Archive for May, 2009
May 27th, 2009

False positive alerts in “Tools”

Are you always sure that what you are downloading is safe? Every day, many of our users report “false positive alerts” to us. I use quotes, because most of them are actually malware. See the picture below. The reported “wrong-detection” is Win32:Ardamax-LV [Spy].


False positive alerts report

Ardamax is a well-known legitimate keylogger, but the “bad guys” often use it to steal account information. In this case, the keylogger is part of some hack. This is the reason why 90% of antivirus programs detect this keylogger as suspicious (VirusTotal report).

So, do you put your trust in unknown web sources such as RapidShare, MegaUpload etc. or in your antivirus program?

Categories: lab
May 22nd, 2009

Inside Win32:Allaple

Win32:Allaple was a successful worm a few years ago. There are still some instances of the worm in the wild, but the first wave was notably bigger. The payload is a nice piece of polymorphic code; let’s look at how it looks and how it works.

Categories: analyses
May 21st, 2009

Caro workshop #3

A few Avast virus lab guys and developers attended the 3rd CARO workshop in Budapest, Hungary. We found a bit of time for a short visit to the historical center. Here are some pictures taken by my “faithful friend”, a Canon EOS 400D.

Categories: lab
May 21st, 2009

Rogue malware ranking

Nowadays the internet is full of hacked websites that redirect visiting users to various malware distribution networks. Website hacking basically consists of adding an iframe, a script tag or some more sophisticated JavaScript to the clean code. These methods depend only on the reputation of the infected domains. Last week (2009-05-13) we released detection signatures for one interesting redirector; its name is JS:Redirector-I [Trj]. The source is a type of rogue malware which is commonly known to spread by social engineering. Now we can talk about ’search engine related’ social engineering. The redirector itself doesn’t look particularly sophisticated; simple code is hidden as shown in the next image:

Categories: analyses