AVG 7 Free Edition missed virus

[George Neuner]

Hi all,

I got hit with what looks like W32.HLLW.Moega. It places an
executable named "wupdated.exe" in the root directory and in
Windows\System32 and installed itself as a service.

I noticed it when web access slowed to a crawl. The log in ZoneAlarm
reported hundreds of incoming connections originating from the Netbios
port (139) of non-existent computers on my home LAN. I'm not sure why
ZoneAlarm was allowing outgoing connections from it ... I'm certain I
didn't authorize it but there are other people here so maybe someone
did. The virus appears in ZoneAlarm as "Generic Host Process for
Win32 Services" with an icon that looks like "Windows Update".

I checked AVG's scan logs and it shows that the virus executable has
been there for about 2 days but, for some reason, AVG has the virus
executable marked OK - as in no infection.

According to some of the security pages I've read, this virus has been
around since 2003. I am really unhappy that the latest AVG didn't
catch it.

George

 

[David H. Lipman]

From: "George Neuner" <gneuner2/@comcast.net>

|
| Hi all,
|
| I got hit with what looks like W32.HLLW.Moega. It places an
| executable named "wupdated.exe" in the root directory and in
| Windows\System32 and installed itself as a service.
|
| I noticed it when web access slowed to a crawl. The log in ZoneAlarm
| reported hundreds of incoming connections originating from the Netbios
| port (139) of non-existent computers on my home LAN. I'm not sure why
| ZoneAlarm was allowing outgoing connections from it ... I'm certain I
| didn't authorize it but there are other people here so maybe someone
| did. The virus appears in ZoneAlarm as "Generic Host Process for
| Win32 Services" with an icon that looks like "Windows Update".
|
| I checked AVG's scan logs and it shows that the virus executable has
| been there for about 2 days but, for some reason, AVG has the virus
| executable marked OK - as in no infection.
|
| According to some of the security pages I've read, this virus has been
| around since 2003. I am really unhappy that the latest AVG didn't
| catch it.
|
| George
| --
| for email reply remove "/" from address


Are you still infected or are you just venting ?

 

[TaxMan]

I checked AVG's scan logs and it shows that the virus executable has
been there for about 2 days but, for some reason, AVG has the virus
executable marked OK - as in no infection.

According to some of the security pages I've read, this virus has been
around since 2003. I am really unhappy that the latest AVG didn't
catch it.

ZIP it with the password "infected" and send it to (e-mail address removed)

 

[JTS]

According to some of the security pages I've read, this virus has been
around since 2003. I am really unhappy that the latest AVG didn't
catch it.

Well, it is free you know. I never liked this program. It misses a lot of
stuff.

 

[George Neuner]

ZIP it with the password "infected" and send it to (e-mail address removed)

I'd love to ... but I deleted the executables I could find. I can't
get them back and I can't figure out where they came from in the first
place. The only possibility seems to be a mail attachment, but if it
arrived that way then the mail that carried it is gone.

Does the scan log carry any information that would be useful? If so,
do you know where the log file is kept?

George

 

[David H. Lipman]

From: "George Neuner" <gneuner2/@comcast.net>

|
| I'd love to ... but I deleted the executables I could find. I can't
| get them back and I can't figure out where they came from in the first
| place. The only possibility seems to be a mail attachment, but if it
| arrived that way then the mail that carried it is gone.
|
| Does the scan log carry any information that would be useful? If so,
| do you know where the log file is kept?
|
| George
| --
| for email reply remove "/" from address

No, sorry...

Grisoft would need a sample of the actual binary file to create a signature to detect and
delete it from a platform.

In the future, you can do the following...
The web site Virus Total tests samples against several AV vendor's scanners including
Grisoft v718 and will share the submitted sample with those that don't recognize the
submission.

Virus Total -- http://www.virustotal.com/flash/index_en.html

Another way to submit a sample is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

HTH for future needs...

 

[George Neuner]

Well, it is free you know. I never liked this program. It misses a lot of
stuff.

I've been using AVG free editions for about 3 years and this was the
first virus I've caught using them ... actually it's the first
computer virus I've caught in my life.

Free doesn't mean crappy ... I was using McAfee in 1984. It was free
(and good) for more than a decade before Network Associates bought it
.... afterward the program went seriously downhill IMO as they tried to
make it stupid friendly. I went to Norton for a while after that.

I've had lot's of problems with lot's of vendors. The NAI versions of
McAfee crashed themselves frequently and the computer occassionally.
I tried NAI's own program when McAfee failed me and I couldn't even
get it to install on some of my machines (I have 4). Every version of
Norton since 2K inexplicably interferes with the operation of a CD
writer on one machine and a DVD writer on another (both with hardware
burn proofing). Symantec's own program, when I tried it, could never
manage to update over a modem.

If there were a PD list of virus signatures available, I'd write my
own AV software. It's easy enough to locate probable infection's by
signing executables, but that only tells you something has changed,
not what changed it. The value of AV programs is being able to
reverse the damage.

George

 

[Martin, VK2UMJ]

[SNIP]

did. The virus appears in ZoneAlarm as "Generic Host Process for
Win32 Services" with an icon that looks like "Windows Update".

I thought there always was a legitimate "Generic Host Process for Win32
Services" which consisted of file "svchost.exe"???

 

[zeetboy]

I have been woring in a small retail computer shop as a tech for about
five years am totally self taught, I dont claim to be an expert in any
way but I have been dealing with viruses daily and I have found that
it really doest matter what A/V software people run, if they are doing
file sharing, going to to porn sites, downloading free software, ect
they will come in with viruses. We sold and used Norton until the
release of 04 and I put in on a few systems and saw how poorly they
ran. Sometimes not evan running afterwards, I could no longer in feel
good about selling Norton. We started taking everthing off and putting
on AVG6 and now AVG7 and we triy to inform people what not to do and
how to help stay clean, Some people will always be back no matter what
they are running. But we have been real happy with the results of AVG
and I have seen it cuase very few problems. I like the fact it will
almost always install properly on an infected system (never posible
with norton) and now it will scan in safe mode something that I found
pretty lacking in AVG6
Just my 2 cents
Greg

 

[George Neuner]

[SNIP]

did. The virus appears in ZoneAlarm as "Generic Host Process for
Win32 Services" with an icon that looks like "Windows Update".

I thought there always was a legitimate "Generic Host Process for Win32
Services" which consisted of file "svchost.exe"???

There is. However svchost.exe has a generic icon in ZoneAlarm. The
virus executable was named "wupdated.exe" and had a custom icon.

George