Avira missing downadup worm

Latest deinfitions of avira, completely missing what i believe are variants
of the downadup worm.

The bastard seems to be causing explorer DEP, renames essential windows
login files, creates autorun.inf on attatched usbs, which point either to a
recycler folder and a 'boot' file or a mispelled recycler folder, causing
the infection to be passed on, other files are alos infected on the drive.

Beware neither avira, malwarebytes or superantispyware picked up any of
these.

Gaz

Gaz wrote:
> Latest deinfitions of avira, completely missing what i believe are
> variants of the downadup worm.
>
> The bastard seems to be causing explorer DEP, renames essential
> windows login files, creates autorun.inf on attatched usbs, which
> point either to a recycler folder and a 'boot' file or a mispelled
> recycler folder, causing the infection to be passed on, other files
> are alos infected on the drive.
>
> Beware neither avira, malwarebytes or superantispyware picked up any
> of these.
>
> Gaz
Do a find for David Lipman's post on his mult-av scanning methods for help.
Try putting in multi av in the message box in Find and you should find a
post by Lipman on 11Feb09.

On 02/13/2009 05:08 AM, Gaz sent:
> Latest definitions of avira, completely missing what i believe are variants
> of the downadup worm.
>
> The bastard seems to be causing explorer DEP, renames essential windows
> login files, creates autorun.inf on attached usbs, which point either to a
> recycler folder and a 'boot' file or a misspelled recycler folder, causing
> the infection to be passed on, other files are also infected on the drive.
>
> Beware neither avira, malwarebytes or superantispyware picked up any of
> these.
>
> Gaz

*** Cross Posted ***

Hello Gaz:

If you have any suspected malware files, send them to:

<http://www.virustotal.com/>

for possible identification.

If you receive evidence to corroborate your theory, also pass those
files to the Avira, Malwarebytes and SUPERAntiSpyware folks for their
examination and inclusion in their databases.

Warm regards,

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Use my Remove-it software, it will remove that malware from your system.
Choose yes for all options when prompted. Download it here
http://pcbutts1.com/downloads/tools/tools.htm


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.




"Gaz" <gazter@msn.com> wrote in message
news:6vl9npFk2e7uU1@mid.individual.net...
> Latest deinfitions of avira, completely missing what i believe are
> variants of the downadup worm.
>
> The bastard seems to be causing explorer DEP, renames essential windows
> login files, creates autorun.inf on attatched usbs, which point either to
> a recycler folder and a 'boot' file or a mispelled recycler folder,
> causing the infection to be passed on, other files are alos infected on
> the drive.
>
> Beware neither avira, malwarebytes or superantispyware picked up any of
> these.
>
> Gaz
>

The Real Truth MVP wrote:
> Use my Remove-it software, it will remove that malware from your system.
> Choose yes for all options when prompted. Download it here
> http://pcbutts1.com/downloads/tools/tools.htm
>
>

Please be aware that The Real Truth MVP can not prove that he is a MVP.

Google pcbutts1 for more information.

--
JD..

Stalker.

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.




"JD" <JD@example.invalid> wrote in message
news:zK2dnbB0p_vMlgvUnZ2dnUVZ_jadnZ2d@posted.grandecom...
> The Real Truth MVP wrote:
>> Use my Remove-it software, it will remove that malware from your system.
>> Choose yes for all options when prompted. Download it here
>> http://pcbutts1.com/downloads/tools/tools.htm
>>
>>
>
> Please be aware that The Real Truth MVP can not prove that he is a MVP.
>
> Google pcbutts1 for more information.
>
> --
> JD..

In article <FTnll.10572$8_3.7117@flpi147.ffdc.sbc.com>, toidi@tpap.com
says...
> Stalker.
>
> The Real Truth http://pcbutts1-therealtruth.blogspot.com/
> *WARNING* Do NOT follow any advice given by the people listed below.
> They do NOT have the expertise or knowledge to fix your issue. Do not waste
> your time.
> David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
>

Chris, Stalking on the internet is a crime, you are warned that you will
be reported to your providers if you continue.

Learn more about Butt's lack of ethics and obsessions in the links
below.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Public Service Warning: Learn about PCButts before you trust:
http://www.velocityreviews.com/forum...-removeit.html
http://www.google.com/search?hl=en&q=pcbutts1+thief
http://tinyurl.com/4rruwd

The Real Truth MVP wrote:
> Stalker.
>
You're not on the MVP list:

http://mvp.support.microsoft.com/

--
JD..

From: "JD" <JD@example.invalid>

| The Real Truth MVP wrote:
>> Stalker.

| You're not on the MVP list:

| http://mvp.support.microsoft.com/

| --
| JD..

