Yodi Worm undetected by Avast

I just received one of those ecard emails. I foolishly checked it out, however, because I use FireFox and not IE, the automatic payload did not work. I did, however, download the ecard.exe file and then proceeded to scan it with free Avast home. Alas, Avast did not detect any problems, but me, still being very skeptical, did a search on the web for this file and found out it contains the payload for the Yodi Worm. So, I’ve trashed it and never activated. Is Avast really this undependable? I’ve been using it for years and now wondering if I should switch to something else.

Please, update your virus database and check again.
Today there was an update of virus in ecards emails…

http://forum.avast.com/index.php?topic=29123

Well, I just did a manual update per your suggestion and it told me the files were up-to-date. Compilation date is 6/29/2007, File version is 000752-5. Thanks for the suggestion. This version did not detect the worm.

Can you send the samples to virus@avast.com ?
You can zip and password-protect the files… Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

I’m afraid I did not keep the file. I looked on the avast site to see where to send something like that but couldn’t find an email address to send to. So, I ended up here asking.

Yeah, so I got it sent to me again. Avast still did not recognize a virus or worm. So, I sent it to virus@avast.com per the instructions on the website. They rejected it because it was an executable file. Give me a break!

I can’t believe they would reject it, your email program probably did (OE doesn’t accept certain file types because they might be a virus, etc.).

If you sent it as per the instructions in this topic you will have seen that you should zip and password protect the sample file, so it shouldn’t have been an exe file attachment.

Just out of interest … did you receive this email on a regular POP account (port 110)?

If you received this email on a secure connection using SSL then avast cannot scan it because it is secured.

If you received this on a Webmail account using third party software (like YPops, Hotmail Popper, FreePops, MrPostman or the Thunderbird Webmail extensions) then it will not, by default, be scanned by avast - but can be.

I don’t use OE, I use Eudora.

I’m not sure how to convert to a zip file. I don’t have any “zip” writing software available that I know of.

Patty

I received the email on a regular pop account, not SSL. However, the email directs you to a website which, for me, doesn’t run the payload because I use FireFox as opposed to IE with activeX activated (I am assuming you need this to get the payload). So, the website gives you the option to download the file called ecard.exe. So, after downloading the file and then scanning with Avast, Avast finds nothing wrong with the file. When I googled “ecard.exe” I found that the file contains a worm and is bad news. I can paste the text from the email here, if you like.

Snap in the other direction, I don’t use Eudora so I’m not familiar with its settings; I only use OE as an example of one email program that does check attachment file types.

7zip is a free zipping/archiving application, http://www.7-zip.org/.

However, you can add the file to the User Files (File, Add) section of the avast chest, where it can do no harm, and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

Thanks, I will try your suggestion to add the file to the Avast Chest. However, if it takes Avast this long to find threats out there and it depends on users such as myself to report them, I’m still concerned about Avast. I’ve gotten this same email 4 times now, so I know it’s out there and how many unwitting folks not as savvy as I am will just trust Avast and run the program to the detriment of their systems?

The email, as you clearly said, isn’t infected and that is what avast is scanning for, so you will continue to get these emails and others like them based on social engineering trying to get people to visit sites for some reason or other. That visit may well download a payload which may or may not be detected; a lot depends on what that payload is and if it is a new variant, etc.

So prevention is an important part of protection, never open attachments or click links in unsolicited emails. Even when they appear to come from friends as it is too easy to forge the from address. So confirm its origin with the sender if it is out of the ordinary for that friend to send emails of this nature.

I use an anti-spam application, MailWasher Pro (there are free options) and that not only detects spam but many of the phishing attempts and some suspect emails are also flagged as coming from suspect origins. These are flagged for deletion and you the user can also flag anything you consider suspect or spam that hasn’t been detected. Once I click process mail all those mails are deleted from the email server (they never get to your inbox) and then the email program is called and you download the remainder of the emails.

Whilst I appreciate your concerns, no one application is going to provide 100% protection.

True the file is not in the email. However, when I download the file and THEN scan with Avast, I would expect Avast to pick up the virus, no differently than if I got a virus file on a CD or floppy disk, no?

Scan the file at http://www.virustotal.com/en/indexf.html to be sure.

Where the file is (CD, floppy, attached in an email…) is not relevant, but the way you scan the file (deeper or not) is.