BTW
GuitarBob
By the way, did you notice that Dr. Web and VBA have the same name/description for the malware? Get the idea they are sharing signatures? Dr. Web is a Russian product, and Virus Block Ada is in Belorussia.
Regards,

ermi
Heh, and I thought that I was waiting for a long time (it's been 10 days now since I submitted the virus...) Here's how VirusTotal scanned "my" virus: https://files.myopera.com/ermi/files/VirusTotal.png 10 days later: https://files.myopera.com/ermi/files/VirusTotal%2B10.png You can see that only Panda "got it" in the meantime. It's interesting to note that also AVs with a good reputation like NOD 32 and Kaspersky fail...

GuitarBob
If you upload to VirusTotal or Jotti, Clam is in the loop to get a copy of their nondetected viruses from them, so they will get a crack at it if they want it. Some AVs still shy away from "nonviruses" like spyware, adware. It might be interesting to see the description of what you found. No one AV can cover everything completely, but Kaspersky does a good job of covering malware, and so does BitDefender. NOD 32 relies a lot upon its high powered engine to fill in the gaps. Clam usually has a quicker reaction time than most of the AVs, and they've really stepped up their signatures--guess they finally realized if you have only 1% heuristic detection (see https://winnow.oitc.com/avmalwarestats.php), you've got to rely heavily upon signatures.
Regards,

sherpya
Packer: Themida. As b0ne told me, Themida is a very nasty packer that makes even gathering executable information difficult.

ermi
I'm no expert. But the thing disabled my WinXP firewall and also the Task Manager (couldn't open it)... maybe something else, too. I ran Autoruns and this is what I saw: https://files.myopera.com/ermi/files/virus.png Notice the yellow icon for scvhost.exe? That's the same icon as the virus .exe file. If someone's interested, here's the virus, packed in a .rar: (attachment) Personally I trust no AV, so I always keep a system image file for backup. That way I got my system back in a few minutes.

sherpya
Take a better look: the process is not svchost but scvhost, so it looks like malware. Delete it from autorun and kill the process; if you cannot do it because of Task Manager, use Process Explorer or install Unlocker and remove it on the next reboot: https://ccollomb.free.fr/unlocker/ Take care not to delete svchost (the system process).
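The svchost/scvhost confusion above is a classic masquerading trick: a name one typo away from a system binary, or the real name running from the wrong directory. The script below is an added example (not from this thread or from ClamWin) showing how a defender can triage an Autoruns-style list for both cases. The process list, the reference table of system binaries and their expected directories are constructed for the example; on a real machine you would feed it the output of Autoruns or Process Explorer.

```python
import ntpath

# Reference list of Windows system binaries and the directory each legitimately runs from.
# Constructed for this example (lower-case for comparison); not data from the forum thread.
SYSTEM_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def damerau_distance(a, b):
    """Optimal-string-alignment distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1, so 'scvhost' vs 'svchost' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def check_entry(name, path):
    """Return a finding for one process/autorun entry, or None if it looks normal.

    Two checks: (1) a genuine system name running from the wrong directory,
    (2) a name within one edit of a system name (typo-squatting such as scvhost.exe)."""
    n = name.lower()
    directory = ntpath.dirname(path.lower())   # ntpath handles backslashes on any OS
    if n in SYSTEM_PROCESSES:
        if directory != SYSTEM_PROCESSES[n]:
            return "system name from unexpected directory (expected %s)" % SYSTEM_PROCESSES[n]
        return None
    stem = n.rsplit(".", 1)[0]
    for known in SYSTEM_PROCESSES:
        if damerau_distance(stem, known.rsplit(".", 1)[0]) == 1:
            return "lookalike of %s" % known
    return None


def triage(entries):
    """Run check_entry over (name, path) pairs and return the suspicious ones."""
    findings = []
    for name, path in entries:
        finding = check_entry(name, path)
        if finding:
            findings.append((name, path, finding))
    return findings


# Constructed sample entries in the shape Autoruns / Process Explorer would show them.
SAMPLE_ENTRIES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),             # genuine
    ("scvhost.exe", r"C:\WINDOWS\scvhost.exe"),                      # transposed name
    ("svchost.exe", r"C:\Documents and Settings\user\svchost.exe"),  # right name, wrong place
    ("Isass.exe", r"C:\WINDOWS\system32\Isass.exe"),                 # capital I for lower l
    ("notepad.exe", r"C:\WINDOWS\notepad.exe"),                      # unrelated, fine
]

if __name__ == "__main__":
    for name, path, finding in triage(SAMPLE_ENTRIES):
        print("%-12s %-45s %s" % (name, path, finding))
```

The directory check matters as much as the name check: a file really called svchost.exe sitting in a user profile is just as suspicious as scvhost.exe, and a pure name comparison would pass it.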
ermi
Thanks, but as I wrote, I got my system back already with an image backup.

GuitarBob
Clam has signatures for many ciadoor.13 variants, so it probably doesn't support the packer in which your malware was wrapped. Many of the Ciadoor variants appear to be spyware.
It appears to me that there is a 50% chance that anything packed (not zipped) has malware. Some kinds of packers are used mostly to hide malware, so anything packed with them probably has a 75% chance. If Clam can't unpack something, perhaps it should flag it for the user, who can then decide what to do--check it with VirusTotal, or consider where it came from and whether he/she is expecting the file and delete/ignore it. Right now, if an AV program can't unpack something, you will never know about it! Regards
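The suggestion above, flagging a file the scanner cannot unpack instead of silently passing it, is easy to prototype. The script below is an added example, not ClamWin's own code and not anything from this thread: it measures byte entropy over fixed windows, since a packed or encrypted body looks near-random while ordinary code and text do not, and turns the share of near-random windows into a "flag for the user" verdict. The two sample files are constructed in the script (a text-like stub plus a deterministic SHA-256 filler standing in for a packed section); the window size and thresholds are assumptions to tune.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for constant input, at most 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def high_entropy_regions(data, window=1024, threshold=7.0):
    """Split `data` into consecutive non-overlapping windows and return
    (offset, entropy) for each window above `threshold`."""
    regions = []
    for offset in range(0, len(data) - window + 1, window):
        h = shannon_entropy(data[offset:offset + window])
        if h > threshold:
            regions.append((offset, round(h, 2)))
    return regions


def packed_verdict(data, window=1024, threshold=7.0, min_fraction=0.5):
    """Heuristic: if more than `min_fraction` of the windows are near-random,
    the file is most likely packed or encrypted and should be flagged for the user
    rather than silently passed as clean. Thresholds are assumptions for this example."""
    windows = max(1, len(data) // window)
    hot = len(high_entropy_regions(data, window, threshold))
    return "likely packed or encrypted" if hot / windows > min_fraction else "plain"


def pseudo_random_bytes(n, seed=b"constructed-seed"):
    """Deterministic high-entropy filler (chained SHA-256) standing in for a packed body."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a text-like stub followed by a "packed" body, and a plain text file.
STUB = (b"This program cannot be run in DOS mode.\r\n" * 64)[:2048]
SAMPLE_PACKED = STUB + pseudo_random_bytes(6144)
SAMPLE_PLAIN = (b"This program cannot be run in DOS mode.\r\n" * 128)[:4096]

if __name__ == "__main__":
    for label, sample in (("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN)):
        print(label, packed_verdict(sample), high_entropy_regions(sample))
```

A verdict like this is not a detection, only a reason to tell the user "I could not look inside this"; that is exactly the decision point GuitarBob describes, where the user can send the file to VirusTotal or weigh where it came from.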
A virus you can't detect

Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.