Comodo let me down!

Mythoz · April 16, 2008, 1:38pm

Ok my previous post was deleted with the following message:

Hi Mythoz,

Your post had some virus scanners detect a virus sample in it. I didn’t see a problem in the links, Only the info on the virus it self, But I deleted your post for our users sake.

Try to take extra caution when posting certain links

I am assuming the checkers detect a virus simply because of the html code appended to the html files which I included in my post. So to protect those of you who may be inclined to go running the code blindly I have reposted with the offending data Base64 encoded.
Hopefully this will protect you poor innocents.
Ironic really, comodo antivirus cannot detect the code yet the message board users can?

Foolishly I clicked an unknown program, no alert from Comodo. HD lit up and went nuts and comodo firewall popped a connection request which I blocked.
CTL+ALT+DEL popped the task manager window which instantly dissappeared again, and again …

Hit the big button on the wall and killed everything.

Restarted and checked my startups found this:

HKCU \ run
svcshare = C:\WINDOWS\system32\drivers\spoclsv.exe

removed it and used spybot to kill the running process. Spybot reported it as an “FUJACKS-J” infection.
Looked it up and found this to be the most informative and comprehensive information:

LINKS REMOVED

This has some extra info too in the “more info” tab.:

LINKS REMOVED

Luckily I killed the machine in time to minimize the damage but even scanning a known infected file comodo does not recognize it.
This is extremely dissappointing as it is an old virus and not a very clever one.

It placed a “Desktop_.ini” file in every folder it visited.
It appended:
(Base64 encoded to protect the simpletons)

PGlmcmFtZSBzcmM9aHR0cDovL3d3dy5rcnZrci5jb20vd29ybS5odG0gd2lkdGg9MCBoZWlnaHQ9
MD48L2lmcmFtZT4=

To every html file it found. (probably would have done the asp,aspx etc too but it didnt find any)
It prepended 75kb of code to every exe it found (probably com etc too but it didnt find any)

Each time an infected file is run it reinstalls spoclsv.exe and the registry entry and attempts to connect to the net (didnt note where)
The pre infection program code is not infected just appended after the virus code.
The virus PE headers have the section names nsp0,nsp1,nsp2,vmp0

Come on comodo this is basic crap!!! doesnt even infect programs in memory!!! I am a little pissed right now!

===============================================

To clean up the mess I used Uedit to find and replace in files:
(Base64 encoded to protect the simpletons)

PGlmcmFtZSBzcmM9aHR0cDovL3d3dy5rcnZrci5jb20vd29ybS5odG0gd2lkdGg9MCBoZWlnaHQ9
MD48L2lmcmFtZT4=

replacing with nothing.

then did a uedit find in files searching for nsp0 to locate all infected exe, scr files. Not sure if this would detect com files too as they dont have PE headers but suprisingly windows loads com files the same as exe files checking for the PE headers first (you learn something new everyday) so it probably prepends the same code to com files.

You can find the original code at 75269d (12605h) and deleteing the previous bytes using uedit removes the virus. I only had 35 files to do luckily.
(the virus only infects files which have an embedded icon oddly enough)

Not sure if this information helps anyone but it never hurts to have info.
Now I am clean again I have to look for a new virus checker.

Mod Edit: Some AV’s Detected posted links as a Virus (Eg, Avast!), So links have been removed.

EricCryptid · April 16, 2008, 3:24pm

Firstly, CAVS is in Beta at the moment and recent tests suggest only a 75% Detection rate. I’m currently using it myself along with Comodo BoClean to instantly stop malware.

I suggest you do a full scan with SuperAntispyware (Free Edition) which is particularly good ad removing any reminents of Viruses.

The new version of CAVS - CAVS3 is due to come out in the very near future. I suggest you run something like Script Defender and BoClean along with CAVS while we wait for the new version to come out.

Eric

Mythoz · April 16, 2008, 10:25pm

Hello Eric

Alpha, Beta, Theta there is no excuse for missing this one. Granted a program in Beta is going to have issues, but to not detect a virus which was reported almost eighteen months ago? A virus which uses no encryption, no morphing, no advanced hiding techniques, it simply uses an open registry key to start it and perpends the same 75Kb to every file it infects, openly announces it has been in a folder with the ini file and makes more noise than a herd of elephants in a china shop. That is not an issue for a program which purports to call itself a virus checker, that’s a complete failure.
For goodness sake I have a text editor that can detect it, what’s more it can edit text files too, can Comodo?

People need to have confidence in their virus checker, Beta or not. In Beta stage you expect perhaps that it doesn’t detect some of the fancy intelligent viri, you expect that when you click a certain checkbox while you have minesweeper running, three windows open and the toaster making breakfast the whole thing may crash. You do not expect that the simplest of malware, written by some ignorant kid from China, could completely bypass the thing.

