Wilders Security Forums  

  #1  
Old December 23rd, 2008, 07:11 AM
Biscuit Biscuit is offline
Frequent Poster
 
Join Date: May 2006
Location: Isle of Man
Posts: 976
Default FP with Access accounting

aumonitor.exe

FP as Win32/AutoRunAgent.ET worm

This is a component of Access accounting software which checks online for updates.

FWIW I have the process disabled by Winpatrol.
__________________
Windows 7 32bit Ultimate SP1 | MS ISA 2004 Firewall | Malwarebytes | Firefox with NoScript | Acronis True Image
  #2  
Old December 23rd, 2008, 01:51 PM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,997
Default Re: FP with Access accounting

Zip the file up with the password "infected" and send it to samples("at")eset.com with the subject "False Positive"
  #3  
Old December 23rd, 2008, 07:26 PM
agoretsky agoretsky is offline
Eset Moderator
 
Join Date: Apr 2006
Location: California
Posts: 3,897
Default Re: FP with Access accounting

Hello,

Which version of the virus signature database detects the Win32/AutoRunAgent.ET worm in the AUMONITOR.EXE file?

Is that part of a software package from Access Accounting Ltd. in the UK or another company? If the former, can you provide more information, such as the product and version the file is from? That will be helpful if the developer needs to be contacted in case more information is needed to resolve the issue.

Regards,

Aryeh Goretsky
__________________
Resources: ESET · blog · documentation · FAQs · knowledge base · news · RSS · signature updates · support · Threat Center · @ESETNA (Twitter) · YouTube: ESETKnowledgebase · VirusRadar
Fun Stuff: Facebook (global) · Facebook (US) · @ESET (Twitter) · YouTube: esetusa
  #4  
Old December 25th, 2008, 10:14 AM
Biscuit Biscuit is offline
Frequent Poster
 
Join Date: May 2006
Location: Isle of Man
Posts: 976
Default Re: FP with Access accounting

Thanks for your reply.

It is an auto-update function of the Payroll module of accounting software by Access Accounting as in your link.

On the 24th Dec Nod32 also detected AccessUpdate.exe as the same worm.

Time: 23/12/2008 19:46:57 pm
Module: AMON
Object: file
Name: C:\Program Files\Access Applications\Payroll\Access Update\AccessUpdate.exe
Threat: Win32/AutoRun.Agent.ET worm
Action:
User: domain\user
Information: Event occurred at an attempt to access the file by the application: C:\Windows\Explorer.EXE.

As this is a Payroll component for business in the UK, it is essential that their payroll software remains up to date. I suggest that Eset request that Access Accounting contact all their users urgently to ensure that their payroll software is updating correctly. Failure to run a payroll correctly in the UK can cost a company thousands of pounds in fines.

Nod32 has actually deleted my 2 access payroll files despite my attempts to stop it. Regular users I'm sure will certainly find their important files deleted.
  #5  
Old December 25th, 2008, 10:16 AM
Biscuit Biscuit is offline
Frequent Poster
 
Join Date: May 2006
Location: Isle of Man
Posts: 976
Default Re: FP with Access accounting

Quote:
Originally Posted by funkydude
Zip the file up with the password "infected" and send it to samples("at")eset.com with the subject "False Positive"

I'm not sure I can get these files out of my system at the moment. I would need to shut down security on my desktop & server - which doesn't really appeal.
  #6  
Old December 25th, 2008, 05:07 PM
funkydude funkydude is offline
Massive Poster
 
Join Date: Apr 2004
Posts: 5,997
Default Re: FP with Access accounting

Quote:
Originally Posted by Biscuit
I'm not sure I can get these files out of my system at the moment. I would need to shut down security on my desktop & server - which doesn't really appeal.

Simply right click the eye in the taskbar > disable antivirus and antispyware protection. Restore the files from quarantine, email them, enable anti virus.
  #7  
Old December 26th, 2008, 02:00 AM
ASpace
 
Posts: n/a
Default Re: FP with Access accounting

Quote:
Originally Posted by funkydude
Simply right click the eye in the taskbar > disable antivirus and antispyware protection

According to his signature, he still uses v2.
  #8  
Old December 26th, 2008, 02:01 AM
ASpace
 
Posts: n/a
Default Re: FP with Access accounting

Quote:
Originally Posted by Biscuit
I'm not sure I can get these files out of my system at the moment. I would need to shut down security on my desktop & server - which doesn't really appeal.

Nothing bad will happen if you do nothing but simply disable AMON, restore files from Quarantine and right click them to RAR/ZIP them with a password. It takes just 10 seconds.

You then re-enable your protection and email the password-protected archive.
  #9  
Old December 26th, 2008, 09:21 AM
Biscuit Biscuit is offline
Frequent Poster
 
Join Date: May 2006
Location: Isle of Man
Posts: 976
Default Re: FP with Access accounting

I'm using v2, as would most business server users (especially SBS). i.e. users likely to be running Access Accounting software.

As well as shutting down EMON & AMON in my local Nod32, I would also have to shut down Nod32 on my server as it would no doubt strip the FP as it goes out of Exchange. As I mentioned - that doesn't appeal, it just needs a quick call from Eset to Access to sort this out.

I no longer run Access Payroll on my system - although the software is there in case I need to refer to any old data. I'm simply trying to give Eset a heads-up.
  #10  
Old December 26th, 2008, 09:27 AM
Biscuit Biscuit is offline
Frequent Poster
 
Join Date: May 2006
Location: Isle of Man
Posts: 976
Default Re: FP with Access accounting

Quote:
Originally Posted by agoretsky
Hello,

Which version of the virus signature database detects the Win32/AutoRunAgent.ET worm in the AUMONITOR.EXE file?

Sorry, I forgot to answer that. According to my logs, the database version was v3713 for the first FP. The second FP was being detected constantly since 23-Dec.
  #11  
Old December 26th, 2008, 02:19 PM
ASpace
 
Posts: n/a
Default Re: FP with Access accounting

Quote:
Originally Posted by Biscuit
As well as shutting down EMON & AMON in my local Nod32, I would also have to shut down Nod32 on my server as it would no doubt strip the FP as it goes out of Exchange.

When there is a need, there is a way!

You don't have a web-based email? Or you can't create an account in 30 seconds? Or your Exchange will strip an encrypted password protected archive? Or you also can't upload the password-protected archive to a web service like rapidshare and send ESET just the link to the files?

As I said, when there is a need, there is a way. It seems there is no need here because if you really wanted it, you would have done something. And definitely there are many things which can be done. If I were you I wouldn't rely on someone else to do what I can do. But it's your own choice. A choice that I can't understand.

Enjoy the holidays!

Last edited by ASpace : December 27th, 2008 at 12:58 AM.
  #12  
Old December 27th, 2008, 06:15 AM
Biscuit Biscuit is offline
Frequent Poster
 
Join Date: May 2006
Location: Isle of Man
Posts: 976
Default Re: FP with Access accounting

I was simply trying to give Eset a heads-up so that they don't get sued. I don't use Access software any more & have no requirement for the auto update software. All Eset need to do is to call Access - it takes 10 secs to pick up the phone.
  #13  
Old December 29th, 2008, 08:12 PM
agoretsky agoretsky is offline
Eset Moderator
 
Join Date: Apr 2006
Location: California
Posts: 3,897
Default Re: FP with Access accounting

Hello,

Please send a copy of the AUMONITOR.EXE in a .ZIP or .RAR file protected with a password of "infected" to samples@eset.sk. Be sure to include the words "FALSE POSITIVE" in the Subject: field and include a link to this message thread.

Regards,

Aryeh Goretsky
 
