Anti-Virus software - a salutary lesson

  squillary 06:51 07 Feb 07

Recently a friend of mine succumbed to a mass-mailing worm known as [email protected] (click here to see what it does). Symantec discovered it on Dec 29 2006 and released a solution the very next day.

It copies itself to your system folder, puts one of two trojans into your current directory with a random filename, copies itself into random folders under disguised filenames, modifies the registry to ensure it runs at every reboot, disables the Shared Access service, ends security-related processes for various antivirus and spyware software, downloads an encrypted configuration file, downloads and executes various other programs, gathers email addresses from your addressbook, scans txt and htm and numerous other documents for more email addresses, sends those email addresses back to base for re-use elsewhere, then sends infected messages out using its own SMTP engine and spoofed address.

Not pretty, is it.

Some anti-virus software won't allow their processes to be disabled easily, while others fail completely to protect themselves (click here and click here), so you may or may not get a warning about that. If you don't, then your AV is disabled against everything, not just this worm\trojan.

More worryingly, at click here a test was done using various AV packages to see which ones could detect this worm on 28-29th January - a full month after it was found in the wild.

Kaspersky - Email-Worm.Win32.Banwarum.l
AntiVir - TR/Crypt.ULPM.Gen
Authentium - Possibly a new variant of W32/CodeCru-based!Maximus
Avast - no virus found
AVG - no virus found
BitDefender - no virus found
CAT-QuickHeal - no virus found
ClamAV - Trojan.Downloader-747
DrWeb - Trojan.Packed.2
eSafe - suspicious Trojan/Worm
eTrust-InoculateIT - no virus found
eTrust-Vet - no virus found
Ewido - no virus found
Fortinet - W32/Agent.NAF!tr
F-Prot - W32/CodeCru-based!Maximus
Ikarus - Trojan-Downloader.Win32.Small.gen
McAfee - no virus found
Microsoft - Win32/Vxidl.gen!B
NOD32 - Win32/Nuwar.gen
Norman - no virus found
Panda - no virus found
Prevx1 - Trojan.ADIRSS
Sophos - Mal/HckPk-A
Sunbelt - no virus found
Symantec (Norton) - [email protected]
TheHacker - Trojan/Downloader.Generic
UNA - no virus found
VBA32 - no virus found
VirusBuster - Trojan.Tibs.Gen!Pac24

People make a big play of their AVs downloading updates on a daily basis, but it's clear from this that there must be a backlog that's not getting fixed at all.

Combine that list with the products that are defenceless against getting themselves deleted by Task Manager: Ad-Aware Pro, Avast! V4.7, AVG Free V7.1, BitDefender Pro, CounterSpy, SpyBot S&D V1.4, Spyware Doctor V3.6, Trojan Hunter V4.5, WebRoot SpySweeper V4.5 and Windows Defender V1.1.1051.

The result is you have AV software installed that can't detect the worm when it arrives, can't find it after it's installed and lets its process get deleted - and with no sign of a solution. In this situation you'll reasonably believe you have no problem while your machine is merrily sending out infected mail all day long and no doubt recommending it for being very effective because it hasn't found something that may be there.

The free ones can't have the resources to find and fix everything when so much is coming out, although the commercial ones (McAfee in this case) do deserve to be thought badly of. People need to be aware what it is you have in front of you and what it's doing.

If your AV software is among the ones that found nothing it may be prudent to select one from the list that passed or select a recommended one from click here. Obviously, don't be tempted to open attachments from unknown emails, but even then it won't help you if you torrent or fall foul of a drive-by web page or any other of the routes a virus\worm\trojan\whatever can get onto your machine. It's quite easy to be an innocent victim.
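As an added illustration, not from the post above, here is a defender-side check for the three behaviours the post lists: security processes killed, the Shared Access service stopped, and a new Run-key autostart entry pointing into the system folder. The process and file names are constructed; `SharedAccess` is the real Windows service name for the Shared Access (ICS/firewall) service, and the snapshot is supplied as data so the check runs anywhere.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical process/file names), not from the thread.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")

@dataclass
class Baseline:
    security_processes: set   # AV/anti-spyware process names expected alive
    required_services: set    # services the worm is known to stop
    known_run_entries: dict   # Run-key value name -> expected command line

@dataclass
class Snapshot:
    processes: set            # process names observed running
    services: dict            # service name -> observed state
    run_entries: dict         # Run-key value name -> observed command line

def audit(snap: Snapshot, base: Baseline) -> list:
    """Return (finding_type, detail) pairs for each deviation from baseline."""
    findings = []
    # 1. Security processes that should be running but are not (worm ends them).
    for proc in sorted(base.security_processes - snap.processes):
        findings.append(("process_missing", proc))
    # 2. Services the worm disables, e.g. SharedAccess.
    for svc in sorted(base.required_services):
        state = snap.services.get(svc, "absent")
        if state != "running":
            findings.append(("service_not_running", f"{svc}={state}"))
    # 3. Autostart entries absent from the baseline; one pointing into the
    #    system folder matches the persistence behaviour described above.
    for name, cmd in sorted(snap.run_entries.items()):
        if base.known_run_entries.get(name) == cmd:
            continue
        kind = ("autostart_in_system_dir"
                if cmd.strip('"').lower().startswith(SYSTEM_DIRS)
                else "autostart_unknown")
        findings.append((kind, f"{name}={cmd}"))
    return findings

# Constructed example: a clean baseline and a snapshot showing the tampering.
BASELINE = Baseline(
    security_processes={"avscan.exe", "avguard.exe"},
    required_services={"SharedAccess"},
    known_run_entries={"AVTray": r'"C:\Program Files\AV\avtray.exe"'},
)
TAMPERED = Snapshot(
    processes={"explorer.exe", "avguard.exe"},
    services={"SharedAccess": "stopped"},
    run_entries={"AVTray": r'"C:\Program Files\AV\avtray.exe"',
                 "svchost32": r"C:\WINDOWS\System32\xqzrb.exe"},
)
```

Running `audit(TAMPERED, BASELINE)` reports the missing scanner process, the stopped service and the unknown system-folder autostart; a snapshot matching the baseline returns an empty list.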

  Belatucadrus 11:19 07 Feb 07

"The free ones can't have the resources to find and fix everything when so much is coming out"

With the exception of Comodo, which is funded via other routes, all the main "Free" anti-virus products are free licence copies of commercial products, so the resource issue doesn't really exist.
The only exception to this is ClamWin, which is open source and strangely passed the av-comparatives test.
When it comes to testing I prefer independent tests such as that at VirusBulletin which keeps giving avast! & AVG 100% on its tests.

  GANDALF <|:-)> 11:22 07 Feb 07

You are turning into an anorak and worrying far too much. AVG free all the way and a triple Meh! from me.

G

  Totally-braindead 12:08 07 Feb 07

Some of the products you mention are not anti-virus programs, so it's hardly surprising they do not detect a virus. As to the others, I take your point.

  Allyginger 12:28 07 Feb 07

My AVG picked up the Flash and Greeting.postcard.exe and put them in the virus vault. I deleted them from there. So that info on the website is not correct. These were in an email attachment.

  squillary 13:44 07 Feb 07

Really. AVG call it "I-Worm/Luder". They now appear to have a removal tool (click here) - whether that was issued after 29th Jan I couldn't say.

However, on 11th Jan on their own forums AVG hadn't even heard of it - click here

In the meantime the advice for people who were infected click here and click here was to reformat their hard drives. Those HJT logs don't look fake to me - but maybe those guys are just making it up after all. As, presumably, was my friend who got infected. Funny that...

Claims that any of the programs rate 100% are about par for the course. None of the AV companies claims 100% success against 0-day threats. They know what they're being tested against by the likes of VirusBulletin and ensure they catch them all, which doesn't really tell anyone anything. The av-comparatives.org site shows the situation a little more clearly.

I perfectly well accept I'm cautious, but I've rarely come across such risible self-delusion as I have here. Make your own choice of course, but I'll continue to view the claims and recommendations [i]to others[/i] seeking help as almost offensive.

'Meh' doesn't cut it. It's as puerile as it sounds.

  Allyginger 16:00 07 Feb 07

My AVG found the greetings.postcard.exe virus on the 30 December 06. The Flash one was found on the 25 Jan 07 and then again on the 28 Jan 07. According to the log file. That was when the emails were downloaded by my client Thunderbird. Now I check first with Mailwasher then delete anything suspicious with that then download any other emails with Thunderbird.

  Totally-braindead 16:11 07 Feb 07

squillary I make my decision on AVG based purely on my experience and of those of my friends who also run AVG.
I have been running AVG for perhaps 3 years now with no problems whatsoever.
Before that I was on one of the paid-for anti-virus programs, Norton in my case. It was fully updated and would not delete a virus that got in. I was paying my subscription to Symantec and asked for help removing it. They said I was not entitled to help, as the subscription I paid was only for the virus definitions update and not for support.
I deleted Norton (that took a while) and installed AVG; it found and deleted the virus right away.
My friends use mainly AVG but a couple use AVAST. I never claim that a free anti-virus is as good as a paid-for one; that to me would be ridiculous. But none of them have ever had a virus problem that AVG did not sort.
A few of them did have paid-for anti-virus, various makes, and did have problems. They do not have the problems with the free anti-virus.
If you use a paid-for anti-virus and you have problems, you get rid of the paid-for one and have no problems. So if this was you, what would you do?
If I did feel it was necessary to go for a paid-for anti-virus then I would go for NOD32, as in my opinion it is the best anti-virus program out there. But why should I? I use a free one, it causes no problems, doesn't slow my computer down and protects me.
In my opinion it is you that is suffering from the delusions. I use a free anti-virus because it works for me and my friends; based on our experiences it is good enough to keep us safe when on the internet. You presumably feel that you are better off with your paid-for anti-virus, and if that's what you think then fair enough. But it is you that are ridiculing people all because they use a free anti-virus.

  GANDALF <|:-)> 16:13 07 Feb 07

My comments still stand. I run a mailout list of over 95 AVG users. This list has been going for over 2 years (I have been using AVG for over 3 years..... prob. 4) and not one person has contracted a virus. I read all the virus tests that are carried out in 'laboratories' and as far as I'm concerned they do not portray real life.

The question of 'which AV' is trotted out at regular intervals and there are the usual stats also trotted out, but rarely is there a real-life comparison. One AV can rate 100% with one test lab and the same can then rate 80% with another, which should make any intelligent person think carefully.

In the last 2 years every infection that I have had to deal with on people's computers has been as a result of their lack of knowledge, and I cannot remember when I last saw a virus. If you give permission to certain Trojans or programmes, no amount of AV or firewall will stop them, as was and still is the case in Spyaxe etc.

Myself, I use AVG free, Spyware Terminator and have not used a firewall for 4 years. I get no problems at all and believe me I do check. Instead I use a little common sense, lay off voting for Pr0n sites and do not accept 'free' offers of registry cleaners.

This is all that anyone needs to do. Any old free AV, Spyware Terminator or AVG Antispy, and any old firewall if they think they need one. There is absolutely no need to start panicking or stat crunching about 'tests' carried out in labs that vary from lab to lab. Common sense is rarely referred to, which is a pity as it is probably the most important thing now.

Hope this fuller answer satisfies you but it is still an upgraded quadruple Meh! from me.

G

  Allyginger 16:38 07 Feb 07

I use AVG anti-virus 7.5 and also AVG's anti-spyware 7.5. I also run Spybot S & D, Ad-Aware SE and Spyblaster and finally Microsoft's Malware program. I usually run these weekly. That's in addition to using Mailwasher. I have had no trouble using these products. As for test sites, well, I do go to Virus Bulletin on occasions. But of course tests done on various sites give different results. You take your pick. I did use Norton for a while. Had no trouble with it but it used up a lot of PC resources. So I switched to AVG.

  squillary 02:02 12 Feb 07

Allyginger: My AVG found the greetings.postcard.exe virus on the 30 December 06.

Impressive. Especially considering Grisoft hadn't heard of it a dozen days later. I suggest you write to congratulate them. Or maybe realise there are several variants to this one and the name of the attachment doesn't define which one got caught. Bad luck - try again.

Totally-braindead: I have been running AVG for perhaps 3 years now with no problems whatsoever.

Hang on. If something had been downloaded and been let through, then hid itself, how would you know? Because the very thing that didn't stop said it couldn't find it? Genius! I assume you're using online scanners of product that's been proven better (most other product tbh). That's really the only way to stand a chance of telling. And that applies to the user of any product, free or paid-for.

> So if this was you what would you do?

Good question. I'd try to understand what happened. I certainly wouldn't change to a product that's been evaluated to be worse by almost every measure. My opinion would be worthless when set against a more objective and informed evaluation.

So let's be clear - I don't feel compelled to pay for an AV when a better or equivalent free (or even cheaper) one is available. That would be nonsensical. I go for the best package I reasonably can. I certainly don't pretend that saving the odd few quid would compensate for losing files or even being offline for a while. If free ones were better I'd switch tomorrow - I could do with the cash - but they're all objectively and demonstrably worse by almost an order of magnitude. It's that clear.

GANDALF <|:-)>: Common sense is rarely referred to which is a pity as it is probably the most important thing now.

I don't recall many posts when I don't mention common sense, but I agree with your point as a generalisation. But then people would have to be as nerdy as you or I and I don't think that's reasonable either. The worst issue I personally have is getting an email-arrival notice from Outlook while I'm typing which opens an email I wouldn't dream of opening normally (must switch that off - done). Accidents like that happen. Then what? Say it's their own fault and walk away?

Why do you read virus lab reports anyway? What good would they do? It's probably not worth linking to that site that evaluated AVs again, which discarded the unrealistic Virus Bulletin reports for live downloads from Kazaa finding 394 infected files in 1023 downloads. Not real-world enough? What do you want?

What it does tell me is that the claim of not seeing a virus for years depends very much on knowing what you're doing and what you're going to face before you even go anywhere on the internet. Personally, I don't consider myself a good enough fortune-teller to do that. Insurance policies are for the unexpected, not the expected. I thought that was obvious.
