what is actually in the file.

Send the sample to avast as a possible Undetected Malware:
Open the chest and right click in the Chest and Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

All URL exept one seems dead. Have sendt Malware sample to avast… :wink: