malware analysis

[badgolferman]

Installed trial version of NOD32 and it found malware on my computer.
No other scanner has ever flagged this file as malware before. I
submitted to the following sites for analysis by their virus scanners.
Here are the results. Why do the two AntiVir results differ? Why do
so many of the vendors disagree? What is your analysis?

----------------------
http://virusscan.jotti.org/
File: XPKey.zip
Status: INFECTED/MALWARE
MD5 a041d4f9fb88242e0fef31f20e8ac534
Packers detected: UPX
Scanner results

AntiVir Found SecurityPrivacyRisk/XP.Keyfinder riskware,
SecurityPrivacyRisk/PSW.RAS.A.2 riskware,
SecurityPrivacyRisk/PSW.RAS.A.3 riskware, SecurityPrivacyRisk/RAS.A
riskware
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found HackerTool/Keyfinder
Kaspersky Anti-Virus Found not-a-virusSWTool.Win32.RAS.a
NOD32 Found Win32/PSWTool.RAS.A application
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

------------------------
http://www.virustotal.com/flash/index_en.html
This is a report processed by VirusTotal on 06/08/2006 at 02:21:47
(CET) after scanning the file "XPKey.zip" file.

Antivirus Version Update Result
AntiVir 6.34.1.37 06.07.2006 no virus found
Authentium 4.93.8 06.08.2006 no virus found
Avast 4.7.844.0 06.06.2006 no virus found
AVG 386 06.07.2006 no virus found
BitDefender 7.2 06.08.2006 no virus found
CAT-QuickHeal 8.00 06.07.2006 PSWTool.RAS.a (Not a Virus)
ClamAV devel-20060426 06.07.2006 no virus found
DrWeb 4.33 06.07.2006 no virus found
eTrust-InoculateIT 23.72.31 06.07.2006 no virus found
eTrust-Vet 12.6.2246 06.07.2006 no virus found
Ewido 3.5 06.07.2006 no virus found
Fortinet 2.77.0.0 06.08.2006 HackerTool/Keyfinder
F-Prot 3.16f 06.07.2006 no virus found
Ikarus 0.2.65.0 06.07.2006 no virus found
Kaspersky 4.0.2.24 06.08.2006 not-a-virusSWTool.Win32.RAS.a
McAfee 4779 06.07.2006 potentially unwanted program Generic PUP
Microsoft 1.1441 06.08.2006 no virus found
NOD32v2 1.1584 06.07.2006 Win32/PSWTool.RAS.A
Norman 5.90.17 06.07.2006 no virus found
Panda 9.0.0.4 06.07.2006 no virus found
Sophos 4.06.0 06.08.2006 no virus found
Symantec 8.0 06.07.2006 no virus found
TheHacker 5.9.8.156 06.07.2006 no virus found
UNA 1.83 06.06.2006 no virus found
VBA32 3.11.0 06.07.2006 no virus found

 

[Ian Kenefick]

Installed trial version of NOD32 and it found malware on my computer.
No other scanner has ever flagged this file as malware before. I
submitted to the following sites for analysis by their virus scanners.
Here are the results. Why do the two AntiVir results differ? Why do
so many of the vendors disagree? What is your analysis?

This file is actually a keyfinder. I think it's called Magic
Jellybean. It's really not malicious in the hands of someone who has
genuinly lost their product key. It's my understanding that it is
detected because it could possibly be misused. The file is NOT
malicious.

 

[badgolferman]

This file is actually a keyfinder. I think it's called Magic
Jellybean. It's really not malicious in the hands of someone who has
genuinly lost their product key. It's my understanding that it is
detected because it could possibly be misused. The file is NOT
malicious.

Yes, I know what kind of file it is, but yet the questions remain. Why
the inconsistent analyses from AntiVir and why do the vendors disagree?

 

[David H. Lipman]

From: "badgolferman" <[email protected]>

| Ian Kenefick, 6/7/2006,8:33:05 PM, wrote:
||
| Yes, I know what kind of file it is, but yet the questions remain. Why
| the inconsistent analyses from AntiVir and why do the vendors disagree?

From my understanding, Jotti's scanner are based upon Linux and sometimes produces different
results because of this.

 

[Art]

Installed trial version of NOD32 and it found malware on my computer.
No other scanner has ever flagged this file as malware before. I
submitted to the following sites for analysis by their virus scanners.
Here are the results. Why do the two AntiVir results differ?

You'd have to ask the guys who run the sites. Could be you caught
it at a time when detection was just added and one site hadn't been
updated. Or it could be a scan options setting issue.

Why do
so many of the vendors disagree?

You mean you expect them to use the same malware names? Ha!
Or do you mean that some alert and some don't. That's not unusual,
especially wih controversialware such as this sample. Not all vendors
alert on controversialware.

What is your analysis?

The nature of the alerts tells me that the sample software is probably
commercial software which is legit but controversial since it can be
used for nefarious purposes.

Nothing at all unusual about the whole thing. It's a ho hum and what
else is new

Art
http://home.epix.net/~artnpeg

 

[Ian Kenefick]

Yes, I know what kind of file it is, but yet the questions remain. Why
the inconsistent analyses from AntiVir and why do the vendors disagree?

As far as jotti and virus total are concerned. They both use command
line scanner versions of the products. Jotti's is Linux and Virustotal
is Windows based. Perhaps Virustotal has not iuncluded the parameter
for riskware detection or older version which doesn't include the
detection for this type of 'threat'.

As for vendors disagreeing... There is no real answer for this I
think. Some vendors like Kaspersky add a lot of stuff that they think
should be added whilst vendors like Dr.Web and NOD32 tend not to add
them. More and more this is changing though since 'what the public
wants the public gets'.

 

[Dustin Cook]

You mean you expect them to use the same malware names? Ha!
Or do you mean that some alert and some don't. That's not unusual,
especially wih controversialware such as this sample. Not all vendors
alert on controversialware.

Which is why BugHunter doesn't even offer names. Who's name should I
follow, one I create? Nah...

The nature of the alerts tells me that the sample software is probably
commercial software which is legit but controversial since it can be
used for nefarious purposes.

It's not commercial. It's a freeware XP cd key recovery program. If you run
it on the host, it'll give you the install key, along with your office
install key if possible. It's a handy utility.