And NO MVP would be on the MVP Hosts file block list.
No MVP will be stealing and pirating others work either on a regular and period basis
either.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman wrote:
> From: "JD" <JD@example.invalid>
>
> | The Real Truth MVP wrote:
>>> Stalker.
>
> | You're not on the MVP list:
>
> | http://mvp.support.microsoft.com/
>
> | --
> | JD..
>
> And NO MVP would be on the MVP Hosts file block list.
> No MVP will be stealing and pirating others work either on a regular and period basis
> either.
>
>

David..

Thanks for the added information. I forgot that he's in the MVP HOSTS
file. But you're already on his list. ;-)

* PCBUTTS WARNING* Do NOT follow any advice given by the people listed
below. They do NOT have the expertise or knowledge to fix your issue. Do
not waste your time. David H Lipman, Malke, PA Bear, Beauregard T.
Shagnasty, Leythos.

I want to be on the list!

Christopher, can you hear me now?

--
JD..

From: "JD" <JD@example.invalid>


| David..

| Thanks for the added information. I forgot that he's in the MVP HOSTS
| file. But you're already on his list. ;-)

| * PCBUTTS WARNING* Do NOT follow any advice given by the people listed
| below. They do NOT have the expertise or knowledge to fix your issue. Do
| not waste your time. David H Lipman, Malke, PA Bear, Beauregard T.
| Shagnasty, Leythos.

| I want to be on the list!

| Christopher, can you hear me now?

| --
| JD..

TEMerc is also dismayed he's not on Butts hosts file list which is included in his
conglemeration of plagiarized and pirated material called "Remove-It"

# [Thieves and trolls]
127.0.0.1 www.pctipp.ch
127.0.0.1 pctipp.ch
127.0.0.1 www.raymond.cc
127.0.0.1 raymond.cc
127.0.0.1 www.claymania.com
127.0.0.1 claymania.com
127.0.0.1 www.elephantboycomputers.com
127.0.0.1 elephantboycomputers.com
127.0.0.1 www.it-mate.co.uk
127.0.0.1 it-mate.co.uk
127.0.0.1 mysteryfcm.co.uk
127.0.0.1 www.mysteryfcm.co.uk
127.0.0.1 www.internetinspiration.co.uk
127.0.0.1 internetinspiration.co.uk
127.0.0.1 www.mvps.org
127.0.0.1 mvps.org
127.0.0.1 bughunter.it-mate.co.uk
127.0.0.1 www.bughunter.it-mate.co.uk
127.0.0.1 www.siri.geekstogo.com
127.0.0.1 siri.geekstogo.com
127.0.0.1 siri.urz.free.fr
127.0.0.1 www.siri.urz.free.fr
127.0.0.1 noahdfear.geekstogo.com
127.0.0.1 www.noahdfear.geekstogo.com

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David H. Lipman wrote:
> From: "JD" <JD@example.invalid>
>
>
> | David..
>
> | Thanks for the added information. I forgot that he's in the MVP HOSTS
> | file. But you're already on his list. ;-)
>
> | * PCBUTTS WARNING* Do NOT follow any advice given by the people listed
> | below. They do NOT have the expertise or knowledge to fix your issue. Do
> | not waste your time. David H Lipman, Malke, PA Bear, Beauregard T.
> | Shagnasty, Leythos.
>
> | I want to be on the list!
>
> | Christopher, can you hear me now?
>
> | --
> | JD..
>
> TEMerc is also dismayed he's not on Butts hosts file list which is included in his
> conglemeration of plagiarized and pirated material called "Remove-It"
>
> # [Thieves and trolls]
> 127.0.0.1 www.pctipp.ch
> 127.0.0.1 pctipp.ch
> 127.0.0.1 www.raymond.cc
> 127.0.0.1 raymond.cc
> 127.0.0.1 www.claymania.com
> 127.0.0.1 claymania.com
> 127.0.0.1 www.elephantboycomputers.com
> 127.0.0.1 elephantboycomputers.com
> 127.0.0.1 www.it-mate.co.uk
> 127.0.0.1 it-mate.co.uk
> 127.0.0.1 mysteryfcm.co.uk
> 127.0.0.1 www.mysteryfcm.co.uk
> 127.0.0.1 www.internetinspiration.co.uk
> 127.0.0.1 internetinspiration.co.uk
> 127.0.0.1 www.mvps.org
> 127.0.0.1 mvps.org
> 127.0.0.1 bughunter.it-mate.co.uk
> 127.0.0.1 www.bughunter.it-mate.co.uk
> 127.0.0.1 www.siri.geekstogo.com
> 127.0.0.1 siri.geekstogo.com
> 127.0.0.1 siri.urz.free.fr
> 127.0.0.1 www.siri.urz.free.fr
> 127.0.0.1 noahdfear.geekstogo.com
> 127.0.0.1 www.noahdfear.geekstogo.com
>

He is quite insane, isn't he? An MVP that blocks mvps.org.

