F-Prot virus submissions

Art

I submitted a file named Hillery_Duff.scr to FSI (F-Prot) using the
submissions form at the FSI web site. It's another case of seeing
these infected files being spread around the newsgroups and finding
that both KAV and McAfee alert but F-Prot does not. I decided to start
submitting such files to FSI. Here's a copy of the response I just
received:

**********************************************************
Re: Virus submission 20040203-0149
From: Viruslab <(e-mail address removed)>
Date: Thu, 05 Feb 2004 14:37:09 +0000
To: (my email addy deleted)

Wants reply: yes
OS: Windows 95/98 or ME
Symptoms: This .SCR file is being circulated on the newsgroups.
McAfee alerts as Backdoor-azv Trojan. KAV alerts as Backdoor.Loony

F-Prot does not alert.

Hello and thank you for using our submission form.

The file that you sent us through our submission form was analyzed as
a security risk named W32/Xcombot.D@bd

A detection has been added and will be available in the next release
of our definition files.

If you have any further questions, do not hesitate to contact our
viruslab support.

Best Regards,
Thorkell Vignir

Viruslab department
Email address: (e-mail address removed)
FRISK Software Int. http://www.f-prot.com

*********************************************************
I encourage others to help out also by submitting suspect files to
their favorite av vendors.


Art
http://www.epix.net/~artnpeg
 
Frederic Bonroy

(e-mail address removed) wrote:
> Hello and thank you for using our submission form.
>
> The file that you sent us through our submission form was analyzed as
> a security risk named W32/Xcombot.D@bd

Xcombot? Why not Loony...?

I am too lazy to verify whether another virus named Loony already exists in
F-Prot's database, but it would have been more consistent, no...?
 
LT Higdon

> I submitted a file named Hillery_Duff.scr to FSI (F-Prot) using the
> submissions form at the FSI web site. It's another case of seeing
> these infected files being spread around the newsgroups and finding
> that both KAV and McAfee alert but F-Prot does not. I decided to start
> submitting such files to FSI. Here's a copy of the response I just
> received:

Just outta curiosity, what happens if you crank the heuristics on F-Prot?
Does it nail it as something then? Reason I'm asking is both KAV and McAfee
ID it as different things, and just maybe their heuristics are juiced.
 
Art

> (e-mail address removed) wrote:
>
> Xcombot? Why not Loony...?
>
> I am too lazy to verify whether another virus named Loony already exists in
> F-Prot's database, but it would have been more consistent, no...?

What bothers me about this particular file is McAfee's alert name of
Backdoor-azv, which their description claims has Hackarmy (KAV) as
an alias name. Yet a different .SCR file floating around the
newsgroups is identified as Hackarmy by KAV. In pursuing several of
these damn things, I get the impression that at least some scanners
are misidentifying quite a bit. With some scanners it's become a real
mishmash of some sort of broad or heuristic detection without precise
identification.

Generally, I no longer trust av to reliably give an accurate enough
identification for their descriptions (if you can find them) to be
really useful in trying to help people here. When XYZ av alerts as ABC
malware, only the psychics might know what's going on nowadays :)

Without proof, I do get the impression that KAV is less prone than
some others to misidentification and false alarms. When it does burp
up an actual malware name, I also trust F-Prot to be reasonably
accurate as well.


Art
http://www.epix.net/~artnpeg
 
Art

> Just outta curiosity, what happens if you crank the heuristics on F-Prot?
> Does it nail it as something then? Reason I'm asking is both KAV and McAfee
> ID it as different things, and just maybe their heuristics are juiced.

I use the only documented "added" heuristic switch available, which is
/AI. Seems there was another undocumented switch as well, but I've
forgotten it. Anyway, FSI admits it doesn't currently have detection
but will in the next def files.


Art
http://www.epix.net/~artnpeg
 
charles

> I submitted a file named Hillery_Duff.scr to FSI (F-Prot) using the
> submissions form at the FSI web site. It's another case of seeing
> these infected files being spread around the newsgroups and finding
> that both KAV and McAfee alert but F-Prot does not. I decided to start

I also submitted a malicious file on 21.12.2003 that none of the AVs I
tried (NAV, F-Prot, AVG, Avast) detected, and the only response I've
received so far has been the same from Thorkell at Frisk, labeling it
W32/OptixPro.I@dr.

At this point still nobody detects it, but F-Prot will real soon now!
 
Art

> I also submitted a malicious file on 21.12.2003 that none of the AVs I
> tried (NAV, F-Prot, AVG, Avast) detected, and the only response I've
> received so far has been the same from Thorkell at Frisk, labeling it
> W32/OptixPro.I@dr.
>
> At this point still nobody detects it, but F-Prot will real soon now!

When you say "nobody", I'd be surprised if KAV and/or McAfee don't
alert. You can upload the file for av scanning to several sites listed
here:

http://www.claymania.com/anti-virus.html


Art
http://www.epix.net/~artnpeg
 
James Love

Hi,

Would it be possible for you to zip up the file and send it to the other
AV vendors so detection can be added? If you send it to all of the
below, then we should all be protected.

Many Thanks.

James

McAfee: (e-mail address removed)
Avast: (e-mail address removed)
AVG: (e-mail address removed)
AntiVir: (e-mail address removed)
Kaspersky: (e-mail address removed)
NOD32: (e-mail address removed)
EZ Antivirus: (e-mail address removed)
Dr Web: (e-mail address removed)
 
Art

> Hi,
>
> Would it be possible for you to zip up the file and send it to the other
> AV vendors so detection can be added? If you send it to all of the
> below, then we should all be protected.
>
> Many Thanks.
>
> James
>
> McAfee: (e-mail address removed)
> Avast: (e-mail address removed)
> AVG: (e-mail address removed)
> AntiVir: (e-mail address removed)
> Kaspersky: (e-mail address removed)
> NOD32: (e-mail address removed)
> EZ Antivirus: (e-mail address removed)
> Dr Web: (e-mail address removed)

Why? McAfee and KAV alerted on the file, as I had posted. The file is
all over the newsgroups, so vendors who are on the ball have had
samples for quite some time now.


Art
http://www.epix.net/~artnpeg
 
James Love

Sorry Art, I meant to send this to Charles, as he said his trojan was
not detected by KAV or Dr Web, but having sent it to F-Prot I am sure
you are right and they will pass it to the other AV vendors.

Cheers

James
 
BoB

> Sorry Art, I meant to send this to Charles, as he said his trojan was
> not detected by KAV or Dr Web, but having sent it to F-Prot I am sure
> you are right and they will pass it to the other AV vendors.
>
> Cheers
>
> James

It would be nice if a cooperative site could be developed where
all users could submit undetected viruses and all AV companies
could download suspect files and get their databases updated.

Nice, but not likely, due to the nature of business competition.

BoB
 
Art

> It would be nice if a cooperative site could be developed where
> all users could submit undetected viruses and all AV companies
> could download suspect files and get their databases updated.
>
> Nice, but not likely, due to the nature of business competition.

I would imagine such a site would be severely abused and also flooded
by the black hats, making it inoperative.

James's proposal isn't a bad one, but his list of vendors was too short.
However, if the general public are to be encouraged to submit suspect
samples to a long list of av vendors, they should also be clued in to
first making an attempt to learn whether or not a file is actually
suspect. They should scan with several up-to-date scanners. I don't
think it does anyone any good to bombard vendors with samples of known
malware. And the habit of checking with several _good_ scanners is an
excellent safe hex habit to get into anyway. That's the real beauty of
the file upload antivirus scan sites, IMO. Plus it's a check on
possible false positives their resident scanner might produce.


Art
http://www.epix.net/~artnpeg
 
charles

> Hi,
>
> Would it be possible for you to zip up the file and send it to the other
> AV vendors so detection can be added? If you send it to all of the
> below, then we should all be protected.
>
> Many Thanks.
>
> James
>
> McAfee: (e-mail address removed)
> Avast: (e-mail address removed)
> AVG: (e-mail address removed)
> AntiVir: (e-mail address removed)
> Kaspersky: (e-mail address removed)
> NOD32: (e-mail address removed)
> EZ Antivirus: (e-mail address removed)
> Dr Web: (e-mail address removed)

When I originally found this malware I asked here where to send it
((e-mail address removed)) and did in fact send zipped
copies to several of the addresses provided.

Symantec came back with an automated return message with a procedure for
resubmitting using NAV.

The only advice/classification I received was the one from F-Prot.
 
Ian Kenefick

LT said:
> Just outta curiosity, what happens if you crank the heuristics on F-Prot?
> Does it nail it as something then? Reason I'm asking is both KAV and McAfee
> ID it as different things, and just maybe their heuristics are juiced.

Heuristics rarely detect a single binary piece of malware. They work
reasonably well in the case of a virus or a variant. "Cranking heuristics":
is this a technical term?

Regards, Ian
 
charles

> Hi,
>
> Would it be possible for you to zip up the file and send it to the other
> AV vendors so detection can be added? If you send it to all of the
> below, then we should all be protected.

> When I originally found this malware I asked here where to send it
> ((e-mail address removed)) and did in fact send zipped
> copies to several of the addresses provided.
>
> Symantec came back with an automated return message with a procedure for
> resubmitting using NAV.
>
> The only advice/classification I received was the one from F-Prot.


Changing the header on this thread to provide this update,
if anyone is interested.

Received from Symantec:

"... crypter3.1.exe is a non-repairable threat. NAV with the latest beta
definitions detects this. Please delete this file and replace it if
necessary. Please follow the instructions at the end of this email
message to install the latest beta definitions. This file is contained
by X:\xxx\trojan-crypter3.1.zip

This Trojan dropper drops Backdoor.OptixPro.13"

They also included the update.exe with their reply.

Received from DiamondCS support:

"This is a silly.. yet elaborate file dropper. It writes out the bytes
specified in the file to an EXE and then runs that EXE

The EXE dropped is RAT.Optix Pro 1.32, detected by TDS
Detection for this dropper has been added"

I ran TDS-3 after loading the update and it was detected.

Surprisingly, F-Prot still does not detect the trojan.
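The dropper in the DiamondCS reply above carries its payload as a blob of bytes that it writes out to an .EXE and runs. A cheap triage check, before bothering a vendor with a sample, is to look for a PE image embedded inside the file: a "MZ" DOS header whose e_lfanew points at a "PE\0\0" signature with a sane COFF header behind it. The script below is an added example, not code from the thread or from any AV vendor; it also tries every single-byte XOR key, which assumes the dropper might store its bytes lightly obfuscated (the thread does not say how this particular dropper stores them). The sample blobs are constructed here from a synthetic header and are not the real dropper.

```python
import struct

# Machine types accepted in the COFF header (i386 and x86-64 only).
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}


def _u16(data, off, key):
    """Little-endian 16-bit read, undoing a single-byte XOR key."""
    return (data[off] ^ key) | ((data[off + 1] ^ key) << 8)


def _u32(data, off, key):
    return _u16(data, off, key) | (_u16(data, off + 2, key) << 16)


def _pe_at(data, pos, key):
    """Return header facts if a (possibly XOR-encoded) PE image starts at pos, else None."""
    if pos + 0x40 > len(data):           # need the whole DOS header
        return None
    e_lfanew = _u32(data, pos + 0x3C, key)
    if not 0x40 <= e_lfanew <= 0x1000:   # sane distance to the PE signature
        return None
    pe = pos + e_lfanew
    if pe + 24 > len(data):              # "PE\0\0" plus the 20-byte COFF header
        return None
    if bytes(b ^ key for b in data[pe:pe + 4]) != b"PE\x00\x00":
        return None
    machine = _u16(data, pe + 4, key)
    nsections = _u16(data, pe + 6, key)
    if machine not in MACHINES or not 1 <= nsections <= 96:
        return None
    return {"offset": pos, "xor_key": key, "machine": MACHINES[machine], "sections": nsections}


def find_embedded_pe(data, keys=range(256)):
    """Scan data for PE images, plain (key 0) or XOR-encoded with one of keys.

    Only the two signature bytes are searched per key, and the header is
    decoded on demand, so the whole file is never XOR-decoded 256 times.
    """
    hits = []
    for key in keys:
        sig = bytes((0x4D ^ key, 0x5A ^ key))       # "MZ" under this key
        pos = data.find(sig)
        while pos != -1:
            info = _pe_at(data, pos, key)
            if info:
                hits.append(info)
            pos = data.find(sig, pos + 1)
    return hits


def build_fake_pe(machine=0x14C, nsections=3):
    """Minimal synthetic PE header (DOS header + signature + COFF header); not a runnable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 64


# Constructed samples (not real malware): a text stub followed by the synthetic
# payload, once in the clear and once XOR-encoded with a single byte.
STUB = b"CONSTRUCTED DROPPER STUB (not a real sample)\n" + b"\x00" * 32
PAYLOAD = build_fake_pe()
PLAIN_DROPPER = STUB + PAYLOAD
XOR_KEY = 0x5A
XOR_DROPPER = STUB + bytes(b ^ XOR_KEY for b in PAYLOAD)


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_DROPPER), ("xor", XOR_DROPPER), ("text", b"no payload here")):
        hits = find_embedded_pe(blob)
        print(f"{name}: {hits if hits else 'no embedded PE found'}")
```

Run it against a suspect file with `find_embedded_pe(open(path, "rb").read())`. A hit at a non-zero offset in a file that is itself a PE, or any hit under a non-zero key, is a strong reason to treat the file as a dropper and send it in; the check says nothing about what the payload does, so it complements, rather than replaces, running several up-to-date scanners.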
 
