Why KAV does not detect Trojan-Spy.Win32.Bancos.aam?

Forum for support for the Kaspersky AntiVirus for WinGate plugin

Moderator: Qbik Staff

Postby kiav » May 24 07 10:52 pm

My configuration:

1. Windows XP Prof SP2
2. WinGate 6.1.2 (Build 1094) + KAV 2.0.1
3. KAV updates several times a day.
4. I use Microsoft Internet Explorer 6 + Maxthon 1.5.9
5. IE uses local proxy (WinGate, 127.0.0.1).

My situation:

My PC (see my configuration above) was infected by Trojan-Spy.Win32.Bancos.aam. I found the infected file in the Internet Explorer cache. Unfortunately it activated and tried to steal my personal data.

This virus has been known since Mar 08 2007 07:24 GMT.

My question:

How could this virus infect my PC? I found that it came through Internet Explorer, the virus has been well known for 2 months and I regularly update the KAV virus base.

By the way, a quick scan detected the virus.
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby jamesc » May 25 07 12:20 pm

What's the date of the file in the cache?
What is the URL it was downloaded from?
What does KAV report as its last update time?

*You may also be able to search for the application name in the WinGate log file for your connection method.

*Edited
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby kiav » May 25 07 10:44 pm

jamesc wrote: What's the date of the file in the cache?
What is the URL it was downloaded from?
What does KAV report as its last update time?

*You may also be able to search for the application name in the WinGate log file for your connection method.

*Edited


The date is 23:56:28 May 22, 2007

I do not know the URL. I do not know how to find that URL. As for the WWW proxy log file... It does not contain exactly file[1].exe, nor file.exe. But I found file.php (05/22/07 23:56:27).

As of now, the last KAV update was May 24, 2007.
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby jamesc » May 26 07 7:27 am

I do not know the URL. I do not know how to find that URL


Internet Explorer 6 --> Tools menu --> Settings --> View files --> View menu --> Details View
*And if you still can't see the address then right click the column at top to add it in.


But I found file.php (05/22/07 23:56:27).


--> Then what's the URL for it? Was it a secure one? And what ip / user requested it?
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby kiav » May 26 07 7:44 am

Ok, here it is

URL: http://www.advery.ru/web/i/file.php
Type: Application
Name in cache: file[1].exe

Here are the corresponding WWW proxy log records:

05/22/07 23:56:27   127.0.0.1   kiav   0000030044   Requested:   http://www.advery.ru/web/i/file.php
05/22/07 23:56:27   127.0.0.1   kiav   0000030040   Traffic    7775   333   274   7770   18s
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia
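
Searching the WWW proxy log for the cached file name finds nothing here because the cache entry (file[1].exe) and the requested URL (file.php) differ; matching on the cache file's timestamp finds the request. The following is an added example, not part of the thread or of WinGate: the log layout is inferred only from the two records quoted above, and the example.com record and all function names are constructed.

```python
import posixpath
import re
from datetime import datetime
from urllib.parse import urlparse

# The two records quoted in the post, plus one constructed record
# (example.com) so the time filter has something to exclude.
SAMPLE_LOG = """\
05/22/07 23:41:02   127.0.0.1   kiav   0000030012   Requested:   http://example.com/index.html
05/22/07 23:56:27   127.0.0.1   kiav   0000030044   Requested:   http://www.advery.ru/web/i/file.php
05/22/07 23:56:27   127.0.0.1   kiav   0000030040   Traffic    7775   333   274   7770   18s
"""

# Assumed layout, inferred only from those lines:
# date time, client IP, user, session id, "Requested:", URL.
REQUEST_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+Requested:\s+(\S+)\s*$"
)

def cache_stem(cache_name):
    """'file[1].exe' -> 'file': drop the extension and IE's [n] counter."""
    stem = posixpath.splitext(cache_name)[0]
    return re.sub(r"\[\d+\]$", "", stem).lower()

def url_stem(url):
    """'http://host/a/file.php' -> 'file'."""
    return posixpath.splitext(posixpath.basename(urlparse(url).path))[0].lower()

def requests_near(log_text, cache_time, cache_name, window_s=5):
    """Requested: records within window_s seconds of the cache timestamp,
    each flagged when its URL file name shares the cache entry's stem."""
    want, hits = cache_stem(cache_name), []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # Traffic and other record types carry no URL
        stamp, ip, user, _session, url = m.groups()
        when = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S")
        if abs((when - cache_time).total_seconds()) <= window_s:
            hits.append({"time": when, "ip": ip, "user": user, "url": url,
                         "same_stem": url_stem(url) == want})
    return hits

if __name__ == "__main__":
    cached = datetime(2007, 5, 22, 23, 56, 28)  # cache file date from the thread
    for hit in requests_near(SAMPLE_LOG, cached, "file[1].exe"):
        print(hit)
```
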

Postby jamesc » May 26 07 8:19 am

Thanks Kiav,

I just set up a box to test that and a LAN Client. WG Server with KAV, NAT disabled in ENS, Guest access via WWW Proxy for URL containing www.advery.ru

That link gives an error stating to contact the webmaster - I will get a second opinion from my colleagues re: where to go from here - Forum suggestions welcome too.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby kiav » May 26 07 9:12 am

I am not sure that this URL is active yet. I wrote a letter on May 23, 2007 to www.ng.ru webmaster (this site contained the link with the virus) with details including WWW proxy log.
kiav
 
Posts: 37
Joined: Aug 12 05 1:28 am
Location: Moscow, Russia

Postby jamesc » May 28 07 9:56 pm

Can we review your WinGate registry? Please reference this forum post if you send it in.

GateKeeper --> Options menu --> Advanced --> Save registry settings.
sales@wingate.com
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby jamesc » Jun 19 07 12:46 pm

Issue due to different settings for the manual scan.

The changes between version 6.x releases can be reviewed here:
http://www.wingate.com/showfaq.php?faqid=2

Skype: wingatejames
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Re: Why KAV does not detect Trojan-Spy.Win32.Bancos.aam?

Postby paolari » Jun 05 09 8:01 pm

How do I get rid of trojan horse viruses? I'm currently using Antivir PE classic, but it isn't working. I have run several scans and the program tells me it has deleted the trojan horses, but I get one of the virus warnings straight after scanning, then when I turn the PC back on some time later, all three have popped up again. This is getting silly as some applications don't work properly and I keep getting an internet link to winscan or some other such nonsense. Help!
paolari
 
Posts: 1
Joined: May 31 09 10:56 pm

Re: Why KAV does not detect Trojan-Spy.Win32.Bancos.aam?

Postby logan » Jun 08 09 4:11 pm

I'm sorry, you won't find assistance with that question here. This is a support forum for the Kaspersky AntiVirus for Wingate plugin.
logan
Qbik Staff
 
Posts: 671
Joined: Oct 19 06 2:49 pm
Location: Auckland, New Zealand

Re: Why KAV does not detect Trojan-Spy.Win32.Bancos.aam?

Postby francisuk » Sep 14 09 11:13 pm

logan wrote:I'm sorry, you won't find assistance with that question here. This is a support forum for the Kaspersky AntiVirus for Wingate plugin.

Ahhh, that can be a suggestion then. Can Qbik make a malware plugin, as this person obviously has malware in his machine?

paolari wrote: How do I get rid of trojan horse viruses? I'm currently using Antivir PE classic, but it isn't working. I have run several scans and the program tells me it has deleted the trojan horses, but I get one of the virus warnings straight after scanning, then when I turn the PC back on some time later, all three have popped up again. This is getting silly as some applications don't work properly and I keep getting an internet link to winscan or some other such nonsense. Help!


1st, my advice is to get rid of Antivir PE classic, it is a load of crap! That's why it is free. Go with something like Kaspersky AntiVirus, NOD32, etc.

Download a program called Malwarebytes (google it :) ) and do a scan, it should pick it out.

If that doesn't pick up anything,

2ndly, download a copy of Spyware Terminator and do a full scan.

Francis
francisuk
 
Posts: 4
Joined: Sep 14 09 7:17 am
Location: UK