--
JD..

On Feb 14, 2:47*am, 1PW <barcrnahgjuvf...@nby.pbz> wrote:
> On 02/13/2009 05:08 AM, Gaz sent:
>
> > Latest definitions of avira, completely missing what i believe are variants
> > of the downadup worm.
>
> > The bastard seems to be causing explorer DEP, renames essential windows
> > login files, creates autorun.inf on attached usbs, which point either to a
> > recycler folder and a 'boot' file or a misspelled recycler folder, causing
> > the infection to be passed on, other files are also infected on the drive.
>
> > Beware neither avira, malwarebytes or superantispyware picked up any of
> > these.
>
> > Gaz
>
> * * * * * * * * * * * **** Cross Posted ***
>
> Hello Gaz:
>
> If you have any suspected malware files, send them to:
>
> * * * * * * * * *<http://www.virustotal.com/>
>
> for possible identification.
>
> If you receive evidence to corroborate your theory, also pass those
> files to the Avira, Malwarebytes and SUPERAntiSpyware folks for their
> examination and inclusion in their databases.
>
> Warm regards,
>
> Pete
> --
> 1PW *@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Another acquiantance of mine having installed Avira premium installed
in his PC did miss it also... It was not even recognized as
conficker,downadup, kido etc, but just plain recycler.

"Gaz" <gazter@msn.com> wrote in news:6vl9npFk2e7uU1@mid.individual.net:

> Latest deinfitions of avira, completely missing what i believe are
> variants of the downadup worm.
>
> The bastard seems to be causing explorer DEP, renames essential
> windows login files, creates autorun.inf on attatched usbs, which
> point either to a recycler folder and a 'boot' file or a mispelled
> recycler folder, causing the infection to be passed on, other files
> are alos infected on the drive.
>
> Beware neither avira, malwarebytes or superantispyware picked up any
> of these.
>
> Gaz
>
>
>

If you would like to submit them to http://uploads.malwarebytes.org I'll
see that we do detect them with a future update.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
news:R7idnbRRTPlB8AvUnZ2dnUVZ_t7inZ2d@giganews.com:

> From: "JD" <JD@example.invalid>
>
>
>| David..
>
>| Thanks for the added information. I forgot that he's in the MVP HOSTS
>| file. But you're already on his list. ;-)
>
>| * PCBUTTS WARNING* Do NOT follow any advice given by the people
>| listed below. They do NOT have the expertise or knowledge to fix your
>| issue. Do not waste your time. David H Lipman, Malke, PA Bear,
>| Beauregard T. Shagnasty, Leythos.
>
>| I want to be on the list!
>
>| Christopher, can you hear me now?
>
>| --
>| JD..
>
> TEMerc is also dismayed he's not on Butts hosts file list which is
> included in his conglemeration of plagiarized and pirated material
> called "Remove-It"
>
> # [Thieves and trolls]
> 127.0.0.1 www.pctipp.ch
> 127.0.0.1 pctipp.ch
> 127.0.0.1 www.raymond.cc
> 127.0.0.1 raymond.cc
> 127.0.0.1 www.claymania.com
> 127.0.0.1 claymania.com
> 127.0.0.1 www.elephantboycomputers.com
> 127.0.0.1 elephantboycomputers.com
> 127.0.0.1 www.it-mate.co.uk
> 127.0.0.1 it-mate.co.uk
> 127.0.0.1 mysteryfcm.co.uk
> 127.0.0.1 www.mysteryfcm.co.uk
> 127.0.0.1 www.internetinspiration.co.uk
> 127.0.0.1 internetinspiration.co.uk
> 127.0.0.1 www.mvps.org
> 127.0.0.1 mvps.org
> 127.0.0.1 bughunter.it-mate.co.uk
> 127.0.0.1 www.bughunter.it-mate.co.uk
> 127.0.0.1 www.siri.geekstogo.com
> 127.0.0.1 siri.geekstogo.com
> 127.0.0.1 siri.urz.free.fr
> 127.0.0.1 www.siri.urz.free.fr
> 127.0.0.1 noahdfear.geekstogo.com
> 127.0.0.1 www.noahdfear.geekstogo.com
>

You may also add me to the displeased user list. He'll block my software
(BugHunter) but so far, I don't get the recognition David has been given.
I want my spotlight too!


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org