Strange alert from Avast

Discussion in 'other anti-virus software' started by aigle, Feb 28, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    One of my friends is getting this alert while using internet since few days( on dial up). I could not understand what is this. A full system scan by Avast did find nothing except for a trojan( Pirate) in a Temp folder.

    Any help? Thanks
     

    Attached Files:

  2. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Is he getting that message while surfing the web or when using his email client? I have personnaly only seen that message from Avast when sending or receiving an email containing an executable file attachment (even with a clean file). Apparently Avast considers any emails containing an executable to be suspiscious.
     
  3. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Avast's mail heuristics at work :)
     
  4. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    The strange thing is that it warns about the Subject, but on the screenshot, it seems there's no Subject at all. Or isn't the Subject line to long so that it wraps outside of the visible area?

    Anyway, if the alert only happened once, I wouldn't worry too much about it...

    This is taking place only if you manually set the sensitivity to high level. With default settings, it only warns about such phenomena as double extensions etc. (i.e. it lets "standard" files, even executable, go thru without any warnings).
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    He does not use outlook and has no e-mil account for outlook even( none provided by ISP). Only uses web based mail.

    The alert come only while on internet and it comes so often that he can,t do his work.

    Is there a bot on his PC sending messages? But is it possibel even if ur outlook not yest configured for use at all.
     
  6. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    I would have thought it was a bot... and I always thought it was possible for bots to send e-mails regardless of whether Outlook is installed or not.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Very interesting to catch such a bot.

    What i sholud run? I will try to run a few scabnners like SAS, AVG AS and use an outbound FW to see what comes out.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    UPdate:

    This message was no more appearing. Anyway I ran multiple scans on the PC.

    AVG AS( not updated)- clean
    SAS( fast scan)- clean
    CFP intergrated scanner- clean( I actually installed CFP to see if something suspicious tries for outbound but none- malware probabaly did not tried that)
    CSI- clean

    Antivir - It caught these malware:

    1- 6 copies of a trojan in Application data and Temp Internet Files( differnet copies)- TR/Delphi.Downloader.Gen
    2- a suspicious crack application.:thumb:

    I uploaded all to VT. Some copies of first one are detected by KAV, AVG( Generic9.AVIV) , MS n Dr.Web plus many others- seems surely a true detection by Antivir.

    Second one is probably unrelated to this issue. It,s a suspicious heuristic detection. I deleted all of them after saving copies of them.

    Scanned them with Dr.Web cure it, it caught all copies of TR/Delphi.Downloader.Gen as DLOADER.Trojan :thumb: I have uninstalled Avast and installed AVG on that machine. Let,s see how it goes. I do think AVG is getting better in detection than Avast, just my feeling since many months, can,t be sure though.
     
    Last edited: Mar 6, 2008
  9. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    185
    Location:
    Bangladesh
    Wow aigle you truly have patience . :thumb:
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It,s interesting to do this. My main problem with that PC was that it slow- low specifications nad 256 MB ram and has a slow inetnet( dial up).

    BTW, I am still not sure if it is clean. I can,t keep an outbound FW on it as the user will not know how to reply it. Also not enough resources so I just kept one AV. I would have isntalled Antivir but its updates are not good with dial up.
     
  11. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I did the exact same thing on my sister's 192MB RAM computer about 2 months ago. Avira was the only one to find anything that wasn't a FP. I assume they were FP's because I submitted them to VT and the scans were mostly clean except for the programs that alert to almost everything. I also submitted the files Avira found to CastleCops unknown files and one of them was a FP.

    It is interesting to do this, but it just drives home the point of blacklisting is far from perfect. I'm like you, I don't know if I got everything cleaned or not. I've since installed another 512MB of RAM, but I haven't scanned anything in two months. They have 3 kids and one is a newborn, too much noise for me to concentrate :ouch:.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried one of the files detected by Antivir as TR/Delphi.Downloader.Gen.
    It sure is malicious, it creates many executables and launches a hidden IE window.
     
  13. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    It would be smart to send all undetected files to avast! developers so they can add them to virus database.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I will send. Any link for that?
     
  15. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Also please note that having the files present in the Internet Temporary folder doesn't mean they ever got executed... this is where IE places all temp (cached) files it encounteres...
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    vlk! no point of this argument as malware made many of its copies and none was/ is detected by Avast. It will not be detected even if u execute it.

    Actually the file in Temp Internet Folder was a spoofed jpg file( an executable), which made many of its copies in Application data\ Real and Application data\ ICQ folders. It,s my analysis of this malware, I am not an expert and I may be wrong but sure it seems that malware was executed.

    One sample missed is no problem we all know .
     
  17. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    I'm in no way saying that it should not be detected by avast. It sure should.

    However, I'm just trying to calm you a bit, saying that the malware maybe hasn't really activated on that machine (if it's only found in the Temporary Internet Files folder).;)

    Vlk
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No, it sure is executed. I told u that spoofed jpg file was there and it made copies in application data and if I remember well even some start up enteries.

    I understand well, any AV can miss a sample. It was my Friend,s chance to get it. But I am a bit dissappointed as it,s second tiome. Before I installed Avast for one of my friends, according to him, they got some alert from Avast while online, I am not well aware, wat they answred but it was shrtly after that the PC became unbootable and they had to go for a format and reinstall. Though I am not sure but I still suspct it was a failure.

    Also every time I upload malware on jotti, VT- I see AVG catching more than Avast.
     
    Last edited: Mar 6, 2008
  19. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    494
    Run also MC Afee,NOD 32,KAV ,BitDefender online scanners.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Online scanners on dial up? Not possible.
     
  21. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I've used several online scanners with a dialup connection. Panda, Kaspersky, McAfee, Trend Micro. I've never had any problems. I don't have any of those fast connections like DSL, cable, satellite, Fiber optics, or T-1 lines at home.:(
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    PC is slow and we have to pay 0.75$ per hour.
     
  23. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    My idea of a strange alert:

    Your computer has been taken over by aliens. Prepare for transfer to the mother ship. Resistance is futile. You will be assimilated.
     
Loading...
Thread Status:
Not open for further replies.