Protecting over 230 million PCs, Macs, & Mobiles – more than any other antivirus


Author Archive
January 18th, 2011

I swear, I didn’t write this rootkit

As of January 19, we have lived 25 years with  malware. The first ever virus for the personal computer was written by two Pakistan brothers, Basit and Amjad Farooq Alvi. ©Brain was the name of this virus, it infected the MS-DOS FAT boot sector and it was harmless. This MBR rootkit just promoted their company with following text:

Welcome to the Dungeon © 1986 Basit * Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...

Read more…

Categories: lab, Virus Lab Tags: ,
September 6th, 2010

Spring cleaning in our virus database

We would reach 3 millions of detections in our virus database (VPS)  this week, but … this huge number means that when you put all the detections together, there is no difference between sophistical algorithmic detection and “temporary” machine generated detection.

Read more…

Categories: lab, Virus Lab Tags: , ,
March 1st, 2010

Get avast! Free Antivirus or a „free“ upgrade with the Alureon rootkit

avast! Free Antivirus can be downloaded for free from our servers or from other download servers such as, and others.  But why limit yourself to avast! Free Antivirus if there are other products available with additional functionality that can be downloaded for free?

At least, that is what some people are thinking. Read more…

Categories: Virus Lab Tags: , , ,
February 9th, 2010

Human exploiting

In this time, most of all new computers are sold with Windows 7 64bit. This new operation system and new processor features (DEP + ASLR) makes exploiting more difficult. Easier way how to run attacker’s code on victim computer is to convince users to download it voluntarily. Last week we received one interesting example. Let see it… Read more…

Categories: analyses, Virus Lab Tags:
August 19th, 2009

Win32:Induc, new concept of file infector?

A few days ago, Andreas Marx (independent AV tester) sent all AV companies a file infected by “Delphi Source Code infector”. This file was linked by and a few others. Two days ago an analysis of this innovative file infector was published by Kaspersky Lab and F-Secure. But this is just the recent media bubble. This virus is actually several months old and all AV companies were blind. Why? Read more…

Categories: analyses, Virus Lab Tags: , ,
July 3rd, 2009

Swizz with me

Swizzor is the detection name for a highly sophisticated, long lived piece of malware / adware. It’s based on a huge distribution network and is made by highly skilled bad-guys. At first sight, Swizzor looks like the usual modern software. The bad code is divided into small pieces and is distributed in the whole file by some code-generator. This technique makes analysis and detection difficult.

Let’s look at Swizzor from the other side… What is the first thing the common user sees before running some file? Yes, it’s an icon. The icon is code-generated as well as the whole file. And here inter alia can be seen the mathematical skill of the bad-guys. As Swizzor evolves and each generation becomes harder to detect, the icon becomes more sophisticated too. It’s interesting to see bad-guys producing nice art.

Swizzor icon - 1st generation

Swizzor icon - 1st generation

Read more…

Categories: lab Tags: ,
Comments off
June 11th, 2009

What is Win32:Patched [Trj]

A patch is a utility that can be used to change a few bytes in the original file. It’s usually used to bypass license validation or to enable a hidden function. These patches are normally used with the knowledge and agreement of the user. However, another group of patches is actually malware which is used to perform the same functions without the user’s knowledge or agreement. In this case, system files are patched to gain backdoor access to a system (i.e. by changing the startup key to run the malware after booting). These files are detected by avast! as Win32:Patched.

The difference between file infectors (viruses) and patches is shown in the picture below. Patches just change a few bytes and can’t spread themselves. File infectors infect (patch) the victim file and add a virus body to perform a malicious action and can infect other files.

Different between Patcher x File infector

Differences between Patcher x File infector

Read more…

Categories: lab Tags:
Comments off
May 27th, 2009

False positive alerts in “Tools”

Are you always sure that what you are downloading is safe? Every day, many of our users report “false positive alerts” to us. I use quotes, because most of them are actually malware. See the picture below. The reported “wrong-detection” is Win32:Ardamax-LV [Spy].


False positive alerts report

Ardamax is a well known legitimate keylogger, but the “bad guys” often use it to steal account information. In this case, keylogger is a part of some hack. This is the reason why 90% of antivirus programs detect this keylogger as suspicious (VirusTotal report).

So, do you put your trust in unknown web sources such as RapidShare, MegaUpload etc. or in your antivirus program?

Categories: lab Tags: ,
May 21st, 2009

Caro workshop #3

Few Avast viruslab guys & developers attended 3rd CARO workshop in Budapest/Hungary. We found a bit of time to make a short visit of the historical center. Here are some pictures caught by my “faithful friend” Canon EOS 400D.

Categories: lab Tags:
Comments off