I still like Avira

   November 14th, 2009

Yesterday I wrote about how I had stumbled upon a virus through Java in Firefox and how Avira didn’t quite stop all the infections.

I also mentioned I didn’t blame Avira because I felt that it was a new strain, and it looks like I was right.

Yesterday when I scanned the infected file it wasn’t reporting any issues.

Today I noticed a little update notice from Avira so for the heck of it I scanned the infected file again (kept it around to test with), and bam, detected!

So for the heck of it I popped it through my trusty online scanner, VirusTotal, which will scan any file you upload against 41 antivirus engines.

The other day I got:

File iaStor.sys received on 2009.11.12 18:25:30 (UTC)
Current status: finished

Result: 1/41 (2.44%)

Reanalysing the file today I get:

File iaStor.sys received on 2009.11.15 00:09:41 (UTC)
Current status: finished

Result: 11/41 (26.83%)

So this was obviously a new strain and engines are finally starting to update!

Just for fun, here is the link to the report for the file I submitted.

Also, yay for Avira being one of the 11 detecting it now. I picked Avira because of its high detection rates, so hopefully they will continue leading the sector. 🙂

  1. Nick - Author Comment:

    I rescanned the file again today out of boredom, and the new total is:
    Result: 20/41 (48.79%)
    I am actually very shocked it is not 100%.
    There are some SHITTY antivirus engines out there! A virus is in the wild and weeks upon weeks later, over half the engines this site tests with still aren’t detecting it! Yikes!
    I’m glad Avira is one of the good ones who was updated within a couple days of discovery.
    Here is a link to the latest report for anyone interested in seeing which engines suck balls:
    It should surprise NO ONE that virus engines NOT detecting this virus include:

  2. KrAzE  Says:

    I am using Avira now per your recommendation here. I keep telling it to ignore this specific file I have, but it forgets after every boot… Unless this file gets regenerated on every boot.

    But it did find ONE trojan on my machine after being without antivirus for 5 months. I was hoping for 666 again.

  3. Nick - Author Comment:

    Hmm… I haven’t had any issues with ignore. I have it set to ignore a specific directory and that seems to work pretty good.

  4. Saltspring  Says:

    I have a Dell Dimension 8400 on the bench with a Stop 0x000007E error – as this particular Dell’s BIOS defaults to an AHCI disk config, the infection of the iastor.sys file prevents the system from loading Windows (safe mode included); changing to ATA mode doesn’t help (without a repair install at least).

    Avira found (but can’t clean) the iastor.sys infection for me as well.

    Thought to leave this note for others searching for this issue.

  5. Nick - Author Comment:

    Thanks for the comment Saltspring. Yes, that is the exact symptom of this rootkit.
    I have been seeing this A LOT lately. It’s a nasty little rootkit.

    Some systems this rootkit infects will boot. If it can, I have found the latest version of ComboFix can clean this rootkit. Some infected systems will NOT boot and will just bluescreen, yup, even in safe mode. The only fix I know of is to pull the drive, hook it up to another computer, remove the infected file, and find a good copy of the file to replace it with.
    What I have done is search the whole hard drive for iaStor.sys. Usually you can find some archived copies from service pack installs and stuff. If you can, you need to find one that is the same size as the old. Delete the old, and copy over your newly-found clean one.
    Then put the drive back in and you should be able to boot once again.

    Once booted, be sure to run Malwarebytes to clean up any other infections! Chances are if the machine got hit with this rootkit, there are other infections on the system that used the same injection vector as this rootkit.

    Happy virus hunting and good luck.
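
The manual search described in the last comment, as an added example (not code from the post or from any tool it mentions): it walks the drive mounted on the second computer, lists every other copy of iaStor.sys, drops copies that are byte-identical to the infected one, and puts same-size copies first. The function names and the demo directory layout and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """SHA-256 of a file (driver files are small, so read it whole)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_candidates(root, suspect, name="iastor.sys"):
    """List other copies of `name` under `root`, same-size copies first."""
    suspect_real = os.path.realpath(suspect)
    suspect_size, suspect_hash = os.path.getsize(suspect), sha256_of(suspect)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower() != name or os.path.realpath(path) == suspect_real:
                continue
            try:
                size, digest = os.path.getsize(path), sha256_of(path)
            except OSError:
                continue  # unreadable file on a damaged drive: skip it
            if digest == suspect_hash:
                continue  # byte-identical to the infected file: no use
            found.append({"path": path, "size": size, "sha256": digest,
                          "same_size": size == suspect_size})
    return sorted(found, key=lambda c: (not c["same_size"], c["path"]))

def demo():
    """Build a constructed drive layout in a temp dir and search it."""
    root = tempfile.mkdtemp()
    layout = {  # constructed sample contents, not real driver files
        "WINDOWS/system32/drivers/iaStor.sys": b"INFECTED" * 4,
        "WINDOWS/ServicePackFiles/i386/iastor.sys": b"ORIGINAL" * 4,
        "WINDOWS/backup/IASTOR.SYS": b"OLDER-BUILD",
        "WINDOWS/copy/iaStor.sys": b"INFECTED" * 4,
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    suspect = os.path.join(root, "WINDOWS", "system32", "drivers", "iaStor.sys")
    return find_candidates(root, suspect)

if __name__ == "__main__":
    for c in demo():
        print(c["same_size"], c["size"], c["sha256"][:16], c["path"])
```

A matching size only narrows the list; scan the chosen copy with an updated antivirus before copying it over the infected file.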

