Avast Doesn't Block XP Defender malware (ave.exe)
in [Anti-Virus]
|
From: David Kaye on 4 Apr 2010 01:23 "Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid> wrote: >Ah. It seems I've posted "nearly an hour before you." How do you explain >that everyone else sees your clock an hour in the future? > >Currently 11:57pm Eastern Daylight Time I'm not sure. There is no setting on the user account at ES to adjust the time. My computer's clock is set to Pacific (US & Canada) with allowance made for DST. It adjusted correctly at the beginning of daylight time. Lemme see. I have a program that calls an API routine for system time. Let's see if it shows GMT correctly... Okay, the routine calls the GetTimeZoneInformation and GetSystemTime functions from the kernel32 library. The routines return an offset from GMT as 7 hours, which is correct. Normally it would be 8 hours, but we're on DST here in North America. Since Bush signed into law the advanced daylight time law several years ago, starting DST 3 weeks ahead of the way it used to be (and ending it 1 week later) it just might be that Eternal September is assuming that we're not on DST here yet. This would account for their server thinking GMT (UTC) is 8 hours ahead.
From: David Kaye on 4 Apr 2010 01:28 "Heather" <fergie(a)canada.invalid> wrote: >OK Shaggy......I will add to this cuz I have an obsession re correct time. >He has his Time Zone set wrongly.......right? As it is now Daylight SAVING >Time (which he may not have checked off), it is only 4 hours different to >GMT........not 5. My time zone and my DST offset are NOT set wrong. I'm also a time geek and I'm aware that the U.S. now advances DST time 3 weeks ahead of when it used to start. To quote Wikipedia: "....Starting in 2007, most of the United States and Canada observe DST from the second Sunday in March to the first Sunday in November, almost two-thirds of the year.[30] The 2007 U.S. change was part of the Energy Policy Act of 2005; previously, from 1987 through 2006, the start and end dates were the first Sunday in April and the last Sunday in October, and Congress retains the right to go back to the previous dates now that an energy-consumption study has been done.[31] ...." In fact, not only am I a time geek, but I've changed the registry entry to sync my computer's clock with NIST every 6 hours instead of the default once a week.
From: David Kaye on 4 Apr 2010 01:31 "FromTheRafters" <erratic(a)nomail.afraid.org> wrote: >It is possible for a trojan to drop a file named ave.exe that is for all >practical purposes unique to that system. The filename means nothing. >The thing that should be detected is the dropper itself - if you don't >install it, you don't have to identify and remove it. This may be the case given that the name displayed apparently adjusts itself to the system in use. Thus for XP it's called something like "XP Defender" and for Vista it's called "Vista Defender", etc. Also, whether it's called Defender or any number of other names also seems to change. Regardless, I should think that Avast's heuristics should have picked up some of the telltale signs of the infection even if it didn't have the exact definition in place. I'm thiking of going back to ZoneAlarm since Windows firewall was so easy to disable.
From: David Kaye on 4 Apr 2010 01:46 "Ant" <not(a)home.today> wrote: > >That's not very secure. Regardless, I set up this computer to behave as much like my customers' computers behave. In this way I can spot issues quickly. And it's been years since this particular machine has had any kind of infection at all. >Once malware gets in it often changes date stamps to match one of the >system files. Seldom, though. One of the easiest ways I've found to find the process causing an infection is to use a tool like PrcView to look within processes such as svchost, explorer, winlogon, etc and see the date stamps on the DLLs called. Makes it super-simple to spot them. >Since you appear to do this for a living you ought to know about >securing your machine. See my comments above. > >So did you kill it from task manager? Actually, no. Because I immediately knew what it was, I shut down the computer, booted from BART PE and manually copied back snapshots of the registry. >You can't rely on AV apps to protect a machine - they are a last ditch >resort. None of them can detect everything because malware is re- >packaged every day to avoid detection. The AV vendors are always >trying to catch up. This is where heuristic scanning comes in and why MBam can catch nearly everything. I had the impression, reading from Avast's documentation and various postings from people that Avast also had similar heuristic scanning. Apparently not. >You didn't say which browser was involved. Is it up-to-date? What >plugins and other applicatiuons are used as helpers to view embedded >content and are they sercurely configured and up-to-date? Think about >Java (not javascript), PDF and Flash viewers, ActiveX components and >other media players. Do you allow them to run automatically? Again, this particular computer is set up to imitate real world scenarios as are present in my customers' computers. Prior to the infection I had visited several websites from Google links. I did not click on anything within those web pages. I don't recall if there was a pdf among the stuff I looked at or not. My machine is set up top warn about ActiveX, but not Java, Flash, or pdfs. However, downloading of exe and dll files should be triggering *something* to warn me. As someone suggested, perhaps something else is being renamed as an exe. I did notice one thing that may be a clue. I couldn't run exe files any longer until I entered the exe extension in the filetypes section to replace what had been there. This was after the registry rollback, so I'm not sure where the exe reference was being pulled from. It should have reverted just like all other registry entries. So, indeed it could well be that ave.exe is really something non-exe that got renamed and thus wasn't detected by Windows as being bogus. I have not saved the ave.exe file to look at it. Perhaps I should have, but I had to use this particular computer and just wanted to get rid of the malware.
From: Heather on 4 Apr 2010 00:56
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message news:hp94gg$ekl$4(a)news.eternal-september.org... > "Heather" <fergie(a)canada.invalid> wrote: > >>OK Shaggy......I will add to this cuz I have an obsession re correct time. >>He has his Time Zone set wrongly.......right? As it is now Daylight >>SAVING >>Time (which he may not have checked off), it is only 4 hours different to >>GMT........not 5. > > My time zone and my DST offset are NOT set wrong. I'm also a time geek > and > I'm aware that the U.S. now advances DST time 3 weeks ahead of when it > used to > start. Hey David.....I am not arguing with you, but if all 3 of us are using ES and your time is an hour ahead of the two of us........something is out of whack on your end. It is 12:55 am as I type this. Cheers......Heather |