I am sorry, while I appreciate the hard work done at Comodo providing these products for free I find this absolutely unacceptable. Wether a program is free or costs hundreds of dollars it is equally as useful if it fails in the basics. If it were some exotic viri I may be tempted to stick by Comodo but to miss something this simple begs the questions, what does it check for? Just how protected am I really?
I shall continue to use the Comodo firewall which I have found to be pretty good to date but I cannot continue to run your antivirus with confidence either in Beta or version 2k if you can allow something so trivial to circumvent you.

On another side issue and something you may expect from a Beta.
The first thing I did when the virus hit was disconnect the computer from the internet and the network, isolating it completely. Now while I was sitting cursing and removing the infection I noticed on the computer next to me a window saying comodo antivirus had found an update on the web would I like to download it. I clicked yes and to my amazement it downloaded it and reported that I was now up to date and protected.
This was an incredible feat as the infected computer was the internet gateway and without it on the network none of the others have any access whatsoever to the outside world.
So either you have developed technology which far surpasses anything I have seen before or the update mechanism is nothing much more than window dressing. Which also answers the question I had about why when I do a manual update does it download lots of data when I have auto update apparently updating constantly?

Oh and apparently the link from my original post still report a virus in Avast hence they were removed.
As the post is incomplete without them I post them again here this time Base64 encoded. Be warned if you are using a virus checker other than Comodo then following the links may cause an alert.
However since both links are to reputable virus reporting sites you can take that as you may. If you are using Comodo you have no worries, it wont detect anything on the sites false or otherwise.

aHR0cDovL3d3dy5jZXJ0LWluLm9yZy5pbi92aXJ1cy9GaWxlSW5mZWN0b3JGVUpBQ0tTLmh0bQ==

aHR0cDovL3d3dy5zb3Bob3MuY29tL3NlY3VyaXR5L2FuYWx5c2VzL3ZpcnVzZXMtYW5kLXNweXdh
cmUvdzMyZnVqYWNrc2ouaHRtbA==

system · April 17, 2008, 4:46am

Mythoz post:3:

Hello Eric

Alpha, Beta, Theta there is no excuse for missing this one. Granted a program in Beta is going to have issues, but to not detect a virus which was reported almost eighteen months ago? A virus which uses no encryption, no morphing, no advanced hiding techniques, it simply uses an open registry key to start it and perpends the same 75Kb to every file it infects, openly announces it has been in a folder with the ini file and makes more noise than a herd of elephants in a china shop. That is not an issue for a program which purports to call itself a virus checker, that’s a complete failure.
For goodness sake I have a text editor that can detect it, what’s more it can edit text files too, can Comodo?

People need to have confidence in their virus checker, Beta or not. In Beta stage you expect perhaps that it doesn’t detect some of the fancy intelligent viri, you expect that when you click a certain checkbox while you have minesweeper running, three windows open and the toaster making breakfast the whole thing may crash. You do not expect that the simplest of malware, written by some ignorant kid from China, could completely bypass the thing.

I am sorry, while I appreciate the hard work done at Comodo providing these products for free I find this absolutely unacceptable. Wether a program is free or costs hundreds of dollars it is equally as useful if it fails in the basics. If it were some exotic viri I may be tempted to stick by Comodo but to miss something this simple begs the questions, what does it check for? Just how protected am I really?
I shall continue to use the Comodo firewall which I have found to be pretty good to date but I cannot continue to run your antivirus with confidence either in Beta or version 2k if you can allow something so trivial to circumvent you.

On another side issue and something you may expect from a Beta.
The first thing I did when the virus hit was disconnect the computer from the internet and the network, isolating it completely. Now while I was sitting cursing and removing the infection I noticed on the computer next to me a window saying comodo antivirus had found an update on the web would I like to download it. I clicked yes and to my amazement it downloaded it and reported that I was now up to date and protected.
This was an incredible feat as the infected computer was the internet gateway and without it on the network none of the others have any access whatsoever to the outside world.
So either you have developed technology which far surpasses anything I have seen before or the update mechanism is nothing much more than window dressing. Which also answers the question I had about why when I do a manual update does it download lots of data when I have auto update apparently updating constantly?

Oh and apparently the link from my original post still report a virus in Avast hence they were removed.
As the post is incomplete without them I post them again here this time Base64 encoded. Be warned if you are using a virus checker other than Comodo then following the links may cause an alert.
However since both links are to reputable virus reporting sites you can take that as you may. If you are using Comodo you have no worries, it wont detect anything on the sites false or otherwise.

aHR0cDovL3d3dy5jZXJ0LWluLm9yZy5pbi92aXJ1cy9GaWxlSW5mZWN0b3JGVUpBQ0tTLmh0bQ==

aHR0cDovL3d3dy5zb3Bob3MuY29tL3NlY3VyaXR5L2FuYWx5c2VzL3ZpcnVzZXMtYW5kLXNweXdh
cmUvdzMyZnVqYWNrc2ouaHRtbA==

We do appreciate your concern. CAVS 2 isn’t that effective, Just wait for CAVS 3 please

Josh

system · April 20, 2008, 4:02am

Bump. Thread locked. If you need this Thread reopened please PM myself or another Mod with a link to this thread.

Josh